Bug #64960 [Opn]: Segfault in gc_zval_possible_root
Edit report at https://bugs.php.net/bug.php?id=64960&edit=1

 ID:                 64960
 Updated by:         paj...@php.net
 Reported by:        arjen at react dot com
 Summary:            Segfault in gc_zval_possible_root
 Status:             Open
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   Archlinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

This is what we actually support:

http://www.php.net/downloads.php

or using:

https://github.com/php/php-src (use the 5.4 branch).

External patched versions like the one in ZendServer are not supported; while this possible bug may happen in these versions, we need to reproduce it with our code base.

Previous Comments:
------------------------------------------------------------------------
[2013-06-05 07:58:06] arjen at react dot com

Centos 6.3 with Zend Server PHP (no Suhosin):
# php -v
PHP 5.3.14 (cli) (built: Jun 19 2012 03:47:42)

Archlinux (from repo, no Suhosin)
$ php -v
PHP 5.4.15 (cli) (built: May 12 2013 13:11:23)

Are you sure you're not testing with a debug build? The segfault does not happen in debug builds.

------------------------------------------------------------------------
[2013-06-05 03:10:20] larue...@php.net

Please disable Suhosin patch and try again.

------------------------------------------------------------------------
[2013-06-04 19:25:14] arjen at react dot com

Verified it's not an Archlinux issue:

~$ php -v
PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch (cli) (built: Mar 11 2013 14:31:48)

~$ php segfault.php
PHP Notice: ob_end_flush(): failed to delete and flush buffer. No buffer to delete or flush in /home/arjen/segfault.php on line 3
PHP Fatal error: Uncaught exception 'Exception' in /home/arjen/segfault.php:19
Stack trace:
#0 [internal function]: {closure}(8, 'ob_end_clean():...', '/home/arjen/seg...', 9, Array)
#1 /home/arjen/segfault.php(9): ob_end_clean()
#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
#3 {main}
  thrown in /home/arjen/segfault.php on line 19
Segmentation fault (core dumped)

------------------------------------------------------------------------
[2013-06-04 15:28:15] larue...@php.net

I can not reproduce the segfault

------------------------------------------------------------------------
[2013-06-03 11:48:55] arjen at react dot com

Description:
Affects >= 5.3.0, including 5.4.16.
See http://3v4l.org/dTDPH#v536

Combination of custom exception handler and error handler, custom property with a debug_backtrace defined to an exception and calling ob_end_clean while ob_end_flush was called.

Wasn't able to reduce this further.

Test script:
---
<?php
// this makes ob_end_clean raise an error
ob_end_flush();

class ExceptionHandler {
    public function __invoke (Exception $e)
    {
        // this triggers the custom error handler
        ob_end_clean();
    }
}

// this must be a class, closure does not trigger segfault
set_exception_handler(new ExceptionHandler());

// exception must be thrown from error handler.
set_error_handler(function()
{
    $e = new Exception;
    $e->_trace = debug_backtrace();

    throw $e;
});

// trigger error handler
$a['waa'];

Expected result:
No segfault.

Actual result:
--
#0  0x00648779 in gc_zval_possible_root ()
#1  0x00637168 in zend_hash_destroy ()
#2  0x00628c0b in _zval_dtor_func ()
#3  0x0061abd9 in _zval_ptr_dtor ()
#4  0x00637168 in zend_hash_destroy ()
#5  0x00628c0b in _zval_dtor_func ()
#6  0x0061abd9 in _zval_ptr_dtor ()
#7  0x0064a437 in zend_object_std_dtor ()
#8  0x0064a469 in zend_objects_free_object_storage ()
#9  0x0064fe16 in zend_objects_store_free_object_storage ()
#10 0x0061b123 in ?? ()
#11 0x00629bc2 in ?? ()
#12 0x005cc04d in php_request_shutdown ()
#13 0x00426004 in ?? ()
#14 0x7f9a6fddba15 in __libc_start_main () from /usr/lib/libc.so.6
#15 0x00426db9 in _start ()

Bug #64960 [Opn]: Segfault in gc_zval_possible_root
Edit report at https://bugs.php.net/bug.php?id=64960&edit=1

 ID:                 64960
 Updated by:         larue...@php.net
 Reported by:        arjen at react dot com
 Summary:            Segfault in gc_zval_possible_root
 Status:             Open
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   Archlinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

Ah, thanks, I can verify it, and got a fix. Will commit soon.

Thanks

Previous Comments:
------------------------------------------------------------------------
[2013-06-05 08:54:10] arjen at react dot com

Archlinux fetches src tarballs from http://www.php.net/downloads.php and does not apply any patch to the code. I tried the other versions to show it's not an Archlinux problem.

I manually verified by building it from src:

wget http://www.php.net/distributions/php-5.4.15.tar.gz
tar xf php-5.4.15.tar.gz
cd php-5.4.15
./configure
make
sapi/cli/php segfault.php

Fatal error: Uncaught exception 'Exception' in segfault.php:20
Stack trace:
#0 [internal function]: {closure}(8, 'ob_end_clean():...', 'segfault.php', 10, Array)
#1 segfault.php(10): ob_end_clean()
#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
#3 {main}
  thrown in segfault.php on line 20
Segmentation fault (core dumped)

sapi/cli/php -v
PHP 5.4.15 (cli) (built: Jun 5 2013 10:36:25)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

And again, when compiling from src (php.net tarball) with ./configure --enable-debug the segfault does not occur.

Bug #64960 [Opn]: Segfault in gc_zval_possible_root
Edit report at https://bugs.php.net/bug.php?id=64960&edit=1

 ID:                 64960
 Updated by:         larue...@php.net
 Reported by:        arjen at react dot com
 Summary:            Segfault in gc_zval_possible_root
 Status:             Open
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   Archlinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

I can not reproduce the segfault
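
Added example (not part of the bug report and not php-src code): a POSIX shell harness for the cross-build check this thread keeps coming back to. It separates the expected uncaught-exception exit (status 255 from the PHP CLI) from death by SIGSEGV (status 139), so a release build and an --enable-debug build can be compared on the same segfault.php. The function names, the script name check_builds.sh and the binary paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or php-src.
# Usage (paths are assumptions):
#   sh check_builds.sh segfault.php /usr/bin/php ./php-5.4.15/sapi/cli/php

# classify_status STATUS: map an exit status to how the run ended.
classify_status() {
    cs_status=$1
    if [ "$cs_status" -eq 0 ]; then
        echo clean
    elif [ "$cs_status" -eq 255 ]; then
        # The PHP CLI exits 255 after a fatal error such as an uncaught exception.
        echo fatal
    elif [ "$cs_status" -gt 128 ]; then
        # The shell reports death by signal N as 128+N; SIGSEGV is 11 on Linux.
        cs_sig=$((cs_status - 128))
        if [ "$cs_sig" -eq 11 ]; then
            echo segfault
        else
            echo "signal:$cs_sig"
        fi
    else
        echo "exit:$cs_status"
    fi
}

# run_case CMD [ARGS...]: run the command with its output discarded and
# print the classification of its exit status.
run_case() {
    rc_status=0
    # "|| rc_status=$?" keeps a failing run from aborting callers that use "set -e".
    ( "$@" ) >/dev/null 2>&1 || rc_status=$?
    classify_status "$rc_status"
}

# With a script and at least one binary given, print one "binary<TAB>result" row each.
if [ "$#" -ge 2 ]; then
    script=$1
    shift
    for php_bin in "$@"; do
        printf '%s\t%s\n' "$php_bin" "$(run_case "$php_bin" "$script")"
    done
fi
```

On an affected non-debug build the reproducer row reads "segfault"; a build where the crash does not occur reads "fatal", because the uncaught exception alone still ends the script with status 255.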