Bug #76713 Segmentation fault caused by property corruption
Submitted: 2018-08-06 21:20 UTC
Modified: 2018-08-07 04:27 UTC
From: shiranai7 at hotmail dot com
Assigned: laruence
Status: Closed
Package: Reproducible crash
PHP Version: 7.3.0beta1
OS: Linux, Windows
Private report: No
CVE-ID: None

 [2018-08-06 21:20 UTC] shiranai7 at hotmail dot com
Description:
------------
I'm getting a segmentation fault while running PHPUnit tests of one of my libraries, both on Linux and Windows.

I've traced it to an array_column() call in ./tests/EventEmitterTest.php@642

Dumping $actualListeners reveals that some of the object properties are corrupted just before the crash occurs. This seems to change randomly depending on which code is added or commented-out.

Test script:
---------------
Unfortunately, I haven't been able to reproduce this crash in isolation. I've prepared a ZIP archive with all the necessary PHP files:

(1.75 MB) https://github.com/kuria/event/raw/segfault-repr/segfault-repr.zip

The following command can be used to run the test:

php ./vendor/phpunit/phpunit/phpunit

Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=<optimized out>, size=140737287172912, heap=0x7ffff4000040)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1283
1283			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (bin_num=<optimized out>, size=140737287172912, heap=0x7ffff4000040)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1283
#1  zend_mm_realloc_heap (copy_size=140737287172912, use_copy_size=0 '\000', size=<optimized out>, 
    ptr=0x7ffff3416100, heap=0x7ffff4000040) at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1598
#2  _erealloc (ptr=ptr@entry=0x7ffff3416100, size=size@entry=72)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:2523
#3  0x00005555559e1c5f in zend_string_extend (persistent=0, len=<optimized out>, s=0x7ffff3416100)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_string.h:205
#4  ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER ()
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:16985
#5  0x00005555559f99e5 in execute_ex (ex=0x7ffff3416100)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:57284
#6  0x0000555555a007de in zend_execute (op_array=op_array@entry=0x7ffff407d2a0, return_value=0x0, 
    return_value@entry=0x7ffff41810e0) at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:60882
#7  0x0000555555973092 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff41810e0, retval@entry=0x0, 
    file_count=-201182608, file_count@entry=3) at /home/user/Downloads/php-7.3.0beta1/Zend/zend.c:1562
#8  0x0000555555913c40 in php_execute_script (primary_file=0x7fffffffcdc0)
    at /home/user/Downloads/php-7.3.0beta1/main/main.c:2630
#9  0x0000555555a02c7c in do_cli (argc=2, argv=0x555556396fa0)
    at /home/user/Downloads/php-7.3.0beta1/sapi/cli/php_cli.c:997
#10 0x000055555565ce9b in main (argc=2, argv=0x555556396fa0)
    at /home/user/Downloads/php-7.3.0beta1/sapi/cli/php_cli.c:1390

History

 [2018-08-07 04:27 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2018-08-07 04:37 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b1d79ce6661efdfae881884ca40b4ca7fc991e7
Log: Fixed bug #76713 (Segmentation fault caused by property corruption)
 [2018-08-07 04:37 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 