Bug #74845 Segfault during memory allocation since PHP 7.1
Submitted: 2017-07-03 08:36 UTC Modified: 2017-07-03 09:29 UTC
From: wouter at wouterj dot nl Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1Git-2017-07-03 (Git) OS: Linux
Private report: No CVE-ID: None
 [2017-07-03 08:36 UTC] wouter at wouterj dot nl
Description:
------------
A segfault occurs during the memory allocation after upgrading to PHP 7.1. This happens during the execution of our test suite.

Issues https://bugs.php.net/bug.php?id=74382 and https://bugs.php.net/bug.php?id=74608 seem to be related.

Test script:
---------------
The most minimal application in which I can consistently reproduce this bug is at https://github.com/wouterj/php7.1-segfault

To reproduce, follow these steps:

 * Clone the repository
 * composer install
 * php reproduce.php

Actual result:
--------------
GDB backtrace:

#0  0x00000000007bd7ac in zend_mm_alloc_small (heap=0x7ffff4000040, size=200, bin_num=14, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:1261
#1  0x00000000007bda50 in zend_mm_alloc_heap (heap=0x7ffff4000040, size=200, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:1332
#2  0x00000000007bff18 in _emalloc (size=168, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:2419
#3  0x000000000082598c in zend_objects_new (ce=ce@entry=0x7fffed7bcc18) at /home/wouter/.pvm/php-7.1/Zend/zend_objects.c:171
#4  0x00000000007ecd44 in _object_and_properties_init (arg=arg@entry=0x7ffff4015630, class_type=class_type@entry=0x7fffed7bcc18, properties=properties@entry=0x0, 
    __zend_filename=__zend_filename@entry=0xdcf650 "/home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h", __zend_lineno=__zend_lineno@entry=3217)
    at /home/wouter/.pvm/php-7.1/Zend/zend_API.c:1295
#5  0x00000000007ecda6 in _object_init_ex (arg=arg@entry=0x7ffff4015630, class_type=class_type@entry=0x7fffed7bcc18, 
    __zend_filename=__zend_filename@entry=0xdcf650 "/home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h", __zend_lineno=__zend_lineno@entry=3217)
    at /home/wouter/.pvm/php-7.1/Zend/zend_API.c:1310
#6  0x00000000008805b6 in ZEND_NEW_SPEC_CONST_HANDLER () at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:3217
#7  0x0000000000831cff in execute_ex (ex=<optimized out>) at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:429
#8  0x000000000088517c in zend_execute (op_array=op_array@entry=0x7ffff4086000, return_value=return_value@entry=0x0) at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:474
#9  0x00000000007e9d04 in zend_execute_scripts (type=-201239216, type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/wouter/.pvm/php-7.1/Zend/zend.c:1476
#10 0x0000000000779f2c in php_execute_script (primary_file=primary_file@entry=0x7fffffffc930) at /home/wouter/.pvm/php-7.1/main/main.c:2537
#11 0x0000000000886e2e in do_cli (argc=argc@entry=2, argv=argv@entry=0x114f390) at /home/wouter/.pvm/php-7.1/sapi/cli/php_cli.c:993
#12 0x0000000000887c67 in main (argc=2, argv=0x114f390) at /home/wouter/.pvm/php-7.1/sapi/cli/php_cli.c:1381

Running the script as: USE_ZEND_ALLOC=0 php reproduce.php
produces the following output:

*** Error in `php': corrupted double-linked list: 0x0000000002c6a260 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ff49dfcc7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80baf)[0x7ff49dfd5baf]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ff49dfd953c]
php(_efree+0x7b)[0x7bff95]
php(zend_objects_store_del+0x1c4)[0x82a7fc]
php(_zval_dtor_func+0xf3)[0x7e6be1]
php(zend_object_std_dtor+0x76)[0x825582]
php(zend_objects_store_del+0x163)[0x82a79b]
php(_zval_dtor_func+0xf3)[0x7e6be1]
php(_zval_ptr_dtor_wrapper+0x2c)[0x7e7055]
php(zend_hash_destroy+0x57)[0x7fbfc5]
php(zend_gc_collect_cycles+0x45c)[0x815862]
php(gc_possible_root+0xf9)[0x815023]
php[0x831c29]
php[0x883afe]
php[0x8849ab]
php(execute_ex+0x2a)[0x831cff]
php(zend_execute+0x2f4)[0x88517c]
php(zend_execute_scripts+0xe6)[0x7e9d04]
php(php_execute_script+0x354)[0x779f2c]
php[0x886e2e]
php[0x887c67]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff49df75830]
php(_start+0x29)[0x426629]
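
A small triage helper, added here as an example and not part of this bug report or of PHP itself: it parses both backtrace formats shown above (GDB frames with wrapped argument lines, and the glibc backtrace dump produced under USE_ZEND_ALLOC=0) and returns the first frame outside libc and the Zend allocator, which is where the offending allocation or free was issued (zend_objects_new at zend_objects.c:171 for the GDB trace, zend_objects_store_del for the glibc one). The sample frames are copied from this report; the list of allocator entry points is an assumption for this demonstration, and because allocator checks only detect corruption that happened earlier, the frame reported is a starting point for bisecting, not the root cause.

```python
import re

# Constructed sample: frames copied from the two backtraces in this report.
GDB_BT = """\
#0  0x00000000007bd7ac in zend_mm_alloc_small (heap=0x7ffff4000040, size=200, bin_num=14, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:1261
#2  0x00000000007bff18 in _emalloc (size=168, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:2419
#3  0x000000000082598c in zend_objects_new (ce=ce@entry=0x7fffed7bcc18) at /home/wouter/.pvm/php-7.1/Zend/zend_objects.c:171
"""
GLIBC_BT = """\
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ff49dfd953c]
php(_efree+0x7b)[0x7bff95]
php(zend_objects_store_del+0x1c4)[0x82a7fc]
"""

# Assumed allocator entry points: these frames only detect heap corruption
# that was caused earlier, so triage skips past them.
ALLOC_FUNCS = {"zend_mm_alloc_small", "zend_mm_alloc_heap", "_emalloc",
               "_efree", "cfree", "free", "malloc", "realloc"}
GDB_FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(\S+)\s*\((.*)\)"
                       r"(?:\s+at\s+(\S+):(\d+))?\s*$")
GLIBC_FRAME = re.compile(r"^(\S+?)(?:\((\w*)(?:\+0x[0-9a-f]+)?\))?\[0x[0-9a-f]+\]$")


def parse_backtrace(text):
    """Parse GDB 'bt' or glibc backtrace lines into (func, location) pairs."""
    merged = []
    for raw in text.splitlines():
        if merged and raw[:1].isspace():  # GDB wraps long argument lists
            merged[-1] += " " + raw.strip()
        elif raw.strip():
            merged.append(raw.strip())
    frames = []
    for line in merged:
        if (m := GDB_FRAME.match(line)):
            frames.append((m.group(1), f"{m.group(3)}:{m.group(4)}" if m.group(3) else "?"))
        elif (m := GLIBC_FRAME.match(line)):
            frames.append((m.group(2) or "?", m.group(1)))
    return frames


def first_suspect_frame(frames):
    """First frame outside libc and the allocator: the code that issued the bad alloc/free."""
    for func, loc in frames:
        if "libc.so" not in loc and func not in ALLOC_FUNCS and "zend_alloc.c" not in loc:
            return func, loc
    return None
```

Feed it the full output of gdb's "bt" or the glibc dump; when the suspect frame is still a destructor or the garbage collector, as here, the next step is running the reproducer under a memory checker to find the earlier write that corrupted the heap.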

History

 [2017-07-03 09:29 UTC] bwoebi@php.net
-Status: Open +Status: Duplicate
 [2017-07-03 09:29 UTC] bwoebi@php.net
Duplicate of bug #72530.
 