Bug #62953 PHP Segfaults on var_dump
Submitted: 2012-08-27 15:11 UTC
Modified: 2012-09-10 05:37 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: fs-pecl at gigacodes dot de
Assigned:
Status: Duplicate
Package: amqp (PECL)
PHP Version: 5.3.16
OS: Centos 6.3
Private report: No
CVE-ID: None
 [2012-08-27 15:11 UTC] fs-pecl at gigacodes dot de
Description:
------------
PHP segfaults if a var_dump is issued on an object and an amqp connection class is present. The second var_dump in the script gives a segfault.

We tried this with php 5.3.14 and 5.3.16 and with amqp-1.0.4 and 1.0.5, on Centos 6.3 with the latest kernel (2.6.32-279.5.2.el6.x86_64) and latest glibc, as well as on Centos 6.3 with kernel 2.6.32-279.2.1.el6.x86_64.

Upon researching we found the *is_temp variable in the get_debug_info handler with the kinda revealing comment: "/* Super magic make shit work variable. Seriously though, without this using print_r and/or var_dump will either cause memory leak or crash. */".

Therefore we disabled the debug_info handler on all amqp classes as a workaround, and the problem vanishes.

Test script:
---------------
<?php
class XYZ {
}

$unserObject = new XYZ;
var_dump($unserObject);
$connection = new AMQPConnection(array('host' => 'localhost'));
var_dump($unserObject);
?>

Actual result:
--------------
Here's a full backtrace of the segfault:

(gdb) run
Starting program: /home/php-5.3.16/bin/php /root/test.php
[Thread debugging using libthread_db enabled]
object(XYZ)#1 (1) {
  ["var"]=>
  string(5) "value"
}
object(AMQPConnection)#2 (5) {
  ["login"]=>
  string(5) "guest"
  ["password"]=>
  string(5) "guest"
  ["host"]=>
  string(9) "localhost"
  ["vhost"]=>
  string(1) "/"
  ["port"]=>
  int(5672)
}

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff35b2601 in __strlen_sse2 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-
13.el6.x86_64 glibc-2.12-1.80.el6_3.4.x86_64 keyutils-libs-1.4-4.el6.x86_64 
krb5-libs-1.9-33.el6_3.2.x86_64 libaio-0.3.107-10.el6.x86_64 libcom_err-1.41.12-
12.el6.x86_64 libcurl-7.19.7-26.el6_2.4.x86_64 libidn-1.18-2.el6.x86_64 libjpeg-
6b-46.el6.x86_64 libpng-1.2.49-1.el6_2.x86_64 librabbitmq-0.1-
0.2.hgfb6fca832fd2.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64 libssh2-1.2.2-
11.el6_3.x86_64 libxml2-2.7.6-4.el6_2.4.x86_64 nspr-4.9.1-2.el6_3.x86_64 nss-
3.13.5-1.el6_3.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64 nss-util-3.13.5-
1.el6_3.x86_64 openldap-2.4.23-26.el6_3.2.x86_64 openssl-1.0.0-25.el6_3.1.x86_64 
zlib-1.2.3-27.el6.x86_64
(gdb) bt full
#0  0x00007ffff35b2601 in __strlen_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fffe9ddc3e0 in amqp_connection_object_get_debug_info (object=<value 
optimized out>, is_temp=<value optimized out>) at /usr/local/src/amqp-
1.0.5/amqp_connection.c:60
        __s = 0x29 <Address 0x29 out of bounds>
        value = 0x1886448
        connection = 0x1885c70
#2  0x00000000006f8df3 in php_var_dump (struc=0x7ffff7ecc300, level=1) at 
/usr/local/src/php-5.3.16/ext/standard/var.c:129
        myht = <value optimized out>
        class_name = <value optimized out>
        class_name_len = 0
        php_element_dump_func = <value optimized out>
        is_temp = <value optimized out>
#3  0x00000000006f8fa9 in zif_var_dump (ht=<value optimized out>, return_value=
<value optimized out>, return_value_ptr=<value optimized out>, this_ptr=<value 
optimized out>, return_value_used=<value optimized out>)
    at /usr/local/src/php-5.3.16/ext/standard/var.c:181
        args = 0x1884f08
        argc = 1
        i = <value optimized out>
#4  0x00000000007d9930 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7ffff7ecc050) at /usr/local/src/php-
5.3.16/Zend/zend_vm_execute.h:320
        opline = <value optimized out>
        should_change_scope = 0 '\000'
#5  0x00000000007b2038 in execute (op_array=0x1884f28) at /usr/local/src/php-
5.3.16/Zend/zend_vm_execute.h:107
        ret = <value optimized out>
        execute_data = 0x7ffff7ecc050
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#6  0x000000000078d05a in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /usr/local/src/php-5.3.16/Zend/zend.c:1236
        files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area = 
0x7fffffffad80, reg_save_area = 0x7fffffffad10}}
        i = <value optimized out>
        file_handle = 0x7fffffffe190
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#7  0x000000000073bf7e in php_execute_script (primary_file=0x7fffffffe190) at 
/usr/local/src/php-5.3.16/main/main.c:2308
        realfile = 
"/root/test.php\000\000\001\000\000\000\000\000\000\000\210\341\377\367\377\177\
000\000Ц
\377\367\377\177\000\000\000\000\000\000\000\000\000\000\220\277\377\377\377\177
\000\000)|\336\367\377\177\000\000\000\000\000\000\000\000\000\000\340\344\377\3
67\377\177\000\000\240\276\377\377\377\177\000\000\a\000\000\000\000\000\000\000
XdS\363\377\177\000\000\000\260\376\367\377\177\000\000\220\211\376\367\377\177\
000\000\230<\315\006", '\000' <repeats 12 times>, 
"\001\000\000\000\000\000\000\000h\375\374", '\000' <repeats 37 times>, "Я
\336\367\377\177\000\000\001\000\000\000\377\177", '\000' <repeats 11 
times>"\260, 
\376\367\377\177\000\000XdS\363\377\177\000\000\210sS\363\377\177\000\000\330\31
4\375\000\000\000\000\000p\317\377\377\377\177\000\000\220\332\375\000\000\000\0
00\000\000\344\377\377\377\177\000\000\225\026\337\367\377\177\000\000\002", 
'\000' <repeats 23 times>, "@", '\000' <repeats 31 times>, 
"\002\000\000\000\060\000\000\000[\000\000\000"...
        __orig_bailout = 0x7fffffffe020
        __bailout = {{__jmpbuf = {25871440, 4616387247387821243, 
140737488348819, 0, 140737488348176, 0, 4616387250680349883, 
-4616386813821860677}, __mask_was_saved = 0, __saved_mask = {__val = 
{229440404087961, 0, 140737276197873, 
---Type <return> to continue, or q <return> to quit--- 
                48, 16784576, 25871952, 7978245, 532575944752, 7, 
140737488342752, 1177, 7, 140737488342752, 0, 25871824, 0}}}}
        prepend_file_p = <value optimized out>
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = 
{len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, 
              reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = 
{len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, 
              reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        old_cwd = 0x7fffffffad90 ""
        use_heap = 0 '\000'
        retval = 0
#8  0x0000000000813644 in main (argc=2, argv=0x7fffffffe408) at 
/usr/local/src/php-5.3.16/sapi/cli/php_cli.c:1189
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {110, -4616385417133308741, 16636560, 
140737488348160, 0, 0, 4616387247385724091, -4616386138658585413}, 
__mask_was_saved = 0, __saved_mask = {__val = {140737351936935, 40, 316149, 29, 
140737268784600, 
                0, 140737488347744, 140737268784896, 140737268790920, 0, 
140737351934614, 140737275714632, 140737488347504, 140733193388095, 
140737488347504, 40}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffe693 
"/root/test.php", opened_path = 0x0, handle = {fd = 25711192, fp = 0x1885258, 
stream = {handle = 0x1885258, isatty = 0, mmap = {len = 336, pos = 0, 
                map = 0x7ffff7ec9000, buf = 0x7ffff7ec9000 <Address 
0x7ffff7ec9000 out of bounds>, old_handle = 0x18ac170, old_closer = 0x7a1d90 
<zend_stream_stdio_closer>}, reader = 0x7a2380 <zend_stream_stdio_reader>, 
              fsizer = 0x7a22c0 <zend_stream_stdio_fsizer>, closer = 0x7a2310 
<zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = <value optimized out>
        arg_excp = <value optimized out>
        script_file = <value optimized out>
        translated_path = 0x18ac450 "/root/test.php"
        interactive = <value optimized out>
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = <value optimized out>
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0
        ini_entries_len = <value optimized out>
(gdb) 
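Frame #0 above is strlen reading through a bogus pointer (__s = 0x29) that the connection object's get_debug_info handler handed back to php_var_dump, which matches the leak-or-crash trade-off the is_temp comment describes. As an added illustration, not code from the amqp extension or from PHP, this C model shows the contract var_dump relies on: the handler copies every value into a fresh table and sets *is_temp so the caller frees it, so a second dump of the same object reads valid memory and nothing leaks. conn_t, prop_table_t, var_dump and dump_twice are constructed stand-ins for the PHP internals, not real API names.

```c
/* Constructed model of the get_debug_info ownership contract, not amqp or PHP code: if the
 * handler sets *is_temp, var_dump frees the table; otherwise the object must keep it valid. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

static int live_tables = 0;                      /* tables allocated minus tables freed */
typedef struct { const char *key; char *value; } prop_t;
typedef struct { prop_t props[8]; int count; } prop_table_t;
typedef struct { const char *host; const char *vhost; } conn_t;  /* stand-in for AMQPConnection */

/* Values are copied into the table; it never borrows a pointer that may go away. */
static void table_add(prop_table_t *t, const char *key, const char *value) {
    t->props[t->count].key = key;
    t->props[t->count].value = strdup(value);
    t->count++;
}
static void table_destroy(prop_table_t *t) {
    for (int i = 0; i < t->count; i++) free(t->props[i].value);
    free(t);
    live_tables--;
}

/* Handler: a fresh table per call, ownership handed to the caller via *is_temp. */
static prop_table_t *conn_get_debug_info(const conn_t *c, int *is_temp) {
    prop_table_t *t = calloc(1, sizeof *t);
    live_tables++;
    table_add(t, "host", c->host);
    table_add(t, "vhost", c->vhost);
    *is_temp = 1;
    return t;
}

/* php_var_dump modelled: strlen each value (the call faulting in frame #0), then free only if temp. */
static size_t var_dump(const conn_t *c) {
    size_t bytes = 0; int is_temp = 0;
    prop_table_t *t = conn_get_debug_info(c, &is_temp);
    for (int i = 0; i < t->count; i++) bytes += strlen(t->props[i].value);
    if (is_temp) table_destroy(t);
    return bytes;
}

/* Dump one object twice, as the report's script does; 0 means a leak or double free. */
static size_t dump_twice(void) {
    conn_t c = { "localhost", "/" };
    var_dump(&c);
    size_t n = var_dump(&c);
    return live_tables == 0 ? n : 0;
}
```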


Patches

print-r.patch (last revision 2012-09-05 20:53 UTC by bkw at codingforce dot com)

 [2012-09-05 20:57 UTC] bkw at codingforce dot com
I attached a patch that solves this and the other print_r/var_dump
related problems (at least for me). Feedback welcome.

It is also in my github copy in branch "print_r-fix":
https://github.com/bkw/pecl-amqp/commit/738f413ade12070441cb227f86d7e7f0bcf154f4
 [2012-09-10 05:37 UTC] pdezwart@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.


 [2012-09-10 05:37 UTC] pdezwart@php.net
-Status: Open +Status: Duplicate
 