Edit report at https://bugs.php.net/bug.php?id=64896&edit=1
ID: 64896
User updated by: mark dot chong at acquireap dot com
Reported by: mark dot chong at acquireap dot com
Summary: Segfault with gc_collect_cycles using unserialize on certain objects
-Status: Feedback
+Status: Open
Type: Bug
Package: Reproducible crash
Operating System: ubuntu
PHP Version: 5.4.15
Block user comment: N
Private report: N

New Comment:

I have run the test case on 3 different machines, which all caused a segfault; below is the bt from one of them.

#0 _zend_mm_free_int (heap=0xe09290, p=0x7ffff7e793a8) at /tmp/buildd/php5-5.4.15/Zend/zend_alloc.c:2100
#1 0x000000000068d97a in _zval_dtor (zvalue=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_variables.h:35
#2 _zval_ptr_dtor (zval_ptr=0x7ffff7e779a0) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#3 _zval_ptr_dtor (zval_ptr=0x7ffff7e779a0) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#4 0x00000000006aab38 in zend_hash_destroy (ht=0x7ffff7e778e0) at /tmp/buildd/php5-5.4.15/Zend/zend_hash.c:560
#5 0x000000000069b8fb in _zval_dtor_func (zvalue=0x7fffffffa5a0) at /tmp/buildd/php5-5.4.15/Zend/zend_variables.c:45
#6 0x0000000000718e7d in zend_assign_to_variable (value=0x7ffff7e776d8, variable_ptr_ptr=0x7ffff7e40410) at /tmp/buildd/php5-5.4.15/Zend/zend_execute.c:937
#7 ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x7ffff7e40378) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:33084
#8 0x00000000006feaa7 in execute (op_array=0x7ffff7e76af0) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:410
#9 0x00007ffff400fa81 in xdebug_execute (op_array=0x7ffff7e76af0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1391
#10 0x000000000068f7e0 in zend_call_function (fci=fci@entry=0x7fffffffa970, fci_cache=0x7ffff7e73bb0, fci_cache@entry=0x7fffffffa940) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:958
#11 0x00000000006b4115 in zend_call_method (object_pp=object_pp@entry=0x7fffffffaa28, obj_ce=<optimised out>, fn_proxy=fn_proxy@entry=0x7fffffffaa20, function_name=function_name@entry=0xaa42a0 "__destruct", function_name_len=function_name_len@entry=10, retval_ptr_ptr=retval_ptr_ptr@entry=0x0, param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /tmp/buildd/php5-5.4.15/Zend/zend_interfaces.c:97
#12 0x00000000006bdfa2 in zend_objects_destroy_object (object=0x7ffff7e775b0, handle=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_objects.c:123
#13 0x00000000006bbdf9 in gc_collect_cycles () at /tmp/buildd/php5-5.4.15/Zend/zend_gc.c:816
#14 0x00000000006ad719 in zif_gc_collect_cycles (ht=<optimised out>, return_value=0x7ffff7e75f48, return_value_ptr=<optimised out>, this_ptr=<optimised out>, return_value_used=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_builtin_functions.c:361
#15 0x00007ffff400fedc in xdebug_execute_internal (current_execute_data=0x7ffff7e40060, return_value_used=0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1483
#16 0x0000000000744d49 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e40060) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:645
#17 0x00000000006feaa7 in execute (op_array=0x7ffff7e73bb0) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:410
#18 0x00007ffff400fa81 in xdebug_execute (op_array=0x7ffff7e73bb0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1391
#19 0x000000000069e0dc in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/buildd/php5-5.4.15/Zend/zend.c:1315
#20 0x000000000063e433 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd170) at /tmp/buildd/php5-5.4.15/main/main.c:2492
#21 0x0000000000747913 in do_cli (argc=2, argv=0x7fffffffe608) at /tmp/buildd/php5-5.4.15/sapi/cli/php_cli.c:988
#22 0x000000000042ceaa in main (argc=2, argv=0x7fffffffe608) at /tmp/buildd/php5-5.4.15/sapi/cli/php_cli.c:1364

Previous Comments:
------------------------------------------------------------------------
[2013-05-22 08:34:45]
larue...@php.net

Thank you for this bug report. To properly diagnose the problem, we need a backtrace to see what is happening behind the scenes. To find out how to generate a backtrace, please read http://bugs.php.net/bugs-generating-backtrace.php for *NIX and http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32.

Once you have generated a backtrace, please submit it to this bug report and change the status back to "Open". Thank you for helping us make PHP better.

I have got it to run till it outputs "1315828", no segfault occurred; please show us the backtrace you get, it will be helpful. Thanks.

------------------------------------------------------------------------
[2013-05-22 08:05:39] mark dot chong at acquireap dot com

Description:
------------
There are a few open bugs this may duplicate, but I have a reproducible case under very specific circumstances:

Having an object that
  a. has a circular reference
  b. changes a global variable in its destructor

If this object is unserialize()'d, then gc_collect_cycles will cause a segfault.

Test script:
---------------
    <?php
    class bad {
        private $_private = array();

        public function __construct() {
            $this->_private[] = 'oh noes';
        }

        public function __destruct() {
            //echo "bad::destructor\n";
            // condition (b): the destructor writes to a global
            global $bar;
            $bar = $this->_private;
        }
    }

    $foo = new stdclass;
    $foo->foo = $foo;   // condition (a): circular reference
    $foo->bad = new bad;
    print_r($foo);

    gc_disable();
    for ($i = 0; true; $i++) {
        // unserialize() recreates the cycle and the object with the destructor
        $deep_clone = unserialize(serialize($foo));
        gc_collect_cycles();
        var_dump($i);
    }

Expected result:
----------------
Script should run indefinitely.

Actual result:
--------------
int(0)
int(1)
Segmentation fault (core dumped)

------------------------------------------------------------------------
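The backtrace above passes through xdebug frames, so a triager would want to confirm that the crash reproduces with no extensions loaded and to see which of the two stated conditions are actually required. The harness below is an added example, not code from the bug report: it runs the reporter's script in a child process started with `php -n` (no php.ini, so no xdebug), once for each combination of "circular reference" and "destructor writes a global", with the loop bounded to a fixed iteration count, and prints the child's exit status. It assumes a POSIX shell, where an exit status of 139 means the child died with SIGSEGV (128 + 11); `PHP_BINARY` is the path of the interpreter running the harness (available since PHP 5.4).

```php
<?php
// Added triage harness, not part of the bug report. The reporter's test
// script is used as a template; MAKE_CYCLE, TOUCH_GLOBAL and ITERS are
// placeholders replaced per variant before the child process runs it.
$template = <<<'PHPSRC'
<?php
class bad {
    private $_private = array();
    public function __construct() { $this->_private[] = 'oh noes'; }
    public function __destruct() {
        if (TOUCH_GLOBAL) {            // condition (b): destructor writes a global
            global $bar;
            $bar = $this->_private;
        }
    }
}
$foo = new stdClass;
if (MAKE_CYCLE) { $foo->foo = $foo; } // condition (a): circular reference
$foo->bad = new bad;
gc_disable();
for ($i = 0; $i < ITERS; $i++) {
    $deep_clone = unserialize(serialize($foo));
    gc_collect_cycles();
}
echo "completed ", ITERS, " iterations\n";
PHPSRC;

// Run one variant in a child "php -n" process and return its exit status
// plus the last line it printed. 139 under a POSIX shell means SIGSEGV.
function run_variant($template, $cycle, $touchGlobal, $iters = 50)
{
    $src = str_replace(
        array('MAKE_CYCLE', 'TOUCH_GLOBAL', 'ITERS'),
        array($cycle ? 'true' : 'false', $touchGlobal ? 'true' : 'false', (string) $iters),
        $template
    );
    $file = tempnam(sys_get_temp_dir(), 'bug64896_');
    file_put_contents($file, $src);

    $output = array();
    $rc = 0;
    // -n: ignore php.ini, so the xdebug extension seen in the backtrace is not loaded.
    exec(escapeshellarg(PHP_BINARY) . ' -n ' . escapeshellarg($file) . ' 2>&1', $output, $rc);
    unlink($file);

    return array('exit' => $rc, 'last_line' => (string) end($output));
}

$variants = array(
    array(true, true),   // both conditions: the reporter's case
    array(true, false),  // cycle only
    array(false, true),  // destructor writes a global only
    array(false, false), // neither
);
foreach ($variants as $v) {
    list($cycle, $touch) = $v;
    $r = run_variant($template, $cycle, $touch);
    printf("cycle=%-3s destructor_global=%-3s exit=%3d  %s\n",
        $cycle ? 'yes' : 'no', $touch ? 'yes' : 'no', $r['exit'],
        $r['exit'] === 139 ? 'SIGSEGV' : $r['last_line']);
}
```

Run it with the affected interpreter (`php triage.php`). A row showing `exit=139` identifies a crashing combination; a row showing `completed 50 iterations` did not crash within the bound. If only the first row crashes, both conditions the report names are needed; if the "cycle only" or "destructor only" row also crashes, the report's description can be narrowed accordingly.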