Edit report at https://bugs.php.net/bug.php?id=64960&edit=1
ID: 64960
Comment by: arjen at react dot com
Reported by: arjen at react dot com
Summary: Segfault in gc_zval_possible_root
Status: Open
Type: Bug
Package: Scripting Engine problem
Operating System: Archlinux
PHP Version: 5.4.15
Block user comment: N
Private report: N
New Comment:
Verified it's not an Archlinux issue:
~$ php -v
PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch (cli) (built: Mar 11 2013 14:31:48)
~$ php segfault.php
PHP Notice: ob_end_flush(): failed to delete and flush buffer. No buffer to delete or flush in /home/arjen/segfault.php on line 3
PHP Fatal error: Uncaught exception 'Exception' in /home/arjen/segfault.php:19
Stack trace:
#0 [internal function]: {closure}(8, 'ob_end_clean():...', '/home/arjen/seg...', 9, Array)
#1 /home/arjen/segfault.php(9): ob_end_clean()
#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
#3 {main}
thrown in /home/arjen/segfault.php on line 19
Segmentation fault (core dumped)
Previous Comments:
------------------------------------------------------------------------
[2013-06-04 15:28:15] [email protected]
I can not reproduce the "segfault"
------------------------------------------------------------------------
[2013-06-03 11:48:55] arjen at react dot com
Description:
------------
Affects >= 5.3.0, including 5.4.16.
See http://3v4l.org/dTDPH#v536
Combination of custom exception handler and error handler, custom property with a debug_backtrace defined to an exception and calling ob_end_clean while ob_end_flush was called.
Wasn't able to reduce this further.
Test script:
---------------
<?php
// this makes ob_end_clean raise an error
ob_end_flush();

class ExceptionHandler {
    public function __invoke (Exception $e)
    {
        // this triggers the custom error handler
        ob_end_clean();
    }
}

// this must be a class, closure does not trigger segfault
set_exception_handler(new ExceptionHandler());

// exception must be thrown from error handler.
set_error_handler(function()
{
    $e = new Exception;
    $e->_trace = debug_backtrace();
    throw $e;
});

// trigger error handler
$a['waa'];
Expected result:
----------------
No segfault.
Actual result:
--------------
#0 0x0000000000648779 in gc_zval_possible_root ()
#1 0x0000000000637168 in zend_hash_destroy ()
#2 0x0000000000628c0b in _zval_dtor_func ()
#3 0x000000000061abd9 in _zval_ptr_dtor ()
#4 0x0000000000637168 in zend_hash_destroy ()
#5 0x0000000000628c0b in _zval_dtor_func ()
#6 0x000000000061abd9 in _zval_ptr_dtor ()
#7 0x000000000064a437 in zend_object_std_dtor ()
#8 0x000000000064a469 in zend_objects_free_object_storage ()
#9 0x000000000064fe16 in zend_objects_store_free_object_storage ()
#10 0x000000000061b123 in ?? ()
#11 0x0000000000629bc2 in ?? ()
#12 0x00000000005cc04d in php_request_shutdown ()
#13 0x0000000000426004 in ?? ()
#14 0x00007f9a6fddba15 in __libc_start_main () from /usr/lib/libc.so.6
#15 0x0000000000426db9 in _start ()
------------------------------------------------------------------------
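A defensive version of the handler pair from the test script, added here as an example and not taken from the report or from PHP itself: the exception handler discards only buffers that exist, and the error handler throws the built-in ErrorException instead of storing debug_backtrace() on the exception, and stops throwing once exception handling has started. The class name SafeExceptionHandler and its $active flag are hypothetical, and it is an assumption, not tested against the affected builds, that avoiding these conditions avoids the crash.

```php
<?php
// Added example. SafeExceptionHandler and $active are hypothetical names.
final class SafeExceptionHandler
{
    // True once uncaught-exception handling has started.
    public static $active = false;

    public function __invoke($e)
    {
        self::$active = true;

        // Discard only buffers that exist, so ob_end_clean() is never called
        // with an empty buffer stack (the notice shown in the report).
        while (ob_get_level() > 0) {
            if (!ob_end_clean()) {
                break; // buffer is not removable; stop instead of looping
            }
        }

        error_log(sprintf('Uncaught %s: %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    }
}

set_exception_handler(new SafeExceptionHandler());

set_error_handler(function ($severity, $message, $file, $line) {
    if (SafeExceptionHandler::$active) {
        // Already inside the exception handler: log and return, never throw.
        error_log("Error during exception handling: $message in $file:$line");
        return true;
    }
    // ErrorException records its own trace; no debug_backtrace() array is
    // attached to the object as a custom property.
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Constructed trigger, same as the last line of the test script.
$a['waa'];
```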