Bug #77692 Found crash when mb_convert_encoding() after creating Zookeeper instance
Submitted: 2019-03-05 01:05 UTC Modified: 2019-03-12 01:39 UTC
From: timandes@php.net Assigned: timandes (profile)
Status: Closed Package: PECL (PECL)
PHP Version: master-Git-2019-03-05 (Git) OS: CentOS Linux release 7.6.1810 (C
Private report: No CVE-ID: None
 [2019-03-05 01:05 UTC] timandes@php.net
Description:
------------
I've received a report of a strange issue:
https://github.com/php-zookeeper/php-zookeeper/issues/32

and I reproduced it in my container step by step and felt that it's not related to the Zookeeper extension. But I still cannot explain why the segmentation fault disappeared after I commented out the statement:

$zk = new \Zookeeper('127.0.0.1:2181');

----
Core dump here:
(gdb) bt
#0  0x00000000008c1bf3 in zend_mm_alloc_small (heap=0x7f9369400040, size=144, bin_num=12, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-7.3.1/Zend/zend_alloc.c:1287
#1  0x00000000008c1e8f in zend_mm_alloc_heap (heap=0x7f9369400040, size=144, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-7.3.1/Zend/zend_alloc.c:1358
#2  0x00000000008c4ab0 in _emalloc (size=112, __zend_filename=0x7f9368d97678 "/root/php-src/ext/mbstring/mbstring.c", __zend_lineno=634, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /root/php-7.3.1/Zend/zend_alloc.c:2498
#3  0x00007f9368c832dd in _php_mb_allocators_malloc (sz=112) at /root/php-src/ext/mbstring/mbstring.c:634
#4  0x00007f9368c80bb0 in mbfl_convert_filter_new (from=0x7f9368fbe540 <mbfl_encoding_ascii>, to=0x7f9368fbc920 <mbfl_encoding_wchar>,
    output_function=0x7f9368c79655 <mbfl_filt_conv_wchar_utf8>, flush_function=0x7f9368c814e1 <mbfl_filt_conv_common_flush>, data=0x7f936958df00)
    at /root/php-src/ext/mbstring/libmbfl/mbfl/mbfl_convert.c:177
#5  0x00007f9368c7a9a4 in mbfl_buffer_converter_new (from=0x7f9368fbe540 <mbfl_encoding_ascii>, to=0x7f9368fc2420 <mbfl_encoding_utf8>, buf_initsz=94)
    at /root/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c:145
#6  0x00007f9368c891e1 in php_mb_convert_encoding_ex (input=0x7f936958df18 "U\226\307h\223\177", length=94, to_encoding=0x7f9368fc2420 <mbfl_encoding_utf8>,
    from_encoding=0x7f9368fbe540 <mbfl_encoding_ascii>, output_len=0x7ffe7269b908) at /root/php-src/ext/mbstring/mbstring.c:2983
#7  0x00007f9368c894dd in php_mb_convert_encoding (input=0x7f936958df18 "U\226\307h\223\177", length=94, _to_encoding=0x7f93694a0918 "utf8", _from_encodings=0x7f93694d86d8 "ASCII",
    output_len=0x7ffe7269b908) at /root/php-src/ext/mbstring/mbstring.c:3057
#8  0x00007f9368c89cb5 in zif_mb_convert_encoding (execute_data=0x7f936941e750, return_value=0x7f936941e510) at /root/php-src/ext/mbstring/mbstring.c:3189
#9  0x000000000095dab0 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /root/php-7.3.1/Zend/zend_vm_execute.h:892
#10 0x00000000009c528e in execute_ex (ex=0x7f936941e030) at /root/php-7.3.1/Zend/zend_vm_execute.h:55434
#11 0x00000000009ca890 in zend_execute (op_array=0x7f936947a300, return_value=0x0) at /root/php-7.3.1/Zend/zend_vm_execute.h:60834
#12 0x00000000008fa6d4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-7.3.1/Zend/zend.c:1568
#13 0x000000000086ab0c in php_execute_script (primary_file=0x7ffe7269f0a0) at /root/php-7.3.1/main/main.c:2630
#14 0x00000000009cd269 in do_cli (argc=5, argv=0x18f2930) at /root/php-7.3.1/sapi/cli/php_cli.c:997
#15 0x00000000009ce1d5 in main (argc=5, argv=0x18f2930) at /root/php-7.3.1/sapi/cli/php_cli.c:1389


Can someone help me out?...
Thank you all.


Patches

valgrind-log-full-20190306 (last revision 2019-03-06 00:58 UTC by timandes@php.net)
valgrind-log-20190306 (last revision 2019-03-06 00:44 UTC by timandes@php.net)

Pull Requests

History

 [2019-03-05 08:10 UTC] laruence@php.net
You may run your test script with valgrind, like

USE_ZEND_ALLOC=0 valgrind php test_script.php

then paste the output.

thanks
 [2019-03-06 00:44 UTC] timandes@php.net
The following patch has been added/updated:

Patch Name: valgrind-log-20190306
Revision:   1551833093
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-20190306&revision=1551833093
 [2019-03-06 00:58 UTC] timandes@php.net
The following patch has been added/updated:

Patch Name: valgrind-log-full-20190306
Revision:   1551833903
URL:        https://bugs.php.net/patch-display.php?bug=77692&patch=valgrind-log-full-20190306&revision=1551833903
 [2019-03-06 08:15 UTC] nikic@php.net
==133== Invalid read of size 4
==133==    at 0x94A219: zend_gc_delref (zend_types.h:996)
==133==    by 0x94A942: zend_objects_store_del (zend_objects_API.c:185)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==    by 0x9CD268: do_cli (php_cli.c:997)
==133==    by 0x9CE1D4: main (php_cli.c:1389)
==133==  Address 0x7bc0b78 is 72 bytes inside a block of size 112 free'd
==133==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==133==    by 0x8C4B2C: _efree (zend_alloc.c:2508)
==133==    by 0x6F46C34: php_zk_destroy (php_zookeeper.c:832)
==133==    by 0x6F46C6E: php_zk_free_storage (php_zookeeper.c:841)
==133==    by 0x94A936: zend_objects_store_del (zend_objects_API.c:184)
==133==    by 0x8F6BF9: zend_object_destroy_wrapper (zend_variables.c:95)
==133==    by 0x8F6A6E: rc_dtor_func (zend_variables.c:65)
==133==    by 0x9BCAAA: ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:47269)
==133==    by 0x9CA0E5: execute_ex (zend_vm_execute.h:60362)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)
==133==  Block was alloc'd at
==133==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==133==    by 0x8C57AD: __zend_malloc (zend_alloc.c:2904)
==133==    by 0x8C4A85: _emalloc (zend_alloc.c:2494)
==133==    by 0x8C4EDB: _ecalloc (zend_alloc.c:2579)
==133==    by 0x6F46D04: php_zk_new (php_zookeeper.c:856)
==133==    by 0x900408: object_and_properties_init (zend_API.c:1335)
==133==    by 0x900449: object_init_ex (zend_API.c:1343)
==133==    by 0x96D5C0: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:8818)
==133==    by 0x9C5EEA: execute_ex (zend_vm_execute.h:56256)
==133==    by 0x9CA88F: zend_execute (zend_vm_execute.h:60834)
==133==    by 0x8FA6D3: zend_execute_scripts (zend.c:1568)
==133==    by 0x86AB0B: php_execute_script (main.c:2630)

Very likely some kind of refcounting bug in php-zookeeper (an addref missing somewhere?)
 [2019-03-06 08:18 UTC] nikic@php.net
Actually, I think it's just this line being wrong: https://github.com/php-zookeeper/php-zookeeper/blob/master/php_zookeeper.c#L832

The free_obj handler should release the object contents, but *not* deallocate the object itself. The engine will do that itself. This results in a double free.

You should be able to fix this issue simply by dropping that efree().
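An added illustration of the lifecycle nikic describes, written for this page and not taken from php-zookeeper or the PHP engine: a stand-alone C model in which the engine calls free_obj and then frees the block at obj minus handlers->offset, with a tracking allocator counting how often the wrapper block is released. The engine types, the php_zk_t layout and the sample host string are constructed stand-ins (this is not php.h), so the buggy handler's double free is counted rather than actually performed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the engine types; this is not php.h. */
typedef struct _zend_object zend_object;
typedef struct { size_t offset; void (*free_obj)(zend_object *); } zend_object_handlers;
struct _zend_object { const zend_object_handlers *handlers; };
#define XtOffsetOf(type, field) offsetof(type, field)

/* Wrapper laid out like the report's php_zk_t: extension fields first, zend_object last. */
typedef struct {
    char *hosts;      /* a buffer the extension owns and must release in free_obj */
    zend_object zo;
} php_zk_t;
#define ZK_FROM_OBJ(o) ((php_zk_t *)((char *)(o) - XtOffsetOf(php_zk_t, zo)))

/* Tracking allocator: counts releases of the wrapper block instead of freeing it twice. */
static void *g_wrapper; static int g_wrapper_frees;
static void efree_sim(void *p) {
    if (p == g_wrapper) { g_wrapper_frees++; return; }   /* real free deferred to run_lifecycle */
    free(p);
}

/* Buggy free_obj, the shape of php_zookeeper.c:832 before the fix: frees contents AND the wrapper. */
static void php_zk_free_storage_buggy(zend_object *obj) {
    php_zk_t *zk = ZK_FROM_OBJ(obj);
    efree_sim(zk->hosts);
    efree_sim(zk);        /* wrong: the engine frees this same block right after we return */
}

/* Fixed free_obj: release only what the extension allocated inside the wrapper. */
static void php_zk_free_storage_fixed(zend_object *obj) {
    php_zk_t *zk = ZK_FROM_OBJ(obj);
    efree_sim(zk->hosts);
    zk->hosts = NULL;
}

/* Engine side, modelled on zend_objects_store_del: call free_obj, then free the block at obj - offset. */
static int run_lifecycle(void (*free_obj)(zend_object *)) {
    zend_object_handlers handlers = { XtOffsetOf(php_zk_t, zo), free_obj };
    php_zk_t *zk = calloc(1, sizeof *zk);        /* create_object: ecalloc with embedded zend_object */
    zk->hosts = malloc(32);
    strcpy(zk->hosts, "127.0.0.1:2181");          /* constructed sample value taken from the report */
    zk->zo.handlers = &handlers;
    g_wrapper = zk; g_wrapper_frees = 0;
    zend_object *obj = &zk->zo;
    obj->handlers->free_obj(obj);                         /* extension hook runs first */
    efree_sim((char *)obj - obj->handlers->offset);       /* then the engine releases the block */
    free(zk);
    return g_wrapper_frees;                               /* 1 = correct, 2 = double free */
}
```

Under valgrind the real engine shows the second release as the "Invalid read" in zend_gc_delref followed by an invalid free, exactly the trace pasted above.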
 [2019-03-07 00:54 UTC] timandes@php.net
-Status: Open +Status: Assigned -Package: *Unicode Issues +Package: PECL -Assigned To: +Assigned To: timandes
 [2019-03-07 00:54 UTC] timandes@php.net
So it means I must allocate the wrapper struct (like php_zk_t) of zend_object, but I should not free it manually?

It's interesting. : )

But it works fine, thanks a lot.
 [2019-03-12 01:39 UTC] timandes@php.net
-Status: Assigned +Status: Closed
Last updated: Thu Dec 26 23:01:28 2024 UTC