Bug #60158 Segmentation fault in zend_variables.c
Submitted: 2011-10-28 16:05 UTC Modified: 2011-10-31 21:14 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 1 of 2 (50.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: michael dot irey at gmail dot com Assigned:
Status: Suspended Package: Scripting Engine problem
PHP Version: 5.3.x OS: Ubuntu 10.04.3 LTS
Private report: No CVE-ID: None
 [2011-10-28 16:05 UTC] michael dot irey at gmail dot com
Description:
------------
Using ZendFramework-1.11.10. The seg fault occurs in 5.3.2 as well as 5.3.8. It does not occur in 5.2.4. It is difficult to reproduce, but I will include the gdb backtrace. Basically, assigning the value of one variable to another causes the seg fault. I cannot determine why. The line $this->_element = $element; causes the seg fault.

Test script:
---------------
    // Zend_Form_Decorator_Abstract::setElement() from ZendFramework-1.11.10
    // (Abstract.php, the frame at the top of the backtrace below)
    public function setElement($element)
    {
        if ((!$element instanceof Zend_Form_Element)
            && (!$element instanceof Zend_Form)
            && (!$element instanceof Zend_Form_DisplayGroup))
        {
            require_once 'Zend/Form/Decorator/Exception.php';
            throw new Zend_Form_Decorator_Exception('Invalid element type passed to decorator');
        }

        $this->_element = $element; // the assignment that triggers the segfault (Abstract.php:186)
        return $this;
    }

Expected result:
----------------
Not this: exit signal Segmentation fault (11)

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00007ffd348abe53 in _zend_mm_free_canary_int (heap=0x7ffd39b11130, p=0x21143c453bb97f0f) at /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c:2090
2090	/build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c: No such file or directory.
	in /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c

(gdb) dump_bt executor_globals.current_execute_data
[0x386f2e30] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Decorator/Abstract.php:186
[0x386f2ac8] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2030
[0x386f28f0] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2046
[0xa59d03f0] __toString()
[0x386f1080] ??? /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scripts/contacts/duplicate.phtml:186
[0x386f0e80] ??? /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View.php:108
[0x386f0c38] _run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View/Abstract.php:888
[0x386f0968] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900
[0x386f0760] renderScript() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921
[0x386f0620] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960
[0x386f0458] postDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/HelperBroker.php:277
[0x386efdd0] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action.php:527
[0x386eefb8] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Dispatcher/Standard.php:295
[0x386ed590] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Front.php:954
[0x386ed190] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97
[0x386ed050] run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application.php:366
[0x386ec068] run() /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69


 [2011-10-28 16:10 UTC] michael dot irey at gmail dot com
Added more detail in the summary
 [2011-10-28 16:10 UTC] michael dot irey at gmail dot com
-Summary: Segmentation fault +Summary: Segmentation fault in _zend_mm_free_canary_int
 [2011-10-28 16:14 UTC] felipe@php.net
zend_alloc_canary.c is from Suhosin project, not PHP.

So, try to reproduce the crash in a clean PHP build.
 [2011-10-28 16:14 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-10-31 18:47 UTC] michael dot irey at gmail dot com
-PHP Version: 5.3.8 +PHP Version: 5.3.x
 [2011-10-31 18:47 UTC] michael dot irey at gmail dot com
Ok, I have reproduced the bug from a clean PHP build using 5.3.8.

Here are the new gdb details:

Program terminated with signal 11, Segmentation fault.
#0  0x00007fabd4b288b6 in _zval_dtor_func (zvalue=0x7fff0a50eb70, __zend_filename=0x7fabd4ea8558 "/root/downloads/php-5.3.8/Zend/zend_object_handlers.c", __zend_lineno=441)
    at /root/downloads/php-5.3.8/Zend/zend_variables.c:35
35				CHECK_ZVAL_STRING_REL(zvalue);
(gdb) dump_bt executor_globals.current_execute_data
[0xd8959e80] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Decorator/Abstract.php:186
[0xd8959b18] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2030
[0xd8959940] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2046
[0x0a50eec0] __toString()
[0xd89580d0] ??? /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scripts/contacts/duplicate.phtml:62
[0xd8957ed0] ??? /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View.php:108
[0xd8957c88] _run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View/Abstract.php:888
[0xd89579b8] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900
[0xd89577b0] renderScript() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921
[0xd8957670] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960
[0xd89574a8] postDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/HelperBroker.php:277
[0xd8956e20] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action.php:527
[0xd8956008] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Dispatcher/Standard.php:295
[0xd89545e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Front.php:954
[0xd89541e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97
[0xd89540a0] run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application.php:366
[0xd8953090] run() /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69
 [2011-10-31 18:49 UTC] michael dot irey at gmail dot com
Updated the summary line to contain zend_variables.c
 [2011-10-31 18:49 UTC] michael dot irey at gmail dot com
-Summary: Segmentation fault in _zend_mm_free_canary_int +Summary: Segmentation fault in zend_variables.c
 [2011-10-31 19:51 UTC] michael dot irey at gmail dot com
Changed the package description
 [2011-10-31 19:51 UTC] michael dot irey at gmail dot com
-Package: Apache2 related +Package: Scripting Engine problem
 [2011-10-31 20:13 UTC] pajoye@php.net
-Status: Bogus +Status: Feedback
 [2011-10-31 20:13 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2011-10-31 21:02 UTC] michael dot irey at gmail dot com
I would really like to provide a short example script to reproduce the problem. However, the problem only seems to pop up when a large number of objects are used, but that is only a guess.

We use ZendFramework 1.11.x. I have re-compiled PHP with --enable-debug, and when I execute the script that caused the seg fault I get this:

Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:17:52 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:17:52 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===
Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:18:09 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:18:09 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===


Is there anything else I can do to help diagnose and resolve this issue?
 [2011-10-31 21:02 UTC] michael dot irey at gmail dot com
-Status: Feedback +Status: Open
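The --enable-debug output in the comment above is the engine's guard-word heap check firing on a one-byte overrun of a 17-byte string block. The following C example, added here and not code from PHP or Zend Framework, models that check with a simplified block layout (the layout is an assumption; only the magic constant 0x62D3082C is taken from the report) and shows the off-by-one string copy the check catches next to the corrected copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed debug heap in the spirit of Zend's --enable-debug allocator: a magic word
 * follows each block and is checked on release. Magic value from the report; layout assumed. */
#define END_MAGIC 0x62D3082Cu

typedef struct {
    size_t size;           /* requested payload size */
    unsigned char data[];  /* payload, followed immediately by END_MAGIC */
} dbg_block;

static dbg_block *dbg_alloc(size_t size) {
    dbg_block *b = malloc(sizeof *b + size + sizeof(uint32_t));
    if (!b) return NULL;
    b->size = size;
    memcpy(b->data + size, &(uint32_t){END_MAGIC}, sizeof(uint32_t));  /* end guard */
    return b;
}

/* Guard bytes clobbered (0 = intact): the "N byte(s) overflown" figure in the report. */
static size_t dbg_overflown_bytes(const dbg_block *b) {
    const unsigned char *want = (const unsigned char *)&(const uint32_t){END_MAGIC};
    size_t n = 0;
    for (size_t i = 0; i < sizeof(uint32_t); i++)
        if (b->data[b->size + i] != want[i]) n = i + 1;
    return n;
}

/* CHECK_ZVAL_STRING_REL's rule: str[len] must be '\0' and must lie inside the block. */
static int dbg_string_terminated(const dbg_block *b, size_t len) {
    return len < b->size && b->data[len] == '\0';
}

/* Buggy: block sized for the characters only, but the terminator is copied too. */
static dbg_block *store_string_offbyone(const char *s) {
    size_t len = strlen(s);
    dbg_block *b = dbg_alloc(len);
    if (b) memcpy(b->data, s, len + 1);
    return b;
}

/* Fixed: reserve room for the terminator, as estrndup does in the engine. */
static dbg_block *store_string_ok(const char *s) {
    size_t len = strlen(s);
    dbg_block *b = dbg_alloc(len + 1);
    if (b) memcpy(b->data, s, len + 1);
    return b;
}
```

On the buggy path the NUL lands on the first guard byte, so the check reports one overflown byte and a non-terminated string; a release build has no guard and silently corrupts whatever follows the block, which is how a crash surfaces far away in _zval_dtor_func.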
 [2011-10-31 21:14 UTC] pajoye@php.net
I would suggest reporting this issue to Zend Framework or Zend directly then. They can help you to figure out the issue.
 [2011-10-31 21:14 UTC] pajoye@php.net
-Status: Open +Status: Suspended