Edit report at https://bugs.php.net/bug.php?id=64896&edit=1

 ID:                 64896
 User updated by:    mark dot chong at acquireap dot com
 Reported by:        mark dot chong at acquireap dot com
 Summary:            Segfault with gc_collect_cycles using unserialize on
                     certain objects
-Status:             Feedback
+Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   ubuntu
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

I have run the test case on 3 different machines which all caused a segfault; 
below is the bt from one of them.

#0  _zend_mm_free_int (heap=0xe09290, p=0x7ffff7e793a8) at /tmp/buildd/php5-5.4.15/Zend/zend_alloc.c:2100
#1  0x000000000068d97a in _zval_dtor (zvalue=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0x7ffff7e779a0) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#3  _zval_ptr_dtor (zval_ptr=0x7ffff7e779a0) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#4  0x00000000006aab38 in zend_hash_destroy (ht=0x7ffff7e778e0) at /tmp/buildd/php5-5.4.15/Zend/zend_hash.c:560
#5  0x000000000069b8fb in _zval_dtor_func (zvalue=0x7fffffffa5a0) at /tmp/buildd/php5-5.4.15/Zend/zend_variables.c:45
#6  0x0000000000718e7d in zend_assign_to_variable (value=0x7ffff7e776d8, variable_ptr_ptr=0x7ffff7e40410) at /tmp/buildd/php5-5.4.15/Zend/zend_execute.c:937
#7  ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x7ffff7e40378) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:33084
#8  0x00000000006feaa7 in execute (op_array=0x7ffff7e76af0) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:410
#9  0x00007ffff400fa81 in xdebug_execute (op_array=0x7ffff7e76af0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1391
#10 0x000000000068f7e0 in zend_call_function (fci=fci@entry=0x7fffffffa970, fci_cache=0x7ffff7e73bb0, fci_cache@entry=0x7fffffffa940) at /tmp/buildd/php5-5.4.15/Zend/zend_execute_API.c:958
#11 0x00000000006b4115 in zend_call_method (object_pp=object_pp@entry=0x7fffffffaa28, obj_ce=<optimised out>, fn_proxy=fn_proxy@entry=0x7fffffffaa20, function_name=function_name@entry=0xaa42a0 "__destruct", function_name_len=function_name_len@entry=10, retval_ptr_ptr=retval_ptr_ptr@entry=0x0, param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /tmp/buildd/php5-5.4.15/Zend/zend_interfaces.c:97
#12 0x00000000006bdfa2 in zend_objects_destroy_object (object=0x7ffff7e775b0, handle=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_objects.c:123
#13 0x00000000006bbdf9 in gc_collect_cycles () at /tmp/buildd/php5-5.4.15/Zend/zend_gc.c:816
#14 0x00000000006ad719 in zif_gc_collect_cycles (ht=<optimised out>, return_value=0x7ffff7e75f48, return_value_ptr=<optimised out>, this_ptr=<optimised out>, return_value_used=<optimised out>) at /tmp/buildd/php5-5.4.15/Zend/zend_builtin_functions.c:361
#15 0x00007ffff400fedc in xdebug_execute_internal (current_execute_data=0x7ffff7e40060, return_value_used=0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1483
#16 0x0000000000744d49 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e40060) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:645
#17 0x00000000006feaa7 in execute (op_array=0x7ffff7e73bb0) at /tmp/buildd/php5-5.4.15/Zend/zend_vm_execute.h:410
#18 0x00007ffff400fa81 in xdebug_execute (op_array=0x7ffff7e73bb0) at /srv/debian_developer/xdebug/xdebug-2.2.1/build-php5/xdebug.c:1391
#19 0x000000000069e0dc in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/buildd/php5-5.4.15/Zend/zend.c:1315
#20 0x000000000063e433 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd170) at /tmp/buildd/php5-5.4.15/main/main.c:2492
#21 0x0000000000747913 in do_cli (argc=2, argv=0x7fffffffe608) at /tmp/buildd/php5-5.4.15/sapi/cli/php_cli.c:988
#22 0x000000000042ceaa in main (argc=2, argv=0x7fffffffe608) at /tmp/buildd/php5-5.4.15/sapi/cli/php_cli.c:1364


Previous Comments:
------------------------------------------------------------------------
[2013-05-22 08:34:45] larue...@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I have got it run till it outputs "1315828", no segfault occurred,

please show us the backtrace you get, will be helpful

thanks

------------------------------------------------------------------------
[2013-05-22 08:05:39] mark dot chong at acquireap dot com

Description:
------------
There are a few open bugs this may duplicate, but I have a reproducible case 
under very specific circumstances:

Having an object that has
 a. circular reference
 b. changes global variable on destructor

If this object is unserialize()'d then gc_collect_cycles will cause a segfault

Test script:
---------------
<?php
class bad
{
        private $_private = array();

        public function __construct()
        {
                $this->_private[] = 'oh noes';
        }

        public function __destruct()
        {
                //echo "bad::destructor\n";

                global $bar;
                $bar = $this->_private;
        }
}

$foo = new stdclass;
$foo->foo = $foo;
$foo->bad = new bad;
print_r($foo);

gc_disable();

for ($i=0; true; $i++)
{
        $deep_clone = unserialize(serialize($foo));
        gc_collect_cycles();
        var_dump($i);
}

Expected result:
----------------
Script should run indefinitely.

Actual result:
--------------
int(0)
int(1)
Segmentation fault (core dumped)


------------------------------------------------------------------------
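The report names two conditions (a self-referencing object graph and a destructor that writes a global) and a trigger (gc_collect_cycles after unserialize). The harness below is an added triage aid, not code from the bug report or from the PHP project: it regenerates reduced variants of the reporter's test script, each enabling a subset of the two conditions and using a bounded loop instead of the report's infinite one, and runs every variant in its own php process so a crash cannot take down the harness itself. It assumes a `php` CLI on PATH; the variant names and the class name `bad_variant` are invented here, and nothing is asserted about the outcome (an engine where the bug is fixed will simply report that all variants completed).

```php
<?php
// Added triage harness; not part of bug #64896 or of PHP itself.
// Builds reduced variants of the reporter's test case and runs each in a
// separate php process, reporting whether it completed, exited with an
// error, or was killed by a signal. Assumes `php` is on PATH.

$phpCommand = 'php';   // e.g. 'php -n' to run without php.ini (and so without xdebug)
$iterations = 200;     // bounded replacement for the report's `for (...; true; ...)`

// The two conditions the report names; each variant enables a subset of them.
$variants = [
    'cycle + global-writing destructor' => ['cycle' => true,  'global' => true],
    'cycle only'                        => ['cycle' => true,  'global' => false],
    'global-writing destructor only'    => ['cycle' => false, 'global' => true],
];

function build_script(bool $cycle, bool $globalWrite, int $iterations): string
{
    $destructorBody = $globalWrite
        ? 'global $bar; $bar = $this->_private;'
        : '/* does not touch globals */';
    $cycleLine = $cycle ? '$foo->foo = $foo;' : '/* no cycle */';

    // Backslash-escaped dollars are literal in the generated script; bare ones interpolate.
    return <<<PHP
<?php
class bad_variant
{
    private \$_private = array('oh noes');
    public function __destruct() { $destructorBody }
}
\$foo = new stdClass;
$cycleLine
\$foo->bad = new bad_variant;
gc_disable();
for (\$i = 0; \$i < $iterations; \$i++) {
    \$deep_clone = unserialize(serialize(\$foo));
    gc_collect_cycles();
}
echo "completed";
PHP;
}

function run_variant(string $phpCommand, string $source): array
{
    $path = tempnam(sys_get_temp_dir(), 'gc_triage_');
    file_put_contents($path, $source);

    $pipes = [];
    $proc = proc_open(
        $phpCommand . ' ' . escapeshellarg($path),
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        unlink($path);
        throw new RuntimeException("could not start: $phpCommand");
    }

    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // Poll until the child is reaped and keep the first non-running status:
    // older PHP versions report exitcode -1 on a second call after exit.
    do {
        $status = proc_get_status($proc);
        if ($status['running']) {
            usleep(10000);
        }
    } while ($status['running']);
    proc_close($proc);
    unlink($path);

    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

foreach ($variants as $name => $conditions) {
    $result = run_variant($phpCommand,
        build_script($conditions['cycle'], $conditions['global'], $iterations));
    $status = $result['status'];
    if ($status['signaled']) {
        $outcome = sprintf('killed by signal %d%s', $status['termsig'],
            $status['termsig'] === 11 ? ' (SIGSEGV, as in the report)' : '');
    } elseif ($status['exitcode'] === 0 && trim($result['stdout']) === 'completed') {
        $outcome = "completed $iterations iterations";
    } else {
        $outcome = sprintf('exit code %d: %s', $status['exitcode'], trim($result['stderr']));
    }
    printf("%-36s %s\n", $name, $outcome);
}
```

Two things this separates that the single infinite-loop script cannot: which of the two conditions is actually necessary for the crash, and whether a loaded extension is involved. The backtrace above passes through xdebug_execute and xdebug_execute_internal from xdebug 2.2.1, so running the harness once with `$phpCommand = 'php -n'` (no php.ini, hence no xdebug) and once with the normal configuration tells a triager whether the failure is in the engine's cycle collector or only appears with the extension loaded.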


