
SEGV in zend_fetch_debug_backtrace() when performing cycle collection for nested generators #15851

Closed
@TimWolla

Description

The following code:

```php
<?php
class Foo {
    public $obj;
    public function __destruct()
    {
        // Walks the call stack from inside a destructor; the crash below
        // happens when this runs during cycle collection triggered while
        // the enclosing generator frame is being closed.
        debug_print_backtrace();
    }
}
function bar() {
    yield from foo();   // nested generator: foo() runs as a delegate of bar()
}
function foo() {
    for ($i = 0; $i < 10001; $i++) {
        $obj = new Foo();
        $obj->obj = $obj;   // self-reference: overwriting $obj leaves a cycle, a GC possible root
    }

    yield;              // after this the generator returns and its variables are freed
}

$gen = bar();
foreach ($gen as $dummy);
```

$gen = bar();
foreach ($gen as $dummy);

Resulted in this output:

```text
php-src/Zend/zend_builtin_functions.c:1898:7: runtime error: member access within null pointer of type 'zend_function' (aka 'union _zend_function')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src/Zend/zend_builtin_functions.c:1898:7 in 
php-src/Zend/zend_builtin_functions.c:1898:7: runtime error: load of null pointer of type 'uint8_t' (aka 'unsigned char')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src/Zend/zend_builtin_functions.c:1898:7 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==777360==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55721a816b98 bp 0x7fff23b3bb10 sp 0x7fff23b3a520 T0)
==777360==The signal is caused by a READ memory access.
==777360==Hint: address points to the zero page.
    #0 0x55721a816b98 in zend_fetch_debug_backtrace php-src/Zend/zend_builtin_functions.c:1898:7
    #1 0x55721a8143c5 in zif_debug_print_backtrace php-src/Zend/zend_builtin_functions.c:1823:2
    #2 0x55721aea8d74 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER php-src/Zend/zend_vm_execute.h:1287:2
    #3 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #4 0x55721a9d708b in zend_call_function php-src/Zend/zend_execute_API.c:996:3
    #5 0x55721a9db927 in zend_call_known_function php-src/Zend/zend_execute_API.c:1090:23
    #6 0x55721b41b41e in zend_call_known_instance_method php-src/Zend/zend_API.h:860:2
    #7 0x55721b4165bb in zend_call_known_instance_method_with_0_params php-src/Zend/zend_API.h:866:2
    #8 0x55721b415fbd in zend_objects_destroy_object php-src/Zend/zend_objects.c:194:3
    #9 0x55721b1211c8 in gc_call_destructors php-src/Zend/zend_gc.c:1835:5
    #10 0x55721b117ad3 in zend_gc_collect_cycles php-src/Zend/zend_gc.c:2014:5
    #11 0x55721b115437 in gc_possible_root_when_full php-src/Zend/zend_gc.c:664:23
    #12 0x55721b1142ce in gc_possible_root php-src/Zend/zend_gc.c:714:3
    #13 0x55721b0789fe in gc_check_possible_root php-src/Zend/zend_gc.h:99:3
    #14 0x55721b0783fc in i_zval_ptr_dtor php-src/Zend/zend_variables.h:47:4
    #15 0x55721aa12e04 in i_free_compiled_variables php-src/Zend/zend_execute.c:4085:3
    #16 0x55721aa12c04 in zend_free_compiled_variables php-src/Zend/zend_execute.c:4094:2
    #17 0x55721b143aff in zend_generator_close php-src/Zend/zend_generators.c:146:3
    #18 0x55721af483bc in ZEND_GENERATOR_RETURN_SPEC_CONST_HANDLER php-src/Zend/zend_vm_execute.h:4888:2
    #19 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #20 0x55721b14d924 in zend_generator_resume php-src/Zend/zend_generators.c:835:3
    #21 0x55721b1652c2 in zend_generator_iterator_move_forward php-src/Zend/zend_generators.c:1167:2
    #22 0x55721b0c1369 in zend_fe_fetch_object_helper_SPEC php-src/Zend/zend_vm_execute.h:2953:4
    #23 0x55721ad4adbe in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER php-src/Zend/zend_vm_execute.h:22921:3
    #24 0x55721aa29c47 in execute_ex php-src/Zend/zend_vm_execute.h:58585:7
    #25 0x55721aa2b082 in zend_execute php-src/Zend/zend_vm_execute.h:64237:2
    #26 0x55721b547788 in zend_execute_script php-src/Zend/zend.c:1928:3
    #27 0x55721a0f6ce6 in php_execute_script_ex php-src/main/main.c:2578:13
    #28 0x55721a0f7588 in php_execute_script php-src/main/main.c:2618:9
    #29 0x55721b555d49 in do_cli php-src/sapi/cli/php_cli.c:935:5
    #30 0x55721b551742 in main php-src/sapi/cli/php_cli.c:1309:18
    #31 0x7f127142a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #32 0x7f127142a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #33 0x557218203384 in _start (php-src/sapi/cli/php+0x1c03384) (BuildId: cc5bf4c04324412458a7726088356da3d6774196)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV php-src/Zend/zend_builtin_functions.c:1898:7 in zend_fetch_debug_backtrace
==777360==ABORTING
```

But I expected this output instead:

<some backtraces>

PHP Version

git master / 306a519

Operating System

Ubuntu 24.04
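The stack trace shows the collector being entered from `gc_possible_root_when_full()` while `zend_generator_close()` frees the generator's compiled variables, which is why the loop count of 10001 matters: it is exactly enough self-referencing objects to fill the GC root buffer so that the very last root, the `$obj` released at generator close, is the one that triggers `zend_gc_collect_cycles()` and with it the destructors. The script below is an added example, not code from the report or from php-src. It reproduces that trigger with a destructor that only counts calls (so it does not crash) and reads the live `gc_status()` counters to confirm when the automatic collection fires. It assumes PHP 7.4 or later, default GC settings (a root-buffer threshold of 10001 as reported by `gc_status()['threshold']`, matching the reproducer's loop count), and that nothing else has queued possible roots, which it enforces by emptying the buffer with `gc_collect_cycles()` before each experiment. The helper names `Cycle`, `inner`, `outer` and `experiment` are this example's own.

```php
<?php
// Added example, not part of the bug report or of php-src. Demonstrates the GC
// trigger behind the crash without crashing: each overwritten self-referencing
// object becomes a GC "possible root"; once the root buffer is full, the next
// root runs zend_gc_collect_cycles() synchronously wherever it happens to be
// (in the report: inside zend_generator_close(), freeing the generator's variables).
//
// Assumptions: PHP >= 7.4, default GC settings, and an empty root buffer at the
// start of each experiment (enforced below with gc_collect_cycles()).

final class Cycle
{
    public ?Cycle $self = null;
    public static int $destructed = 0;

    public function __destruct()
    {
        // Deliberately does nothing that walks the call stack (no
        // debug_print_backtrace()/debug_backtrace()): per the report, this may
        // run while the frame being torn down belongs to a closing generator.
        self::$destructed++;
    }
}

function inner(int $n): Generator
{
    for ($i = 0; $i < $n; $i++) {
        $obj = new Cycle();
        $obj->self = $obj;   // refcount 2; overwriting $obj leaves a refcount-1 cycle = possible root
    }
    yield;                   // closing the generator frees the last $obj: one more possible root
}

function outer(int $n): Generator
{
    yield from inner($n);    // nested generator, as in the reproducer
}

/**
 * Runs one experiment from an empty root buffer and reports the GC counters
 * around it: how many automatic collector runs happened during the foreach,
 * how many objects were destructed by them, and how many roots are left queued.
 */
function experiment(int $n): array
{
    gc_collect_cycles();                 // empty the root buffer first
    $before           = gc_status();
    $destructedBefore = Cycle::$destructed;

    foreach (outer($n) as $_) {
    }

    $after = gc_status();
    return [
        'n'            => $n,
        'threshold'    => $before['threshold'],
        'auto_gc_runs' => $after['runs'] - $before['runs'],
        'destructed'   => Cycle::$destructed - $destructedBefore,
        'roots_queued' => $after['roots'],
    ];
}

$threshold = gc_status()['threshold'];   // 10001 with default settings

// threshold - 1 iterations: the roots from the overwrites plus the one from
// generator close still fit in the buffer. Expect auto_gc_runs = 0 and
// destructed = 0; the cycles stay queued until the next collection.
print_r(experiment($threshold - 1));

// threshold iterations (the reproducer's 10001): the root released by
// zend_generator_close() is the one that fills the buffer. Expect
// auto_gc_runs = 1, with the destructors running from inside that collection,
// i.e. while the generator frame is being closed.
print_r(experiment($threshold));
```

Reading the two results side by side is the check a practitioner wants before filing or triaging a report like this one: if `auto_gc_runs` flips from 0 to 1 between `threshold - 1` and `threshold` iterations, the destructor is indeed being invoked from the collector during generator teardown, and anything in the destructor that inspects the call stack is exercising the path in the trace above.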
