Bug #69674 SIGSEGV array.c:953
Submitted: 2015-05-20 15:08 UTC Modified: 2015-07-29 08:09 UTC
Votes: 2
Avg. Score: 4.5 ± 0.5
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: opitz dot alexander at googlemail dot com Assigned: laruence (profile)
Status: Closed Package: *General Issues
PHP Version: 7.0.0beta2 OS: *
Private report: No CVE-ID: None
 [2015-05-20 15:08 UTC] opitz dot alexander at googlemail dot com
Description:
------------
I'm running TYPO3 Unit tests with PHP7, which leads to this SIGSEGV while running the RequestBuilderTest.

>>>
Starting test 'TYPO3\CMS\Extbase\Tests\Unit\Mvc\Web\RequestBuilderTest::buildThrowsExceptionIfControllerConfigurationIsEmptyOrNotSet'.
Segmentation fault
<<<

Running the test alone (and not all tests inside the file) works fine.

Output of gdb

Program received signal SIGSEGV, Segmentation fault.
0x000000000081e8ca in zif_current (execute_data=0x7fffef0191a0, return_value=0x7fffef0190d0) at /php7/ext/standard/array.c:953
953             RETURN_ZVAL_FAST(entry);
(gdb) zbacktrace
[0x7fffef0191a0] current(Es gibt kein Mitglied mit dem Namen ht.
(gdb) backtrace
#0  0x000000000081e8ca in zif_current (execute_data=0x7fffef0191a0, return_value=0x7fffef0190d0) at /php7/ext/standard/array.c:953
#1  0x00000000009e62e4 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /php7/Zend/zend_vm_execute.h:692
#2  0x00000000009e5745 in execute_ex (ex=0x7fffef018900) at /php7/Zend/zend_vm_execute.h:394
#3  0x0000000000971df2 in zend_call_function (fci=0x7fffffffa490, fci_cache=0x7fffffffa460) at /php7/Zend/zend_execute_API.c:841
#4  0x00000000007bb533 in zim_reflection_method_invokeArgs (execute_data=0x7fffef018880, return_value=0x7fffef018580) at /php7/ext/reflection/php_reflection.c:3222
#5  0x00000000009e68f8 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7/Zend/zend_vm_execute.h:821
#6  0x00000000009e5745 in execute_ex (ex=0x7fffef014030) at /php7/Zend/zend_vm_execute.h:394
#7  0x00000000009e585b in zend_execute (op_array=0x7fffef084000, return_value=0x0) at /php7/Zend/zend_vm_execute.h:434
#8  0x000000000098a1e5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php7/Zend/zend.c:1389
#9  0x00000000008f5666 in php_execute_script (primary_file=0x7fffffffcc40) at /php7/main/main.c:2479
#10 0x0000000000a56413 in do_cli (argc=4, argv=0x1384840) at /php7/sapi/cli/php_cli.c:967
#11 0x0000000000a575cb in main (argc=4, argv=0x1384840) at /php7/sapi/cli/php_cli.c:1334

Expected result:
----------------
No SIGSEGV

Actual result:
--------------
Crash with SIGSEGV

Patches

ZEND_HASH_FILL_END (last revision 2015-07-28 21:49 UTC by cmb@php.net)

Pull Requests

History

 [2015-05-21 03:07 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-05-21 03:07 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-05-21 07:15 UTC] opitz dot alexander at googlemail dot com
-Status: Feedback +Status: Open
 [2015-05-21 07:15 UTC] opitz dot alexander at googlemail dot com
ATM I don't have the time to write the given test file, including phpunit, in 10-20 lines, nor do I have the possibility to drag this issue down to get this crash into 10-20 lines.
As you can see, "zbacktrace" doesn't give a hint, and a normal backtrace is attached.
The source of TYPO3 can be found on https://github.com/TYPO3/TYPO3.CMS in branch master. The test file itself is located here: https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/extbase/Tests/Unit/Mvc/Web/RequestBuilderTest.php
 [2015-05-22 09:55 UTC] laruence@php.net
Okay, I have cloned TYPO3; how could I run the test?
 [2015-05-22 10:25 UTC] opitz dot alexander at googlemail dot com
I run it normally with

phpunit -c typo3/sysext/core/Build/UnitTests.xml

At the moment I use PHPUnit 4.6.6
 [2015-06-05 12:18 UTC] opitz dot alexander at googlemail dot com
Example of output for running the tests.

https://travis-ci.org/TYPO3/TYPO3.CMS/jobs/65556246
 [2015-06-23 13:26 UTC] opitz dot alexander at googlemail dot com
Dragged this down a bit further.

The crash happens on following line:
https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/extbase/Classes/Mvc/Web/RequestBuilder.php#L110

$this->defaultControllerName = current(array_keys($configuration['controllerConfiguration']));

In the crashing test, this is an empty array. But trying this in a 10-line test doesn't fail.
 [2015-06-23 13:38 UTC] opitz dot alexander at googlemail dot com
Snippet to crash PHP7.

Without the unset, $var isn't changed and returns the same content as before.
If the array is empty in the first assignment, you get a notice that $var is an uninitialized variable.

<?php
    // Non-empty array: array_keys() yields ['TheFirstController'] and
    // current() returns that string.
    $configuration = array(
        'controllerConfiguration' => array(
            'TheFirstController' => array(
            ),
        )
    );
    $var = current(array_keys($configuration['controllerConfiguration']));
    var_dump($var);

    // Remove the only element, then replace the whole sub-array with an empty one.
    unset($configuration['controllerConfiguration']['TheFirstController']);

    // Empty array: array_keys() yields [] and current() should return false,
    // but on the affected PHP 7 builds this second call segfaults.
    $configuration['controllerConfiguration'] = array();
    $var = current(array_keys($configuration['controllerConfiguration']));
    var_dump($var);
 [2015-06-23 14:30 UTC] opitz dot alexander at googlemail dot com
Output of other PHP versions:

http://3v4l.org/UO3aI
 [2015-07-28 11:43 UTC] opitz dot alexander at googlemail dot com
-PHP Version: master-Git-2015-05-20 (Git) +PHP Version: 7.0.0beta2
 [2015-07-28 11:43 UTC] opitz dot alexander at googlemail dot com
This issue still exists with beta2.
What is needed to get this fixed?
 [2015-07-28 21:10 UTC] cmb@php.net
-Status: Open +Status: Verified -Operating System: Linux +Operating System: * -Assigned To: +Assigned To: laruence
 [2015-07-28 21:10 UTC] cmb@php.net
Thanks for the reproduce script. I can confirm the segfault on
Windows and Linux.

For some reason when current() is called the second time,
array->htInternalPointer == 0 for the empty array (instead of
0xffffffff), so zend_hash_get_current_data() returns an
uninitialized entry instead of NULL.

Laruence, could you please have a look at this issue?
 [2015-07-28 21:49 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: ZEND_HASH_FILL_END
Revision:   1438120153
URL:        https://bugs.php.net/patch-display.php?bug=69674&patch=ZEND_HASH_FILL_END&revision=1438120153
 [2015-07-28 21:51 UTC] cmb@php.net
It seems that's a general issue in ZEND_HASH_FILL_END[1], where
nInternalPointer is always set to zero, instead of 0xffffffff for
empty arrays (see the attached patch "ZEND_HASH_FILL_END").

[1] <https://github.com/php/php-src/blob/php-7.0.0beta2/Zend/zend_hash.h#L887>
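The two comments above (the htInternalPointer == 0 observation and the ZEND_HASH_FILL_END diagnosis) describe an invariant violation rather than a parsing bug. The following C model, written for this page and not taken from php-src, reproduces that logic on a toy hash table: the field names mirror php-src, but the code is a hypothetical simplification, and `ht_fill()`, `get_current_data()` and `current_reads_uninitialized()` are assumed helpers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the invariant behind bug #69674: an empty table must
 * carry nInternalPointer == HT_INVALID_IDX, because the current-data lookup
 * described in the report only tests that sentinel, not idx < nNumUsed. */
#define HT_INVALID_IDX ((uint32_t)-1)   /* the 0xffffffff from the report */
#define HT_CAP 8

typedef struct { long val; int initialized; } Bucket;
typedef struct {
    Bucket   arData[HT_CAP];
    uint32_t nNumUsed;
    uint32_t nInternalPointer;
} HashTable;

static void ht_init(HashTable *ht) {
    memset(ht, 0, sizeof *ht);            /* every bucket starts "uninitialized" */
    ht->nInternalPointer = HT_INVALID_IDX;
}

/* Packed fill of n buckets followed by the fill-end step. buggy != 0 models the
 * pre-fix ZEND_HASH_FILL_END, which reset the pointer to 0 even for n == 0. */
static void ht_fill(HashTable *ht, const long *vals, uint32_t n, int buggy) {
    for (uint32_t i = 0; i < n; i++) {
        ht->arData[i].val = vals[i];
        ht->arData[i].initialized = 1;
    }
    ht->nNumUsed = n;
    ht->nInternalPointer = (buggy || n > 0) ? 0 : HT_INVALID_IDX;
}

/* Mirrors the lookup cmb describes: only the sentinel is checked. */
static const Bucket *get_current_data(const HashTable *ht) {
    if (ht->nInternalPointer == HT_INVALID_IDX) return NULL;
    return &ht->arData[ht->nInternalPointer];
}

/* current(array_keys([])): returns 1 if the engine would hand back an
 * uninitialized bucket (the segfault path), 0 if it correctly reports "no element". */
static int current_reads_uninitialized(int buggy) {
    HashTable ht;
    ht_init(&ht);
    ht_fill(&ht, NULL, 0, buggy);
    const Bucket *b = get_current_data(&ht);
    return b != NULL && !b->initialized;
}
```

With `buggy = 1` the lookup dereferences bucket 0 of a table that has no buckets, which is the uninitialized entry the report mentions; with the corrected fill-end the same call yields NULL.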
 [2015-07-29 02:55 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)
 [2015-07-29 02:55 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2015-07-29 02:59 UTC] laruence@php.net
@cmb, thanks, the patch looks fine. I committed it here: https://github.com/php/php-src/commit/7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
 [2015-07-29 08:09 UTC] opitz dot alexander at googlemail dot com
Verified, works now. Many Thanks.
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)