#47343 [NEW]: gc_collect_cycles causes a segfault when called within a destructor in one case

[geoffers+phpbugs at gmail dot com]

From:             geoffers+phpbugs at gmail dot com
Operating system: Debian Etch
PHP version:      5.3CVS-2009-02-08 (CVS)
PHP Bug Type:     Reproducible crash
Bug description:  gc_collect_cycles causes a segfault when called within a 
destructor in one case

Description:
------------
When running PHP a segfault occurs when trying to call 
gc_collect_cycles() within the destructor in the included code. Removing 
any line from that code (with the exception of the DONE echo) causes the 
segfault to not occur.

This is on Debian Etch, with everything apart from PHP 5.3 from the 
Debian stable repositories. PHP 5.3 was compiled with:

'./configure' '--enable-bcmath' '--enable-calendar' '--with-zlib-
dir=/usr' '--with-gd' '--with-apxs2=/usr/bin/apxs2' '--with-curl=/usr' 
'--without-pear' '--enable-mbstring' '--enable-debug'

I have only tested through the CLI.

Reproduce code:
---------------
<?php

class A
{
        public function __destruct()
        {
                gc_collect_cycles();
        }
        
        public function getB()
        {
                $this->data['foo'] = new B($this);
                $this->data['bar'] = new B($this);
                // Return either of the above
                return $this->data['foo'];
        }
}

class B
{
        public function B($A)
        {
                $this->A = $A;
        }

        public function __destruct()
        {
        }
}

for ($i = 0; $i < 2; $i++)
{
        $Aobj = new A;
        $Bobj = $Aobj->getB();
        unset($Bobj);
        unset($Aobj);
}

echo "DONE\n";


Expected result:
----------------
Output:

DONE

Actual result:
--------------
Output:

DONE
Segmentation fault (core dumped)

Backtrace:

#0  0x0844a0b0 in gc_collect_cycles () at 
/root/php5/Zend/zend_gc.c:551
#1  0x08439ab6 in zif_gc_collect_cycles (ht=0, 
return_value=0xb79767d8, return_value_ptr=0x0, this_ptr=0x0, 
return_value_used=0)
    at /root/php5/Zend/zend_builtin_functions.c:336
#2  0x084536bd in zend_do_fcall_common_helper_SPEC 
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:313
#3  0x08458202 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:1564
#4  0x08452afa in execute (op_array=0xb7979664) at 
/root/php5/Zend/zend_vm_execute.h:104
#5  0x0841a08a in zend_call_function (fci=0xbfe69304, 
fci_cache=0xbfe692d4) at /root/php5/Zend/zend_execute_API.c:928
#6  0x08441628 in zend_call_method (object_pp=0xbfe69394, 
obj_ce=0xb7977e94, fn_proxy=0xbfe69398, function_name=0x8902ee6 
"__destruct", 
    function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, 
arg2=0x0) at /root/php5/Zend/zend_interfaces.c:89
#7  0x0844bb8d in zend_objects_destroy_object (object=0xb7979054, 
handle=1) at /root/php5/Zend/zend_objects.c:106
#8  0x084502d3 in zend_objects_store_call_destructors 
(objects=0x8939d80) at /root/php5/Zend/zend_objects_API.c:57
#9  0x08417947 in shutdown_destructors () at 
/root/php5/Zend/zend_execute_API.c:221
#10 0x08427ce5 in zend_call_destructors () at 
/root/php5/Zend/zend.c:867
#11 0x083bbcf4 in php_request_shutdown (dummy=0x0) at 
/root/php5/main/main.c:1506
#12 0x084b9825 in main (argc=2, argv=0xbfe69924) at 
/root/php5/sapi/cli/php_cli.c:1340

-- 
Edit bug report at http://bugs.php.net/?id=47343&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=47343&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=47343&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=47343&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=47343&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=47343&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=47343&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=47343&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=47343&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=47343&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=47343&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=47343&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=47343&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=47343&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=47343&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=47343&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=47343&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=47343&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=47343&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=47343&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=47343&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=47343&r=mysqlcfg