[PHP-BUG] Bug #63407 [NEW]: segmentation fault in zval_mark_grey()

2012-10-31 Thread ber...@php.net
From: berdir
Operating system: linux
PHP version: 5.4.8
Package: Reproducible crash
Bug Type: Bug
Bug description: segmentation fault in zval_mark_grey()

Description:

I'm experiencing segfaults in the mentioned function while working on
Drupal 8. Here's what I found out so far:

- Happens both with the default ubuntu 12.04 php 5.3.10 and php 5.4.8 from
  https://launchpad.net/~ondrej/+archive/php5
- See http://drupal.org/node/512026#comment-6673974 for the backtrace
- Happens both on my local installation and our automated testbots
- The segfault does not happen if zend.enable_gc is Off.

It's non-trivial to set up, see "script" below, so just tell me what
commands to run in gdb to give you additional information if required.

Test script:
---
git clone [email protected]:project/drupal.git --branch=8.x
# Install Drupal, enable Testing module.
wget http://drupal.org/files/form-state-keyvalue-512026-98.patch
git apply form-state-keyvalue-512026-98.patch

php core/scripts/run-tests.sh --class "Drupal\views\Tests\Handler\FilterStringTest"


Expected result:

Drupal test run
---

Tests to be run:
 -  (Drupal\views\Tests\Handler\FilterStringTest)

Test run started:
 Wednesday, October 31, 2012 - 23:50

Test summary


Filter: String n passes, 0 fails, and 0 exception

Test run duration: n sec

Actual result:
--
Drupal test run
---

Tests to be run:
 -  (Drupal\views\Tests\Handler\FilterStringTest)

Test run started:
 Wednesday, October 31, 2012 - 23:50

Test summary


Segmentation fault (core dumped)
FATAL Drupal\views\Tests\Handler\FilterStringTest: test runner returned a non-zero error code (139).
- Found database prefix 'simpletest916618' for test ID 372.
- Removed test files directory.
- Removed 43 leftover tables.

Test run duration: 11 sec





Bug #63407 [Com]: segmentation fault in zval_mark_grey()

2012-11-01 Thread ber...@php.net

 ID: 63407
 Comment by: [email protected]
 Reported by: [email protected]
 Summary: segmentation fault in zval_mark_grey()
 Status: Feedback
 Type: Bug
 Package: Reproducible crash
 Operating System: linux
 PHP Version: 5.4.8
 Block user comment: N
 Private report: N

 New Comment:

Tried that, still crashes, although now it seems to happen on the line below?

Updated gdb backtrace. Do you need something else?

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x1a9fafa00) at .../php5.4-201211020030/Zend/zend_gc.c:426
426 if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
(gdb) bt
#0  zval_mark_grey (pz=0x1a9fafa00) at .../php5.4-201211020030/Zend/zend_gc.c:426
#1  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#2  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#3  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#4  0x007e43dd in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:407
#5  0x007e51f5 in gc_mark_roots () at .../php5.4-201211020030/Zend/zend_gc.c:501
#6  gc_collect_cycles () at .../php5.4-201211020030/Zend/zend_gc.c:793
#7  0x007e5584 in gc_zval_possible_root (zv=) at .../php5.4-201211020030/Zend/zend_gc.c:166
#8  0x007d4138 in zend_hash_destroy (ht=0x214ea30) at .../php5.4-201211020030/Zend/zend_hash.c:560
#9  0x007c5787 in _zval_dtor_func (zvalue=0x1db4ba0) at .../php5.4-201211020030/Zend/zend_variables.c:43
#10 0x0086ca10 in _zval_dtor (zvalue=0x1db4ba0) at .../php5.4-201211020030/Zend/zend_variables.h:35
#11 i_zval_ptr_dtor (zval_ptr=0x1db4ba0) at .../php5.4-201211020030/Zend/zend_execute.h:87
#12 zend_vm_stack_clear_multiple () at .../php5.4-201211020030/Zend/zend_execute.h:339
#13 zend_do_fcall_common_helper_SPEC (execute_data=) at .../php5.4-201211020030/Zend/zend_vm_execute.h:736
#14 0x00826cdf in execute (op_array=0x1174570) at .../php5.4-201211020030/Zend/zend_vm_execute.h:410
#15 0x007c7ea9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at .../php5.4-201211020030/Zend/zend.c:1279
#16 0x00767763 in php_execute_script (primary_file=0x7fffcd80) at .../php5.4-201211020030/main/main.c:2473
#17 0x0086f45f in do_cli (argc=10, argv=0x7fffe168) at .../php5.4-201211020030/sapi/cli/php_cli.c:988
#18 0x00435dce in main (argc=10, argv=0x7fffe168) at .../php5.4-201211020030/sapi/cli/php_cli.c:1364

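A small triage helper added here (not part of the bug thread or of PHP's own code) that parses a gdb `bt` listing like the one above and reports the crash site, how many times the faulting function re-entered itself, and whether the stack passes through gc_collect_cycles, which is what gives the "does not happen with zend.enable_gc Off" observation its weight. The sample backtrace is constructed from the frames posted in this comment, abridged.

```python
import re
# Constructed sample: frames copied from the gdb backtrace posted in this
# thread, abridged to the interesting ones (frames 9-17 dropped).
SAMPLE_BT = """\
#0  zval_mark_grey (pz=0x1a9fafa00) at .../php5.4-201211020030/Zend/zend_gc.c:426
#1  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#2  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#3  0x007e43a4 in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:432
#4  0x007e43dd in zval_mark_grey (pz=) at .../php5.4-201211020030/Zend/zend_gc.c:407
#5  0x007e51f5 in gc_mark_roots () at .../php5.4-201211020030/Zend/zend_gc.c:501
#6  gc_collect_cycles () at .../php5.4-201211020030/Zend/zend_gc.c:793
#7  0x007e5584 in gc_zval_possible_root (zv=) at .../php5.4-201211020030/Zend/zend_gc.c:166
#8  0x007d4138 in zend_hash_destroy (ht=0x214ea30) at .../php5.4-201211020030/Zend/zend_hash.c:560
#18 0x00435dce in main (argc=10, argv=0x7fffe168) at .../php5.4-201211020030/sapi/cli/php_cli.c:1364
"""
# One gdb frame: "#N  [0xADDR in ]func (args) at file:line"; inlined frames (#6) carry no address.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\((.*?)\)\s+at\s+(\S+):(\d+)$")
# Functions of the Zend cycle collector (Zend/zend_gc.c) that appear in the trace.
GC_FUNCS = {"gc_zval_possible_root", "gc_collect_cycles", "gc_mark_roots", "zval_mark_grey"}

def parse_backtrace(text):
    # Return the frames of a gdb 'bt' listing as dicts, innermost (#0) first.
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append({"func": m[2], "file": m[4].rsplit("/", 1)[-1], "line": int(m[5])})
    return frames

def triage(text):
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no gdb frames found in input")
    top = frames[0]
    # Count how many innermost frames are the faulting function calling itself.
    depth = 0
    for f in frames:
        if f["func"] != top["func"]:
            break
        depth += 1
    gc_idx = [i for i, f in enumerate(frames) if f["func"] in GC_FUNCS]
    # The frame just outside the outermost GC frame is what kicked off the collection.
    trigger = frames[gc_idx[-1] + 1]["func"] if gc_idx and gc_idx[-1] + 1 < len(frames) else None
    return {
        "crash_site": f"{top['func']} ({top['file']}:{top['line']})",
        "self_recursion_depth": depth,
        "in_gc_cycle_collection": "gc_collect_cycles" in {f["func"] for f in frames},
        "triggered_by": trigger,
    }
```

For this trace the helper reports the fault inside a five-deep zval_mark_grey recursion started by gc_collect_cycles, itself entered from zend_hash_destroy.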

Previous Comments:

[2012-11-01 02:23:19] [email protected]

Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/

There is a known issue of a segfault caused by trait aliases.

Please try with the 5.4 snapshot.
