PHP :: Bug #70631 :: Another Segfault in gc_remove_from_buffer()
| Bug #70631 | Another Segfault in gc_remove_from_buffer() | | |
|---|---|---|---|
| Submitted: | 2015-10-04 02:56 UTC | Modified: | - |
| From: | laruence@php.net | Assigned: | |
| Status: | Closed | Package: | *General Issues |
| PHP Version: | 5.6.14 | OS: | all |
| Private report: | No | CVE-ID: | None |
[2015-10-04 02:56 UTC] laruence@php.net
Description:
------------
This bug can only be triggered with concurrent requests,
for example using ab -n 1000 -c 50.
Test script:
---------------
<?php
function x($x = array(1)) {}
$func = new ReflectionFunction('x');
$params = $func->getParameters();
echo $params[0]->getDefaultValue();
?>
Expected result:
----------------
no segfault
Actual result:
--------------
segfault
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000091a4a7 in gc_remove_from_buffer (root=0x7f7b2f69e5e8) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.h:189
189 root->next->prev = root->prev;
(gdb) bt
#0 0x000000000091a4a7 in gc_remove_from_buffer (root=0x7f7b2f69e5e8) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.h:189
#1 0x000000000091acc3 in gc_remove_zval_from_buffer (zv=0x7f7b2f69e630) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.c:260
#2 0x00000000008d744a in i_zval_ptr_dtor (zval_ptr=0x7f7b2f69e630, __zend_filename=0xdcd070 "/home/huixinchen/opensource/php-5.6/Zend/zend_variables.c", __zend_lineno=188) at /home/huixinchen/opensource/php-5.6/Zend/zend_execute.h:78
#3 0x00000000008d86c5 in _zval_ptr_dtor (zval_ptr=0x7f7b3644b590, __zend_filename=0xdcd070 "/home/huixinchen/opensource/php-5.6/Zend/zend_variables.c", __zend_lineno=188)
at /home/huixinchen/opensource/php-5.6/Zend/zend_execute_API.c:424
#4 0x00000000008ec15a in _zval_ptr_dtor_wrapper (zval_ptr=0x7f7b3644b590) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.c:188
#5 0x0000000000901823 in zend_hash_destroy (ht=0x7f7b3644b440) at /home/huixinchen/opensource/php-5.6/Zend/zend_hash.c:548
#6 0x00000000008ebcf9 in _zval_dtor_func (zvalue=0x7f7b3644b3c8, __zend_filename=0xdd1ab8 "/home/huixinchen/opensource/php-5.6/Zend/zend_execute.h", __zend_lineno=95) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.c:45
#7 0x000000000092e9c6 in _zval_dtor (zvalue=0x7f7b3644b3c8, __zend_filename=0xdd1ab8 "/home/huixinchen/opensource/php-5.6/Zend/zend_execute.h", __zend_lineno=95) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.h:35
#8 0x000000000092eb66 in i_zval_ptr_dtor_nogc (zval_ptr=0x7f7b3644b3c8, __zend_filename=0xdd2130 "/home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h", __zend_lineno=13044)
at /home/huixinchen/opensource/php-5.6/Zend/zend_execute.h:95
#9 0x0000000000950397 in ZEND_ECHO_SPEC_VAR_HANDLER (execute_data=0x7f7b36419ca8) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:13044
#10 0x00000000009342b2 in execute_ex (execute_data=0x7f7b36419ca8) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:363
#11 0x000000000093433b in zend_execute (op_array=0x7f7b3644a910) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:388
#12 0x00000000008ef790 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/huixinchen/opensource/php-5.6/Zend/zend.c:1341
#13 0x000000000085596f in php_execute_script (primary_file=0x7fff762650b0) at /home/huixinchen/opensource/php-5.6/main/main.c:2597
#14 0x00000000009b0b60 in main (argc=1, argv=0x7fff76267418) at /home/huixinchen/opensource/php-5.6/sapi/fpm/fpm/fpm_main.c:1964