Edit report at https://bugs.php.net/bug.php?id=64868&edit=1
ID: 64868
Comment by: ulrich dot schmidt-goertz at gmx dot de
Reported by: martin dot schuette at icans-gmbh dot com
Summary: segfault in zval_mark_grey(), Zend/zend_gc.c:421
Status: Feedback
Type: Bug
Package: Reproducible crash
Operating System: Debian Linux
PHP Version: 5.4.15
Block user comment: N
Private report: N
New Comment:
I've experienced the same issue on Ubuntu.
$ php -v
PHP 5.4.6-1ubuntu1.2 (cli) (built: Mar 11 2013 14:57:54)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
with Xdebug v2.2.1, Copyright (c) 2002-2012, by Derick Rethans
Previous Comments:
------------------------------------------------------------------------
[2013-06-22 09:18:15] [email protected]
Hey, after a second look into your backtrace, it seems you are running with
php 5.4.4? Then this segfault is very likely the same bug and should be fixed in #63055
https://github.com/php/php-src/commit/e88cdaa0
Please try with the newer PHP version.
------------------------------------------------------------------------
[2013-05-29 19:14:33] Sjon at hortensius dot net
Well, pinpointing this should be easy; open PHPUnit_Util_Test and look for the
usage of REGEX_REQUIRES (which is in your trace). var_dump the parameters and
tell us which ones were passed that caused the segfault.
------------------------------------------------------------------------
[2013-05-21 10:09:13] martin dot schuette at icans-gmbh dot com
So far I was unable to reproduce the crash with a smaller code sample (i.e. without requiring our complete application and test suite).
------------------------------------------------------------------------
[2013-05-17 10:57:43] [email protected]
could you please provide a reproduce test script?
thanks
------------------------------------------------------------------------
[2013-05-17 10:47:30] martin dot schuette at icans-gmbh dot com
Description:
------------
As part of a PHPUnit test suite I get this segfault.
Interestingly it depends on phpunit's command line options.
Segfault with "phpunit -c app/phpunit.xml.dist --log-junit /dev/null"
No problem with "phpunit -c app/phpunit.xml.dist" and "phpunit -c app/phpunit.xml.dist --log-junit /dev/null --debug"
Without GC it works as well: "php -dzend.enable_gc=0 /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null"
Expected result:
----------------
complete PHPUnit run
Actual result:
--------------
deploy@jenkins:/tmp/git>php -v
PHP 5.4.4-14 (cli) (built: Mar 4 2013 14:08:43)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
deploy@jenkins:/tmp/git>gdb --args php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php5...done.
done.
(gdb) run
Starting program: /usr/bin/php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: the debug information found in
"/usr/lib/debug//usr/lib/php5/20100525/mysql.so" does not match
"/usr/lib/php5/20100525/mysql.so" (CRC mismatch).
warning: the debug information found in
"/usr/lib/debug/usr/lib/php5/20100525/mysql.so" does not match
"/usr/lib/php5/20100525/mysql.so" (CRC mismatch).
warning: the debug information found in
"/usr/lib/debug//usr/lib/php5/20100525/mysqli.so" does not match
"/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).
warning: the debug information found in
"/usr/lib/debug/usr/lib/php5/20100525/mysqli.so" does not match
"/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).
warning: the debug information found in
"/usr/lib/debug//usr/lib/php5/20100525/pdo_mysql.so" does not match
"/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).
warning: the debug information found in
"/usr/lib/debug/usr/lib/php5/20100525/pdo_mysql.so" does not match
"/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).
[New Thread 0x7fffe80d8700 (LWP 27679)]
[Thread 0x7fffe80d8700 (LWP 27679) exited]
PHPUnit 3.7.10 by Sebastian Bergmann.
Configuration read from /tmp/git/app/phpunit.xml.dist
............................................................. 61 / 3421 ( 1%)
...........................................................S. 122 / 3421 ( 3%)
............................................................. 183 / 3421 ( 5%)
............................................................. 244 / 3421 ( 7%)
............................................................. 305 / 3421 ( 8%)
............................................................. 366 / 3421 ( 10%)
............................................................. 427 / 3421 ( 12%)
............................................................. 488 / 3421 ( 14%)
............................................................. 549 / 3421 ( 16%)
............................................................. 610 / 3421 ( 17%)
............................................................. 671 / 3421 ( 19%)
............................................................. 732 / 3421 ( 21%)
............................................................. 793 / 3421 ( 23%)
............................................................. 854 / 3421 ( 24%)
............................................................. 915 / 3421 ( 26%)
............................................................. 976 / 3421 ( 28%)
............................................................. 1037 / 3421 ( 30%)
............................................................. 1098 / 3421 ( 32%)
............................................................. 1159 / 3421 ( 33%)
............................................................. 1220 / 3421 ( 35%)
............................................................. 1281 / 3421 ( 37%)
............................................................. 1342 / 3421 ( 39%)
............................................................. 1403 / 3421 ( 41%)
............................................................. 1464 / 3421 ( 42%)
.................
Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
421 /tmp/buildd/php5-5.4.4/Zend/zend_gc.c: No such file or directory.
(gdb) bt full
#0 zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
p = 0xcf1fd58
#1 0x00000000006bcbdc in zval_mark_grey (pz=0xcf1fa60) at
/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:432
p = 0xcf1fd58
#2 0x00000000006bda55 in gc_collect_cycles () at
/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:501
current = 0x7ffff4306f30
q = 0x7ffff4306f30
orig_free_list = 0x0
orig_next_to_free = 0x2
#3 0x00000000006bdde4 in gc_zval_possible_root (zv=0xcf1fa60) at
/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:166
newRoot = 0x0
#4 0x00000000006ac968 in zend_hash_destroy (ht=0xcf1fa08) at
/tmp/buildd/php5-5.4.4/Zend/zend_hash.c:560
No locals.
#5 0x000000000069dba7 in _zval_dtor_func (zvalue=0xcf09770) at
/tmp/buildd/php5-5.4.4/Zend/zend_variables.c:43
No locals.
#6 0x0000000000476c78 in php_pcre_match_impl (pce=0x0, subject=0x40faa20
"\340\026\221\006", subject_len=217094144, return_value=0x2,
subpats=0xcf09770, global=1, use_flags=4682104, flags=0, start_offset=0) at
/tmp/buildd/php5-5.4.4/Zend/zend_variables.h:35
result_set = 0x50cf09c70
match_sets = 0x7fffffffb1e8
extra = 0xcf1fe08
extra_data = {flags = 3, study_data = 0x12, match_limit = 68135456,
callout_data = 0xf4240, tables = 0xcf09e18 "\235\065",
match_limit_recursion = 1, mark = 0x186a0, executable_jit =
0x7fffe729bff0}
exoptions = 1
offsets = 0x1
num_subpats = 32767
matched = 0
g_notempty = 2
stringlist = 0x3000000010
subpat_names = 0x6ad3d0
rc = 0
subpats_order = 332
offset_capture = 2
start_offset = 0
#7 0x0000000000477178 in php_do_pcre_match.isra.8 (ht=3,
return_value=0xcf1fe08, global=1) at
/tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:520
regex = 0x14c00000043 <Address 0x14c00000043 out of bounds>
subject = 0xcefe7d8
"/@requires\\s+(?P<name>function|extension)\\s(?P<value>([^ ]+))\\r?$/m"
regex_len = 6785162
subject_len = 0
pce = 0x0
subpats = 0xcf09800
flags = 217094000
start_offset = 0
#8 0x0000000000746bd2 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7ffff7e4ce50) at
/tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:642
ret = 0x7ffff52ae3f0
opline = 0x7fffe73cbd40
should_change_scope = 0 '\000'
fbc = 0xddc650
#9 0x0000000000700447 in execute (op_array=0x7fffe73c9918) at
/tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:410
ret = 0
execute_data = 0x7ffff7e4ce50
nested = 1 '\001'
original_in_execution = 0 '\000'
#10 0x00000000006a028e in zend_execute_scripts (type=8, retval=0x7ffff7e74f60,
file_count=3) at /tmp/buildd/php5-5.4.4/Zend/zend.c:1279
files = 0x7fffffffb3a0
i = 1
file_handle = <incomplete type>
orig_op_array = 0xdb8898
orig_retval_ptr_ptr = 0x0
#11 0x000000000063f863 in php_execute_script (primary_file=0x74696d6d6f632d68)
at /tmp/buildd/php5-5.4.4/main/main.c:2473
__orig_bailout = 0x6170736b726f772f
__bailout = {{__jmpbuf = {0, 0, 0, 0, 1, 0, 7053200, 0},
__mask_was_saved = 1, __saved_mask = {__val = {14386368, 0, 6328, 0, 0, 2, 14,
0, 1,
0, 0, 0, 4294943848, 32767, 14, 0}}}}
prepend_file_p = 0x0
append_file_p = 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty =
0,
mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
free_filename = 0 '\000'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path
= 0x0, handle = {fd = 6996323, fp = 0x6ac163, stream = {
handle = 0x6ac163, isatty = -23247, mmap = {len = 0, pos = 0, map
= 0xce8ffb0, buf = 0x7fffffffa551 "", old_handle = 0x7fffffffada0,
old_closer = 0x7fffffffa3e8}, reader = 0x6b9aa0 <d2b+208>,
fsizer = 0xceca668, closer = 0x1500000000}}, free_filename = 0 '\000'}
retval = 0
#12 0x00000000007491b3 in do_cli (argc=0, argv=0x7fffffffee07) at
/tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:988
__orig_bailout = 0x7fffffffebb8
__bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0},
__mask_was_saved = 455471048, __saved_mask = {__val = {0, 0, 10978083, 0,
10978107, 0, 10892777, 0, 10892798, 0, 10978120, 0, 10978140,
0, 10978157, 0}}}}
file_handle = {type = 6538160, filename = 0x4 <Address 0x4 out of
bounds>, opened_path = 0x7fffffffee07 "/usr/bin/phpunit", handle = {fd = 0,
fp = 0x0, stream = {handle = 0x0, isatty = -135835472, mmap = {len
= 0, pos = 2018, map = 0x0, buf = 0x7ffff7e3e000 "\023",
old_handle = 0x7ffff7e3e00f, old_closer = 0x10dd230}, reader =
0x6b4c10 <zend_stream_stdio_closer>,
fsizer = 0x6b4d00 <zend_stream_stdio_reader>, closer = 0x6b4c40
<zend_stream_stdio_fsizer>}}, free_filename = 144 '\220'}
behavior = 1
reflection_what = 0x0
request_started = 6609936
exit_status = 0
php_optarg = 0x200000002 <Address 0x200000002 out of bounds>
php_optind = 1
exec_direct = 0x0
exec_run = 0x7fffffffe9d0 ""
exec_begin = 0x0
exec_end = 0x0
arg_excp = 0x7fffffffebc0
interactive = 0
lineno = 0
param_error = 0x7fffffffebc0 "\a\356\377\377\377\177"
hide_argv = 0
#13 0x000000000043110a in main (argc=32767, argv=0xdb9230) at
/tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:1361
__bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0},
__mask_was_saved = 98693064, __saved_mask = {__val = {0, 0, 0, 0, 3, 0, 0,
0, 4147400704, 32767, 4158564850, 32767, 1, 0, 0, 0}}}}
c = 0
exit_status = 0
module_started = 0
sapi_started = 0
php_optarg = 0x100000000 <Address 0x100000000 out of bounds>
php_optind = 32767
use_extended_info = 0
ini_ignore = 0
sapi_module = 0x6ffffea30
(gdb) info frame 0
Stack frame at 0x7fffffffaf80:
rip = 0x6bcc17 in zval_mark_grey (/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421);
saved rip 0x6bcbdc
called by frame at 0x7fffffffafc0
source language c.
Arglist at 0x7fffffffaf38, args: pz=0xcf1fa60
Locals at 0x7fffffffaf38, Previous frame's sp is 0x7fffffffaf80
Saved registers:
rbx at 0x7fffffffaf58, rbp at 0x7fffffffaf60, r12 at 0x7fffffffaf68, r13 at
0x7fffffffaf70, rip at 0x7fffffffaf78
(gdb) p pz
$1 = (zval *) 0xcf1fa60
(gdb) p *pz
$2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 217184848}, ht =
0x0, obj = {handle = 0, handlers = 0xcf1fa50}}, refcount__gc = 4294967295,
type = 4 '\004', is_ref__gc = 0 '\000'}
(gdb)
------------------------------------------------------------------------
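The report itself already contains the two observations that matter for triage: the crash only happens with the cycle collector enabled (the -dzend.enable_gc=0 run is clean), and the zval the collector was marking shows refcount__gc = 4294967295, which is 0xFFFFFFFF, the value a 32-bit unsigned refcount shows after being decremented past zero. That combination points at the collector walking a zval that had already been released, so disabling GC is a workaround that hides the bug, not a fix. The script below is an added example and is not code from the report, from php-src or from PHPUnit; it reproduces the GC on/off contrast non-interactively and captures the same gdb backtrace in batch mode, so the check can run on a CI host such as the reporter's Jenkins box. The function names, the PHP_BIN and GC_TRIAGE_RUN variables and the transcript file name are this example's own; the gdb options it uses (-batch, -q, -ex, --args) are real.

```shell
#!/bin/sh
# Added triage helper for the GC-dependent segfault described in this report.
# Not code from the report, php-src or PHPUnit; function names, PHP_BIN,
# GC_TRIAGE_RUN and the transcript file name are this example's own.

# Run a command with its output discarded and classify the exit status:
# prints "ok", "segv" (128 + SIGSEGV(11) = 139) or "fail". Returns 0 only
# for "ok". The "|| rc=$?" form keeps the function usable under "set -e".
classify_run() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo ok;   return 0 ;;
        139) echo segv; return 1 ;;
        *)   echo fail; return 1 ;;
    esac
}

# The contrast from the report: identical invocation, only zend.enable_gc
# differs. A crash that disappears with gc=0 points at the cycle collector
# touching a zval that was already released (refcount__gc 4294967295 is
# 0xFFFFFFFF, a 32-bit refcount that went below zero), not at the test suite.
# Prints "gc=1 <result>" then "gc=0 <result>".
gc_bisect() {
    php_bin=$1
    shift
    printf 'gc=1 %s\n' "$(classify_run "$php_bin" -dzend.enable_gc=1 "$@")"
    printf 'gc=0 %s\n' "$(classify_run "$php_bin" -dzend.enable_gc=0 "$@")"
}

# Non-interactive version of the gdb session in the report: run to the
# signal, dump "bt full" and the crashing frame, save the transcript to $1.
# gdb's own exit status is ignored; the transcript is what we inspect.
# Returns 0 when the transcript records a SIGSEGV stop.
gdb_backtrace() {
    outfile=$1
    shift
    gdb -batch -q -ex run -ex 'bt full' -ex 'info frame 0' \
        --args "$@" >"$outfile" 2>&1 || true
    grep -q 'Program received signal SIGSEGV' "$outfile"
}

# Usage on a checkout like the reporter's; set GC_TRIAGE_RUN=1 to enable.
if [ "${GC_TRIAGE_RUN:-0}" = 1 ]; then
    php_bin=${PHP_BIN:-php}
    gc_bisect "$php_bin" /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
    if gdb_backtrace gc-crash.gdb.txt "$php_bin" /usr/bin/phpunit \
            -c app/phpunit.xml.dist --log-junit /dev/null; then
        echo "SIGSEGV backtrace saved to gc-crash.gdb.txt"
    fi
fi
```

Two practical notes when reading the transcript this produces. The "No such file or directory" line after the crash location only means gdb cannot find the php5 source tree under /tmp/buildd; the frame and line number are still correct, and pointing gdb at an unpacked source tree with its `directory` command restores the listing. The "CRC mismatch" warnings, on the other hand, mean the installed debug symbols for those extensions do not match the loaded .so files, so locals shown in frames that pass through them may be garbage; the inlined frame #6 in the report, with pce=0x0 and an implausible subject_len, is the kind of output to distrust for that reason, while the gc frames at the top are from the main binary whose symbols did load.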