Bug #39418 ltrim() crash in _zval_ptr_dtor()
Submitted: 2006-11-07 23:22 UTC
Modified: 2006-11-21 21:16 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 0 (0.0%)
From: php at fiddaman dot net
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.0
OS: Solaris 10
Private report: No
CVE-ID: None
 [2006-11-07 23:22 UTC] php at fiddaman dot net
Description:
------------
I've compiled PHP 5.2.0 as a replacement for 5.1.6 which is running fine here. 5.2.0 crashes with any PHP web page.

This is Solaris 10, 64-bit.

I've recompiled without any extensions, same result.

./configure \
        --prefix=$DIR \
        --with-exec-dir=$DIR/bin \
        --with-apxs2=/opt/apache/bin/apxs \
        --disable-libgcc \
        --disable-libxml \
        --disable-dom \
        --disable-simplexml \
        --disable-xml \
        --disable-xmlreader \
        --disable-xmlwriter \
        --without-pear

Not sure how to debug this further.

Reproduce code:
---------------
<?php print "test"; ?>

Expected result:
----------------
test

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  _zval_ptr_dtor (zval_ptr=0xffffffff7fffd1a0)
    at /data/src/build/php-5.2.0/Zend/zend_execute_API.c:412
412             (*zval_ptr)->refcount--;
(gdb) where
#0  _zval_ptr_dtor (zval_ptr=0xffffffff7fffd1a0)
    at /data/src/build/php-5.2.0/Zend/zend_execute_API.c:412
#1  0xffffffff78abd1c8 in zend_do_fcall_common_helper_SPEC (
    execute_data=0xffffffff7fffd438)
    at /data/src/build/php-5.2.0/Zend/zend_execute.h:149
#2  0xffffffff78aac2dc in execute (op_array=0xffffffff7fffe660)
    at /data/src/build/php-5.2.0/Zend/zend_vm_execute.h:92
#3  0xffffffff78a8e1a8 in zend_execute_scripts (type=5034360,
    retval=<value optimized out>, file_count=2024194208)
    at /data/src/build/php-5.2.0/Zend/zend.c:1097
#4  0xffffffff78a49fc4 in php_execute_script (primary_file=0x0)
    at /data/src/build/php-5.2.0/main/main.c:1758
#5  0xffffffff78b18d98 in php_handler (r=0x0)
    at /data/src/build/php-5.2.0/sapi/apache2handler/sapi_apache2.c:592
#6  0x0000000100049e00 in ap_run_handler ()
#7  0x000000010004abf0 in ap_invoke_handler ()
#8  0x00000001000a6314 in ap_process_request ()
#9  0x00000001000a1158 in ap_process_http_connection ()
#10 0x0000000100056710 in ap_run_process_connection ()
#11 0x0000000100056d8c in ap_process_connection ()
#12 0x00000001000d9358 in child_main ()
#13 0x00000001000d9674 in make_child ()
#14 0x00000001000d9b68 in perform_idle_server_maintenance ()
#15 0x00000001000da5ac in ap_mpm_run ()
#16 0x0000000100024c28 in main ()


 [2006-11-07 23:41 UTC] php at fiddaman dot net
Same result with latest 5.2 CVS

#0  _zval_ptr_dtor (zval_ptr=0xffffffff7fffd260)
    at /data/src/build/php5.2-200611072130/Zend/zend_execute_API.c:412
412             (*zval_ptr)->refcount--;
 [2006-11-08 15:54 UTC] tony2001@php.net
I don't have access to Solaris 10/64bit, but I can't reproduce the problem on any other OS I can find around here (Linux, FreeBSD, MacOS, AIX).
Please try to build it with --disable-all and see if it changes anything.
What compiler do you use, btw?
 [2006-11-08 21:28 UTC] php at fiddaman dot net
Ok, --disable-all reminded me that I had an auto-included header on that web site so the test code wasn't as simple as I thought. Sorry for the confusion.

I've narrowed down the code which is causing the crash to:

ltrim('/test.php', '/');

and it still crashes with --disable-all

% gcc -v
Using built-in specs.
Target: sparcv9-sun-solaris2.9
Configured with: /data/src/build/gcc-4.1.1/configure --prefix=/opt/GNUgcc --enable-languages=c,c++ --disable-nls sparcv9-sun-solaris2.9
Thread model: posix
gcc version 4.1.1
 [2006-11-08 21:29 UTC] php at fiddaman dot net
Changing summary to include ltrim()
 [2006-11-08 21:39 UTC] iliaa@php.net
Please try the following patch:
http://bb.prohost.org/patch/trim.txt
 [2006-11-08 21:47 UTC] php at fiddaman dot net
Same result:

# mdb /var/core/60001-httpd-25059
Loading modules: [ libc.so.1 libuutil.so.1 ld.so.1 ]
> ::stack
libphp5.2.0.so`_zval_ptr_dtor+0x14(ffffffff7fffe618, 100455bf8, 0, 0, 0, 1)
libphp5.2.0.so`zend_do_fcall_common_helper_SPEC+0x364(ffffffff7fffe720, 0, 0, 
1004459f8, 0, 0)
libphp5.2.0.so`execute+0x160(1004553b0, ffffffff7ffff068, ffffffff79053360, 
ffffffff7fffe94c, 4, 0)
libphp5.2.0.so`zend_execute_scripts+0x128(8, 0, 3, ffffffff792b7780, 
ffffffff7ffff068, 1004554a8)
libphp5.2.0.so`php_execute_script+0x210(0, ffffffff79171078, 6, 0, 70687000, 
7068702d)
libphp5.2.0.so`php_handler+0x634(1003afbe8, 25252525, 70000000, 80808080, ff00, 80808080)
ap_run_handler+0x84(1003afbe8, 0, 1003afbe8, 1003a9ea8, 1003afe68, 1003afe78)
ap_invoke_handler+0x1c4(1003afbe8, 0, 4, 1003afbe8, 0, 1003afe91)
ap_process_request+0x94(1003afbe8, 4, 1003afbe8, 0, 0, 0)
ap_process_http_connection+0x6c(1003a9ea8, 1003a9bb8, 1003a9bb8, 
fffffffffffffff8, 0, 1003a9f59)
ap_run_process_connection+0x84(1003a9ea8, 1003a9bb8, 1003a9bb8, 0, 1003a7c00, 
1003adb68)
ap_process_connection+0x88(1003a9ea8, 1003a9bb8, 1003a9bb8, 0, 1003a7c00, 
1003adb68)
child_main+0x7f4(0, 1000d850c, ffffffff7d006ae8, 0, ffffffff7d202000, 
ffffffff7d5eef40)
make_child+0x230(100233628, 0, 0, ffffffff7d5ef440, ffffffff7d202000, 0)
startup_children+0x7c(1, 2, 5, 100225d68, 100382fd0, 0)
ap_mpm_run+0x4f8(100225d68, 10026dfa8, 100233628, 100233628, 0, 0)
main+0x1040(3, ffffffff7ffffcc8, ffffffff7ffffce8, 100219b80, 100000000, 
ffffffff7d200140)
_start+0x7c(0, 0, 0, 0, 0, 0)
 [2006-11-15 12:41 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-11-16 03:53 UTC] pkwarren at gmail dot com
I am seeing this problem on Solaris 9 with a build of PHP 5.2.0 (released version and the latest snapshot - 200611152130). I am also building PHP with the GCC 4.1.1 compiler. Here is the stack trace from GDB:

(gdb) where
#0  _zval_ptr_dtor (zval_ptr=0x45e520)
    at /build/php/work/php5.2-200611152130/Zend/zend_execute_API.c:412
#1  0x00202288 in zend_do_fcall_common_helper_SPEC (execute_data=0xffbff1ec)
    at zend_execute.h:149
#2  0x00201654 in execute (op_array=0xffbff318) at zend_vm_execute.h:92
#3  0x001e3c84 in zend_execute_scripts (type=1, retval=Variable "retval" is not available.
)
    at /build/php/work/php5.2-200611152130/Zend/zend.c:1098
#4  0x001a0fc8 in php_execute_script (primary_file=0x1)
    at /build/php/work/php5.2-200611152130/main/main.c:1758
#5  0x0026e0f4 in main (argc=1, argv=0x0)
    at /build/php/work/php5.2-200611152130/sapi/cli/php_cli.c:1108

I can reproduce the crash with the ltrim testcase, and also with this testcase:

<?php
    $doc = new DOMDocument();
    $root = $doc->createElement("root");
?>
 [2006-11-16 10:18 UTC] php at fiddaman dot net
Latest snapshot - no change, crashes in the same place.
 [2006-11-16 10:23 UTC] tony2001@php.net
Is there any chance to try to build PHP with GCC 3.x ?
 [2006-11-16 16:07 UTC] php at fiddaman dot net
Can't reproduce the problem with gcc 3

# gcc -v
Reading specs from /opt/GNUgcc3/lib/gcc/sparcv9-sun-solaris2.9/3.4.6/specs
Configured with: ../configure --prefix=/opt/GNUgcc3 --enable-languages=c --disable-nls sparcv9-sun-solaris2.9
Thread model: posix
gcc version 3.4.6

# file sapi/cli/php
sapi/cli/php:   ELF 64-bit MSB executable SPARCV9 Version 1, dynamically linked, not stripped
 [2006-11-16 16:12 UTC] tony2001@php.net
This explains why I'm unable to reproduce it..
Well, I'm afraid you're most likely on your own with such an exotic platform and compiler version.
 [2006-11-21 21:16 UTC] tony2001@php.net
The problem seems to be caused by GCC 4.1.1, so it doesn't look like a PHP problem (PHP itself works perfectly fine with GCC4 on Linux, for example).
Please reopen the report when/if you have any additional information. 
Thank you.
 [2010-12-17 13:57 UTC] furcube at gmail dot com
gcc -v
Using built-in specs.
Target: sparc-sun-solaris2.10
Configured with: ./configure --prefix=/usr/local -v --enable-languages=c,c++ --enable-shared --with-system-zlib --enable-threads=posix --enable-nls --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-mpfr --enable-targets=all --enable-checking=release
Thread model: posix
gcc version 4.3.2 (GCC)

uname -a
SunOS sol 5.10 Generic_127127-11 sun4u sparc SUNW,Sun-Fire-V210

Building php-5.3.4

./configure --prefix=/usr/local/apache2 --with-zlib --with-xsl --enable-zip --enable-soap --with-mysql=/usr/local/mysql --with-pdo-mysql=/usr/local/mysql 


Generating phar.php
Segmentation Fault - core dumped
make: *** [ext/phar/phar.php] Error 139

pstack core.1292590431.php.1292590431
core 'core.1292590431.php.1292590431' of 18512: /export/home/devel/php-5.3.4/sapi/cli/php -n -d open_basedir= -d outpu
 0030f1c8 _zval_ptr_dtor (ffbfef2c, 68be70, 0, 0, 1, 0) + 8
 0036933c zend_do_fcall_common_helper_SPEC (7e6710, 0, 648630, fffffff8, 18, 7e6d14) + 364
 00345e3c execute  (68b7d8, 68b790, 3b, 6798a8, 648ce8, 2) + 1e0
 0031b534 zend_execute_scripts (8, 6783dc, 3, 1, ffbff708, 68b790) + 70
 002ca2e8 php_execute_script (0, 64df50, ff5b1a91, fffffffd, 80808080, 1010101) + 16c
 003a5768 main     (3a57d4, 64e374, 0, 0, 0, 0) + 1330
 0004cc34 _start   (0, 0, 0, 0, 0, 0) + 5c

gdb -c core.1292590431.php.1292590431 /export/home/devel/php-5.3.4/sapi/cli/php
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10"...
Reading symbols from /usr/local/lib/libz.so...done.
Loaded symbols for /usr/local/lib/libz.so
Reading symbols from /usr/lib/libexslt.so.0...done.
Loaded symbols for /usr/lib/libexslt.so.0
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /usr/local/lib/libiconv.so.2...done.
Loaded symbols for /usr/local/lib/libiconv.so.2
Reading symbols from /lib/libm.so.2...done.
Loaded symbols for /lib/libm.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libsocket.so.1...done.
Loaded symbols for /lib/libsocket.so.1
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /usr/local/mysql/lib/mysql/libmysqlclient.so.16...done.
Loaded symbols for /usr/local/mysql/lib/mysql/libmysqlclient.so.16
Reading symbols from /usr/lib/libxslt.so.1...done.
Loaded symbols for /usr/lib/libxslt.so.1
Reading symbols from /lib/libc.so.1...done.
Loaded symbols for /lib/libc.so.1
Reading symbols from /usr/local/lib/libgcc_s.so.1...done.
Loaded symbols for /usr/local/lib/libgcc_s.so.1
Reading symbols from /lib/libpthread.so.1...
warning: Lowest section in /lib/libpthread.so.1 is .dynamic at 00000074
done.
Loaded symbols for /lib/libpthread.so.1
Reading symbols from /lib/libaio.so.1...done.
Loaded symbols for /lib/libaio.so.1
Reading symbols from /lib/libmd.so.1...done.
Loaded symbols for /lib/libmd.so.1
Reading symbols from /platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1...done.
Loaded symbols for /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
Reading symbols from /lib/nss_files.so.1...done.
Loaded symbols for /lib/nss_files.so.1
Reading symbols from /lib/ld.so.1...done.
Loaded symbols for /lib/ld.so.1
Core was generated by `/export/home/devel/php-5.3.4/sapi/cli/php -n -d open_basedir= -d output_bufferi'.
Program terminated with signal 11, Segmentation fault.
[New process 84048    ]
#0  _zval_ptr_dtor (zval_ptr=0xffbfef2c) at /export/home/devel/php-5.3.4/Zend/zend.h:385
385             return --pz->refcount__gc;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0xffbfef2c) at /export/home/devel/php-5.3.4/Zend/zend.h:385
#1  0x00369344 in zend_do_fcall_common_helper_SPEC (execute_data=0x7e6710) at /export/home/devel/php-5.3.4/Zend/zend_execute.h:318
#2  0x00345e44 in execute (op_array=0x68b7d8) at /export/home/devel/php-5.3.4/Zend/zend_vm_execute.h:107
#3  0x0031b53c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /export/home/devel/php-5.3.4/Zend/zend.c:1194
#4  0x002ca2f0 in php_execute_script (primary_file=0xffbff708) at /export/home/devel/php-5.3.4/main/main.c:2265
#5  0x003a5770 in main (argc=13, argv=0xffbff82c) at /export/home/devel/php-5.3.4/sapi/cli/php_cli.c:1193
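The thread contains four backtraces of the same crash in three different formats: gdb `where` from the 2006 PHP 5.2.0 report, Solaris mdb `::stack` from the same reporter, and pstack plus gdb `bt` from the 2010 PHP 5.3.4 report on GCC 4.3.2. Whether the 2010 report is in fact the same crash is the question a triager has to answer before reopening. The script below is an added example, not code from this bug report or from PHP: it parses each of the three formats, reduces a trace to its top frame names, and groups the traces by that signature. The embedded traces are abridged copies of the ones posted above, and the three regular expressions are derived only from the trace lines visible on this page, so they are assumptions about the tools' output formats rather than a general parser.

```python
"""Crash-signature triage for the backtraces quoted in this bug report.

Added example, not part of the PHP bug tracker or of PHP itself.  It parses
the trace formats posted in the thread (gdb, Solaris mdb ::stack, Solaris
pstack), reduces each trace to its top few frame names, and groups traces by
that signature.  The patterns are derived only from the lines on this page.
"""
import os
import re

# gdb: "#1  0xffffffff78abd1c8 in func (args)"; frame 0 carries no address.
_GDB = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_]\w*)\s*\(")
# mdb ::stack: "libphp5.2.0.so`func+0x14(args)" or "ap_run_handler+0x84(args)".
_MDB = re.compile(r"^(?:[\w.]+`)?([A-Za-z_]\w*)\+0x[0-9a-fA-F]+\(")
# pstack: " 0030f1c8 func (args) + 8".
_PSTACK = re.compile(r"^\s*[0-9a-fA-F]{8}\s+([A-Za-z_]\w*)\s*\(")
# gdb source location of a frame: "at /path/file.c:412".
_LOCATION = re.compile(r"\bat (\S+):(\d+)")


def parse_frames(trace: str) -> list[str]:
    """Function names of a backtrace, crashing frame first.  Wrapped argument
    lines and gdb's "at file:line" lines match none of the patterns and are
    skipped, so a trace pasted with line breaks still parses."""
    frames = []
    for line in trace.splitlines():
        for pattern in (_GDB, _MDB, _PSTACK):
            m = pattern.match(line)
            if m:
                frames.append(m.group(1))
                break
    return frames


def crash_signature(trace: str, depth: int = 3) -> tuple[str, ...]:
    """Top `depth` frame names: the key used to decide 'same crash'."""
    return tuple(parse_frames(trace)[:depth])


def top_location(trace: str):
    """(file basename, line) of the crashing frame when the trace carries
    source info (gdb with symbols); None for mdb and pstack output."""
    m = _LOCATION.search(trace)
    return (os.path.basename(m.group(1)), int(m.group(2))) if m else None


def group_reports(reports: dict) -> dict:
    """{signature: [report names]} over a set of named traces."""
    groups = {}
    for name, trace in reports.items():
        groups.setdefault(crash_signature(trace), []).append(name)
    return groups


# Abridged copies (first frames only) of the traces posted in this report.
GDB_5_2_0 = """\
#0  _zval_ptr_dtor (zval_ptr=0xffffffff7fffd1a0)
    at /data/src/build/php-5.2.0/Zend/zend_execute_API.c:412
#1  0xffffffff78abd1c8 in zend_do_fcall_common_helper_SPEC (
    execute_data=0xffffffff7fffd438)
    at /data/src/build/php-5.2.0/Zend/zend_execute.h:149
#2  0xffffffff78aac2dc in execute (op_array=0xffffffff7fffe660)
#3  0xffffffff78a8e1a8 in zend_execute_scripts (type=5034360,
"""
MDB_5_2_0 = """\
libphp5.2.0.so`_zval_ptr_dtor+0x14(ffffffff7fffe618, 100455bf8, 0, 0, 0, 1)
libphp5.2.0.so`zend_do_fcall_common_helper_SPEC+0x364(ffffffff7fffe720, 0, 0,
1004459f8, 0, 0)
libphp5.2.0.so`execute+0x160(1004553b0, ffffffff7ffff068, ffffffff79053360,
ffffffff7fffe94c, 4, 0)
libphp5.2.0.so`zend_execute_scripts+0x128(8, 0, 3, ffffffff792b7780,
"""
PSTACK_5_3_4 = """\
 0030f1c8 _zval_ptr_dtor (ffbfef2c, 68be70, 0, 0, 1, 0) + 8
 0036933c zend_do_fcall_common_helper_SPEC (7e6710, 0, 648630, fffffff8, 18, 7e6d14) + 364
 00345e3c execute  (68b7d8, 68b790, 3b, 6798a8, 648ce8, 2) + 1e0
 0031b534 zend_execute_scripts (8, 6783dc, 3, 1, ffbff708, 68b790) + 70
"""
GDB_5_3_4 = """\
#0  _zval_ptr_dtor (zval_ptr=0xffbfef2c) at /export/home/devel/php-5.3.4/Zend/zend.h:385
#1  0x00369344 in zend_do_fcall_common_helper_SPEC (execute_data=0x7e6710) at /export/home/devel/php-5.3.4/Zend/zend_execute.h:318
#2  0x00345e44 in execute (op_array=0x68b7d8) at /export/home/devel/php-5.3.4/Zend/zend_vm_execute.h:107
#3  0x0031b53c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /export/home/devel/php-5.3.4/Zend/zend.c:1194
"""
REPORTS = {"gdb 5.2.0": GDB_5_2_0, "mdb 5.2.0": MDB_5_2_0,
           "pstack 5.3.4": PSTACK_5_3_4, "gdb 5.3.4": GDB_5_3_4}

if __name__ == "__main__":
    for sig, names in group_reports(REPORTS).items():
        print(" > ".join(sig), "<-", ", ".join(names))
    for name, trace in REPORTS.items():
        print(name, top_location(trace))
```

Run as is, all four traces fall into one group, `_zval_ptr_dtor > zend_do_fcall_common_helper_SPEC > execute`, which is the evidence for treating the 5.3.4 comment as the same issue rather than a new one. The source location differs between versions (`zend_execute_API.c:412` in 5.2.0, `zend.h:385` in 5.3.4) because the refcount decrement moved between releases, so a signature built on file:line would wrongly split them; function names are the more stable key. A signature depth of three is deliberately shallow: the frames below `execute` differ between the Apache handler and the CLI, and that difference is not part of the crash.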