Bug #38268 zend_hash_find segfault
Submitted: 2006-07-31 14:40 UTC Modified: 2006-08-08 01:00 UTC
From: marc dot dassonneville at gmail dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.1.4 OS: linux
Private report: No CVE-ID: None
 [2006-07-31 14:40 UTC] marc dot dassonneville at gmail dot com
Description:
------------
zend_hash_find segfaults when calling a property of a null object

I can reproduce the SEGFAULT, but can't reduce the code (code of 7K lines).

It seems that the bug occurs when an object A returns null instead of an object B, and I then try to access a property of B.

Example:
$foo->give_me_A()->property_of_B = $bar; // crash when give_me_A() returns null.

If I test that $foo->give_me_A() doesn't return null before doing this call, it doesn't segfault.

BUT .. I can't manage to reproduce this bug in smaller code :/


I give some GDB debug output below.

Segfault tested on: PHP 5.1.4 (cli) (built: Jul 19 2006 12:36:47) on an old linux box (2.4.20)
It also segfaults on: PHP 5.1.2 (cgi-fcgi) (built: Jul 19 2006 00:02:34) on the latest KUbuntu (2.6.15)



Actual result:
--------------
GDB result on the old linux box:

0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98, method_name=0x8374b64 "get_client", method_len=10) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
738             if (zend_hash_find(&zobj->ce->function_table, lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
(gdb) where
#0  0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98, method_name=0x8374b64 "get_client", method_len=10) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
#1  0x08218f6a in ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER (execute_data=0xbfffc9e0) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:20875
#2  0x081e28f8 in execute (op_array=0x83701b4) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:92
#3  0x081ca270 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend.c:1109
#4  0x08190dc3 in php_execute_script (primary_file=0xbfffee10) at /home/marc/tmp/PHP/php-5.1.4/main/main.c:1732
#5  0x0822eea3 in main (argc=3, argv=0xbfffeec4) at /home/marc/tmp/PHP/php-5.1.4/sapi/cli/php_cli.c:1092
#6  0x400a45d9 in __libc_start_main () from /lib/libc.so.6



Some valgrind info on KUbuntu:

==32660==
==32660== Invalid read of size 4
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
==32660==  Address 0xA is not stack'd, malloc'd or (recently) free'd
==32660==
==32660== Process terminating with default action of signal 11 (SIGSEGV)
==32660==  Access not within mapped region at address 0xA
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
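
An added illustration, not the Zend engine's code and not part of this report: a simplified C model of a "get method" handler, showing how looking up a method through a null receiver without a type check reads through a null pointer (the near-null fault address in the valgrind output above), next to the guarded form that fails cleanly. All struct, type-tag and function names in it are invented.

```c
/* Added example, not the Zend engine's code: a simplified model of a
 * "get method" handler, to show the defect class behind this report.
 * All struct, type-tag and function names here are invented. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { T_NULL = 0, T_OBJECT = 5 };   /* constructed type tags */

typedef struct { const char *name; void (*fn)(void); } model_fn;
typedef struct { model_fn *function_table; size_t count; } model_class;
typedef struct { model_class *ce; } model_object;
typedef struct { int type; model_object *obj; } model_zval;

static void say_hi(void) { puts("hi"); }

/* Unchecked lookup: reads zv->obj->ce whatever the zval type is. With a
 * null receiver this reads through a null pointer, the same shape of fault
 * as the report's valgrind run ("Address 0xA is not stack'd, malloc'd..."). */
static const model_fn *get_method_unchecked(const model_zval *zv, const char *name)
{
    model_class *ce = zv->obj->ce;           /* faults when zv->obj is NULL */
    for (size_t i = 0; i < ce->count; i++)
        if (strcmp(ce->function_table[i].name, name) == 0)
            return &ce->function_table[i];
    return NULL;
}

/* Checked lookup: refuse anything that is not a live object before touching
 * obj->ce, so a method call on a null return value fails cleanly instead. */
static const model_fn *get_method_checked(const model_zval *zv, const char *name)
{
    if (zv == NULL || zv->type != T_OBJECT || zv->obj == NULL || zv->obj->ce == NULL)
        return NULL;                         /* caller reports "not an object" */
    return get_method_unchecked(zv, name);
}

/* Same lookup against a real object and against a null give_me_A() result. */
int lookup_demo(void)
{
    model_fn table[] = { { "get_client", say_hi } };
    model_class ce = { table, 1 };
    model_object obj = { &ce };
    model_zval good = { T_OBJECT, &obj };
    model_zval bad  = { T_NULL, NULL };      /* constructed null receiver */
    const model_fn *m = get_method_checked(&good, "get_client");
    return m != NULL && m->fn == say_hi && get_method_checked(&bad, "get_client") == NULL;
}
```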

 [2006-07-31 14:44 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-07-31 16:22 UTC] marc dot dassonneville at gmail dot com
I tried http://snaps.php.net/php5.2-latest.tar.gz

I compiled it on 2 different boxes using:
  gcc 4.0.3 (Ubuntu 4.0.3-1ubuntu5)
  gcc version 3.3.2 (old linux box)
and with configure options
  ./configure --disable-libxml --disable-dom --disable-simplexml --disable-xml --disable-xmlwriter --disable-xmlreader --without-pear --enable-sockets

I was writing to you that it worked when I saw an error :(

It used to segfault after 1 sec with php 5.1.4.
Now, with the CVS snapshot, it segfaults after a random time (> 10 sec, sometimes > 1 min).

It segfaults both on kubuntu with a recent gcc and on the old linux box with an old gcc.

On the ubuntu box, I launched it several times with Valgrind, and it ends up in different ways:

1/ 
==1202== Stack overflow in thread 1: can't grow stack to 0xBE47AFF4
==1202==
==1202== Process terminating with default action of signal 11 (SIGSEGV)
==1202==  Access not within mapped region at address 0xBE47AFF4
==1202==    at 0x81F765E: zend_objects_store_del_ref_by_handle (zend_objects_API.c:174)
==1202== Stack overflow in thread 1: can't grow stack to 0xBE47AFDC
==1202==
==1202== Process terminating with default action of signal 11 (SIGSEGV)
==1202==  Access not within mapped region at address 0xBE47AFDC
==1202==    at 0x4019308: _vgw_freeres (vg_preloaded.c:58)
==1202==
==1202== ERROR SUMMARY: 10 errors from 10 contexts (suppressed: 21 from 1)
==1202== malloc/free: in use at exit: 1,639,071 bytes in 9,876 blocks.
==1202== malloc/free: 16,722 allocs, 6,846 frees, 2,591,007 bytes allocated.
==1202== For counts of detected errors, rerun with: -v
==1202== searching for pointers to 9,876 not-freed blocks.
==1202== checked 5,609,488 bytes.

2/
==1231== Invalid write of size 4
==1231==    at 0x81C8F04: _zend_mm_alloc_int (zend_alloc.c:478)
==1231==    by 0x81C92A1: _estrndup (zend_alloc.c:1729)
==1231==    by 0x81F56CB: zend_std_object_get_class_name (zend_object_handlers.c:1062)
==1231==    by 0x81EAA38: zif_get_parent_class (zend_builtin_functions.c:607)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81D42FE: zend_eval_string (zend_execute_API.c:1130)
==1231==    by 0x8186AA3: zif_assert (assert.c:152)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81F963A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==  Address 0xD is not stack'd, malloc'd or (recently) free'd
==1231==
==1231== Process terminating with default action of signal 11 (SIGSEGV)
==1231==  Access not within mapped region at address 0xD
==1231==    at 0x81C8F04: _zend_mm_alloc_int (zend_alloc.c:478)
==1231==    by 0x81C92A1: _estrndup (zend_alloc.c:1729)
==1231==    by 0x81F56CB: zend_std_object_get_class_name (zend_object_handlers.c:1062)
==1231==    by 0x81EAA38: zif_get_parent_class (zend_builtin_functions.c:607)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81D42FE: zend_eval_string (zend_execute_API.c:1130)
==1231==    by 0x8186AA3: zif_assert (assert.c:152)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81F963A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)

3/
==1236== Stack overflow in thread 1: can't grow stack to 0xBE3A9FF4
==1236==
==1236== Process terminating with default action of signal 11 (SIGSEGV)
==1236==  Access not within mapped region at address 0xBE3A9FF4
==1236==    at 0x81F765E: zend_objects_store_del_ref_by_handle (zend_objects_API.c:174)
==1236== Stack overflow in thread 1: can't grow stack to 0xBE3A9FDC
==1236==
==1236== Process terminating with default action of signal 11 (SIGSEGV)
==1236==  Access not within mapped region at address 0xBE3A9FDC
==1236==    at 0x4019308: _vgw_freeres (vg_preloaded.c:58)

With GDB on the old linux box:

1/
Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x82fe190, p=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:477
477             prev->next_free_block = next;
(gdb) where
#0  _zend_mm_free_int (heap=0x82fe190, p=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:477
#1  0x081bfcca in _efree (ptr=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:1621
#2  0x081f592d in ZEND_ECHO_SPEC_TMP_HANDLER (execute_data=0xbfffacd0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_variables.h:35
#3  0x081ee2c8 in execute (op_array=0xbfffacd0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#4  0x081ee838 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb800) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:234
#5  0x081ee2c8 in execute (op_array=0x400a1254) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#6  0x081d585e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend.c:1095
#7  0x0819a2b6 in php_execute_script (primary_file=0xbfffdc10) at /home/marc/tmp/PHP/php5.2-200607311230/main/main.c:1759
#8  0x0823ae2d in main (argc=3, argv=0xbfffdcc4) at /home/marc/tmp/PHP/php5.2-200607311230/sapi/cli/php_cli.c:1097
#9  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

2/
Program received signal SIGSEGV, Segmentation fault.
0x401a2dff in ?? ()
(gdb) where
#0  0x401a2dff in ?? ()
#1  0x081ee2c8 in execute (op_array=0x401a2df8) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#2  0x081d585e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend.c:1095
#3  0x0819a2b6 in php_execute_script (primary_file=0xbffff590) at /home/marc/tmp/PHP/php5.2-200607311230/main/main.c:1759
#4  0x0823ae2d in main (argc=3, argv=0xbffff644) at /home/marc/tmp/PHP/php5.2-200607311230/sapi/cli/php_cli.c:1097
#5  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
 [2006-07-31 17:47 UTC] tony2001@php.net
Okay, now we need a reproduce case.
 [2006-08-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".