Edit report at https://bugs.php.net/bug.php?id=64896&edit=1
ID: 64896
Comment by: webm4st0r at gmail dot com
Reported by: mark dot chong at acquireap dot com
Summary: Segfault with gc_collect_cycles using unserialize on
certain objects
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: ubuntu
PHP Version: 5.4.15
Block user comment: N
Private report: N
New Comment:
I believe I am hitting a similar issue to this through running some test
suites.
I've not yet been able to get a smaller script to reproduce the problem, though
the one in this issue does fail to run.
I have tested this on 5.4.16 on 64bit CentOS 6. I would be interested in
testing
a patch for this to determine if it truly is the same problem, as the crash I'm
seeing in the test run is during php_request_shutdown, sometimes within a
gc_collect_cycles, sometimes within a destroy_zend_class.
I am unable to reproduce these failures with zend.enable_gc = 0, or in a debug
build.
I can provide some stack traces for both failures I've seen if that would be
useful in looking into this.
Previous Comments:
------------------------------------------------------------------------
[2013-06-05 13:32:34] larue...@php.net
Ha, I can reproduce this with non-debug build now. thanks
------------------------------------------------------------------------
[2013-06-05 11:18:22] arjen at react dot com
I can confirm the segfault using PHP-5.4.15 build from php.net sources.
Backtrace is same as above @ https://gist.github.com/anonymous/5713123
Valgrind trace @ https://gist.github.com/anonymous/5713183
------------------------------------------------------------------------
[2013-05-30 21:17:17] sjon at hortensius dot net
@laruence I can reproduce this easily, see http://3v4l.org/Z9Bg7#v545 every
version of PHP since 5.4.5 segfaults on the script (without xdebug)
here is your backtrace without xdebug:
#0 0x0000000000608737 in ?? ()
#1 0x000000000061f349 in _zval_ptr_dtor ()
#2 0x000000000063b8d8 in zend_hash_destroy ()
#3 0x000000000062d37b in _zval_dtor_func ()
#4 0x000000000069e31d in ?? ()
#5 0x000000000065508f in execute ()
#6 0x0000000000621190 in zend_call_function ()
#7 0x0000000000644e55 in zend_call_method ()
#8 0x000000000064eab2 in zend_objects_destroy_object ()
#9 0x000000000064c9a8 in gc_collect_cycles ()
#10 0x000000000063e699 in ?? ()
#11 0x00000000006d6d6c in ?? ()
#12 0x000000000065508f in execute ()
#13 0x000000000062fb94 in zend_execute_scripts ()
#14 0x00000000005d1afc in php_execute_script ()
#15 0x00000000006d8d1f in ?? ()
#16 0x000000000042615d in ?? ()
#17 0x00007ffff690fa15 in __libc_start_main () from /usr/lib/libc.so.6
#18 0x00000000004261f9 in _start ()
With a debug-build; this problem seems unreproducable
------------------------------------------------------------------------
[2013-05-24 13:23:43] larue...@php.net
please disable xdebug then try again
------------------------------------------------------------------------
[2013-05-24 01:21:08] edward dot savage at dodo dot com
With the given test case I get the segfault as described (Ubuntu 13.04/PHP
5.4.9-4ubuntu2). I found that I could work around it by adding a function like
'usleep(1);' or '$var = 2;' between global and the $bar operation in the
destructor. A simple operation like '6^123;', even repeated at length, wasn't
enough to avoid the fault.
Once the test case was running without crashing I started looking at the array
assignment to $bar. I found that printing the result of $bar after the
destructor ran showed that the values of $this->_private were lost from the
global $bar. Even more information is lost when gc_collect_cycles is executed.
It can be shown to only be the values as an assigned multidimensional array
will retain its keys.
This loss of data and the segfault can be avoided by moving the $bar assignment
into a pseudo destructor or by removing the circular reference. However, for
the reported case there is definitely a data integrity issue when assigning an
array to a global in a __destruct with a circular reference present. I could
not repeat this issue with other types of assignment like string and object.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=64896
--
Edit this bug report at https://bugs.php.net/bug.php?id=64896&edit=1
