Bug #46568 Segfault on 64bit when chaining function calls that generate exceptions
Submitted: 2008-11-13 16:18 UTC Modified: 2008-11-19 09:57 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: phpbugs at colin dot guthr dot ie Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.7RC3 OS: * (64bit)
Private report: No CVE-ID: None
 [2008-11-13 16:18 UTC] phpbugs at colin dot guthr dot ie
Description:
------------
I seem to have uncovered a bug that has been affecting me for a while (e.g. it affects 5.2.6 as well) but that, until now, I have been able to work around.

I have confirmed this bug on both 5.2.6 and 5.2.7RC3 on x86_64. I have confirmed this bug does *not* occur on i586 with these same versions.

The reproduce code has two examples. It should be obvious which is which ;)

I compiled up a fresh 5.2.7RC3 to produce the backtrace below.

Please remember that this bug affects x86_64 only.

I discovered this when using code in the Zend Framework in which this scenario crops up in the natural flow of code.

Reproduce code:
---------------
<?php
class foo
{
  private function bar($x)
  {
    echo $x;
  }
  private function wibble()
  {
    throw new Exception("Wibble");
  }
  public function bug()
  {
    $this->bar($this->wibble());
  }
  public function nobug()
  {
    $wibble = $this->wibble();
    $this->bar($wibble);
  }
}
$foo = new foo;
$foo->bug();
//$foo->nobug();


Expected result:
----------------
PHP Fatal error:  Uncaught exception 'Exception' with message 'Wibble' in /home/colin/bug.php:10
Stack trace:
#0 /home/colin/bug.php(14): foo->wibble()
#1 /home/colin/bug.php(23): foo->bug()
#2 {main}
  thrown in /home/colin/bug.php on line 10


Actual result:
--------------
[colin@jimmy pfx]$ gdb bin/php
GNU gdb 6.8-2mdv2009.0 (Mandriva Linux release 2009.0)
Copyright (C) 2008 Free Software Foundation, Inc.     
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.           
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"   
and "show warranty" for details.                                             
This GDB was configured as "x86_64-mandriva-linux-gnu"...                    
(gdb) set args bug.php
(gdb) run             
Starting program: /home/colin/php/pfx/bin/php bug.php
[Thread debugging using libthread_db enabled]        
[New Thread 0x7f75d9a056f0 (LWP 18074)]              

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=0x7fffe1a4fbd0) at /home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:289
289                             if (RETURN_VALUE_USED(ctor_opline)) {                                                    
Missing debug package(s), you should install: glibc-debug libxml2-debug zlib-debug                                       
(gdb) thread apply all bt full                                                                                           

Thread 1 (Thread 0x7f75d9a056f0 (LWP 18074)):
#0  zend_do_fcall_common_helper_SPEC (execute_data=0x7fffe1a4fbd0) at /home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:289
        opline = (zend_op *) 0x7f75d9a2a770                                                                                  
        original_return_value = (zval **) 0x7fffe1a4fcd0                                                                     
        current_scope = (zend_class_entry *) 0x0                                                                             
        current_this = (zval *) 0x0                                                                                          
        return_value_used = 0                                                                                                
        should_change_scope = 1 '\001'                                                                                       
#1  0x000000000064b8a4 in execute (op_array=0x7f75d9a2a108) at /home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:92        
        execute_data = {opline = 0x7f75d9a2a770, function_state = {function_symbol_table = 0x7f75d9a2d470,                   
    function = 0x7f75d9a2a108, reserved = {0x0, 0x7f75d9a2a200, 0x0, 0x7f75d9a2a210}}, fbc = 0x7f75d9a2cb90,                 
  op_array = 0x7f75d9a2a108, object = 0x7f75d9a29928, Ts = 0x7fffe1a4fa80, CVs = 0x7fffe1a4fa60, original_in_execution = 0 '\0', 
  symbol_table = 0x9db608, prev_execute_data = 0x0, old_error_reporting = 0x0}                                                   
#2  0x00000000006290d1 in zend_execute_scripts (type=8, retval=0x51, file_count=3)                                               
    at /home/colin/php/php-5.2.7RC3/Zend/zend.c:1134                                                                             
        files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area = 0x7fffe1a4fdd0, reg_save_area = 0x7fffe1a4fce0}}            
        i = 1                                                                                                                    
        file_handle = (zend_file_handle *) 0x7fffe1a52240                                                                        
        orig_op_array = (zend_op_array *) 0x0                                                                                    
        orig_retval_ptr_ptr = (zval **) 0x0                                                                                      
        local_retval = (zval *) 0x0                                                                                              
#3  0x00000000005e741f in php_execute_script (primary_file=0x7fffe1a52240) at /home/colin/php/php-5.2.7RC3/main/main.c:2023      
        realfile = "/home/colin/php/pfx/bug.php\000\000\000\000\0000�%�u\177\000\000\000p��u\177\000\000\000\000\000\000\000\000\000\000����", '\0' <repeats 12 times>, "�U\232\000\000\000\000\000gister_an\000\000\000\000\000\000\000html_errH>\235", '\0' <repeats 13 times>, "�P\204�u\177\000\000\001", '\0' <repeats 15 times>, "�\001&�u\177\000\000\020�5\000\000\000\000\0000�%�u\177", '\0' <repeats 18 times>, "r�\204�u\177\000\000�\227i", '\0' <repeats 13 times>, "\t:r\000\000\000\000\000�2c\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fffe1a52000                                                                                
        __bailout = {{__jmpbuf = {140736979084336, -6156957097008169452, 140736979086864, 0, 140736979086864, 0,                   
      -6156957080977539564, 6156943864853954068}, __mask_was_saved = 0, __saved_mask = {__val = {206158430215, 140736979082960,    
        0, 140736979082960, 22266960, 0, 140144139213016, 140144139214560, 6402516, 140144139213376, 140144139213096,
        140144139213056, 140144139213968, 140144139213016, 6921410, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = <value optimized out>
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        retval = 0
#4  0x000000000069b0ce in main (argc=2, argv=0x7fffe1a52428) at /home/colin/php/php-5.2.7RC3/sapi/cli/php_cli.c:1134
        __bailout = {{__jmpbuf = {0, -5642054132341337382, 7016452524537506151, 110, 8246765328184210536, 10305096,
      -6156957097001877996, 6156943771903458836}, __mask_was_saved = 0, __saved_mask = {__val = {140144137211684,
        140144114257068, 23, 46448516, 140736979083392, 140736979083784, 140144114264912, 0, 140144139068736, 140144139071488,
        140144112053138, 140144114315624, 140144112046240, 4294967296, 4294967449, 140144114744752}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x7fffe1a52e10 "bug.php", opened_path = 0x0, handle = {fd = 22265984,
    fp = 0x153c080, stream = {handle = 0x153c080, reader = 0x63d0f0 <zend_stream_stdio_reader>,
      closer = 0x63d0d0 <zend_stream_stdio_closer>, fteller = 0x63d0c0 <zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = <value optimized out>
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffe1a52e10 "bug.php"
        arg_excp = (char **) 0x7fffe1a52430
        script_file = 0x7fffe1a52e10 "bug.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0
        ini_entries_len = <value optimized out>
(gdb)
 [2008-11-13 22:23 UTC] felipe@php.net
I can't reproduce it on FreeBSD amd64.

 [2008-11-13 22:41 UTC] phpbugs at colin dot guthr dot ie
Well, I've confirmed this problem on three Mandriva systems with Mandriva packages, but for this bug report I built a fresh vanilla version from the 5.2.7RC3 tarball on my own machine to ensure it was nothing to do with any additional patches in the Mandriva package causing the problem.

I do not have access to any non-Mandriva 64-bit build hosts here to do more tests...

FWIW, the GCC version is 4.3.2.

I can tarball up the installed version if you want to give my build a run and see if it crashes on your machine. If it does crash then I'd expect the problem to be related to GCC.
 [2008-11-16 08:03 UTC] bruno at ioda dot net
I've tried this on 3 different openSUSE 10.3 systems, all with the latest openSUSE Build Service PHP version 5.2.6.

And the result was the expected exception:
Fatal error: Uncaught exception 'Exception' with message 'Wibble' in /tmp/bugs.php:10
Stack trace:
#0 /tmp/bugs.php(14): foo->wibble()
#1 /tmp/bugs.php(23): foo->bug()
#2 {main}
  thrown in /tmp/bugs.php on line 10

PHP 5.2.6 with Suhosin-Patch 0.9.6.2 (cli) (built: Nov  5 2008 13:42:52)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

For 10.3 gcc is:
Target: x86_64-suse-linux
Configuré avec: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.2.1 --enable-ssp --disable-libssp --disable-libgcj --with-slibdir=/lib64 --with-system-zlib --enable-shared --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --program-suffix=-4.2 --enable-version-specific-runtime-libs --without-system-libunwind --with-cpu=generic --host=x86_64-suse-linux
Modèle de thread: posix
version gcc 4.2.1 (SUSE Linux)

I've not yet tried on the latest 11.0 x64, which has the gcc
gcc version 4.3.1 20080507 (prerelease) [gcc-4_3-branch revision 135036] (SUSE Linux)
 [2008-11-17 10:18 UTC] jani@php.net
I cannot reproduce this on x86_64 CentOS 5 using the latest PHP_5_2 checkout. Would be nice to know your configure line for PHP too?
 [2008-11-17 21:51 UTC] phpbugs at colin dot guthr dot ie
My configure line is just the default. All I did was pass a custom prefix.

I'll try and find some other 64 bit systems to play on. I should be able to fire a few different systems into a vm to see if I can reproduce it with other distros.
 [2008-11-18 17:23 UTC] crrodriguez at opensuse dot org
Cannot reproduce in openSUSE 11 64-bit, GCC 4.3.1, either with or without Suhosin.

I suspect either your system or your compiler is doing something wrong.
 [2008-11-18 17:36 UTC] phpbugs at colin dot guthr dot ie
Thanks for all the feedback/help. I will have to investigate further. I do not think my system hardware is at fault due to having confirmed on two other machines, although both Mandriva based. This is why I suspected the compiler.

I will try and work out more info.
 [2008-11-18 18:11 UTC] crrodriguez at opensuse dot org
Did you build 5.2.7RC3 with --enable-debug? If not, try that; does it crash anyway?
 [2008-11-18 20:46 UTC] phpbugs at colin dot guthr dot ie
Just tried --enable-debug and when built this way, it does indeed work as expected. Does this suggest anything else I can try to narrow down the problem?

I also tried make test and did get several failures.

I uploaded the test results to http://kenobi.mandriva.com/~colin/php_test_results_20081118_2006.txt although none of these look particularly relevant. I will do another build sans --enable-debug and see if any different standard tests fail.
 [2008-11-18 21:20 UTC] phpbugs at colin dot guthr dot ie
OK, I repeated the make test sans debug and it seems that a couple more tests fail under this scenario.

http://kenobi.mandriva.com/~colin/php_test_results_20081118_2054.txt

The most interesting extra failure is:
Bug #30707 (Segmentation fault on exception in method) [Zend/tests/bug30707.phpt]

This could perhaps provide some clues?

For convenience, here is a diff of non-debug vs. debug:
http://kenobi.mandriva.com/~colin/php-make-test.diff.txt
 [2008-11-19 05:22 UTC] crrodriguez at opensuse dot org
Yes, it suggests that your compiler optimized badly. Try

export CFLAGS="-O2 -fno-strict-aliasing"  and rebuild. If it still crashes, try -O1.
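The thread narrows the crash down by comparing builds (default -O2, --enable-debug, CFLAGS="-O2 -fno-strict-aliasing", -O1). The following is an added triage helper, not part of the bug report or of PHP: it writes the reporter's reproduce code to a temp file, runs it under each php binary passed as an argument, and classifies the outcome. It assumes each argument is a path to a php CLI binary you have already built; the build steps themselves are not included.

```shell
#!/bin/sh
# Added triage helper for Bug #46568 (not from the report): run the reproducer
# against several PHP CLI builds and classify each result.

# Write the reproduce code from the report to a temp file; print its path.
write_reproducer() {
  f=$(mktemp "${TMPDIR:-/tmp}/bug46568.XXXXXX") || return 1
  cat > "$f" <<'EOF'
<?php
class foo
{
  private function bar($x) { echo $x; }
  private function wibble() { throw new Exception("Wibble"); }
  public function bug() { $this->bar($this->wibble()); }
}
$foo = new foo;
$foo->bug();
EOF
  printf '%s\n' "$f"
}

# Classify one run. Prints: expected, segfault, or other:<status>.
# The PHP CLI exits 255 on an uncaught exception (the expected result in the
# report); a process killed by SIGSEGV reports 128+11 = 139 to the shell.
php_outcome() {
  php_bin=$1; script=$2; status=0
  out=$("$php_bin" "$script" 2>&1) || status=$?
  case "$status" in
    255) case "$out" in
           *"Uncaught exception"*) echo expected ;;
           *) echo "other:$status" ;;
         esac ;;
    139) echo segfault ;;
    *)   echo "other:$status" ;;
  esac
}

# Usage: ./triage.sh /path/php-O2 /path/php-debug /path/php-noalias /path/php-O1
main() {
  script=$(write_reproducer) || exit 1
  for php_bin in "$@"; do
    printf '%-40s %s\n' "$php_bin" "$(php_outcome "$php_bin" "$script")"
  done
  rm -f "$script"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A build that prints "expected" for the chained call behaves like the i586 and openSUSE results in the thread; "segfault" matches the reporter's x86_64 -O2 build.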
 [2008-11-19 09:36 UTC] phpbugs at colin dot guthr dot ie
Thank you for your help Mr Rodriguez!

The first CFLAGS option was sufficient to not trigger the segv.

This is clearly not a problem with PHP; the problem obviously lies with the GCC in Mandriva.

I'll raise the bug within our own systems for that.

Thanks to everyone for their patience and effort in helping diagnose this issue.
 [2008-11-19 09:57 UTC] phpbugs at colin dot guthr dot ie
Actually, for clarity in my further dealings with this problem, can you tell me if the openSUSE builds used -fno-strict-aliasing or not? If it is compiled with -O2 -fstrict-aliasing and does not exhibit the bug, it would be easier for me to point the finger at our gcc build.

Thanks.