Bug #63741 Crash when autoloading from spl
Submitted: 2012-12-11 15:26 UTC Modified: 2012-12-14 09:16 UTC
From: bobwei9 at hotmail dot com Assigned: dmitry (profile)
Status: Closed Package: SPL related
PHP Version: master-Git-2012-12-11 (Git) OS: Mac OS X Mountain Lion
Private report: No CVE-ID: None
 [2012-12-11 15:26 UTC] bobwei9 at hotmail dot com
Description:
------------
When calling the index.php of a fresh MediaWiki (Version 1.18.0) install, PHP segfaults. I know, 1.18.0 is an old version, but it shouldn't crash.

Test script:
---------------
normal MediaWiki 1.18.0 install

Expected result:
----------------
No segmentation fault...

Actual result:
--------------
wiki root# gdb --args php index.php
GNU gdb 6.3.50-20050815 (Apple version gdb-1821) (Fri Jun 29 16:14:03 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ............

........ done

(gdb) run
Starting program: /usr/bin/php index.php
Reading symbols for shared libraries +++++++++++++++++++++....................................................................................................................................... done
Reading symbols for shared libraries . done
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/extensions/debug-zts-20121204/apc.so' - dlopen(/usr/lib/php/extensions/debug-zts-20121204/apc.so, 9): Symbol not found: _apc_globals_id
  Referenced from: /usr/lib/php/extensions/debug-zts-20121204/apc.so
  Expected in: flat namespace
 in /usr/lib/php/extensions/debug-zts-20121204/apc.so in Unknown on line 0
Reading symbols for shared libraries . done
PHP Warning:  PHP Startup: pthreads: Unable to initialize module
Module compiled with module API=20121113
PHP    compiled with module API=20121204
These options need to match
 in Unknown on line 0
PHP Notice:  Undefined index: HTTP_HOST in /[...]/wiki/LocalSettings.php on line 44
PHP Notice:  Undefined index: REQUEST_METHOD in /[...]/wiki/includes/Setup.php on line 387

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000007000001f8
0x00000001008fb936 in instanceof_function_ex (instance_ce=0x700000008, ce=0x10264a818, interfaces_only=0 '\0', tsrm_ls=0x101710ed0) at zend_operators.c:1720
1720		for (i=0; i<instance_ce->num_interfaces; i++) {
(gdb) bt
#0  0x00000001008fb936 in instanceof_function_ex (instance_ce=0x700000008, ce=0x10264a818, interfaces_only=0 '\0', tsrm_ls=0x101710ed0) at zend_operators.c:1720
#1  0x00000001008fb9e5 in instanceof_function (instance_ce=0x700000008, ce=0x10264a818, tsrm_ls=0x101710ed0) at zend_operators.c:1740
#2  0x00000001008fb919 in instanceof_function_ex (instance_ce=0x1025b8400, ce=0x10264a818, interfaces_only=0 '\0', tsrm_ls=0x101710ed0) at zend_operators.c:1721
#3  0x00000001008fb9e5 in instanceof_function (instance_ce=0x1025b8400, ce=0x10264a818, tsrm_ls=0x101710ed0) at zend_operators.c:1740
#4  0x0000000100934457 in zend_call_method (object_pp=0x0, obj_ce=0x10264a818, fn_proxy=0x1026735d0, function_name=0x102673558 "autoloader::autoload", function_name_len=21, retval_ptr_ptr=0x7fff5fbfd698, param_count=1, arg1=0x1029fe810, arg2=0x0, tsrm_ls=0x101710ed0) at zend_interfaces.c:89
#5  0x00000001005a6128 in zif_spl_autoload_call (ht=1, return_value=0x1029fe890, return_value_ptr=0x7fff5fbfdf48, this_ptr=0x0, return_value_used=1, tsrm_ls=0x101710ed0) at php_spl.c:436
#6  0x00000001008e7023 in zend_call_function (fci=0x7fff5fbfdee8, fci_cache=0x7fff5fbfdec0, tsrm_ls=0x101710ed0) at zend_execute_API.c:979
#7  0x00000001008e814a in zend_lookup_class_ex (name=0x1029f2670 "Hooks", name_length=5, key=0x1029f2278, use_autoload=1, ce=0x7fff5fbfdfe0, tsrm_ls=0x101710ed0) at zend_execute_API.c:1129
#8  0x00000001008e9f2e in zend_fetch_class_by_name (class_name=0x1029f2670 "Hooks", class_name_len=5, key=0x1029f2278, fetch_type=0, tsrm_ls=0x101710ed0) at zend_execute_API.c:1609
#9  0x0000000100978c23 in ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_CONST_HANDLER (execute_data=0x102207280, tsrm_ls=0x101710ed0) at zend_vm_execute.h:3550
#10 0x0000000100963fe2 in execute_ex (execute_data=0x102207280, tsrm_ls=0x101710ed0) at zend_vm_execute.h:356
#11 0x00000001009650fc in zend_execute (op_array=0x102239b30, tsrm_ls=0x101710ed0) at zend_vm_execute.h:381
#12 0x0000000100905463 in zend_execute_scripts (type=8, tsrm_ls=0x101710ed0, retval=0x0, file_count=3) at zend.c:1309
#13 0x00000001008215ac in php_execute_script (primary_file=0x7fff5fbff798, tsrm_ls=0x101710ed0) at main.c:2468
#14 0x0000000100b2e98f in do_cli (argc=2, argv=0x7fff5fbffa88, tsrm_ls=0x101710ed0) at php_cli.c:988
#15 0x0000000100b30a3e in main (argc=2, argv=0x7fff5fbffa88) at php_cli.c:1364
(gdb) source /var/root/php-src/.gdbinit
(gdb) zbacktrace
[0x7fff5fbfd928] spl_autoload_call("Hooks") 
[0x102207280] wfRunHooks() /[...]/wiki/includes/GlobalFunctions.php:3631 
[0x102207108] wfRunHooks("Debug", array(2)[0x1029fe790]) /[...]/wiki/includes/GlobalFunctions.php:711 
[0x102206810] wfDebug("Start\40request\12\12\40index.php\12HTTP\40HEADERS:\12\12") /[...]/wiki/includes/Setup.php:396 
[0x102202e50] ??? /[...]/wiki/includes/WebStart.php:157 
[0x102202388] ??? /[...]/wiki/index.php:53 

Patches

bug63741.phpt (last revision 2012-12-14 06:29 UTC by bobwei9 at hotmail dot com)
bug63741.patch (last revision 2012-12-14 02:33 UTC by laruence@php.net)

History

 [2012-12-12 04:15 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-12-12 04:15 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Where is the index.php?
 [2012-12-12 09:15 UTC] bobwei9 at hotmail dot com
-Status: Feedback +Status: Open
 [2012-12-12 09:15 UTC] bobwei9 at hotmail dot com
In the base directory of the install. An autoloader defined previously with spl_autoload_register is called in GlobalFunctions.php (see the zbacktrace in the opening post) and then crashes.
In the evening I'll try to create a smaller reproduction script if needed.
 [2012-12-12 10:16 UTC] laruence@php.net
yes, it's needed :), thanks
 [2012-12-12 18:33 UTC] bobwei9 at hotmail dot com
<?php

// Second pass: when this file is included from inside the autoloader below,
// $autoload is visible (include runs in the including method's scope), so
// only the requested class is declared and the rest of the file is skipped.
if (isset($autoload))
{
        class ClassToLoad
        {
                static function func ()
                {
                        print "OK!\n";
                }
        }
        return;
}

// Autoloader registered as a static method. It re-includes this same file
// with $autoload set so that the guarded class definition above is compiled.
class autoloader
{
        static function autoload($classname)
        {
                print "autoloaded\n";
                $autoload = true;
                include __FILE__;
        }
}

spl_autoload_register(["autoloader", "autoload"]);

// The autoload is triggered by a static call made from inside a plain
// function rather than from a class; see the reporter's note below.
function main()
{
        ClassToLoad::func();
}

main();


=>

Segmentation fault: 11 (core dumped)

Segfault if called from a function (≠ in a class)

Can you reproduce this? Or do you need more info?
 [2012-12-13 02:49 UTC] laruence@php.net
Unfortunately, I cannot reproduce it. Instead I got a FATAL ERROR:

cannot redeclare function main ....
 [2012-12-13 06:36 UTC] bobwei9 at hotmail dot com
I get the same backtrace every time... Is it perhaps OS-dependent? The phpinfo() is here: http://bobweinand.no-ip.org/phpinfo.php
instance_ce seems wrong: for example instance_ce->num_interfaces had a value of 2^32-1.

#0  0x00000001008fb936 in instanceof_function_ex (instance_ce=0x5a5a5a5a00000000, ce=0x10223d8f0, interfaces_only=0 '\0', tsrm_ls=0x101710f20) at zend_operators.c:1720
#1  0x00000001008fb9e5 in instanceof_function (instance_ce=0x5a5a5a5a00000000, ce=0x10223d8f0, tsrm_ls=0x101710f20) at zend_operators.c:1740
#2  0x0000000100934457 in zend_call_method (object_pp=0x0, obj_ce=0x10223d8f0, fn_proxy=0x10223f170, function_name=0x10223c418 "autoloader::autoload", function_name_len=21, retval_ptr_ptr=0x7fff5fbfd628, param_count=1, arg1=0x10223ada0, arg2=0x0, tsrm_ls=0x101710f20) at zend_interfaces.c:89
#3  0x00000001005a6128 in zif_spl_autoload_call (ht=1, return_value=0x102237d18, return_value_ptr=0x7fff5fbfded8, this_ptr=0x0, return_value_used=1, tsrm_ls=0x101710f20) at php_spl.c:436
#4  0x00000001008e7023 in zend_call_function (fci=0x7fff5fbfde78, fci_cache=0x7fff5fbfde50, tsrm_ls=0x101710f20) at zend_execute_API.c:979
#5  0x00000001008e814a in zend_lookup_class_ex (name=0x10223dea8 "ClassToLoad", name_length=11, key=0x10223e008, use_autoload=1, ce=0x7fff5fbfdf70, tsrm_ls=0x101710f20) at zend_execute_API.c:1129
#6  0x00000001008e9f2e in zend_fetch_class_by_name (class_name=0x10223dea8 "ClassToLoad", class_name_len=11, key=0x10223e008, fetch_type=0, tsrm_ls=0x101710f20) at zend_execute_API.c:1609
#7  0x0000000100978c23 in ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_CONST_HANDLER (execute_data=0x102202358, tsrm_ls=0x101710f20) at zend_vm_execute.h:3550
#8  0x0000000100963fe2 in execute_ex (execute_data=0x102202358, tsrm_ls=0x101710f20) at zend_vm_execute.h:356
#9  0x00000001009650fc in zend_execute (op_array=0x102239d98, tsrm_ls=0x101710f20) at zend_vm_execute.h:381
#10 0x0000000100905463 in zend_execute_scripts (type=8, tsrm_ls=0x101710f20, retval=0x0, file_count=3) at zend.c:1309
#11 0x00000001008215ac in php_execute_script (primary_file=0x7fff5fbff728, tsrm_ls=0x101710f20) at main.c:2468
#12 0x0000000100b2e98f in do_cli (argc=2, argv=0x7fff5fbffa18, tsrm_ls=0x101710f20) at php_cli.c:988
#13 0x0000000100b30a3e in main (argc=2, argv=0x7fff5fbffa18) at php_cli.c:1364
 [2012-12-13 08:12 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-12-13 08:12 UTC] laruence@php.net
@bobwei9 hmm, it seems EG(called_scope) was polluted somewhere. Maybe you can break at zend_execute, then watch executor_globals->called_scope and find the place where it became 0x5a5a5a5a00000.

That would be very helpful..

thanks
 [2012-12-13 08:18 UTC] laruence@php.net
oh, seems your are a zts build, then you have to find out executor_global first

it should be:
(((zend_executor_globals *) (*((void ***) tsrm_ls))[executor_globals_id-1])-
>called_scope)
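The watchpoint procedure described in the two comments above (break at zend_execute, resolve executor_globals the way TSRMG() does on a ZTS build, then watch called_scope until it changes) written out as a gdb command file. This is an added example, not part of the bug thread or of php-src; it assumes a debug ZTS build of the PHP CLI with symbols, the reproduction script saved as bug63741.php (a hypothetical file name), and the php-src .gdbinit path from the report, which defines the zbacktrace command used there.

```gdb
# Assumed usage:  gdb -q -x watch_called_scope.gdb --args php bug63741.php
# Runs the script until EG(called_scope) changes, printing C and PHP-level
# backtraces at every change, so the write just before the crash can be found.

set pagination off
# php-src ships a .gdbinit that defines zbacktrace; path taken from the report.
source /var/root/php-src/.gdbinit

# Breakpoint 1: stop at the first zend_execute so that tsrm_ls (the thread
# storage pointer of this ZTS build) is in scope before any PHP code runs.
break zend_execute
run

# Resolve executor_globals exactly as TSRMG() does on a ZTS build and keep the
# address in a convenience variable, so the watchpoint does not depend on the
# zend_execute frame still being live.
set $eg = (zend_executor_globals *) (*((void ***) tsrm_ls))[executor_globals_id - 1]
printf "executor_globals at %p, called_scope = %p\n", $eg, $eg->called_scope

# Watchpoint 2: a hardware watchpoint on the field; gdb stops whenever the
# stored value changes. The zend_execute breakpoint is no longer needed.
watch $eg->called_scope
delete 1

# Optional filter: stop only when the high 32 bits take the 0x5a5a5a5a value
# seen in the second backtrace of the report (uncomment to reduce the noise,
# at the cost of missing intermediate bogus values such as 0x700000008).
# condition 2 (((unsigned long) $eg->called_scope) >> 32) == 0x5a5a5a5a

# At every change: show the C frames that performed the write and the PHP
# frames they were executing, then keep going until EXC_BAD_ACCESS / SIGSEGV.
commands 2
  bt 8
  zbacktrace
  continue
end
continue
```

called_scope is legitimately rewritten on every static and method call, so expect many stops before the crash; the last change reported before gdb stops on the EXC_BAD_ACCESS in instanceof_function_ex is the one that left the dangling value, and its `bt 8` output names the C function that wrote it. On a non-ZTS build the convenience variable would simply be `set $eg = &executor_globals`.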
 [2012-12-13 08:19 UTC] laruence@php.net
However, it would be better if you could provide access to a reproducible box (via mail) :)

thanks
 [2012-12-14 02:33 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug63741.patch
Revision:   1355452419
URL:        https://bugs.php.net/patch-display.php?bug=63741&patch=bug63741.patch&revision=1355452419
 [2012-12-14 02:33 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug63741.patch
Revision:   1355452420
URL:        https://bugs.php.net/patch-display.php?bug=63741&patch=bug63741.patch&revision=1355452420
 [2012-12-14 02:36 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2012-12-14 09:16 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2012-12-14 09:16 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 02:01:28 2024 UTC