[1.2.0 - 1.2.3] Segfault @ PriorityQueue

[andrew-demb]

Segfault on call gc_collect_cycles(). Problem is reproduced on 1.2.0 - 1.2.3 versions.
Installed via pecl (1.2.0-1.2.3) and compiled from sources

php -v:

PHP 7.1.11-1+ubuntu17.04.1+deb.sury.org+1 (cli) (built: Oct 27 2017 13:50:28) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.11-1+ubuntu17.04.1+deb.sury.org+1, Copyright (c) 1999-2017, by Zend Technologies

ds:

ds support => enabled
ds version => 1.2.3

PHP:

ad@ad-desktop:~/php/php-ds$ cat priority-queue-segfault.php 
<?php
$queue = new Ds\PriorityQueue();
gc_collect_cycles();

gdb output:

(gdb) run priority-queue-segfault.php 
Starting program: /usr/bin/php priority-queue-segfault.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
ds_priority_queue_copy_gc (gc_size=0x7fffffffa3f4, gc_data=0x7fffffffa3f8, obj=0x7ffff386b140) at /home/ad/extension/src/php/handlers/php_priority_queue_handlers.c:51
51	        ZVAL_COPY_VALUE(target++, value);
(gdb) bt
#0  ds_priority_queue_copy_gc (gc_size=0x7fffffffa3f4, gc_data=0x7fffffffa3f8, obj=0x7ffff386b140) at /home/ad/extension/src/php/handlers/php_priority_queue_handlers.c:51
#1  php_ds_priority_queue_get_gc (object=<optimized out>, gc_data=0x7fffffffa3f8, gc_size=0x7fffffffa3f4) at /home/ad/extension/src/php/handlers/php_priority_queue_handlers.c:70
#2  0x00005555557ec9f9 in gc_mark_grey (ref=<optimized out>) at ./Zend/zend_gc.c:499
#3  0x00005555557eda80 in gc_mark_roots () at ./Zend/zend_gc.c:598
#4  zend_gc_collect_cycles () at ./Zend/zend_gc.c:1072
#5  0x00005555557d941d in zif_gc_collect_cycles (execute_data=<optimized out>, return_value=0x7fffffffa510) at ./Zend/zend_builtin_functions.c:476
#6  0x000055555581ef9a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:628
#7  0x000055555580d7eb in execute_ex (ex=<optimized out>) at ./Zend/zend_vm_execute.h:429
#8  0x0000555555868a38 in zend_execute (op_array=op_array@entry=0x7ffff3882000, return_value=return_value@entry=0x7ffff38772c0) at ./Zend/zend_vm_execute.h:474
#9  0x00005555557c3b33 in zend_execute_scripts (type=-209637328, type@entry=8, retval=0x7ffff38772c0, retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1482
#10 0x000055555575fb80 in php_execute_script (primary_file=0x7fffffffcb30) at ./main/main.c:2577
#11 0x000055555586aca0 in do_cli (argc=2, argv=0x555555be2140) at ./sapi/cli/php_cli.c:993
#12 0x000055555563b4d9 in main (argc=2, argv=0x555555be2140) at ./sapi/cli/php_cli.c:1381
(gdb)

[andrew-demb]

(gdb) bt full
#0  ds_priority_queue_copy_gc (gc_size=0x7fffffffa3f4, gc_data=0x7fffffffa3f8, obj=0x7ffff386b140) at /home/ad/extension/src/php/handlers/php_priority_queue_handlers.c:51
        _z1 = 0x10
        _z2 = 0x7ffff3877300
        _gc = 0x0
        _t = 0
        _queue = <optimized out>
        _node = 0x7ffff3877318
        _last = 0x8017f38772e8
        value = 0x7ffff3877300
        target = 0x10
        __node = 0x7ffff3877300
#1  php_ds_priority_queue_get_gc (object=<optimized out>, gc_data=0x7fffffffa3f8, gc_size=0x7fffffffa3f4) at /home/ad/extension/src/php/handlers/php_priority_queue_handlers.c:70
        obj = 0x7ffff386b140
#2  0x00005555557ec9f9 in gc_mark_grey (ref=<optimized out>) at ./Zend/zend_gc.c:499
        n = 0
        zv = 0xffffffff00000004
        end = <optimized out>
        tmp = {value = {lval = 140737279078720, dval = 6.9533454681967552e-310, counted = 0x7ffff386b140, str = 0x7ffff386b140, arr = 0x7ffff386b140, obj = 0x7ffff386b140, res = 0x7ffff386b140, 
            ref = 0x7ffff386b140, ast = 0x7ffff386b140, zv = 0x7ffff386b140, ptr = 0x7ffff386b140, ce = 0x7ffff386b140, func = 0x7ffff386b140, ww = {w1 = 4085690688, w2 = 32767}}, u1 = {v = {type = 8 '\b', 
              type_flags = 12 '\f', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 3080}, u2 = {next = 4294967295, cache_slot = 4294967295, lineno = 4294967295, num_args = 4294967295, 
            fe_pos = 4294967295, fe_iter_idx = 4294967295, access_flags = 4294967295, property_guard = 4294967295, extra = 4294967295}}
        get_gc = <optimized out>
        obj = <optimized out>
        ht = 0x0
        p = <optimized out>
        end = <optimized out>
        zv = <optimized out>
#3  0x00005555557eda80 in gc_mark_roots () at ./Zend/zend_gc.c:598
        current = 0x7ffff7f7c050
#4  zend_gc_collect_cycles () at ./Zend/zend_gc.c:1072
        current = <optimized out>
        gc_flags = 0
        next = <optimized out>
        orig_next_to_free = <optimized out>
        p = <optimized out>
        to_free = {ref = 0x7fffe988d088 <php_ds_priority_queue_ce>, next = 0x7ffff386b180, prev = 0x7ffff386b180, refcount = 1442470416}
        additional_buffer_snapshot = <optimized out>
        count = 0
#5  0x00005555557d941d in zif_gc_collect_cycles (execute_data=<optimized out>, return_value=0x7fffffffa510) at ./Zend/zend_builtin_functions.c:476
        __z = 0x7fffffffa510
#6  0x000055555581ef9a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:628
        call = 0x7ffff38130d0
        fbc = <optimized out>
        ret = 0x7fffffffa510
        retval = {value = {lval = 140737279103264, dval = 6.9533454694093899e-310, counted = 0x7ffff3871120, str = 0x7ffff3871120, arr = 0x7ffff3871120, obj = 0x7ffff3871120, res = 0x7ffff3871120, 
            ref = 0x7ffff3871120, ast = 0x7ffff3871120, zv = 0x7ffff3871120, ptr = 0x7ffff3871120, ce = 0x7ffff3871120, func = 0x7ffff3871120, ww = {w1 = 4085715232, w2 = 32767}}, u1 = {v = {type = 1 '\001', 
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 1}, u2 = {next = 21845, cache_slot = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, 
            access_flags = 21845, property_guard = 21845, extra = 21845}}
#7  0x000055555580d7eb in execute_ex (ex=<optimized out>) at ./Zend/zend_vm_execute.h:429
        orig_opline = 0x0
        orig_execute_data = 0x8
#8  0x0000555555868a38 in zend_execute (op_array=op_array@entry=0x7ffff3882000, return_value=return_value@entry=0x7ffff38772c0) at ./Zend/zend_vm_execute.h:474
No locals.
#9  0x00005555557c3b33 in zend_execute_scripts (type=-209637328, type@entry=8, retval=0x7ffff38772c0, retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1482
        files = {{gp_offset = 40, fp_offset = 32767, overflow_arg_area = 0x7fffffffa650, reg_save_area = 0x7fffffffa5e0}}
        i = 1
        file_handle = 0x7fffffffcb30
        op_array = 0x7ffff3882000
#10 0x000055555575fb80 in php_execute_script (primary_file=0x7fffffffcb30) at ./main/main.c:2577
        realfile = "/home/ad/php/php-ds/priority-queue-segfault.php\000\220\346\322UUU\000\000\220\271\377\377\377\177\000\000\060\274\377\377\377\177\000\000Ĺ\377\377\377\177\000\000\217\213\374\071\226Rb\300M\3-
#10 0x000055555575fb80 in php_execute_script (primary_file=0x7fffffffcb30) at ./main/main.c:2577
        realfile = "/home/ad/php/php-ds/priority-queue-segfault.php\000\220\346\322UUU\000\000\220\271\377\377\377\177\000\000\060\274\377\377\377\177\000\000Ĺ\377\377\377\177\000\000\217\213\374\071\226Rb\300M\3---Type <return> to continue, or q <return> to quit---
74~UUU\000\000(\000\000\000\000\000\000\000\000\313w\366\377\177\000\000`\000\000\000\000\000\000\000p\353\307UUU\000\000\001\000\000\000\001", '\000' <repeats 11 times>, "\002\000\000\000\002", '\000' <repeats 11 times>, "\001\000\000\000\000\000\000\000\001\000\000\000P\000\000\000 \362\307UUU\000\000ݒ|UUU\000\000\023", '\000' <repeats 15 times>...
        __orig_bailout = 0x7fffffffcba0
        __bailout = {{__jmpbuf = {0, 3160691127296596131, 140737488341440, 93824995865112, 1, 0, 3160691126268991651, 9117628438517127331}, __mask_was_saved = 0, __saved_mask = {__val = {140737351920759, 
                93824999670448, 140737488337168, 1879047679, 140737351900874, 472446402651, 140737488336496, 140737118122168, 2175160, 140737488336544, 140737328433920, 140737328433920, 1168, 32, 93824999738080, 
                93824999738080}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, 
              closer = 0x0}}, filename = 0x0, opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, 
              closer = 0x0}}, filename = 0x0, opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7fffffffa650 ""
        retval = 0
#11 0x000055555586aca0 in do_cli (argc=2, argv=0x555555be2140) at ./sapi/cli/php_cli.c:993
        __orig_bailout = 0x7fffffffdd50
        __bailout = {{__jmpbuf = {93824998887008, 3160691127709210787, 0, 0, 140737488346440, 0, 3160691127307081891, 9117628873246513315}, __mask_was_saved = 0, __saved_mask = {__val = {93824995742973, 
                93824995742997, 93824995647326, 93824995647347, 93824995743010, 93824995743030, 93824995743047, 93824995743611, 93824995743068, 93824995743082, 93824995743104, 93824995743123, 93824995743150, 
                93824995743179, 0, 0}}}}
        c = <optimized out>
        file_handle = {handle = {fd = -209219568, fp = 0x7ffff3879010, stream = {handle = 0x7ffff3879010, isatty = 0, mmap = {len = 60, pos = 0, map = 0x7ffff7fe4000, 
                buf = 0x7ffff7fe4000 <error: Cannot access memory at address 0x7ffff7fe4000>, old_handle = 0x555555cf9cb0, old_closer = 0x5555557e12c0 <zend_stream_stdio_closer>}, 
              reader = 0x5555557e12f0 <zend_stream_stdio_reader>, fsizer = 0x5555557e1240 <zend_stream_stdio_fsizer>, closer = 0x5555557e11c0 <zend_stream_mmap_closer>}}, 
          filename = 0x555555be2180 "priority-queue-segfault.php", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        behavior = <optimized out>
        reflection_what = <optimized out>
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        php_optind = 2
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0x555555cf9c00 "/home/ad/php/php-ds/priority-queue-segfault.php"
        interactive = <optimized out>
        lineno = 1
        param_error = <optimized out>
#12 0x000055555563b4d9 in main (argc=2, argv=0x555555be2140) at ./sapi/cli/php_cli.c:1381
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {93824998887008, 3160691127709210787, 0, 0, 140737488346440, 0, 3160691127659403427, 9117628625535375523}, __mask_was_saved = 0, __saved_mask = {__val = {140737328433904, 13, 13, 
                0, 0, 18446744073709551615, 18446744073709551615, 17179869188, 17179869188, 0, 18446603336221204945, 1136, 5085241283009, 142, 17, 1}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x555555be23d0 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>

[andrew-demb]

Also reproducible on docker container
https://hub.docker.com/r/devdrops/php-ds/

[rtheunissen]

Fixed on master

[rtheunissen]

Released in 1.2.4