PHP :: Bug #52678 :: Segmentation fault on scripts execution

Bug #52678

Segmentation fault on scripts execution

Submitted:

2010-08-23 16:08 UTC

Modified:

2013-02-18 00:34 UTC

Votes:	3
Avg. Score:	4.3 ± 0.9
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

andrzej dot pruszynski at autodesk dot com

Assigned:

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

5.3.3

OS:

Solaris 5.10, Spark

Private report:

CVE-ID:

None

View Developer Edit

[2010-08-23 16:08 UTC] andrzej dot pruszynski at autodesk dot com

Description:
------------
Reading bug reports I've seen #47230, similar, near one year ago.
Apparently there is a problem with memory alignment. I used gcc 4.2.3
and make 3.81 from gcc installation.

Non of system script in CL mode can be executed. In my example script,
when commentting out 'sleep()', there is no crash.

- version ---------------------------------------------------------------
bash-3.2$ sapi/cli/php --version
PHP 5.3.3 (cli) (built: Aug 20 2010 07:45:05)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

- phpinfo() -------------------------------------------------------------
System => SunOS csdev10 5.10 Generic_142900-02 sun4u
Build Date => Aug 20 2010 07:40:16
Configure Command =>  './configure'  '--without-iconv' '--disable-phar'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => (none)
Scan this dir for additional .ini files => (none)
Additional .ini files parsed => (none)
PHP API => 20090626
PHP Extension => 20090626
Zend Extension => 220090626
Zend Extension Build => API220090626,NTS
PHP Extension Build => API20090626,NTS
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => disabled



Test script:
---------------
<?php
echo "One\n";
sleep(1);
echo "Two\n";
?>


Expected result:
----------------
Text output: 'One, Two'.

Actual result:
--------------
bash-3.2$ gdb ./sapi/cli/php
GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10"...
(gdb) set args "test01.php"
(gdb) run
Starting program: /local/users/andrzejp/php-5.3.3/sapi/cli/php "test01.php"
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
warning: Lowest section in /lib/libpthread.so.1 is .dynamic at 00000074
One

Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0xffbfef3c)
    at /local/users/andrzejp/php-5.3.3/Zend/zend.h:385
warning: Source file is more recent than executable.
385                     return --pz->refcount__gc;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0xffbfef3c)
    at /local/users/andrzejp/php-5.3.3/Zend/zend.h:385
#1  0x002a6830 in zend_do_fcall_common_helper_SPEC (execute_data=0x6dcc70)
    at /local/users/andrzejp/php-5.3.3/Zend/zend_execute.h:318
#2  0x0027a1d0 in execute (op_array=0x5a5d38)
    at /local/users/andrzejp/php-5.3.3/Zend/zend_vm_execute.h:107
#3  0x002565bc in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/users/andrzejp/php-5.3.3/Zend/zend.c:1194
#4  0x002034ac in php_execute_script (primary_file=0xffbff718)
    at /local/users/andrzejp/php-5.3.3/main/main.c:2260
#5  0x002e779c in main (argc=2, argv=0xffbff83c)
    at /local/users/andrzejp/php-5.3.3/sapi/cli/php_cli.c:1192

Patches

zend_execute.h.patch (last revision 2010-08-26 14:20 UTC by andrzej dot pruszynski at autodesk dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-08-25 14:04 UTC] andrzej dot pruszynski at autodesk dot com

Culprit is in zend_vm_stack_clear_multiple() fuction from Zend/zend_execute.h.
Here is the corrected one ['*p = NULL' is moved down one line, after 'zval *q = *(zval **)(--p)' assignment].


static inline void zend_vm_stack_clear_multiple(TSRMLS_D)
{
        void **p = EG(argument_stack)->top - 1;
        int delete_count = (int)(zend_uintptr_t) *p;

        while (--delete_count>=0) {
                zval *q = *(zval **)(--p);
                zval_ptr_dtor(&q);
                *p = NULL;
        }

        zend_vm_stack_free_int(p TSRMLS_CC);
}

So it seems not be memory alignment problem but GCC optimization problem. I suggest it is globally fixed in the code this way, as all Solaris Spark 64 bit can be affected by gcc optimization 'problem'.

[2010-08-25 14:20 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2010-08-25 14:20 UTC] pajoye@php.net

Can you provide a patch against 5.3 please?

[2013-02-18 00:34 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 11 07:00:01 2025 UTC