Bug #64896 [Com]: Segfault with gc_collect_cycles using unserialize on certain objects
Edit report at https://bugs.php.net/bug.php?id=64896&edit=1 ID: 64896 Comment by: webm4st0r at gmail dot com Reported by:mark dot chong at acquireap dot com Summary:Segfault with gc_collect_cycles using unserialize on certain objects Status: Open Type: Bug Package:Reproducible crash Operating System: ubuntu PHP Version:5.4.15 Block user comment: N Private report: N New Comment: I believe I am hitting a similar issue to this through running some test suites. I've not yet been able to get a smaller script to reproduce the problem, though the one in this issue does fail to run. I have tested this on 5.4.16 on 64bit CentOS 6. I would be interested in testing a patch for this to determine if it truly is the same problem, as the crash I'm seeing in the test run is during php_request_shutdown, sometimes within a gc_collect_cycles, sometimes within a destroy_zend_class. I am unable to reproduce these failures with zend.enable_gc = 0, or in a debug build. I can provide some stack traces for both failures I've seen if that would be useful in looking into this. Previous Comments: [2013-06-05 13:32:34] larue...@php.net Ha, I can reproduce this with non-debug build now. thanks [2013-06-05 11:18:22] arjen at react dot com I can confirm the segfault using PHP-5.4.15 build from php.net sources. Backtrace is same as above @ https://gist.github.com/anonymous/5713123 Valgrind trace @ https://gist.github.com/anonymous/5713183 [2013-05-30 21:17:17] sjon at hortensius dot net @laruence I can reproduce this easily, see http://3v4l.org/Z9Bg7#v545 every version of PHP since 5.4.5 segfaults on the script (without xdebug) here is your backtrace without xdebug: #0 0x00608737 in ?? () #1 0x0061f349 in _zval_ptr_dtor () #2 0x0063b8d8 in zend_hash_destroy () #3 0x0062d37b in _zval_dtor_func () #4 0x0069e31d in ?? () #5 0x0065508f in execute () #6 0x00621190 in zend_call_function () #7 0x00644e55 in zend_call_method () #8 0x0064eab2 in zend_objects_destroy_object () #9 0x0064c9a8 in gc_collect_cycles () #10 0x0063e699 in ?? () #11 0x006d6d6c in ?? () #12 0x0065508f in execute () #13 0x0062fb94 in zend_execute_scripts () #14 0x005d1afc in php_execute_script () #15 0x006d8d1f in ?? () #16 0x0042615d in ?? () #17 0x7690fa15 in __libc_start_main () from /usr/lib/libc.so.6 #18 0x004261f9 in _start () With a debug-build; this problem seems unreproducable [2013-05-24 13:23:43] larue...@php.net please disable xdebug then try again [2013-05-24 01:21:08] edward dot savage at dodo dot com With the given test case I get the segfault as described (Ubuntu 13.04/PHP 5.4.9-4ubuntu2). I found that I could work around it by adding a function like 'usleep(1);' or '$var = 2;' between global and the $bar operation in the destructor. A simple operation like '6^123;', even repeated at length, wasn't enough to avoid the fault. Once the test case was running without crashing I started looking at the array assignment to $bar. I found that printing the result of $bar after the destructor ran showed that the values of $this->_private were lost from the global $bar. Even more information is lost when gc_collect_cycles is executed. It can be shown to only be the values as an assigned multidimensional array will retain its keys. This loss of data and the segfault can be avoided by moving the $bar assignment into a pseudo destructor or by removing the circular reference. However, for the reported case there is definitely a data integrity issue when assigning an array to a global in a __destruct with a circular reference present. I could not repeat this issue with other types of assignment like string and object. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=64896 -- Edit this bug report at https://bugs.php.net/bug.php?id=64896&edit=1
[PHP-BUG] Bug #55323 [NEW]: SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself
From:
Operating system: Any
PHP version: Irrelevant
Package: SOAP related
Bug Type: Bug
Bug description:SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION
contains itself
Description:
While running a soap client in wsdl mode, if the response of a call
contains an
element which is
an extension, and it contains itself, an infinite loop occurs in resulting
in a
segmentation fault. The provided patch is against 5.3.6, does not produce
the
expected results (but does not segfault), and causes other tests to fail,
but it
identifies where the problem is (to_zval_object_ex). I've confirmed that
this also
occurs in previous versions.
Test script:
---
Test script: http://soapbug.privatepaste.com/700d21fc7f
WSDL: http://soapbug.privatepaste.com/4d7e882d61
XSD: http://soapbug.privatepaste.com/43f7a3e274
Expected result:
object(stdClass)#%d (2) {
["accountId"]=>
int(1234)
["parent"]=>
*RECURSION*
}
}
Actual result:
--
Segmentation fault
--
Edit bug report at https://bugs.php.net/bug.php?id=55323&edit=1
--
Try a snapshot (PHP 5.4):
https://bugs.php.net/fix.php?id=55323&r=trysnapshot54
Try a snapshot (PHP 5.3):
https://bugs.php.net/fix.php?id=55323&r=trysnapshot53
Try a snapshot (trunk):
https://bugs.php.net/fix.php?id=55323&r=trysnapshottrunk
Fixed in SVN:
https://bugs.php.net/fix.php?id=55323&r=fixed
Fixed in SVN and need be documented:
https://bugs.php.net/fix.php?id=55323&r=needdocs
Fixed in release:
https://bugs.php.net/fix.php?id=55323&r=alreadyfixed
Need backtrace:
https://bugs.php.net/fix.php?id=55323&r=needtrace
Need Reproduce Script:
https://bugs.php.net/fix.php?id=55323&r=needscript
Try newer version:
https://bugs.php.net/fix.php?id=55323&r=oldversion
Not developer issue:
https://bugs.php.net/fix.php?id=55323&r=support
Expected behavior:
https://bugs.php.net/fix.php?id=55323&r=notwrong
Not enough info:
https://bugs.php.net/fix.php?id=55323&r=notenoughinfo
Submitted twice:
https://bugs.php.net/fix.php?id=55323&r=submittedtwice
register_globals:
https://bugs.php.net/fix.php?id=55323&r=globals
PHP 4 support discontinued:
https://bugs.php.net/fix.php?id=55323&r=php4
Daylight Savings:https://bugs.php.net/fix.php?id=55323&r=dst
IIS Stability:
https://bugs.php.net/fix.php?id=55323&r=isapi
Install GNU Sed:
https://bugs.php.net/fix.php?id=55323&r=gnused
Floating point limitations:
https://bugs.php.net/fix.php?id=55323&r=float
No Zend Extensions:
https://bugs.php.net/fix.php?id=55323&r=nozend
MySQL Configuration Error:
https://bugs.php.net/fix.php?id=55323&r=mysqlcfg
Bug #55323 [Com]: SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself
Edit report at https://bugs.php.net/bug.php?id=55323&edit=1
ID: 55323
Comment by: webm4st0r at gmail dot com
Reported by:webm4st0r at gmail dot com
Summary:SoapClient segmentation fault when
XSD_TYPEKIND_EXTENSION contains itself
Status: Open
Type: Bug
Package:SOAP related
Operating System: Any
PHP Version:Irrelevant
Block user comment: N
Private report: N
New Comment:
Updated the attached patch with one that appears to produce the correct results
and passes all existing tests.
Previous Comments:
[2011-07-30 08:43:59] webm4st0r at gmail dot com
Description:
While running a soap client in wsdl mode, if the response of a call contains an
element which is
an extension, and it contains itself, an infinite loop occurs in resulting in a
segmentation fault. The provided patch is against 5.3.6, does not produce the
expected results (but does not segfault), and causes other tests to fail, but
it
identifies where the problem is (to_zval_object_ex). I've confirmed that this
also
occurs in previous versions.
Test script:
---
Test script: http://soapbug.privatepaste.com/700d21fc7f
WSDL: http://soapbug.privatepaste.com/4d7e882d61
XSD: http://soapbug.privatepaste.com/43f7a3e274
Expected result:
object(stdClass)#%d (2) {
["accountId"]=>
int(1234)
["parent"]=>
*RECURSION*
}
}
Actual result:
--
Segmentation fault
--
Edit this bug report at https://bugs.php.net/bug.php?id=55323&edit=1
