Bug #61133 segfault in tests/apc_bin_002.phpt
Submitted: 2012-02-18 07:27 UTC Modified: 2012-08-12 15:26 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: remi@php.net Assigned: ab
Status: Closed Package: APC (PECL)
PHP Version: 5.4.0RC8 OS: GNU/Linux (Fedora 16)
Private report: No CVE-ID: None
 [2012-02-18 07:27 UTC] remi@php.net
Description:
------------
Here is the backtrace obtained with PHP 5.4.0RC8 and APC rev 322617

(gdb) run  -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php
Starting program: /usr/bin/php -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
my_copy_zval (dst=0x7fffef9cc650, src=0x2725, ctxt=0x7fffffffb450) at /usr/include/bits/string3.h:52
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));


(gdb) bt
#0  my_copy_zval (dst=0x7fffef9cc650, src=0x2725, ctxt=0x7fffffffb450) at /usr/include/bits/string3.h:52
#1  0x00007ffff15d10d7 in my_copy_zval_ptr (dst=0x7fffef9cc8b0, src=0x7fffef58252d, ctxt=0x7fffffffb450) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_compile.c:219
#2  0x00007ffff15d1dbc in my_copy_class_entry (dst=0x7fffef9cc270, src=0x7fffef588801, ctxt=0x7fffffffb450) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_compile.c:721
#3  0x00007ffff15db74a in apc_bin_load (bd=0x7fffef5867e0, flags=<optimized out>) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_bin.c:925
#4  0x00007ffff15cb269 in zif_apc_bin_load (ht=<optimized out>, return_value=0x7ffff7d975e0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/php_apc.c:1482
#5  0x0000000000669529 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.4.0RC8/Zend/zend_vm_execute.h:642
#6  0x000000000062847f in execute (op_array=0x7ffff7d97f20) at /usr/src/debug/php-5.4.0RC8/Zend/zend_vm_execute.h:410
#7  0x00000000005c4500 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.0RC8/Zend/zend.c:1272
#8  0x00000000005644a3 in php_execute_script (primary_file=0x7fffffffdca0) at /usr/src/debug/php-5.4.0RC8/main/main.c:2473
#9  0x000000000066bbd1 in do_cli (argc=13, argv=0x7fffffffdfb8) at /usr/src/debug/php-5.4.0RC8/sapi/cli/php_cli.c:983
#10 0x000000000042599e in main (argc=13, argv=0x7fffffffdfb8) at /usr/src/debug/php-5.4.0RC8/sapi/cli/php_cli.c:1356



Test script:
---------------
Running provided tests or

$ LANG=C php -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php


Expected result:
----------------
Test OK

Actual result:
--------------
segfault

 [2012-03-07 22:14 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2012-03-08 08:46 UTC] ab@php.net
-Status: Assigned +Status: Verified
 [2012-03-08 08:46 UTC] ab@php.net
Confirmed, a simple call on the debug build says:


/usr/bin/php -n -d extension_dir=.libs -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 tests/apc_bin_002.php
php: /usr/local/src/apc/apc_compile.c:371: my_copy_zval: Assertion `0' failed.
Aborted

And the valgrind output:

==31016== Invalid write of size 4
==31016==    at 0x47E561B: sma_allocate (apc_sma.c:258)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff378 is 8 bytes after a block of size 584 alloc'd
==31016==    at 0x47E5DFF: apc_sma_malloc_ex (apc_sma.c:467)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E9352: apc_realpool_create (apc_pool.c:435)
==31016==    by 0x47E8DD1: apc_pool_create (apc_pool.c:57)
==31016==    by 0x47EEC31: apc_bin_load (apc_bin.c:856)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==    by 0x81E0EAF: php_execute_script (main.c:2473)
==31016==    by 0x83D7C06: do_cli (php_cli.c:983)
==31016== 
==31016== Invalid read of size 4
==31016==    at 0x47E562B: sma_allocate (apc_sma.c:261)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff370 is 0 bytes after a block of size 584 alloc'd
==31016==    at 0x47E5DFF: apc_sma_malloc_ex (apc_sma.c:467)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E9352: apc_realpool_create (apc_pool.c:435)
==31016==    by 0x47E8DD1: apc_pool_create (apc_pool.c:57)
==31016==    by 0x47EEC31: apc_bin_load (apc_bin.c:856)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==    by 0x81E0EAF: php_execute_script (main.c:2473)
==31016==    by 0x83D7C06: do_cli (php_cli.c:983)
==31016== 
==31016== Invalid write of size 4
==31016==    at 0x47E5638: sma_allocate (apc_sma.c:266)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff380 is not stack'd, malloc'd or (recently) free'd
 [2012-03-08 12:53 UTC] ab@php.net
Much simpler test scenario

one.php:
<?php

apc_compile_file('two.php');
$data = apc_bin_dump(NULL, NULL);
apc_clear_cache();

apc_bin_load($data, APC_BIN_VERIFY_MD5 | APC_BIN_VERIFY_CRC32);

two.php:
<?php

$a = 'uuu';

The failure happens in apc_bin_load, but the data seems to be already corrupted.
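The dump/clear/load round trip from the one.php/two.php scenario above, wrapped in the checks a tester would want when confirming a fix for this report. This is an added example, not code from the bug thread or from APC itself; it assumes APC 3.1.x on the CLI with apc.enable_cli=1, a trivial two.php beside it as in the report, and that apc_bin_load() returns false (rather than loading) when the MD5/CRC32 verification flags detect a modified dump. The file name bin_roundtrip.php and the helper names are the example's own choices.

```php
<?php
// Added example (not from the bug report): apc_bin_dump()/apc_bin_load()
// round trip with integrity verification, plus a negative check.
// Run as:
//   php -n -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 \
//       -d apc.stat=0 bin_roundtrip.php

$target = __DIR__ . '/two.php';   // assumption: a trivial script, as in the report

// Number of entries in the opcode (system) cache; -1 if APC is unavailable.
function opcode_entry_count()
{
    $info = apc_cache_info();                 // system cache by default
    return ($info === false) ? -1 : count($info['cache_list']);
}

// Print one check result and stop on the first failure.
function step($label, $ok)
{
    printf("%-44s %s\n", $label, $ok ? 'ok' : 'FAIL');
    if (!$ok) {
        exit(1);
    }
}

step('APC usable on the CLI', opcode_entry_count() >= 0);
$before = opcode_entry_count();   // the running script may already be cached

// 1. Put two.php into the opcode cache.
step('apc_compile_file()', apc_compile_file($target));
$compiled = opcode_entry_count();
step('entry added after compile', $compiled > $before);

// 2. Serialise the whole cache (files and user variables).
$data = apc_bin_dump(null, null);
step('apc_bin_dump() returned data', is_string($data) && strlen($data) > 0);

// 3. Empty the opcode cache and prove it is empty.
apc_clear_cache();
step('cache empty after clear', opcode_entry_count() === 0);

// 4. Load the intact dump back with integrity checks enabled.
//    This is the call that crashed in the report; a correct dump must load
//    cleanly and restore the same number of entries.
$flags = APC_BIN_VERIFY_MD5 | APC_BIN_VERIFY_CRC32;
step('apc_bin_load() of intact dump', apc_bin_load($data, $flags) === true);
step('entries restored after load', opcode_entry_count() === $compiled);

// 5. Negative check: flip one byte in the middle of the dump. With the verify
//    flags set, the checksum mismatch must be reported as a failed load
//    (assumption: apc_bin_load() returns false here), never as a crash.
apc_clear_cache();
$corrupt = $data;
$pos = (int) (strlen($corrupt) / 2);
$corrupt[$pos] = chr(ord($corrupt[$pos]) ^ 0x01);
$loaded = @apc_bin_load($corrupt, $flags);   // warning on mismatch is expected
step('corrupted dump rejected', $loaded === false);
step('nothing loaded from corrupted dump', opcode_entry_count() === 0);

echo "round trip verified\n";
```

Run it under valgrind or a debug build as ab@php.net did if the first apc_bin_load() check fails: a crash there rather than a FAIL line means the dump is already malformed before verification runs, which is what the valgrind report above indicates.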
 [2012-08-12 15:20 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=327074
Log: Fixed bug #61133 (segfault in tests/apc_bin_002.phpt)
 [2012-08-12 15:22 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2012-08-12 15:22 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-08-12 15:26 UTC] laruence@php.net
fixed, all test scripts passed on my box (regardless of the memleaks), cheers! :)