SEGV in zend_fetch_debug_backtrace() when performing cycle collection for nested generators #15851

Closed
TimWolla opened this issue Sep 12, 2024 · 4 comments

@TimWolla
Member

Description

The following code:

<?php
class Foo {
    public $obj;
    public function __destruct()
    {
        debug_print_backtrace();
    }
}
function bar() {
    yield from foo();
}
function foo() {
    for ($i = 0; $i < 10001; $i++) {
        $obj = new Foo();
        $obj->obj = $obj;
    }

    yield;
}

$gen = bar();
foreach ($gen as $dummy);

Resulted in this output:

php-src/Zend/zend_builtin_functions.c:1898:7: runtime error: member access within null pointer of type 'zend_function' (aka 'union _zend_function')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src/Zend/zend_builtin_functions.c:1898:7 in 
php-src/Zend/zend_builtin_functions.c:1898:7: runtime error: load of null pointer of type 'uint8_t' (aka 'unsigned char')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src/Zend/zend_builtin_functions.c:1898:7 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==777360==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55721a816b98 bp 0x7fff23b3bb10 sp 0x7fff23b3a520 T0)
==777360==The signal is caused by a READ memory access.
==777360==Hint: address points to the zero page.
    #0 0x55721a816b98 in zend_fetch_debug_backtrace php-src/Zend/zend_builtin_functions.c:1898:7
    #1 0x55721a8143c5 in zif_debug_print_backtrace php-src/Zend/zend_builtin_functions.c:1823:2
    #2 0x55721aea8d74 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1287:2
    #3 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #4 0x55721a9d708b in zend_call_function php-src/Zend/zend_execute_API.c:996:3
    #5 0x55721a9db927 in zend_call_known_function php-src/Zend/zend_execute_API.c:1090:23
    #6 0x55721b41b41e in zend_call_known_instance_method php-src/Zend/zend_API.h:860:2
    #7 0x55721b4165bb in zend_call_known_instance_method_with_0_params php-src/Zend/zend_API.h:866:2
    #8 0x55721b415fbd in zend_objects_destroy_object php-src/Zend/zend_objects.c:194:3
    #9 0x55721b1211c8 in gc_call_destructors php-src/Zend/zend_gc.c:1835:5
    #10 0x55721b117ad3 in zend_gc_collect_cycles php-src/Zend/zend_gc.c:2014:5
    #11 0x55721b115437 in gc_possible_root_when_full php-src/Zend/zend_gc.c:664:23
    #12 0x55721b1142ce in gc_possible_root php-src/Zend/zend_gc.c:714:3
    #13 0x55721b0789fe in gc_check_possible_root php-src/Zend/zend_gc.h:99:3
    #14 0x55721b0783fc in i_zval_ptr_dtor php-src/Zend/zend_variables.h:47:4
    #15 0x55721aa12e04 in i_free_compiled_variables php-src/Zend/zend_execute.c:4085:3
    #16 0x55721aa12c04 in zend_free_compiled_variables php-src/Zend/zend_execute.c:4094:2
    #17 0x55721b143aff in zend_generator_close php-src/Zend/zend_generators.c:146:3
    #18 0x55721af483bc in ZEND_GENERATOR_RETURN_SPEC_CONST_HANDLER php-src/Zend/zend_vm_execute.h:4888:2
    #19 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #20 0x55721b14d924 in zend_generator_resume php-src/Zend/zend_generators.c:835:3
    #21 0x55721b1652c2 in zend_generator_iterator_move_forward php-src/Zend/zend_generators.c:1167:2
    #22 0x55721b0c1369 in zend_fe_fetch_object_helper_SPEC php-src/Zend/zend_vm_execute.h:2953:4
    #23 0x55721ad4adbe in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER php-src/Zend/zend_vm_execute.h:22921:3
    #24 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #25 0x55721aa2b082 in zend_execute php-src/Zend/zend_vm_execute.h:64237:2
    #26 0x55721b547788 in zend_execute_script php-src/Zend/zend.c:1928:3
    #27 0x55721a0f6ce6 in php_execute_script_ex php-src/main/main.c:2578:13
    #28 0x55721a0f7588 in php_execute_script php-src/main/main.c:2618:9
    #29 0x55721b555d49 in do_cli php-src/sapi/cli/php_cli.c:935:5
    #30 0x55721b551742 in main php-src/sapi/cli/php_cli.c:1309:18
    #31 0x7f127142a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #32 0x7f127142a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #33 0x557218203384 in _start (php-src/sapi/cli/php+0x1c03384) (BuildId: cc5bf4c04324412458a7726088356da3d6774196)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_builtin_functions.c:1898:7 in zend_fetch_debug_backtrace
==777360==ABORTING

But I expected this output instead:

<some backtraces>

PHP Version

git master / 306a519

Operating System

Ubuntu 24.04

@cmb69
Member
cmb69 commented Sep 12, 2024

Tentatively labeled as ext/standard issue, but might be more an engine problem.

@cmb69
Member
cmb69 commented Sep 17, 2024

This might be related to frameless calls (at least that's where the segfault happens), so maybe @iluuu1994 can have a look?

@iluuu1994
Member

Thanks Christoph. There are actually two bugs here. One from 8.2, and one only on master. See #15952.

@cmb69
Member
cmb69 commented Sep 19, 2024

Funny! I've tried that and got a looong list of backtraces, and thought the fix was bad; now looking at the given test script, I see why there has been that long list. :)

iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Sep 23, 2024
iluuu1994 added a commit to iluuu1994/php-src that referenced this issue Sep 26, 2024
jorgsowa pushed a commit to jorgsowa/php-src that referenced this issue Oct 1, 2024
jorgsowa pushed a commit to jorgsowa/php-src that referenced this issue Oct 1, 2024