Bug #77099 PHP crashes with segfault
Submitted: 2018-11-03 14:58 UTC
Modified: 2021-05-28 11:30 UTC
Votes: 3
Avg. Score: 4.3 ± 0.5
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: info at phpgangsta dot de
Assigned: cmb
Status: Not a bug
Package: Pspell related
PHP Version: 7.2.11
OS: Ubuntu 18.04
Private report: No
CVE-ID: None
 [2018-11-03 14:58 UTC] info at phpgangsta dot de
Description:
------------
If I use pspell for spellchecking, it sometimes crashes with a segfault. Every 3-5 times I call the script via Apache, Apache crashes:

[Sat Nov 03 15:36:12.592943 2018] [core:notice] [pid 5264] AH00051: child pid 29189 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sat Nov 03 15:37:33.689349 2018] [core:notice] [pid 5264] AH00051: child pid 29965 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sat Nov 03 15:40:12.879852 2018] [core:notice] [pid 5264] AH00051: child pid 30367 exit signal Segmentation fault (11), possible coredump in /etc/apache2

The small script below can reproduce the problem: If you call it from outside via HTTP, it crashes every 3-5 requests:

curl https://url.de/spellchecker.php

See segmentation faults above.

$ php -v
PHP 7.2.11-3+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Oct 25 2018 06:44:08) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.11-3+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies


It seems to just happen with de_DE. If I change it to en_US, it does not crash. Maybe it has to do with umlauts or similar?
Interestingly I'm not able to reproduce it on the command line...

Segmentation fault also happens on Ubuntu 16.04 with PHP 7.1:

$ php -v
PHP 7.1.23-3+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Oct 25 2018 06:43:19) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.23-3+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Test script:
---------------
<?php
// de_DE dictionary, no spelling variant or jargon, UTF-8 input, PSPELL_FAST mode.
$plink = pspell_new('de_DE', "", "", "utf-8", PSPELL_FAST);
// Asking for suggestions on a word the dictionary cannot match is the call that crashes.
pspell_suggest($plink, '___');

Expected result:
----------------
no crash

Actual result:
--------------
crash with segmentation fault

History

 [2019-08-13 09:33 UTC] ih at vollzeitjobs dot de
I'm experiencing the same, the small test script crashes every 3-5 times I call it.

Debian 9.9 
ii  php7.3                         7.3.8-1+0~20190807.43+debian9~1.gbp7731bf
ii  php7.3-pspell                  7.3.8-1+0~20190807.43+debian9~1.gbp7731bf 


PHP 7.3.8-1+0~20190807.43+debian9~1.gbp7731bf (cli) (built: Aug  7 2019 19:46:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.8, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.8-1+0~20190807.43+debian9~1.gbp7731bf, Copyright (c) 1999-2018, by Zend Technologies

---

Aug 13 11:30:55 jobs-herford kernel: [353562.678985] traps: php-fpm7.3[8795] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0
Aug 13 11:30:57 jobs-herford kernel: [353563.968722] traps: php-fpm7.3[8845] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:30:58 jobs-herford kernel: [353565.366368] traps: php-fpm7.3[8801] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:31:03 jobs-herford kernel: [353570.736281] traps: php-fpm7.3[8857] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:31:05 jobs-herford kernel: [353572.048257] php-fpm7.3[8851]: segfault at 8 ip 00007f1fc1622828 sp 00007fffa675bfe0 error 4 in libaspell.so.15.2.0[7f1fc15a8000+a3000]
Aug 13 11:31:06 jobs-herford kernel: [353573.510952] traps: php-fpm7.3[8842] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0
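The kernel lines above already contain enough to attribute the crash without a core dump. The following script is an added example and not part of this bug report: it parses the Apache AH00051 notice and the two kernel message shapes, attributes the module-less "general protection" faults to libaspell by checking whether their ip lies inside the [base+size] mapping that the one "segfault" line reports, decodes the page-fault error code, and computes the module-relative offset (ip - base) that addr2line or objdump need. The sample input is the set of lines quoted in this thread; the only assumption is that the php-fpm workers share one mapping, which holds because they are forked from a single master process (a master restart between lines would change the base).

```python
import re
from collections import Counter

# Lines quoted earlier in this report, embedded as a constructed sample so the
# script runs offline; on a real host feed it the Apache error log and
# `journalctl -k` / dmesg output instead.
SAMPLE_LINES = [
    "[Sat Nov 03 15:36:12.592943 2018] [core:notice] [pid 5264] AH00051: child pid 29189 exit signal Segmentation fault (11), possible coredump in /etc/apache2",
    "Aug 13 11:30:55 jobs-herford kernel: [353562.678985] traps: php-fpm7.3[8795] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0",
    "Aug 13 11:30:57 jobs-herford kernel: [353563.968722] traps: php-fpm7.3[8845] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0",
    "Aug 13 11:31:05 jobs-herford kernel: [353572.048257] php-fpm7.3[8851]: segfault at 8 ip 00007f1fc1622828 sp 00007fffa675bfe0 error 4 in libaspell.so.15.2.0[7f1fc15a8000+a3000]",
    "Aug 13 11:31:06 jobs-herford kernel: [353573.510952] traps: php-fpm7.3[8842] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0",
]

# Apache notice for a worker killed by a signal.
APACHE_RE = re.compile(
    r"AH00051: child pid (?P<pid>\d+) exit signal (?P<signal>[A-Za-z ]+?) \((?P<signo>\d+)\)"
)
# Kernel page-fault report, which names the mapping the faulting ip lies in.
KERNEL_SEGV_RE = re.compile(
    r"(?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<module>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# Kernel general-protection report: same ip/sp fields, but no module.
KERNEL_GP_RE = re.compile(
    r"traps: (?P<proc>[\w.+-]+)\[(?P<pid>\d+)\] general protection "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+)"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a crash line."""
    m = APACHE_RE.search(line)
    if m:
        return {"source": "apache", "pid": int(m["pid"]), "kind": m["signal"],
                "ip": None, "module": None}
    m = KERNEL_SEGV_RE.search(line)
    if m:
        return {"source": "kernel", "pid": int(m["pid"]), "kind": "segfault",
                "addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
                "err": int(m["err"]), "module": m["module"],
                "base": int(m["base"], 16), "size": int(m["size"], 16)}
    m = KERNEL_GP_RE.search(line)
    if m:
        return {"source": "kernel", "pid": int(m["pid"]), "kind": "general protection",
                "ip": int(m["ip"], 16), "err": int(m["err"]), "module": None}
    return None


def decode_page_fault_error(err):
    """Decode the x86 page-fault error code printed after 'error':
    bit 0 = page was present (protection violation), bit 1 = write access,
    bit 2 = fault taken in user mode. 'error 4' is a user-mode read of an
    unmapped address, consistent with 'segfault at 8' (NULL + 8)."""
    return {"present": bool(err & 1), "write": bool(err & 2), "user": bool(err & 4)}


def attribute_events(lines):
    """Parse all lines and attribute module-less faults to a module whose mapping
    covers their ip. php-fpm workers are forked from one master, so a mapping
    reported for one worker pid applies to its siblings (assumption: no master
    restart in between). Returns the event list and a per-module Counter."""
    events = [e for e in map(parse_line, lines) if e is not None]
    mappings = {e["module"]: (e["base"], e["size"]) for e in events if e["module"]}
    for e in events:
        if e["ip"] is None or e["module"] is not None:
            continue
        for module, (base, size) in mappings.items():
            if base <= e["ip"] < base + size:
                e.update(module=module, base=base, size=size)
                break
    counts = Counter(e["module"] or "<unattributed>"
                     for e in events if e["source"] == "kernel")
    return events, counts


def module_offsets(events):
    """Distinct (module, ip - base) pairs: the module-relative addresses to hand
    to `addr2line -e <lib> <offset>` or `objdump -d --start-address=<offset>`."""
    return sorted({(e["module"], e["ip"] - e["base"])
                   for e in events if e["module"] and e["ip"] is not None})


if __name__ == "__main__":
    evs, per_module = attribute_events(SAMPLE_LINES)
    print(dict(per_module))
    for module, off in module_offsets(evs):
        print(f"{module}+{off:#x}")
```

On the quoted lines every kernel fault lands inside the libaspell.so.15.2.0 mapping, at two offsets (0x7a7ec and 0x7a828), which is the same conclusion nikic reaches below from valgrind. To symbolize them, run addr2line against the exact libaspell build from the affected host with its debug symbols installed; an offset computed from one build is meaningless against another.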
 [2019-08-13 09:57 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-08-13 09:57 UTC] nikic@php.net
Confirming the crash after a couple of reloads. Valgrind also produces the following error on a simple run:

==18344== Conditional jump or move depends on uninitialised value(s)
==18344==    at 0x57D5F28: aspeller::AffixMgr::suffix_check(aspeller::LookupInfo const&, acommon::ParmString, acommon::CheckInfo&, aspeller::GuessInfo*, int, aspeller::AffEntry*) const (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57D676A: aspeller::AffixMgr::affix_check(aspeller::LookupInfo const&, acommon::ParmString, acommon::CheckInfo&, aspeller::GuessInfo*) const (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57AF79F: ??? (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57B3965: ??? (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57C2103: aspeller::SpellerImpl::suggest(acommon::MutableString) (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57EA6CB: aspell_speller_suggest (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x713C26: zif_pspell_suggest (pspell.c:536)
==18344==    by 0xA7C44B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==18344==    by 0xB0311D: execute_ex (zend_vm_execute.h:59747)
==18344==    by 0xB08529: zend_execute (zend_vm_execute.h:63776)
==18344==    by 0xA179D5: zend_execute_scripts (zend.c:1498)
==18344==    by 0x97B072: php_execute_script (main.c:2599)

This looks like a bug in libaspell to me.
 [2021-03-16 18:33 UTC] mason dot malone at gmail dot com
We ran into this too, and I'm pretty sure it's due to the following bug in libaspell: https://github.com/GNUAspell/aspell/issues/496

The fix was released as version 0.60.8. I confirmed that installing that fixes the issue locally, but updating our Debian servers is going to be tricky since that version isn't in Debian stable and hasn't been backported as far as I can tell.
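For hosts that cannot be updated yet, a deploy or health check can at least refuse to enable pspell on an affected libaspell. The following is an added example, not code from this report or from PHP: it parses the version out of `aspell --version` output (assumed banner form "... (but really Aspell X.Y.Z)") and compares it against 0.60.8, the release named above as carrying the fix. Caveat: the aspell command-line binary and the libaspell that php-pspell links against can come from different builds, so on Debian the shared-library package version is the more precise thing to check; this script assumes they match.

```python
import re
import shutil
import subprocess

# First release carrying the fix for GNUAspell/aspell#496, per the comment above.
FIXED_IN = (0, 60, 8)

# `aspell --version` is assumed to print a banner of the form
#   @(#) International Ispell Version 3.1.20 (but really Aspell 0.60.8)
# and this extracts the dotted Aspell version from it.
BANNER_RE = re.compile(r"Aspell (\d+(?:\.\d+)+)")


def parse_aspell_version(banner):
    """Return the Aspell version as a tuple of ints, or None if none is found."""
    m = BANNER_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def has_issue_496_fix(version):
    """True for 0.60.8 and later. Tuple comparison orders 0.60.7.1 < 0.60.8 and
    0.60.8 <= 0.60.8.1 correctly, which a plain string comparison would not."""
    return tuple(version) >= FIXED_IN


def installed_aspell_is_fixed():
    """Probe the aspell binary on PATH. Returns True/False, or None when no
    binary is found or its banner cannot be parsed. Assumes the CLI and the
    libaspell loaded by php-pspell come from the same build."""
    if shutil.which("aspell") is None:
        return None
    proc = subprocess.run(["aspell", "--version"], capture_output=True, text=True)
    version = parse_aspell_version(proc.stdout)
    return None if version is None else has_issue_496_fix(version)


if __name__ == "__main__":
    state = installed_aspell_is_fixed()
    print({None: "aspell not found", True: "fixed", False: "affected"}[state])
```

Wire `installed_aspell_is_fixed()` into whatever runs before the web worker pool starts; a False result should keep the spellcheck endpoint disabled rather than let every third request kill a worker.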
 [2021-05-28 11:30 UTC] cmb@php.net
-Status: Verified +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2021-05-28 11:30 UTC] cmb@php.net
> This looks like a bug in libaspell to me.

That.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC