Bug #71443 Segfault using built-in webserver with intl using symfony
Submitted: 2016-01-25 00:28 UTC
Modified: 2016-01-26 04:07 UTC
From: wegvonhier+phpbugs at gmail dot com
Assigned: laruence
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2016-01-25 (Git)
OS: Linux
Private report: No
CVE-ID: None

 [2016-01-25 00:28 UTC] wegvonhier+phpbugs at gmail dot com
Description:
------------
Using master@319e82838
Compiled using ./configure --enable-debug --enable-intl (Removing intl solves the issue; Not sure if this should be filed under pecl/intl or reproducible crash, as the crash happens in zend_ini/zend_string)

php.ini content:
zend_extension=<path>opcache.so
opcache.file_cache_only=1
opcache.file_cache=<path>php-op-cache
opcache.enable_cli=0


Test script:
---------------
Steps to reproduce:
Using a clean symfony 3 app generated using 'symfony new proj-name'.
Go to web/app_dev.php; Comment the call to Debug::enable(); and set the first parameter of the AppKernel ctor to 'prod', but leave the second parameter set to true.

Start the webserver using php -S <addr> in the web directory and request <addr>/app_dev.php

If other files have been requested before, the request behaves as expected. If app_dev.php is the first file requested, the php process crashes with the backtrace posted below.

Actual result:
--------------
(gdb) run -S 127.0.0.1:8182
Starting program: /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
Traceback (most recent call last):
PHP 7.1.0-dev Development Server started at Mon Jan 25 00:16:35 2016
Listening on http://127.0.0.1:8182
Document root is /home/vm-user/symf-proj/web
Press Ctrl-C to quit.
[Mon Jan 25 00:16:43 2016] 127.0.0.1:60070 [200]: /app_dev.php

Program received signal SIGSEGV, Segmentation fault.
0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
269		if (!ZSTR_IS_INTERNED(s)) {
(gdb) bt
#0  0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
#1  0x00000000008af033 in zend_restore_ini_entry_cb (ini_entry=0x117d850, 
    stage=8) at /home/vm-user/php-src/Zend/zend_ini.c:67
#2  0x00000000008af0b7 in zend_restore_ini_entry_wrapper (el=0x7ffff42634a0)
    at /home/vm-user/php-src/Zend/zend_ini.c:82
#3  0x00000000008a24ea in zend_hash_apply (ht=0x7ffff425b420, 
    apply_func=0x8af08f <zend_restore_ini_entry_wrapper>)
    at /home/vm-user/php-src/Zend/zend_hash.c:1521
#4  0x00000000008af25d in zend_ini_deactivate ()
    at /home/vm-user/php-src/Zend/zend_ini.c:142
#5  0x000000000088be74 in zend_deactivate ()
    at /home/vm-user/php-src/Zend/zend.c:989
#6  0x00000000007f8808 in php_request_shutdown (dummy=0x0)
    at /home/vm-user/php-src/main/main.c:1823
#7  0x000000000095746f in php_cli_server_request_shutdown (
    server=0x11049c0 <server>, client=0x12981b0)
    at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2025
#8  0x0000000000957857 in php_cli_server_dispatch (server=0x11049c0 <server>, 
    client=0x12981b0) at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2106
#9  0x0000000000958071 in php_cli_server_recv_event_read_request (
    server=0x11049c0 <server>, client=0x12981b0)
    at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2315



Different run:
Breakpoint 1, zend_restore_ini_entry_cb (ini_entry=0x117d850, stage=8)
    at /home/vm-user/php-src/Zend/zend_ini.c:51
51		int result = FAILURE;
(gdb) print *ini_entry
$6 = {name = 0x117d8b0, on_modify = 0x8b024d <OnUpdateStringUnempty>, 
  mh_arg1 = 0x10, mh_arg2 = 0x11054c0 <intl_globals>, mh_arg3 = 0x0, 
  value = 0x7ffff3698dd8, orig_value = 0x0, displayer = 0x0, modifiable = 7, 
  orig_modifiable = 7, modified = 1, module_number = 12}
(gdb) print *ini_entry->value
Cannot access memory at address 0x7ffff3698dd8
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
269		if (!ZSTR_IS_INTERNED(s)) {


 [2016-01-25 03:54 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-01-25 03:54 UTC] laruence@php.net
from the backtrace, this is very similar to #71425.

anyway, I am having trouble using symfony, could you please try with valgrind?

startup php-cli server with valgrind:

USE_ZEND_ALLOC=0 valgrind php7  -S 127.0.0.1:8182

and see if there is anything outputted

thanks
 [2016-01-25 13:44 UTC] wegvonhier+phpbugs at gmail dot com
Updated master to 52d89557f3

valgrind output:
~/symf-proj/web $ USE_ZEND_ALLOC=0 valgrind /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
==21380== Memcheck, a memory error detector
==21380== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21380== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==21380== Command: /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
==21380== 
PHP 7.1.0-dev Development Server started at Mon Jan 25 14:40:42 2016
Listening on http://127.0.0.1:8182
Document root is /home/vm-user/symf-proj/web
Press Ctrl-C to quit.
[Mon Jan 25 14:40:47 2016] 127.0.0.1:52069 [200]: /app_dev.php
==21380== Invalid read of size 1
==21380==    at 0x8AE860: zend_string_release (zend_string.h:269)
==21380==    by 0x8AEB52: zend_restore_ini_entry_cb (zend_ini.c:67)
==21380==    by 0x8AEBD6: zend_restore_ini_entry_wrapper (zend_ini.c:82)
==21380==    by 0x8A2009: zend_hash_apply (zend_hash.c:1521)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==  Address 0x941c7c5 is 322,853 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x858ABD: _efree (zend_alloc.c:2453)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==    by 0x957F75: php_cli_server_do_event_for_each_fd (php_cli_server.c:2418)
==21380== 
==21380== Invalid read of size 1
==21380==    at 0x89D4AE: zend_string_release (zend_string.h:269)
==21380==    by 0x8A0AC7: _zend_hash_del_el_ex (zend_hash.c:1007)
==21380==    by 0x8A0BF5: _zend_hash_del_el (zend_hash.c:1037)
==21380==    by 0x8A202B: zend_hash_apply (zend_hash.c:1524)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==  Address 0x949d20d is 849,773 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x858ABD: _efree (zend_alloc.c:2453)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==    by 0x957F75: php_cli_server_do_event_for_each_fd (php_cli_server.c:2418)
==21380== 
[Mon Jan 25 14:40:51 2016] 127.0.0.1:52072 [200]: /app_dev.php
^C==21380== 
==21380== HEAP SUMMARY:
==21380==     in use at exit: 27,127 bytes in 1,013 blocks
==21380==   total heap usage: 50,278 allocs, 49,265 frees, 19,687,216 bytes allocated
==21380== 
==21380== LEAK SUMMARY:
==21380==    definitely lost: 24,224 bytes in 982 blocks
==21380==    indirectly lost: 0 bytes in 0 blocks
==21380==      possibly lost: 0 bytes in 0 blocks
==21380==    still reachable: 2,903 bytes in 31 blocks
==21380==         suppressed: 0 bytes in 0 blocks
==21380== Rerun with --leak-check=full to see details of leaked memory
==21380== 
==21380== For counts of detected and suppressed errors, rerun with: -v
==21380== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
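
A triage aid for the Memcheck report above, added here as an example and not part of the original thread or of php-src: it splits each error into its access stack and its free stack, then finds the innermost function common to both so the two call sites can be compared. The embedded report is an excerpt of the posted output with frames trimmed; the names `parse_frame`, `parse_errors` and `shutdown_order` are hypothetical.

```python
import re
# Excerpt of the Memcheck report posted above (frames trimmed to the relevant ones).
REPORT = """\
==21380== Invalid read of size 1
==21380==    at 0x8AE860: zend_string_release (zend_string.h:269)
==21380==    by 0x8AEB52: zend_restore_ini_entry_cb (zend_ini.c:67)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==  Address 0x941c7c5 is 322,853 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)\s*$")

def parse_frame(line):
    # Returns (function, source file, line) or (function, "in <object>", None).
    m = FRAME.match(line)
    if not m:
        return None
    func, loc = m.groups()
    src, _, num = loc.rpartition(":")
    return (func, src, int(num)) if src and num.isdigit() else (func, loc, None)

def parse_errors(report):
    """Split a Memcheck report into errors with separate access and free stacks."""
    errors, cur, stack = [], None, None
    for line in report.splitlines():
        body = re.sub(r"^==\d+==\s?", "", line)
        if body.startswith("Invalid "):
            cur = {"kind": body.strip(), "access": [], "freed": []}
            errors.append(cur)
            stack = cur["access"]
        elif cur and "free'd" in body:          # "Address ... free'd" starts the free stack
            stack = cur["freed"]
        elif cur and (frame := parse_frame(line)):
            stack.append(frame)
        elif not body.strip():                  # a bare "==pid==" line ends the error
            cur = None
    return errors

def shutdown_order(error):
    """Innermost function on both stacks: (function, file, free call line, use call line)."""
    freed = {(f, s): n for f, s, n in error["freed"] if n is not None}
    for func, src, use_line in error["access"]:  # Memcheck lists the innermost frame first
        if use_line is not None and (func, src) in freed:
            return (func, src, freed[(func, src)], use_line)
    return None
```

On the excerpt, `shutdown_order` returns `('zend_deactivate', 'zend.c', 970, 989)`: the arena holding the string is destroyed from line 970, and the INI entry that still points into it is released from line 989 of the same function.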
 [2016-01-26 04:07 UTC] laruence@php.net
okay, a simple reproduction case is:
<?php
ini_set("include_path", "/tmp");
?>

run with php -d opcache.file_cache_only=1 -d opcache.file_cache=/tmp/ test.php
 [2016-01-26 07:58 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9ff08ae17cc6092810268b647dd9966e33fdc0a6
Log: Fixed bug #71443 (Segfault using built-in webserver with intl using symfony)
 [2016-01-26 07:58 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9ff08ae17cc6092810268b647dd9966e33fdc0a6
Log: Fixed bug #71443 (Segfault using built-in webserver with intl using symfony)
 