xp-framework / compiler

Compiles future PHP to today's PHP.

Segmentation fault with PHP 7.3.0-dev #35

Closed thekid closed 6 years ago

thekid commented 6 years ago

See https://travis-ci.org/xp-framework/compiler/jobs/389491676

thekid commented 6 years ago
Program received signal SIGSEGV, Segmentation fault.
0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
141                     EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
(gdb) bt
#0  0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
#1  0x000000000078a2ca in zend_object_std_init (object=0x7ffffadc2310, ce=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:36
#2  0x000000000078a6e6 in zend_objects_new (ce=ce@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:161
#3  0x0000000000759481 in _object_and_properties_init (arg=arg@entry=0x7ffffb6236f0,
    class_type=class_type@entry=0x7ffffaef34d0, properties=properties@entry=0x0)
    at .../devel/php-src/Zend/zend_API.c:1359
#4  0x0000000000759567 in _object_init_ex (arg=arg@entry=0x7ffffb6236f0, class_type=class_type@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_API.c:1374
#5  0x00000000007d7ea4 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:8720
#6  0x00000000007dfc2a in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:55311
#7  0x0000000000749188 in zend_call_function (fci=0x7ffffb6234d0, fci@entry=0x7ffffffda4d0, fci_cache=<optimized out>,
    fci_cache@entry=0x0) at .../devel/php-src/Zend/zend_execute_API.c:786
#8  0x0000000000749505 in _call_user_function_ex (object=object@entry=0x0, function_name=<optimized out>,
    retval_ptr=retval_ptr@entry=0x7ffffb621820, param_count=<optimized out>, params=<optimized out>,
    no_separation=no_separation@entry=1) at .../devel/php-src/Zend/zend_execute_API.c:628
#9  0x000000000077fee5 in zim_Closure___invoke (execute_data=<optimized out>, return_value=0x7ffffb621820)
    at .../devel/php-src/Zend/zend_closures.c:54
#10 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#11 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#12 0x0000000000784006 in zend_generator_resume (orig_generator=orig_generator@entry=0x7ffffaa15080)
    at .../devel/php-src/Zend/zend_generators.c:772
#13 0x0000000000784f30 in zend_generator_ensure_initialized (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:817
---Type <return> to continue, or q <return> to quit---
#14 zend_generator_rewind (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:826
#15 zend_generator_iterator_rewind (iterator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:1124
#16 0x000000000079f3d2 in zend_fe_reset_iterator (array_ptr=array_ptr@entry=0x7ffffb6215d0, by_ref=by_ref@entry=0)
    at .../devel/php-src/Zend/zend_execute.c:3215
#17 0x00000000007ab52b in ZEND_FE_RESET_R_SPEC_CV_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:37145
#18 0x00000000007e113d in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:58397
#19 0x0000000000749188 in zend_call_function (fci=0x7ffffb621570, fci@entry=0x7ffffffda820, fci_cache=<optimized out>,
    fci_cache@entry=0x7ffffffda800) at .../devel/php-src/Zend/zend_execute_API.c:786
#20 0x0000000000628571 in reflection_method_invoke (execute_data=<optimized out>, return_value=0x7ffffb621400,
    variadic=<optimized out>) at .../devel/php-src/ext/reflection/php_reflection.c:3208
#21 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#22 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#23 0x00000000007e799a in zend_execute (op_array=0x7ffffb67e2a0, op_array@entry=0x7ffffb7b9060,
    return_value=return_value@entry=0x7ffffb620f10)
    at .../devel/php-src/Zend/zend_vm_execute.h:59905
#24 0x00000000007578f3 in zend_execute_scripts (type=type@entry=8, retval=0x7ffffb620f10, retval@entry=0x0,
    file_count=file_count@entry=3) at .../devel/php-src/Zend/zend.c:1564
#25 0x00000000006f6d70 in php_execute_script (primary_file=primary_file@entry=0x7ffffffdced0)
    at .../devel/php-src/main/main.c:2467
#26 0x00000000007e9db9 in do_cli (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1011
#27 0x000000000043b58c in main (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1404
thekid commented 6 years ago

Filed a PHP bug @ https://bugs.php.net/bug.php?id=76427

thekid commented 6 years ago

Added some debugging:

(gdb) display executor_globals.objects_store
3: executor_globals.objects_store = {object_buckets = 0x7ffffab8b000, top = 14019, size = 16384,
  free_list_head = -43316288}

# ...
(gdb) display (char *)object.ce.name.val
21: (char *)object.ce.name.val = 0x7ffffb6f50e0 "lang\\ast\\Node"
diff --git a/Zend/zend_objects_API.c b/Zend/zend_objects_API.c
index 633abcc..505594c 100644
--- a/Zend/zend_objects_API.c
+++ b/Zend/zend_objects_API.c
@@ -138,6 +138,7 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_put(zend_object *object)
         */
        if (!(EG(flags) & EG_FLAGS_IN_SHUTDOWN) && EG(objects_store).free_list_head != -1) {
                handle = EG(objects_store).free_list_head;
+fprintf(stderr, "HANDLE %d\n", handle);
                EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
        } else {
                if (EG(objects_store).top == EG(objects_store).size) {
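Review bot: The added `fprintf` prints `handle` but leaves the index on the following line unchecked, so when the free list is corrupt (the `HANDLE 1055591296` reading below) the process still faults inside `GET_OBJ_BUCKET_NUMBER(...)` instead of stopping at a point that names the bad value and the store bounds. For a diagnostic build, guard before the index rather than after: `if (handle < 0 || (uint32_t)handle >= (uint32_t)EG(objects_store).top) { fprintf(stderr, "BAD HANDLE %d (top=%ld)\n", handle, (long)EG(objects_store).top); abort(); }` — the `handle < 0` test matters because `free_list_head` shows up as a negative value in the gdb reading above, and I am assuming `top` is an integer field as displayed, which should be confirmed against the struct definition. The debug line also sits at column 0 while the surrounding body is tab-indented, which makes the temporary line easy to lose in a diff; indenting it like its neighbours is cheap. `zend_objects_store_put` starts before and continues after this hunk, so the print does not cover the `else` branch that allocates from `top`.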

Shortly before the crash, the readings are:

HANDLE 2689
HANDLE 2272
HANDLE 2720
HANDLE 4071
HANDLE 2272
HANDLE 1055591296
Segmentation fault

So for some reason, EG(objects_store).free_list_head contains the (most probably incorrect) ID 1055591296, which I assume is not a valid index into object_buckets...

thekid commented 6 years ago

First fix http://git.php.net/?p=php-src.git;a=commitdiff;h=ffaee27478a9cb338e40edeb5acf233f9cb67111;hp=eebad01672b4201afa1049eb2f99508ac75fe2f6 unfortunately didn't catch this entirely...

thekid commented 6 years ago

Second, supplemental fix http://git.php.net/?p=php-src.git;a=commitdiff;h=72104d2b6ecbbabd18de15f10739be5ce3dc9ce0;hp=f2be6e732a0c18d5415b8372aee102829374545a fixed the problem

Kudos to @laruence for fixing this 🎉