PHP :: Bug #59255 :: Segfault with APC

Bug #59255	Segfault with APC
Submitted:	2010-06-06 16:27 UTC	Modified:	2010-06-16 10:09 UTC
From:	Jared dot Williams at ntlworld dot com	Assigned:	gopalv (profile)
Status:	Closed	Package:	APC (PECL)
PHP Version:	5_3 SVN-2010-06-06 (dev)	OS:	Ubuntu 10.04 x64
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	Jared dot Williams at ntlworld dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2010-06-06 16:27 UTC] Jared dot Williams at ntlworld dot com

Description:
------------
The second time the url containing 
http://gist.github.com/427850, is requested a segfault occurs.

PHP 5.3.3-dev (cli) (built: Jun  6 2010 20:28:37) (DEBUG 
(r300229)
APC Version 3.1.4-dev (r300049)



Reproduce code:
---------------
http://gist.github.com/427850

--

jared@ubuntu:~$ wget -O - http://127.0.0.1/APCSegfault.php
jared@ubuntu:~$ wget -O - http://127.0.0.1/APCSegfault.php

Expected result:
----------------
--2010-06-06 21:15:38--  http://127.0.0.1/APCSegfault.php
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 457 [text/html]
Saving to: `STDOUT'

 0% [                                       ] 0           --
.-K/s              <
form method="post">
        <dl>
                <dt><label for="name">Name</label></dt>
                <dd><input type="text" id="name" name="name" 
title="" required="
required" pattern="[a-zA-Z][a-zA-Z0-9]*" 
maxlength="12"/></dd>
                <dt><label 
for="password">Password</label></dt>
                <dd><input type="password" id="password" 
name="password" title="
An alpha numeric string" required="required" pattern="[a-zA-
Z0-9]+" maxlength="6
4"/></dd>
        </dl>
        <input type="submit" value="Log in"/>
100%[======================================>] 457         --
.-K/s   in 0s

2010-06-06 21:15:38 (42.8 MB/s) - written to stdout 
[457/457]

Twice.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff424f1a0 in execute (op_array=0x7ffff85c3a30, 
tsrm_ls=0x7ffff82a4e20)
    at /home/jared/Desktop/php-
5.3/Zend/zend_vm_execute.h:104
104                     if ((ret = EX(opline)-
>handler(execute_data TSRMLS_CC))
> 0) {
(gdb) bt
#0  0x00007ffff424f1a0 in execute (op_array=0x7ffff85c3a30,
    tsrm_ls=0x7ffff82a4e20)
    at /home/jared/Desktop/php-
5.3/Zend/zend_vm_execute.h:104
#1  0x00007ffff4212d58 in zend_execute_scripts (type=8,
    tsrm_ls=0x7ffff82a4e20, retval=0x0, file_count=3)
    at /home/jared/Desktop/php-5.3/Zend/zend.c:1194
#2  0x00007ffff416fbb2 in php_execute_script 
(primary_file=0x7fffffffe040,
    tsrm_ls=0x7ffff82a4e20) at /home/jared/Desktop/php-
5.3/main/main.c:2260
#3  0x00007ffff431aab0 in php_handler (r=0x7ffff8638078)
    at /home/jared/Desktop/php-
5.3/sapi/apache2handler/sapi_apache2.c:669
#4  0x00007ffff7fd6140 in ap_run_handler (r=0x7ffff8638078)
    at /build/buildd/apache2-2.2.14/server/config.c:159
#5  0x00007ffff7fd9aa8 in ap_invoke_handler 
(r=0x7ffff8638078)
    at /build/buildd/apache2-2.2.14/server/config.c:373
#6  0x00007ffff7fe7678 in ap_process_request 
(r=0x7ffff8638078)
    at /build/buildd/apache2-
2.2.14/modules/http/http_request.c:282
#7  0x00007ffff7fe4528 in ap_process_http_connection 
(c=0x7ffff85e7338)
    at /build/buildd/apache2-
2.2.14/modules/http/http_core.c:190
#8  0x00007ffff7fddcf8 in ap_run_process_connection 
(c=0x7ffff85e7338)
    at /build/buildd/apache2-2.2.14/server/connection.c:43
#9  0x00007ffff7fec037 in child_main (child_num_arg=<value 
optimized out>)
    at /build/buildd/apache2-
2.2.14/server/mpm/prefork/prefork.c:662
#10 0x00007ffff7fec306 in make_child (s=0x7ffff8214938, 
slot=0)
    at /build/buildd/apache2-
2.2.14/server/mpm/prefork/prefork.c:702
#11 0x00007ffff7fec953 in ap_mpm_run (_pconf=<value 
optimized out>,
    plog=<value optimized out>, s=<value optimized out>)
    at /build/buildd/apache2-
2.2.14/server/mpm/prefork/prefork.c:978
#12 0x00007ffff7fc2350 in main (argc=2, argv=0x7fffffffe6d8)
    at /build/buildd/apache2-2.2.14/server/main.c:742

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-06 17:09 UTC] Jared dot Williams at ntlworld dot com

It appears the problem is with the goto on line 231 in the 
code provided.

[2010-06-07 07:27 UTC] gopalv82 at yahoo dot com

I confirm that this happens with my apc/php trunk builds.

Happens in render()

I suspect that a jump offset is somehow not being rewritten properly and causing a jump into an opline which does not exist anymore.

(gdb) p *execute_data->opline
$19 = {handler = 0x5a5a5a5a,

apc_fixup_op_array_jumps probably needs a review and update.

[2010-06-07 10:19 UTC] Jared dot Williams at ntlworld dot com

Ok, reduced the test code, still segfaults on 2nd run

<?php
  $i = 0;
  while ($i < 10)
  {
loop:
    echo ++$i, "\n";

    switch ($i & 2)
    {
      case 2:
        goto loop;

      default:
        break;
    }
  }

[2010-06-14 00:51 UTC] gopalv82 at yahoo dot com

ZEND_GOTO opcode. That's definitely the culprit.

[2010-06-15 06:39 UTC] gopalv82 at yahoo dot com

Fixed, my bad.

http://news.php.net/php.pecl.cvs/14327

[2010-06-16 10:09 UTC] Jared dot Williams at ntlworld dot com

Yeah, seems fine. Cheers.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 15 21:01:32 2025 UTC