php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76427 Segfault in zend_objects_store_put
Submitted: 2018-06-08 00:50 UTC Modified: 2018-06-12 20:10 UTC
From: thekid@php.net Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0alpha1 OS: Linux
Private report: No CVE-ID: None
 [2018-06-08 00:50 UTC] thekid@php.net
Description:
------------
Running the test suite for the project https://github.com/xp-framework/compiler causes a segmentation fault, see https://github.com/xp-framework/compiler/issues/35


Test script:
---------------
Haven't been able to reproduce this with a short script, sorry!

Expected result:
----------------
Test suite runs fine, as does with most recent PHP 7.2

Actual result:
--------------
Crash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-08 01:23 UTC] thekid@php.net
Here's the stack trace from GDB:

Program received signal SIGSEGV, Segmentation fault.
0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
141                     EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
(gdb) bt
#0  0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
#1  0x000000000078a2ca in zend_object_std_init (object=0x7ffffadc2310, ce=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:36
#2  0x000000000078a6e6 in zend_objects_new (ce=ce@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:161
#3  0x0000000000759481 in _object_and_properties_init (arg=arg@entry=0x7ffffb6236f0,
    class_type=class_type@entry=0x7ffffaef34d0, properties=properties@entry=0x0)
    at .../devel/php-src/Zend/zend_API.c:1359
#4  0x0000000000759567 in _object_init_ex (arg=arg@entry=0x7ffffb6236f0, class_type=class_type@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_API.c:1374
#5  0x00000000007d7ea4 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:8720
#6  0x00000000007dfc2a in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:55311
#7  0x0000000000749188 in zend_call_function (fci=0x7ffffb6234d0, fci@entry=0x7ffffffda4d0, fci_cache=<optimized out>,
    fci_cache@entry=0x0) at .../devel/php-src/Zend/zend_execute_API.c:786
#8  0x0000000000749505 in _call_user_function_ex (object=object@entry=0x0, function_name=<optimized out>,
    retval_ptr=retval_ptr@entry=0x7ffffb621820, param_count=<optimized out>, params=<optimized out>,
    no_separation=no_separation@entry=1) at .../devel/php-src/Zend/zend_execute_API.c:628
#9  0x000000000077fee5 in zim_Closure___invoke (execute_data=<optimized out>, return_value=0x7ffffb621820)
    at .../devel/php-src/Zend/zend_closures.c:54
#10 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#11 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#12 0x0000000000784006 in zend_generator_resume (orig_generator=orig_generator@entry=0x7ffffaa15080)
    at .../devel/php-src/Zend/zend_generators.c:772
#13 0x0000000000784f30 in zend_generator_ensure_initialized (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:817
---Type <return> to continue, or q <return> to quit---
#14 zend_generator_rewind (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:826
#15 zend_generator_iterator_rewind (iterator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:1124
#16 0x000000000079f3d2 in zend_fe_reset_iterator (array_ptr=array_ptr@entry=0x7ffffb6215d0, by_ref=by_ref@entry=0)
    at .../devel/php-src/Zend/zend_execute.c:3215
#17 0x00000000007ab52b in ZEND_FE_RESET_R_SPEC_CV_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:37145
#18 0x00000000007e113d in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:58397
#19 0x0000000000749188 in zend_call_function (fci=0x7ffffb621570, fci@entry=0x7ffffffda820, fci_cache=<optimized out>,
    fci_cache@entry=0x7ffffffda800) at .../devel/php-src/Zend/zend_execute_API.c:786
#20 0x0000000000628571 in reflection_method_invoke (execute_data=<optimized out>, return_value=0x7ffffb621400,
    variadic=<optimized out>) at .../devel/php-src/ext/reflection/php_reflection.c:3208
#21 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#22 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#23 0x00000000007e799a in zend_execute (op_array=0x7ffffb67e2a0, op_array@entry=0x7ffffb7b9060,
    return_value=return_value@entry=0x7ffffb620f10)
    at .../devel/php-src/Zend/zend_vm_execute.h:59905
#24 0x00000000007578f3 in zend_execute_scripts (type=type@entry=8, retval=0x7ffffb620f10, retval@entry=0x0,
    file_count=file_count@entry=3) at .../devel/php-src/Zend/zend.c:1564
#25 0x00000000006f6d70 in php_execute_script (primary_file=primary_file@entry=0x7ffffffdced0)
    at .../devel/php-src/main/main.c:2467
#26 0x00000000007e9db9 in do_cli (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1011
#27 0x000000000043b58c in main (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1404
 [2018-06-11 13:03 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ffaee27478a9cb338e40edeb5acf233f9cb67111
Log: Fixed bug #76427 (Segfault in zend_objects_store_put)
 [2018-06-11 13:03 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2018-06-12 01:36 UTC] thekid@php.net
-Status: Closed +Status: Re-Opened
 [2018-06-12 01:36 UTC] thekid@php.net
Thanks!

The test case now works:

$ ../../php-src/sapi/cli/php bug76427.php
int(4)

Unfortunately, the original code still doesn't, failing for the same reason:

(gdb) run -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin
Starting program: .../php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 30751) exited normally]
(gdb) run -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin/class-main.php xp.unittest.Runner src/test/php
Starting program: .../php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin/class-main.php xp.unittest.Runner src/test/php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[........................................................................
.........................................................................
.........................................................................
.........................................................................
....................
Program received signal SIGSEGV, Segmentation fault.
0x0000000008499972 in zend_objects_store_put (object=object@entry=0x7ffffa3a0380)
    at .../php-src/Zend/zend_objects_API.c:141
141                     EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
(gdb) bt
#0  0x0000000008499972 in zend_objects_store_put (object=object@entry=0x7ffffa3a0380)
    at .../php-src/Zend/zend_objects_API.c:141
#1  0x00000000084944ca in zend_object_std_init (object=0x7ffffa3a0380, ce=0x7ffffa4e1290)
    at .../php-src/Zend/zend_objects.c:36
#2  0x0000000008494906 in zend_objects_new (ce=ce@entry=0x7ffffa4e1290)
    at .../php-src/Zend/zend_objects.c:161
#3  0x0000000008463931 in _object_and_properties_init (arg=arg@entry=0x7ffffaa22330,
    class_type=class_type@entry=0x7ffffa4e1290, properties=properties@entry=0x0)
    at .../php-src/Zend/zend_API.c:1359
#4  0x0000000008463987 in _object_init_ex (arg=arg@entry=0x7ffffaa22330,
    class_type=class_type@entry=0x7ffffa4e1290)
    at .../php-src/Zend/zend_API.c:1374
#5  0x00000000084e12b4 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
    at .../php-src/Zend/zend_vm_execute.h:8720
#6  0x00000000084ea1cd in execute_ex (ex=0x7ffffa3a0380)
    at .../php-src/Zend/zend_vm_execute.h:55301
#7  0x000000000845398b in zend_call_function (fci=fci@entry=0x7ffffffea7a0, fci_cache=<optimized out>,
    fci_cache@entry=0x7ffffffea780) at .../php-src/Zend/zend_execute_API.c:786
#8  0x0000000008322786 in reflection_method_invoke (execute_data=<optimized out>,
    return_value=0x7ffffaa21490, variadic=0)
    at .../php-src/ext/reflection/php_reflection.c:3208
#9  0x00000000084ee5be in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../php-src/Zend/zend_vm_execute.h:1102
#10 execute_ex (ex=0x7ffffa3a0380) at .../php-src/Zend/zend_vm_execute.h:54495
#11 0x00000000084f09ee in zend_execute (op_array=op_array@entry=0x7ffffaa7e2a0, return_value=0x0,
    return_value@entry=0x7ffffabe0060)
    at .../php-src/Zend/zend_vm_execute.h:59895
#12 0x0000000008461e02 in zend_execute_scripts (type=type@entry=8, retval=0x7ffffabe0060, retval@entry=0x0,
    file_count=-90042464, file_count@entry=3) at .../php-src/Zend/zend.c:1564
#13 0x0000000008402830 in php_execute_script (primary_file=0x7ffffffece60)
    at .../php-src/main/main.c:2467
#14 0x00000000084f2e4c in do_cli (argc=8, argv=0x909fb50)
    at .../php-src/sapi/cli/php_cli.c:1011
#15 0x0000000008117a5b in main (argc=8, argv=0x909fb50)
    at .../php-src/sapi/cli/php_cli.c:1404
(gdb) p handle
$1 = -49631200
 [2018-06-12 01:53 UTC] thekid@php.net
I'm sorry I still can't come up with a short reproducible script. Here's the setup procedure:

# Clone, fetch dependencies
$ git clone git@github.com:xp-framework/compiler.git
$ composer install
$ curl -sSL https://dl.bintray.com/xp-runners/generic/xp-run-master.sh | sed '0,/^EOF;$/d' > class-main.php

# Run
$ /path/to/php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=UTC class-main.php xp.unittest.Runner src/test/php/
 [2018-06-12 03:25 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: laruence
 [2018-06-12 04:00 UTC] laruence@php.net
I committed another supplemental fix just now, it should works now.
 [2018-06-12 20:10 UTC] thekid@php.net
Indeed! Thanks a lot:-)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC