SegFault 11 on 5.5.6 on function return

From:
Date: Mon, 09 Dec 2013 17:25:47 +0000
Subject: SegFault 11 on 5.5.6 on function return
Groups: php.internals 
Hi all,

We started noticing Segfaults in Travis when PHP was upgraded to 5.5.6.
I've tested this particular issue on both Linux and Mac and can
produce the segfault in both places.

Looking at the backtrace (provided), can anyone offer assistance as to 
what changed between 5.5.5 and 5.5.6 that might be causing this?

I've been able to isolate the last line of PHP code that executes before 
the segfault:

 
https://github.com/sebastianbergmann/phpunit/blob/3.7/PHPUnit/Util/Type.php#L203

I know the value of $value there to be null when this SegFault occurs.

Also, the backtrace seems to hint at a problem in the garbage collector 
since the source of the issue emanates from gc_remove_from_buffer().

My guesses...

Is it possible that either the garbage collector is running and 
destroying the stack, and that when unwinding the stack frames it is in 
an inconsistent state and/or the return value for that particular 
function is not placed on the stack so that the stack is in the proper 
context when the return is processed?

I can do additional research if anyone would like to point me in the 
right direction, or I can provide access to a VM where this particular 
backtrace was produced from.

Thanks in advance.
-ralph


travis@debug-ralphschindler-hs-3881-php-1386357134:~/zendframework/zf2/tests$ /home/travis/.phpenv/versions/5.5.6/bin/php --version
PHP 5.5.6 (cli) (built: Nov 30 2013 14:49:24)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.3, Copyright (c) 2002-2013, by Derick Rethans
travis@debug-ralphschindler-hs-3881-php-1386357134:~/zendframework/zf2/tests$ gdb --args /home/travis/.phpenv/versions/5.5.6/bin/php ../vendor/bin/phpunit --tap ZendTest/Soap/Client/DotNetTest.php
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/travis/.phpenv/versions/5.5.6/bin/php...done.
(gdb) run
Starting program: /home/travis/.phpenv/versions/5.5.6/bin/php ../vendor/bin/phpunit --tap ZendTest/Soap/Client/DotNetTest.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7fff000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
TAP version 13
ok 1 - ZendTest\Soap\Client\DotNetTest::testADefaultCurlClientIsUsedIfNoneIsInjected
ok 2 - ZendTest\Soap\Client\DotNetTest::testCurlClientCanBeInjected
ok 3 - ZendTest\Soap\Client\DotNetTest::testCurlClientRequestIsDoneWhenUsingNtlmAuthentication

Program received signal SIGSEGV, Segmentation fault.
0x00000000008a696e in gc_remove_from_buffer (tsrm_ls=0x114fea0, root=0x141e330) at /tmp/php-build/source/5.5.6/Zend/zend_gc.h:189
189 /tmp/php-build/source/5.5.6/Zend/zend_gc.h: No such file or directory.
(gdb) bt
#0 0x00000000008a696e in gc_remove_from_buffer (tsrm_ls=0x114fea0, root=0x141e330) at /tmp/php-build/source/5.5.6/Zend/zend_gc.h:189
#1 gc_remove_zval_from_buffer (zv=0x7fffffff7c30, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_gc.c:265
#2 0x000000000093d0f3 in i_zval_ptr_dtor (zval_ptr=0x7fffffff7c30) at /tmp/php-build/source/5.5.6/Zend/zend_execute.h:80
#3 i_free_compiled_variables (execute_data=0x7ffff7f99ef8) at /tmp/php-build/source/5.5.6/Zend/zend_execute.c:1511
#4 zend_leave_helper_SPEC (execute_data=0x7ffff7f99ef8, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:399
#5 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f99ef8, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#6 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f99ef8, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#7 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f99d98, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#8 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f99d98, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#9 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f99d98, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#10 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f99b50, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#11 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f99b50, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#12 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f99b50, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#13 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f99820, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#14 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f99820, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#15 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f99820, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#16 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f99268, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#17 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f99268, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#18 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f99268, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#19 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f990a8, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#20 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f990a8, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#21 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f990a8, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#22 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f98e60, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#23 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f98e60, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#24 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f98e60, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#25 0x0000000000875190 in zend_call_function (fci=0x7fffffff8a30, fci_cache=<optimized out>, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_execute_API.c:939
#26 0x00000000006c1466 in zim_reflection_method_invokeArgs (tsrm_ls=0x114fea0, this_ptr=<optimized out>, return_value=0x1793928, ht=<optimized out>, return_value_ptr=<optimized out>, return_value_used=<optimized out>) at /tmp/php-build/source/5.5.6/ext/reflection/php_reflection.c:3018
#27 zim_reflection_method_invokeArgs (ht=<optimized out>, return_value=0x1793928, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/ext/reflection/php_reflection.c:2921
#28 0x00007fffedb5b7dd in xdebug_execute_internal (current_execute_data=0x7ffff7f989f0, fci=0x0, return_value_used=1, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1553
#29 0x000000000093f61a in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>, tsrm_ls=<optimized out>) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:552
#30 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f989f0, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#31 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f989f0, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#32 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f97f78, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#33 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f97f78, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#34 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f97f78, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#35 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f96c90, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#36 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f96c90, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#37 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f96c90, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#38 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f957e0, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#39 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f957e0, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#40 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f957e0, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#41 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f94770, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#42 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f94770, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#43 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f94770, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#44 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f94548, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#45 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f94548, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#46 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f94548, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#47 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f93218, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#48 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f93218, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#49 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f93218, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#50 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f90d90, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#51 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f90d90, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#52 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f90d90, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#53 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f90478, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#54 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f90478, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#55 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f90478, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#56 0x000000000093fd83 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f902c0, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:584
#57 0x00000000008fd67b in execute_ex (execute_data=0x7ffff7f902c0, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/Zend/zend_vm_execute.h:363
#58 0x00007fffedb5d0d5 in xdebug_execute_ex (execute_data=0x7ffff7f902c0, tsrm_ls=0x114fea0) at /tmp/php-build/source/xdebug-2.2.3/xdebug.c:1437
#59 0x00000000008862f8 in zend_execute_scripts (type=8, tsrm_ls=0x114fea0, retval=0x0, file_count=3) at /tmp/php-build/source/5.5.6/Zend/zend.c:1320
#60 0x0000000000815964 in php_execute_script (primary_file=0x7fffffffc530, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/main/main.c:2489
---Type <return> to continue, or q <return> to quit---
#61 0x0000000000943581 in do_cli (argc=4, argv=0x114fd40, tsrm_ls=0x114fea0) at /tmp/php-build/source/5.5.6/sapi/cli/php_cli.c:994
#62 0x0000000000446c00 in main (argc=4, argv=0x114fd40) at /tmp/php-build/source/5.5.6/sapi/cli/php_cli.c:1378
