Bug #76183 3 Coredumps when running make test on Solaris 11.4/SPARC
Submitted: 2018-04-04 11:09 UTC Modified: 2021-08-02 10:57 UTC
From: stadtkind2 at gmx dot de Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.2.4 OS: Solaris 11.4 Beta SPARC
Private report: No CVE-ID: None
 [2018-04-04 11:09 UTC] stadtkind2 at gmx dot de
Description:
------------
First core:

Test -> php-7.2.4/ext/mbstring/tests/mb_ereg_replace-compat-06.php

program terminated by signal SEGV (no mapping at the fault address) (fault address is just beyond end of stack)
Current function is match_at
 2476         STATE_CHECK_VAL(scv, mem);
(dbx) where
=>[1] match_at(reg = 0xb0000015ac12df10, str = 0x1ffe6581070838 "abc+-|=123", end = 0x1ffe6581070842 "", right_range = 0x1ffe6581070842 "", sstart = 0x1ffe6581070838 "abc+-|=123", sprev = 0x1ffe658107083f "123", msa = 0xfffffe416c062608), line 2476 in "regexec.c"
  [2] onig_search(reg = 0xb0000015ac12df10, str = 0x1ffe6581070838 "abc+-|=123", end = 0x1ffe6581070842 "", start = 0x1ffe6581070838 "abc+-|=123", range = 0x1ffe6581070842 "", region = 0xc0000015ac12dc60, option = 0), line 3655 in "regexec.c"
  [3] _php_mb_regex_ereg_replace_exec(execute_data = 0x1ffe658101d090, return_value = 0x1ffe658101d080, options = 12U, is_callable = 0), line 924 in "php_mbregex.c"
  [4] zif_mb_ereg_replace(execute_data = 0x1ffe658101d090, return_value = 0x1ffe658101d080), line 1067 in "php_mbregex.c"
  [5] ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(execute_data = 0x1ffe658101d030), line 617 in "zend_vm_execute.h"
  [6] execute_ex(ex = 0x1ffe658101d030), line 59723 in "zend_vm_execute.h"
  [7] zend_execute(op_array = 0x1ffe65810802a0, return_value = (nil)), line 63760 in "zend_vm_execute.h"
  [8] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = 0x181066060, ...), line 1496 in "zend.c"
  [9] php_execute_script(primary_file = 0xfffffe416c063df8), line 2590 in "main.c"
  [10] do_cli(argc = 66, argv = 0x40000015abf339a0), line 1011 in "php_cli.c"
  [11] main(argc = 66, argv = 0x40000015abf339a0), line 1404 in "php_cli.c"


2nd core:

Test -> php-7.2.4/ext/mbstring/tests/mb_ereg_variation5.php

program terminated by signal SEGV (no mapping at the fault address) (fault address is just beyond end of stack)
Current function is match_at
 2476         STATE_CHECK_VAL(scv, mem);
(dbx) where
=>[1] match_at(reg = 0xb000000242b24190, str = 0x1ffdbbd2c03158 "This is an English string. 0123456789.", end = 0x1ffdbbd2c0317e "", right_range = 0x1ffdbbd2c0317e "", sstart = 0x1ffdbbd2c03158 "This is an English string. 0123456789.", sprev = 0x1ffdbbd2c03171 ". 0123456789.", msa = 0xfffffe5a8e9ae338), line 2476 in "regexec.c"
  [2] onig_search(reg = 0xb000000242b24190, str = 0x1ffdbbd2c03158 "This is an English string. 0123456789.", end = 0x1ffdbbd2c0317e "", start = 0x1ffdbbd2c03158 "This is an English string. 0123456789.", range = 0x1ffdbbd2c03159 "his is an English string. 0123456789.", region = 0xd000000242b239a0, option = 0), line 3655 in "regexec.c"
  [3] _php_mb_regex_ereg_exec(execute_data = 0x1ffdbbd2c1d220, return_value = 0x1ffdbbd2c1d120, icase = 0), line 750 in "php_mbregex.c"
  [4] zif_mb_ereg(execute_data = 0x1ffdbbd2c1d220, return_value = 0x1ffdbbd2c1d120), line 786 in "php_mbregex.c"
  [5] ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(execute_data = 0x1ffdbbd2c1d030), line 617 in "zend_vm_execute.h"
  [6] execute_ex(ex = 0x1ffdbbd2c1d030), line 59723 in "zend_vm_execute.h"
  [7] zend_execute(op_array = 0x1ffdbbd2c802a0, return_value = (nil)), line 63760 in "zend_vm_execute.h"
  [8] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = 0x1d2c66060, ...), line 1496 in "zend.c"
  [9] php_execute_script(primary_file = 0xfffffe5a8e9af938), line 2590 in "main.c"
  [10] do_cli(argc = 66, argv = 0x6000000242929c20), line 1011 in "php_cli.c"
  [11] main(argc = 66, argv = 0x6000000242929c20), line 1404 in "php_cli.c"

3rd core:

Test -> php-7.2.4/ext/mbstring/tests/mb_ereg_variation7.php

program terminated by signal SEGV (ADI version 1 mismatch for VA 0x754163855f)
Current function is match_at
 2476         STATE_CHECK_VAL(scv, mem);
(dbx) where
=>[1] match_at(reg = 0x3000007541634310, str = 0x1ffd68f746f198 "Αυτό είναι ελληνικό κείμενο. 0123456789.", end = 0x1ffd68f746f1d8 "", right_range = 0x1ffd68f746f1d8 "", sstart = 0x1ffd68f746f198 "Αυτό είναι ελληνικό κείμενο. 0123456789.", sprev = 0x1ffd68f746f1ae "λληνικό κείμενο. 0123456789.", msa = 0xfffffe2a46cc8a78), line 2476 in "regexec.c"
  [2] onig_search(reg = 0x3000007541634310, str = 0x1ffd68f746f198 "Αυτό είναι ελληνικό κείμενο. 0123456789.", end = 0x1ffd68f746f1d8 "", start = 0x1ffd68f746f198 "Αυτό είναι ελληνικό κείμενο. 0123456789.", range = 0x1ffd68f746f1c6 "µÎ½Î¿. 0123456789.", region = 0xb0000075416372a0, option = 0), line 3655 in "regexec.c"
  [3] _php_mb_regex_ereg_exec(execute_data = 0x1ffd68f741d220, return_value = 0x1ffd68f741d190, icase = 0), line 750 in "php_mbregex.c"
  [4] zif_mb_ereg(execute_data = 0x1ffd68f741d220, return_value = 0x1ffd68f741d190), line 786 in "php_mbregex.c"
  [5] ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(execute_data = 0x1ffd68f741d030), line 617 in "zend_vm_execute.h"
  [6] execute_ex(ex = 0x1ffd68f741d030), line 59723 in "zend_vm_execute.h"
  [7] zend_execute(op_array = 0x1ffd68f74802a0, return_value = (nil)), line 63760 in "zend_vm_execute.h"
  [8] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = 0x1f7466060, ...), line 1496 in "zend.c"
  [9] php_execute_script(primary_file = 0xfffffe2a46cca078), line 2590 in "main.c"
  [10] do_cli(argc = 66, argv = 0x700000754143a5a0), line 1011 in "php_cli.c"
  [11] main(argc = 66, argv = 0x700000754143a5a0), line 1404 in "php_cli.c"



History
 [2018-04-04 13:17 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2018-04-04 13:17 UTC] cmb@php.net
Thanks for reporting this issue!  It might be a duplicate of bug
#75863.

Which version of Oniguruma do you use (check phpinfo())?

Could you also please try to compile a current PHP master[1], with
the bundled oniguruma?

[1] <https://github.com/php/php-src>
 [2018-04-05 06:48 UTC] stadtkind2 at gmx dot de
@cmb

Multibyte regex (oniguruma) version	6.3.0

I'm not getting very far with php-src master (coredumps near the end of gmake all) though :(

...
Generating phar.php
gmake: *** [Makefile:444: ext/phar/phar.php] Bus Error (core dumped)
gmake: *** Deleting file 'ext/phar/phar.php'

program terminated by signal BUS (invalid address alignment)
Current function is OnUpdateLong
  671           *p = zend_atol(ZSTR_VAL(new_value), ZSTR_LEN(new_value));

(dbx) where
=>[1] OnUpdateLong(entry = 0xa00000684deaaa30, new_value = 0x200000684dd87160, mh_arg1 = 0xad, mh_arg2 = 0x1ffc11e901f8c0, mh_arg3 = (nil), stage = 1), line 671 in "zend_ini.c"
  [2] zend_register_ini_entries(ini_entry = 0x1ffc11e8e68e40, module_number = 15), line 269 in "zend_ini.c"
  [3] zm_startup_mbstring(type = 1, module_number = 15), line 1567 in "mbstring.c"
  [4] zend_startup_module_ex(module = 0x800000684dde1410), line 1905 in "zend_API.c"
  [5] zend_startup_module_zval(zv = 0xb00000684dd94610), line 1920 in "zend_API.c"
  [6] zend_hash_apply(ht = 0x1ffc11e901c498, apply_func = 0x1ffc11e8a10f20 = &`php`zend_API.c`zend_startup_module_zval(zval *zv)), line 1617 in "zend_hash.c"
  [7] zend_startup_modules(), line 2031 in "zend_API.c"
  [8] php_module_startup(sf = 0x1ffc11e8e48df0, additional_modules = (nil), num_additional_modules = 0), line 2170 in "main.c"
  [9] php_cli_startup(sapi_module = 0x1ffc11e8e48df0), line 431 in "php_cli.c"
  [10] main(argc = 14, argv = 0xa00000684dd85a90), line 1371 in "php_cli.c"


(dbx) print *new_value
*new_value = {
    gc  = {
        refcount = 1U
        u        = {
            type_info = 454U
        }
    }
    h   = 9223372036854953429U
    len = 1U
    val = "0"
}
 [2018-04-05 07:53 UTC] stadtkind2 at gmx dot de
Ok, I made some compiler tweaks (building with -xmemalign=16i) and now I don't get coredumps anymore (I also built php-7.2.4 with memalign=16i and I still get coredumps there):

$ TEST_PHP_EXECUTABLE=sapi/cli/php sapi/cli/php run-tests.php ext/mbstring/tests/*.phpt
...
=====================================================================
Number of tests :  343               339
Tests skipped   :    4 (  1.2%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    2 (  0.6%) (  0.6%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :  337 ( 98.3%) ( 99.4%)
---------------------------------------------------------------------
Time taken      :   35 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #43301 (mb_ereg*_replace() crashes when replacement string is invalid PHP expression and 'e' option is used) [ext/mbstring/tests/bug43301.phpt]
Test mb_get_info() function [ext/mbstring/tests/mb_get_info.phpt]
=====================================================================
 [2018-04-05 10:54 UTC] cmb@php.net
Thanks for further testing!

Apparently, the coredump issue has been resolved in Oniguruma in
the meantime.  We prefer not to update bundled libraries in stable
PHP branches, so we'd have to apply a patch for PHP-7.2 (and maybe
PHP-7.1).  According to PR 3143[1], `StateCheckNumType` would have
to be defined as `int` on big endian platforms at least.  It is
still defined as `short int`[2] in Oniguruma 6.8.1, but is unused
as of <https://github.com/kkos/oniguruma/commit/e2e9677> (I'd
rather not apply this commit, though, since it is tagged as
refactoring).

Could you please try if changing the typedef would solve the issue
for you with PHP 7.2(.4)?

[1] <https://github.com/php/php-src/pull/3143>
[2] <https://github.com/kkos/oniguruma/blob/v6.8.1/src/regint.h#L713>
 [2018-04-05 13:15 UTC] stadtkind2 at gmx dot de
@cmb

Changing 'typedef short int StateCheckNumType' to 'typedef int StateCheckNumType' works fine. No more core dumps when running the php-7.2.4 ext/mbstring tests.

Hint: __s390x__ is not defined on Solaris/SPARC :)
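To show why the width of that typedef matters specifically on big-endian hardware such as SPARC or s390x, here is an added C example. It is my illustration, not code from the bug report, from PHP or from Oniguruma, and it assumes the failure belongs to the class where a number is stored with one integer width and read back through a narrower one; the thread only states that StateCheckNumType must be `int` rather than `short int` on big-endian platforms and does not spell out the mechanism. The typedef names WriterNumType and ReaderNumType are hypothetical.

```c
/* Added illustration (not code from the bug report, PHP or Oniguruma):
 * a value written with one integer width and read back with another gives
 * the low half on little-endian hosts but the high half on big-endian ones.
 * The writer/reader mismatch modelled here is an assumption about the class
 * of bug, not a description of Oniguruma's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The check a practitioner wants: whatever width the emitter uses, the
 * matcher must read with the same width. Both names are hypothetical. */
typedef int WriterNumType;
typedef int ReaderNumType;
_Static_assert(sizeof(WriterNumType) == sizeof(ReaderNumType),
               "emitter and reader disagree on the state-check number width");

/* Store a 32-bit value into buf in the requested byte order. */
static void store_u32(uint8_t buf[4], uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? (3 - i) * 8 : i * 8;
        buf[i] = (uint8_t)(v >> shift);
    }
}

/* Read the first two bytes of buf as a 16-bit value in the given byte
 * order: this is what a reader using the narrower type sees at the same
 * address the wider value was written to. */
static uint16_t load_u16_head(const uint8_t buf[4], int big_endian)
{
    return big_endian ? (uint16_t)((buf[0] << 8) | buf[1])
                      : (uint16_t)(buf[0] | (buf[1] << 8));
}

/* Simulate a 4-byte write followed by a 2-byte read at the same address,
 * for either byte order, so the effect is visible on any host. */
uint16_t narrow_read_after_wide_write(uint32_t value, int big_endian)
{
    uint8_t buf[4];
    store_u32(buf, value, big_endian);
    return load_u16_head(buf, big_endian);
}

/* The same experiment on the running host, punning through memcpy
 * (defined behaviour, unlike a direct cast of the pointer). */
uint16_t narrow_read_on_host(uint32_t value)
{
    uint32_t wide = value;
    uint16_t narrow;
    memcpy(&narrow, &wide, sizeof narrow);  /* first two bytes of wide */
    return narrow;
}

/* Detect the host byte order by looking at the first byte of a 1. */
int host_is_big_endian(void)
{
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

int main(void)
{
    uint32_t v = 7;  /* a small number, as a state-check index would be */
    printf("little-endian narrow reader sees %u\n",
           narrow_read_after_wide_write(v, 0));   /* 7 */
    printf("big-endian narrow reader sees    %u\n",
           narrow_read_after_wide_write(v, 1));   /* 0 */
    printf("this host (%s) sees              %u\n",
           host_is_big_endian() ? "BE" : "LE", narrow_read_on_host(v));
    return 0;
}
```

On x86 the narrow read happens to return the intended value, which is why a width mismatch of this kind survives for years on little-endian CI and only surfaces as a crash on SPARC or s390x, where the reader gets the zero high half (or, for larger values, an unrelated number) and indexes with it.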
 [2018-04-05 13:36 UTC] cmb@php.net
-Status: Feedback +Status: Verified
 [2018-04-05 13:36 UTC] cmb@php.net
Thanks again!

> Hint: __s390x__ is not defined on Solaris/SPARC :)

I had expected that.  I suggest to move further discussion to
<https://github.com/php/php-src/pull/3143>.
 [2018-07-01 14:56 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2021-08-02 10:57 UTC] cmb@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-08-02 10:57 UTC] cmb@php.net
Oniguruma is unbundled as of PHP 7.4.0, so this ticket is
obsolete.