Bug #71005 Segfault in php_cli_server_dispatch_router()
Submitted: 2015-12-01 00:44 UTC Modified: 2015-12-01 00:57 UTC
From: aharvey@php.net Assigned: aharvey (profile)
Status: Closed Package: Built-in web server
PHP Version: 7.0Git-2015-12-01 (Git) OS: Probably irrelevant (OSX; Linux)
Private report: No CVE-ID: None
 [2015-12-01 00:44 UTC] aharvey@php.net
Description:
------------
Using a router script that handles an exception with set_exception_handler() results in an invalid read occurring in php_cli_server_dispatch_router() when it attempts to destroy the retval.

PHP was built with --disable-all --enable-debug, then run with "php -S 0.0.0.0:8888 /tmp/test.php" (test.php is provided as the test script below), then curl was used to poke the router script via "curl http://localhost:8888/".

The segfault isn't totally reliable (I've seen it on both OS X 10.11.1 and Ubuntu 15.10, but not completely consistently on either), but the valgrind output is, and is pasted below:

==22135== Memcheck, a memory error detector
==22135== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22135== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22135== Command: ./sapi/cli/php -S 0.0.0.0:8888 /tmp/test.php
==22135==
PHP 7.0.1-dev Development Server started at Tue Dec  1 00:41:00 2015
Listening on http://0.0.0.0:8888
Document root is /home/vagrant/php-src/7.0
Press Ctrl-C to quit.
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xD11824: php_cli_server_dispatch_router (php_cli_server.c:2054)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF14D7: i_zval_ptr_dtor (zend_variables.h:56)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF15AE: zval_delref_p (zend_types.h:826)
==22135==    by 0xBF14E5: i_zval_ptr_dtor (zend_variables.h:57)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xBF15DF: zval_delref_p (zend_types.h:827)
==22135==    by 0xBF14E5: i_zval_ptr_dtor (zend_variables.h:57)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF66A4: gc_check_possible_root (zend_gc.h:134)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Conditional jump or move depends on uninitialised value(s)
==22135==    at 0xBF66D4: gc_check_possible_root (zend_gc.h:135)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xBF66E1: gc_check_possible_root (zend_gc.h:135)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==    by 0xD06DA7: main (php_cli.c:1348)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xC4DC3A: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==
==22135== Use of uninitialised value of size 8
==22135==    at 0xC4DC4E: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==    by 0xD1424B: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==22135==    by 0xD0FE7F: php_cli_server_do_event_for_each_fd (php_cli_server.c:2416)
==22135==    by 0xD0FBB9: php_cli_server_do_event_loop (php_cli_server.c:2426)
==22135==    by 0xD0F5B7: do_cli_server (php_cli_server.c:2527)
==22135==
php: /home/vagrant/php-src/7.0/Zend/zend_gc.c:226: void gc_possible_root(zend_refcounted *): Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed.
==22135==
==22135== Process terminating with default action of signal 6 (SIGABRT)
==22135==    at 0xA88E267: raise (raise.c:55)
==22135==    by 0xA88FEC9: abort (abort.c:89)
==22135==    by 0xA88703C: __assert_fail_base (assert.c:92)
==22135==    by 0xA8870F1: __assert_fail (assert.c:101)
==22135==    by 0xC4DC81: gc_possible_root (zend_gc.c:226)
==22135==    by 0xBF6713: gc_check_possible_root (zend_gc.h:136)
==22135==    by 0xBF1511: i_zval_ptr_dtor (zend_variables.h:60)
==22135==    by 0xBF0F62: _zval_ptr_dtor (zend_execute_API.c:527)
==22135==    by 0xD11861: php_cli_server_dispatch_router (php_cli_server.c:2056)
==22135==    by 0xD1133D: php_cli_server_dispatch (php_cli_server.c:2092)
==22135==    by 0xD0FF84: php_cli_server_recv_event_read_request (php_cli_server.c:2313)
==22135==    by 0xD144DA: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2393)
==22135==
==22135== HEAP SUMMARY:
==22135==     in use at exit: 2,405,356 bytes in 23,054 blocks
==22135==   total heap usage: 29,250 allocs, 6,196 frees, 3,120,371 bytes allocated
==22135==
==22135== LEAK SUMMARY:
==22135==    definitely lost: 0 bytes in 0 blocks
==22135==    indirectly lost: 0 bytes in 0 blocks
==22135==      possibly lost: 1,673,791 bytes in 18,116 blocks
==22135==    still reachable: 731,565 bytes in 4,938 blocks
==22135==         suppressed: 0 bytes in 0 blocks
==22135== Rerun with --leak-check=full to see details of leaked memory
==22135==
==22135== For counts of detected and suppressed errors, rerun with: -v
==22135== Use --track-origins=yes to see where uninitialised values come from
==22135== ERROR SUMMARY: 9 errors from 9 contexts (suppressed: 0 from 0)
Aborted (core dumped)

Test script:
---------------
<?php

set_exception_handler(function () {});

throw new Exception;

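The failure the report describes, modelled in plain C as an added example (this is not php-src code; `value`, `script_exec`, `dispatch_buggy` and `dispatch_fixed` are hypothetical names): a script runner that bails out through a swallowed exception without ever writing its return slot, the dispatcher shape that destroys that slot anyway, and the hardened shape that seeds the slot with an UNDEF sentinel and checks it before calling the destructor.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Zend-style tagged value: tag + optional refcounted payload. */
enum vtype { T_UNDEF = 0, T_FALSE = 1, T_STRING = 2 };
struct value { enum vtype type; int *refcount; };

/* Reading v->type on a slot nobody wrote is the uninitialised read valgrind flags. */
static void value_dtor(struct value *v) {
    if (v->type == T_STRING && --*v->refcount == 0)
        free(v->refcount);
}

/* Runs the "router script"; a swallowed exception bails out without writing *retval. */
static int script_exec(const char *script, struct value *retval) {
    if (strcmp(script, "throw") == 0)
        return -1;                          /* bailout: retval untouched */
    if (strcmp(script, "return false") == 0) {
        retval->type = T_FALSE;
        retval->refcount = NULL;
    } else {
        retval->type = T_STRING;
        retval->refcount = malloc(sizeof *retval->refcount);
        *retval->refcount = 1;
    }
    return 0;
}

/* Buggy shape: retval is never seeded, so after a bailout the dtor reads garbage (UB). */
int dispatch_buggy(const char *script) {
    struct value retval;                    /* uninitialised */
    int decline = 0;
    if (script_exec(script, &retval) == 0)
        decline = retval.type == T_FALSE;
    value_dtor(&retval);                    /* reads retval.type regardless */
    return decline;
}

/* Hardened shape: seed with T_UNDEF, destroy only if the callee wrote a value. Returns 1 to decline. */
int dispatch_fixed(const char *script) {
    struct value retval = { T_UNDEF, NULL };
    int decline = 0;
    script_exec(script, &retval);           /* may bail out without writing */
    if (retval.type != T_UNDEF) {
        decline = retval.type == T_FALSE;
        value_dtor(&retval);
    }
    return decline;
}
```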

History

 [2015-12-01 00:57 UTC] aharvey@php.net
-Assigned To: +Assigned To: aharvey
 [2015-12-01 00:57 UTC] aharvey@php.net
I'm an idiot: the fix for this is obvious. I'll push it later tonight.
 [2015-12-01 03:12 UTC] aharvey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91bad929aa0d7b7560a20c58e1e02a76f522b0bd
Log: Fix bug #71005 (Segfault in php_cli_server_dispatch_router()).
 [2015-12-01 03:12 UTC] aharvey@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=91bad929aa0d7b7560a20c58e1e02a76f522b0bd
Log: Fix bug #71005 (Segfault in php_cli_server_dispatch_router()).