Bug #59255 Segfault with APC
Submitted: 2010-06-06 16:27 UTC Modified: 2010-06-16 10:09 UTC
From: Jared dot Williams at ntlworld dot com Assigned: gopalv (profile)
Status: Closed Package: APC (PECL)
PHP Version: 5_3 SVN-2010-06-06 (dev) OS: Ubuntu 10.04 x64
Private report: No CVE-ID: None
 [2010-06-06 16:27 UTC] Jared dot Williams at ntlworld dot com
Description:
------------
The second time the url containing http://gist.github.com/427850 is requested, a segfault occurs.

PHP 5.3.3-dev (cli) (built: Jun  6 2010 20:28:37) (DEBUG) (r300229)
APC Version 3.1.4-dev (r300049)

Reproduce code:
---------------
http://gist.github.com/427850

--

jared@ubuntu:~$ wget -O - http://127.0.0.1/APCSegfault.php
jared@ubuntu:~$ wget -O - http://127.0.0.1/APCSegfault.php

Expected result:
----------------
--2010-06-06 21:15:38--  http://127.0.0.1/APCSegfault.php
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 457 [text/html]
Saving to: `STDOUT'

 0% [                                       ] 0           --.-K/s              <form method="post">
        <dl>
                <dt><label for="name">Name</label></dt>
                <dd><input type="text" id="name" name="name" title="" required="required" pattern="[a-zA-Z][a-zA-Z0-9]*" maxlength="12"/></dd>
                <dt><label for="password">Password</label></dt>
                <dd><input type="password" id="password" name="password" title="An alpha numeric string" required="required" pattern="[a-zA-Z0-9]+" maxlength="64"/></dd>
        </dl>
        <input type="submit" value="Log in"/>
100%[======================================>] 457         --.-K/s   in 0s

2010-06-06 21:15:38 (42.8 MB/s) - written to stdout [457/457]

Twice.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff424f1a0 in execute (op_array=0x7ffff85c3a30, tsrm_ls=0x7ffff82a4e20)
    at /home/jared/Desktop/php-5.3/Zend/zend_vm_execute.h:104
104                     if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) bt
#0  0x00007ffff424f1a0 in execute (op_array=0x7ffff85c3a30, tsrm_ls=0x7ffff82a4e20)
    at /home/jared/Desktop/php-5.3/Zend/zend_vm_execute.h:104
#1  0x00007ffff4212d58 in zend_execute_scripts (type=8, tsrm_ls=0x7ffff82a4e20, retval=0x0, file_count=3)
    at /home/jared/Desktop/php-5.3/Zend/zend.c:1194
#2  0x00007ffff416fbb2 in php_execute_script (primary_file=0x7fffffffe040, tsrm_ls=0x7ffff82a4e20)
    at /home/jared/Desktop/php-5.3/main/main.c:2260
#3  0x00007ffff431aab0 in php_handler (r=0x7ffff8638078)
    at /home/jared/Desktop/php-5.3/sapi/apache2handler/sapi_apache2.c:669
#4  0x00007ffff7fd6140 in ap_run_handler (r=0x7ffff8638078)
    at /build/buildd/apache2-2.2.14/server/config.c:159
#5  0x00007ffff7fd9aa8 in ap_invoke_handler (r=0x7ffff8638078)
    at /build/buildd/apache2-2.2.14/server/config.c:373
#6  0x00007ffff7fe7678 in ap_process_request (r=0x7ffff8638078)
    at /build/buildd/apache2-2.2.14/modules/http/http_request.c:282
#7  0x00007ffff7fe4528 in ap_process_http_connection (c=0x7ffff85e7338)
    at /build/buildd/apache2-2.2.14/modules/http/http_core.c:190
#8  0x00007ffff7fddcf8 in ap_run_process_connection (c=0x7ffff85e7338)
    at /build/buildd/apache2-2.2.14/server/connection.c:43
#9  0x00007ffff7fec037 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:662
#10 0x00007ffff7fec306 in make_child (s=0x7ffff8214938, slot=0)
    at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:702
#11 0x00007ffff7fec953 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>)
    at /build/buildd/apache2-2.2.14/server/mpm/prefork/prefork.c:978
#12 0x00007ffff7fc2350 in main (argc=2, argv=0x7fffffffe6d8)
    at /build/buildd/apache2-2.2.14/server/main.c:742

 [2010-06-06 17:09 UTC] Jared dot Williams at ntlworld dot com
It appears the problem is with the goto on line 231 in the code provided.
 [2010-06-07 07:27 UTC] gopalv82 at yahoo dot com
I confirm that this happens with my apc/php trunk builds.

Happens in render()

I suspect that a jump offset is somehow not being rewritten properly and causing a jump into an opline which does not exist anymore.

(gdb) p *execute_data->opline
$19 = {handler = 0x5a5a5a5a,

apc_fixup_op_array_jumps probably needs a review and update.
 [2010-06-07 10:19 UTC] Jared dot Williams at ntlworld dot com
Ok, reduced the test code, still segfaults on 2nd run

<?php
  $i = 0;
  while ($i < 10)
  {
loop:                   // label inside the loop body, target of the goto below
    echo ++$i, "\n";

    switch ($i & 2)
    {
      case 2:
        goto loop;      // backward jump out of the switch, compiled to a goto opcode

      default:
        break;
    }
  }
 [2010-06-14 00:51 UTC] gopalv82 at yahoo dot com
ZEND_GOTO opcode. That's definitely the culprit.
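A simplified model, added here as an illustration and not APC's own apc_fixup_op_array_jumps, of what the two comments above describe: when an op array is copied into the cache, every opline that stores an absolute jump pointer has to be rewritten for the new location, and skipping one opcode (the goto here) leaves a pointer into the old buffer, which is exactly the stale opline execute() later dereferences. The opcode names, struct layout and the consistency check are assumptions of the model, not Zend or APC definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of a Zend 5.3 op array (added illustration, not APC's code). */
enum { OP_ECHO, OP_JMP, OP_GOTO, OP_RET };
typedef struct opline { int opcode; struct opline *jmp_target; } opline;
typedef struct { opline *opcodes; size_t last; } op_array;

/* Copy src into buf and rewrite absolute jump targets for the new location.
 * fix_goto == 0 models the bug: OP_GOTO is left pointing into the old buffer. */
static void copy_op_array(const op_array *src, op_array *dst, opline *buf, int fix_goto)
{
    memcpy(buf, src->opcodes, src->last * sizeof(opline));
    dst->opcodes = buf;
    dst->last = src->last;
    for (size_t i = 0; i < dst->last; i++) {
        opline *op = &dst->opcodes[i];
        int relocate = op->opcode == OP_JMP || (fix_goto && op->opcode == OP_GOTO);
        if (relocate && op->jmp_target != NULL) {
            size_t idx = (size_t)(op->jmp_target - src->opcodes); /* index in old array */
            op->jmp_target = dst->opcodes + idx;
        }
    }
}

/* Returns 1 if every jump lands inside the op array's own buffer, 0 if one dangles. */
static int jumps_are_consistent(const op_array *oa)
{
    uintptr_t lo = (uintptr_t)oa->opcodes, hi = (uintptr_t)(oa->opcodes + oa->last);
    for (size_t i = 0; i < oa->last; i++) {
        const opline *op = &oa->opcodes[i];
        uintptr_t t = (uintptr_t)op->jmp_target;
        if ((op->opcode == OP_JMP || op->opcode == OP_GOTO) && (t < lo || t >= hi))
            return 0;
    }
    return 1;
}

/* Reduced test case from the report: a label, a goto back to it, the while back-edge. */
static int demo(int fix_goto)
{
    opline src_ops[4] = { {OP_ECHO, NULL}, {OP_GOTO, NULL}, {OP_JMP, NULL}, {OP_RET, NULL} };
    opline shm[4]; /* constructed stand-in for the shared-memory copy */
    op_array src = { src_ops, 4 }, dst;
    src_ops[1].jmp_target = &src_ops[0]; /* goto loop; */
    src_ops[2].jmp_target = &src_ops[0]; /* loop back-edge, an ordinary jump */
    copy_op_array(&src, &dst, shm, fix_goto);
    return jumps_are_consistent(&dst);
}
```

With fix_goto set the copied array passes the check; without it the goto still points at the original buffer, which in the real cache is freed memory.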
 [2010-06-15 06:39 UTC] gopalv82 at yahoo dot com
Fixed, my bad.

http://news.php.net/php.pecl.cvs/14327
 [2010-06-16 10:09 UTC] Jared dot Williams at ntlworld dot com
Yeah, seems fine. Cheers.