PHP :: Bug #73156 :: segfault on undefined function

Bug #73156	segfault on undefined function
Submitted:	2016-09-23 20:03 UTC	Modified:	2016-09-26 06:36 UTC
From:	ryan dot brothers at gmail dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	7.1.0RC2	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ryan dot brothers at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-09-23 20:03 UTC] ryan dot brothers at gmail dot com

Description:
------------
I am running into a few segmentation faults in PHP 7.0 and 7.1 when using Opcache.  They seem to be very dependent on the code structure as minor updates to the code fix it - even just renaming a variable in some cases.  It's tricky to generate small reproduce scripts, but I've been able to do one so far.

I am running on CentOS 7.

Create the below 3 files and run the script as:

php -n -d zend_extension=opcache.so -d opcache.enable_cli=1 file1.php


Test script:
---------------
file1.php:
-------
<?php
class a1
{
	public function __call($name, $arguments)
	{
		require('file2.php');
	}
}

$a1 = new a1;
$a1->file2();
-------

file2.php:
-------
<?php
$arguments = array();

require('file3.php');

class a2
{
	public function __call($method_name, $arguments)
	{
		try
		{
			throw new \Exception('abc');
		}
		catch (\Exception $e)
		{
			try
			{
				test();
			}
			catch (\Error $e)
			{
				echo 'caught';
				exit;
			}
		}
	}
}

$a2 = new a2;
$a2->function2();
-------

file3.php:
-------
<?php
namespace test_aaaa;

function abc($row)
{
	if (array_key_exists('a', $row) == true)
	{
		$a = ABC_ERROR_AAA__123_ERROR;

		$a = ABC_ERROR_AAA__123_ERROR;
	}
	else
	{
		$a = ABC_ERROR_AAA__123_ERROR;
	}
}
-------


Expected result:
----------------
caught

Actual result:
--------------
Segmentation fault

backtrace is:
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (size=56, bin_num=6, heap=0x7fffee200040) at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:1250
1250                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7fffee200040) at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:1250
#1  _emalloc_56 () at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:2325
#2  0x0000000000857300 in _array_init (arg=arg@entry=0x7fffffffab20, size=size@entry=2) at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1060
#3  0x0000000000869baf in debug_backtrace_get_args (call=call@entry=0x7fffee2131a0, arg_array=arg_array@entry=0x7fffffffab20)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_builtin_functions.c:2271
#4  0x000000000086e446 in zend_fetch_debug_backtrace (return_value=return_value@entry=0x7fffffffaba0, skip_last=skip_last@entry=0, options=options@entry=0,
    limit=limit@entry=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_builtin_functions.c:2671
#5  0x0000000000874d9f in zend_default_exception_new_ex (class_type=0x1282820, skip_top_traces=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_exceptions.c:214
#6  0x0000000000857abb in _object_and_properties_init (arg=arg@entry=0x7fffffffac10, class_type=class_type@entry=0x1282820, properties=properties@entry=0x0)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1302
#7  0x0000000000857ba7 in _object_init_ex (arg=arg@entry=0x7fffffffac10, class_type=class_type@entry=0x1282820) at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1310
#8  0x000000000044a403 in zend_throw_exception (exception_ce=exception_ce@entry=0x1282820, message=0x7fffee284000 "Call to undefined function test()",
    code=code@entry=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_exceptions.c:903
#9  0x0000000000449494 in zend_throw_error (exception_ce=0x1282820, exception_ce@entry=0x0, format=format@entry=0xe48ad8 "Call to undefined function %s()")
    at /usr/local/src/php-7.1.0RC2/Zend/zend.c:1336
#10 0x00000000008e2589 in ZEND_INIT_FCALL_BY_NAME_SPEC_CONST_HANDLER () at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:2130
#11 0x0000000000899b8b in execute_ex (ex=<optimized out>) at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:429
#12 0x00000000008ec7c4 in zend_execute (op_array=0x7fffee27f0e0, op_array@entry=0x7fffe432a720, return_value=return_value@entry=0x7fffee2131a0)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:474
#13 0x0000000000855444 in zend_execute_scripts (type=type@entry=8, retval=0x7fffee2131a0, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php-7.1.0RC2/Zend/zend.c:1464
#14 0x00000000007f7140 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd150) at /usr/local/src/php-7.1.0RC2/main/main.c:2533
#15 0x00000000008ee95f in do_cli (argc=7, argv=0x1202bd0) at /usr/local/src/php-7.1.0RC2/sapi/cli/php_cli.c:990
#16 0x000000000044dd50 in main (argc=7, argv=0x1202bd0) at /usr/local/src/php-7.1.0RC2/sapi/cli/php_cli.c:1378

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-25 14:55 UTC] ryan dot brothers at gmail dot com

Please also see bug 73168 that I just added on a different segfault.  I wasn't sure if it was the same underlying issue.

[2016-09-26 06:17 UTC] laruence@php.net

actually, this is not opcache issue, and also can be reproduced in 7.0, 

a simpler reproduce script is:
<?php
class A {
    public function __call($name, $args) {
        eval('$args = array(); var_dump(debug_backtrace());');
    }
}

$a = new A();

$a->test("test");
?>


I don't see a easy fix for now howerver:<

[2016-09-26 06:18 UTC] laruence@php.net

please note, my test script may not trigger segfault, should run with valgrind.

[2016-09-26 06:36 UTC] laruence@php.net

-Package: opcache +Package: Scripting Engine problem -Assigned To: +Assigned To: dmitry

[2016-09-26 06:36 UTC] laruence@php.net

a fix could be:
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 194f16d..1e68534 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -1527,7 +1527,9 @@ ZEND_API void zend_attach_symbol_table(zend_execute_data *execute_data) /* {{{ *
                        if (zv) {
                                if (Z_TYPE_P(zv) == IS_INDIRECT) {
                                        zval *val = Z_INDIRECT_P(zv);
-
+                                 if (EXPECTED(Z_REFCOUNTED_P(zv) && (!Z_ISREF_P(val)))) {
+                                         ZVAL_NEW_REF(val, Z_INDIRECT_P(zv));
+                                 }
                                        ZVAL_COPY_VALUE(var, val);
                                } else {
                                        ZVAL_COPY_VALUE(var, zv);

[2016-09-26 11:19 UTC] dmitry@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d2791184228ff86878acda46567a3bc2a94f2a36
Log: Fixed bug #73156 (segfault on undefined function)

[2016-09-26 11:19 UTC] dmitry@php.net

-Status: Assigned +Status: Closed

[2016-10-17 10:07 UTC] bwoebi@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d2791184228ff86878acda46567a3bc2a94f2a36
Log: Fixed bug #73156 (segfault on undefined function)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 14:01:29 2024 UTC