PHP :: Bug #60158 :: Segmentation fault in zend

Bug #60158

Segmentation fault in zend_variables.c

Submitted:

2011-10-28 16:05 UTC

Modified:

2011-10-31 21:14 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 2 (50.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

michael dot irey at gmail dot com

Assigned:

Status:

Suspended

Package:

Scripting Engine problem

PHP Version:

5.3.x

OS:

Ubuntu 10.04.3 LTS

Private report:

CVE-ID:

None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 19 - 7 = ?
Subscribe to this entry?

[2011-10-28 16:05 UTC] michael dot irey at gmail dot com

Description:
------------
Using ZendFramework-1.11.10. Seg fault occurs also in 5.3.2 as well as 5.3.8. Does 
not occur in 5.2.4.  Difficult to reproduce, but I will include the gdb backtrace. 
Basically assigning the value of variable to another, causes the seg fault. I can 
not determine why. The line $this->_element = $element; causes the seg fault.

Test script:
---------------
    public function setElement($element)
    {
        if ((!$element instanceof Zend_Form_Element)
            && (!$element instanceof Zend_Form)
            && (!$element instanceof Zend_Form_DisplayGroup))
        {
            require_once 'Zend/Form/Decorator/Exception.php';
            throw new Zend_Form_Decorator_Exception('Invalid element type passed to decorator');
        }

        $this->_element = $element;
        return $this;
    }

Expected result:
----------------
Not this: exit signal Segmentation fault (11)

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00007ffd348abe53 in _zend_mm_free_canary_int (heap=0x7ffd39b11130, 
p=0x21143c453bb97f0f) at /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c:2090
2090	/build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c: No such file or 
directory.
	in /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c




(gdb) dump_bt executor_globals.current_execute_data
[0x386f2e30] setElement() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Decorator/Abstract.php:186 
[0x386f2ac8] setElement() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Element.php:2030 
[0x386f28f0] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Element.php:2046 
[0xa59d03f0] __toString() 
[0x386f1080] ??? 
/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scrip
ts/contacts/duplicate.phtml:186 
[0x386f0e80] ??? /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/View.php:108 
[0x386f0c38] _run() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/View/Abstract.php:888 
[0x386f0968] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900 
[0x386f0760] renderScript() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921 
[0x386f0620] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960 
[0x386f0458] postDispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/HelperBroker.php:277 
[0x386efdd0] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action.php:527 
[0x386eefb8] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Dispatcher/Standard.php:295 
[0x386ed590] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Front.php:954 
[0x386ed190] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97 
[0x386ed050] run() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Application.php:366 
[0x386ec068] run() 
/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-10-28 16:10 UTC] michael dot irey at gmail dot com

Added more detail in the summary

[2011-10-28 16:10 UTC] michael dot irey at gmail dot com

-Summary: Segmentation fault +Summary: Segmentation fault in _zend_mm_free_canary_int

[2011-10-28 16:14 UTC] felipe@php.net

zend_alloc_canary.c is from Suhosin project, not PHP.

So, try reproduce the crash in a clean PHP build.

[2011-10-28 16:14 UTC] felipe@php.net

-Status: Open +Status: Bogus

[2011-10-31 18:47 UTC] michael dot irey at gmail dot com

-PHP Version: 5.3.8 +PHP Version: 5.3.x

[2011-10-31 18:47 UTC] michael dot irey at gmail dot com

Ok, I have reproduced the bug from a clean PHP build using 5.3.8

Here is the new gdb details:


Program terminated with signal 11, Segmentation fault.
#0  0x00007fabd4b288b6 in _zval_dtor_func (zvalue=0x7fff0a50eb70, 
__zend_filename=0x7fabd4ea8558 "/root/downloads/php-
5.3.8/Zend/zend_object_handlers.c", __zend_lineno=441)
    at /root/downloads/php-5.3.8/Zend/zend_variables.c:35
35				CHECK_ZVAL_STRING_REL(zvalue);
(gdb) dump_bt executor_globals.current_execute_data
[0xd8959e80] setElement() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Decorator/Abstract.php:186 
[0xd8959b18] setElement() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Element.php:2030 
[0xd8959940] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Form/Element.php:2046 
[0x0a50eec0] __toString() 
[0xd89580d0] ??? 
/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scrip
ts/contacts/duplicate.phtml:62 
[0xd8957ed0] ??? /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/View.php:108 
[0xd8957c88] _run() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/View/Abstract.php:888 
[0xd89579b8] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900 
[0xd89577b0] renderScript() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921 
[0xd8957670] render() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960 
[0xd89574a8] postDispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action/HelperBroker.php:277 
[0xd8956e20] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Action.php:527 
[0xd8956008] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Dispatcher/Standard.php:295 
[0xd89545e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Controller/Front.php:954 
[0xd89541e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97 
[0xd89540a0] run() /web/lib/zend/ZendFramework-1.11.10-
minimal/library/Zend/Application.php:366 
[0xd8953090] run() 
/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69

[2011-10-31 18:49 UTC] michael dot irey at gmail dot com

Updated the summary line to contain zend_variables.c

[2011-10-31 18:49 UTC] michael dot irey at gmail dot com

-Summary: Segmentation fault in _zend_mm_free_canary_int +Summary: Segmentation fault in zend_variables.c

[2011-10-31 19:51 UTC] michael dot irey at gmail dot com

Changed the package description

[2011-10-31 19:51 UTC] michael dot irey at gmail dot com

-Package: Apache2 related +Package: Scripting Engine problem

[2011-10-31 20:13 UTC] pajoye@php.net

-Status: Bogus +Status: Feedback

[2011-10-31 20:13 UTC] pajoye@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2011-10-31 21:02 UTC] michael dot irey at gmail dot com

I would really like to provide a short example script to reproduce the problem. 
However, the problem only seems to pop up on when a large amount of objects are 
used, but that is only a guess.

We use ZendFramework 1.11.x. I have re-compiled PHP with --enable-debug and when 
I execute the script that caused the seg fault I get this:

Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??
bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:17:52 2011]  Script:  
'/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location 
was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:17:52 2011]  Script:  
'/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), 
script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===
Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??
bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:18:09 2011]  Script:  
'/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location 
was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:18:09 2011]  Script:  
'/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), 
script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===


Is there anything else I can do to help diagnose and resolve this issue?

[2011-10-31 21:02 UTC] michael dot irey at gmail dot com

-Status: Feedback +Status: Open

[2011-10-31 21:14 UTC] pajoye@php.net

I would suggest to report this issue at zend framework or zend directly then. They 
can help you to figure out the issue.

[2011-10-31 21:14 UTC] pajoye@php.net

-Status: Open +Status: Suspended

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 07 11:00:01 2025 UTC