Bug #77692 Found crash when mb_convert_encoding() after creating Zookeeper instance
Submitted: 2019-03-05 01:05 UTC Modified: 2019-03-12 01:39 UTC
From: timandes@php.net Assigned: timandes (profile)
Status: Closed Package: PECL (PECL)
PHP Version: master-Git-2019-03-05 (Git) OS: CentOS Linux release 7.6.1810 (C
Private report: No CVE-ID: None
 [2019-03-05 01:05 UTC] timandes@php.net
Description:
------------
I've received a report of a strange issue:
https://github.com/php-zookeeper/php-zookeeper/issues/32

and I reproduced it in my container step by step and felt that it's not related to the Zookeeper extension. But I still cannot explain why the segmentation fault disappeared after I commented out the statement:

$zk = new \Zookeeper('127.0.0.1:2181');

----
Core dump here:
(gdb) bt
#0  0x00000000008c1bf3 in zend_mm_alloc_small (heap=0x7f9369400040, size=144, bin_num=12, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-7.3.1/Zend/zend_alloc.c:1287
#1  0x00000000008c1e8f in zend_mm_alloc_heap (heap=0x7f9369400040, size=144, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-7.3.1/Zend/zend_alloc.c:1358
#2  0x00000000008c4ab0 in _emalloc (size=112, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /root/php-7.3.1/Zend/zend_alloc.c:2498
#3  0x00007f9368c832dd in _php_mb_allocators_malloc (sz=112) at /root/php-src/ext/mbstring/mbstring.c:634
#4  0x00007f9368c80bb0 in mbfl_convert_filter_new (from=0x7f9368fbe540 <mbfl_encoding_ascii>, to=0x7f9368fbc920 <mbfl_encoding_wchar>,
    output_function=0x7f9368c79655 <mbfl_filt_conv_wchar_utf8>, flush_function=0x7f9368c814e1 <mbfl_filt_conv_common_flush>, data=0x7f936958df00)
    at /root/php-src/ext/mbstring/libmbfl/mbfl/mbfl_convert.c:177
#5  0x00007f9368c7a9a4 in mbfl_buffer_converter_new (from=0x7f9368fbe540 <mbfl_encoding_ascii>, to=0x7f9368fc2420 <mbfl_encoding_utf8>, buf_initsz=94)
    at /root/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c:145
#6  0x00007f9368c891e1 in php_mb_convert_encoding_ex (input=0x7f936958df18 "U\226\307h\223\177", length=94, to_encoding=0x7f9368fc2420 <mbfl_encoding_utf8>,
    from_encoding=0x7f9368fbe540 <mbfl_encoding_ascii>, output_len=0x7ffe7269b908) at /root/php-src/ext/mbstring/mbstring.c:2983
#7  0x00007f9368c894dd in php_mb_convert_encoding (input=0x7f936958df18 "U\226\307h\223\177", length=94, _to_encoding=0x7f93694a0918 "utf8", _from_encodings=0x7f93694d86d8 "ASCII",
    output_len=0x7ffe7269b908) at /root/php-src/ext/mbstring/mbstring.c:3057
#8  0x00007f9368c89cb5 in zif_mb_convert_encoding (execute_data=0x7f936941e750, return_value=0x7f936941e510) at /root/php-src/ext/mbstring/mbstring.c:3189
#9  0x000000000095dab0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /root/php-7.3.1/Zend/zend_vm_execute.h:892
#10 0x00000000009c528e in execute_ex (ex=0x7f936941e030) at /root/php-7.3.1/Zend/zend_vm_execute.h:55434
#11 0x00000000009ca890 in zend_execute (op_array=0x7f936947a300, return_value=0x0) at /root/php-7.3.1/Zend/zend_vm_execute.h:60834
#12 0x00000000008fa6d4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-7.3.1/Zend/zend.c:1568
#13 0x000000000086ab0c in php_execute_script (primary_file=0x7ffe7269f0a0) at /root/php-7.3.1/main/main.c:2630
#14 0x00000000009cd269 in do_cli (argc=5, argv=0x18f2930) at /root/php-7.3.1/sapi/cli/php_cli.c:997
#15 0x00000000009ce1d5 in main (argc=5, argv=0x18f2930) at /root/php-7.3.1/sapi/cli/php_cli.c:1389


Can someone help me out?...
Thank you all.


Patches

valgrind-log-full-20190306 (last revision 2019-03-06 00:58 UTC by timandes@php.net)
valgrind-log-20190306 (last revision 2019-03-06 00:44 UTC by timandes@php.net)

Pull Requests

History

 [2019-03-05 08:10 UTC] laruence@php.net
you may run your test script with valgrind, like

USE_ZEND_ALLOC=0 valgrind php test_script.php

then paste the output here.

thanks
 [2019-03-06 00:44 UTC] timandes@php.net
The following patch has been added/updated:

Patch Name: valgrind-log-20190306
Revision:   1551833093
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-20190306&revision=1551833093
 [2019-03-06 00:58 UTC] timandes@php.net
The following patch has been added/updated:

Patch Name: valgrind-log-full-20190306
Revision:   1551833903
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-full-20190306&revision=1551833903
 [2019-03-06 08:15 UTC] nikic@php.net
==133== Invalid read of size 4
==133==    at 0x94A219: zend_gc_delref (zend_types.h:996)
==133==    by 0x94A942: zend_objects_store_del (zend_objects_API.c:185)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==    by 0x9CD268: do_cli (php_cli.c:997)
==133==    by 0x9CE1D4: main (php_cli.c:1389)
==133==  Address 0x7bc0b78 is 72 bytes inside a block of size 112 free'd
==133==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==133==    by 0x8C4B2C: _efree (zend_alloc.c:2508)
==133==    by 0x6F46C34: php_zk_destroy (php_zookeeper.c:832)
==133==    by 0x6F46C6E: php_zk_free_storage (php_zookeeper.c:841)
==133==    by 0x94A936: zend_objects_store_del (zend_objects_API.c:184)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==  Block was alloc'd at
==133==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==133==    by 0x8C57AD: __zend_malloc (zend_alloc.c:2904)
==133==    by 0x8C4A85: _emalloc (zend_alloc.c:2494)
==133==    by 0x8C4EDB: _ecalloc (zend_alloc.c:2579)
==133==    by 0x6F46D04: php_zk_new (php_zookeeper.c:856)
==133==    by 0x900408: object_and_properties_init (zend_API.c:1335)
==133==    by 0x900449: object_init_ex (zend_API.c:1343)
==133==    by 0x96D5C0: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:8818)
==133==    by 0x9C5EEA: execute_ex (zend_vm_execute.h:56256)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)

Very likely some kind of refcounting bug in php-zookeeper (an addref missing somewhere?)
 [2019-03-06 08:18 UTC] nikic@php.net
Actually, I think it's just this line being wrong: https://github.com/php-zookeeper/php-zookeeper/blob/master/php_zookeeper.c#L832

The free_obj handler should release the object contents, but *not* deallocate the object itself. The engine will do that itself. This results in a double free.

You should be able to fix this issue simply by dropping that efree().
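To illustrate the ownership rule described in the comment above, here is an added example (not code from php-zookeeper or from the Zend engine): a small C model in which the engine allocates the wrapper struct, calls the extension's free_obj handler, and then frees the block itself. The model_ names, the instrumented allocator that reports a second free instead of corrupting the heap, and the sample host string are all constructed for this example; the buggy handler mirrors the extra efree() and the fixed one omits it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of the engine/extension ownership contract
 * discussed in the thread. Everything with a "model_" prefix is constructed
 * for this example; it is not the real Zend API. */

typedef struct model_object model_object;
typedef void (*model_free_obj_fn)(model_object *obj);

/* Stand-in for the zend_object header that the engine owns. */
struct model_object {
    unsigned refcount;
    model_free_obj_fn free_obj;  /* handler installed by the extension */
};

/* Stand-in for the extension's wrapper (like php_zk_t): extension-owned
 * fields first, the engine-owned object header last. */
typedef struct {
    char *host;         /* resource the extension must release in free_obj */
    model_object std;   /* engine-owned header, must be last */
} model_zk;

/* Instrumented allocator standing in for emalloc/efree: it tracks live
 * blocks so a second free is reported instead of corrupting the heap. */
#define MODEL_MAX_BLOCKS 16
static void *model_live[MODEL_MAX_BLOCKS];

static void *model_emalloc(size_t sz) {
    void *p = calloc(1, sz);
    for (int i = 0; i < MODEL_MAX_BLOCKS; i++) {
        if (model_live[i] == NULL) { model_live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free, -1 when the block is not live (double free). */
static int model_efree(void *p) {
    for (int i = 0; i < MODEL_MAX_BLOCKS; i++) {
        if (model_live[i] == p) { model_live[i] = NULL; free(p); return 0; }
    }
    return -1;
}

static char *model_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Recover the wrapper from the embedded header, as extensions do with offsetof(). */
#define MODEL_ZK_FROM_OBJ(o) ((model_zk *)((char *)(o) - offsetof(model_zk, std)))

/* Buggy free_obj: releases the contents and ALSO frees the wrapper block.
 * The engine frees that block again afterwards, giving the double free. */
static void model_zk_free_storage_buggy(model_object *obj) {
    model_zk *zk = MODEL_ZK_FROM_OBJ(obj);
    free(zk->host);
    zk->host = NULL;
    model_efree(zk);  /* wrong: the engine owns this allocation */
}

/* Fixed free_obj: releases only the resources the extension owns. */
static void model_zk_free_storage_fixed(model_object *obj) {
    model_zk *zk = MODEL_ZK_FROM_OBJ(obj);
    free(zk->host);
    zk->host = NULL;
}

/* Model of the engine's object-store teardown: run the handler, then free
 * the object block itself. Returns the allocator's verdict on that free. */
static int model_store_del(model_object *obj) {
    obj->free_obj(obj);
    return model_efree(MODEL_ZK_FROM_OBJ(obj));
}

/* Model of create_object: the engine allocates the whole wrapper. */
static model_zk *model_zk_new(const char *host, model_free_obj_fn handler) {
    model_zk *zk = model_emalloc(sizeof *zk);
    zk->host = model_strdup(host);
    zk->std.refcount = 1;
    zk->std.free_obj = handler;
    return zk;
}

/* Creates and destroys one object with the chosen handler. Returns 0 when
 * teardown is clean, -1 when the engine hit an already-freed block. */
int model_simulate_destroy(int use_fixed_handler) {
    model_free_obj_fn h = use_fixed_handler ? model_zk_free_storage_fixed
                                            : model_zk_free_storage_buggy;
    model_zk *zk = model_zk_new("127.0.0.1:2181", h);  /* constructed sample host */
    return model_store_del(&zk->std);
}

int main(void) {
    printf("fixed handler: %d\n", model_simulate_destroy(1));  /* 0 */
    printf("buggy handler: %d\n", model_simulate_destroy(0));  /* -1 */
    return 0;
}
```

The point of the model is the split of responsibility: the handler owns only what the extension allocated inside the wrapper (here the host string), while the block that contains the object header is allocated and released by the engine. Running the real extension under `USE_ZEND_ALLOC=0 valgrind`, as suggested earlier in the thread, is what turns the silent heap corruption into the "free'd ... Block was alloc'd at" report shown above.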
 [2019-03-07 00:54 UTC] timandes@php.net
-Status: Open +Status: Assigned -Package: *Unicode Issues +Package: PECL -Assigned To: +Assigned To: timandes
 [2019-03-07 00:54 UTC] timandes@php.net
So it means I must allocate the wrapper struct (like php_zk_t) of the zend_object, but I should not free it manually?

It's interesting. : )

But it works fine, thanks a lot.
 [2019-03-12 01:39 UTC] timandes@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 10:01:29 2024 UTC