Bug #47596 Bus error on parsing file
Submitted: 2009-03-08 09:37 UTC Modified: 2009-05-01 17:18 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: pahan at hubbitus dot info Assigned: shire
Status: Closed Package: Reproducible crash
PHP Version: 5.3.0beta1 OS: Linux
Private report: No CVE-ID:
 [2009-03-08 09:37 UTC] pahan at hubbitus dot info
On a particular file, php always crashes with Bus Error.
I tried to split the file to get only the sensible data, but I can't. ANY change 
in it produces predictable behavior and everything works as expected. Even 
adding/deleting a comment, any letter, or a space in any place...

$ php test.bus.error.php
Bus error

It contains many external dependencies, but they are absolutely unneeded 
for reproducibility:
$ php -d"include_path=:::::" test.bus.error.php
Bus error

[pasha@x-www _SHARED_]$ ulimit -c unlimited
[pasha@x-www _SHARED_]$ php -d"include_path=/" test.bus.error.php
Bus error (core dumped)

This file is my working mess for test and sandboxing :), so, it is 
really not intended for any use outside and even any use except probes 
and examples. But as I can't even change 1 letter in it, I place it as 
Coredump file also available for download:

Reproduce code:
Sorry, I can't make that smaller.


 [2009-03-10 11:12 UTC] pahan at hubbitus dot info
This script is a completely self-contained reproducing script. But as I 
mentioned before, I can't make it smaller because it break 
 [2009-03-10 18:23 UTC]
Looks like something in the re2c stuff that's causing it to overread.
 [2009-03-22 01:19 UTC]
This is being caused because of mis-use of mmap().  We are currently relying on mmap to pad the end of our mmap'd file with zeros for detection of EOF in the scanner and scanning ahead.  We specifically add ZEND_MMAP_AHEAD to the len passed to mmap in zend_stream_fixup():

/*  *buf[size] is zeroed automatically by the kernel */
*buf = mmap(0, size + ZEND_MMAP_AHEAD, PROT_READ, MAP_PRIVATE, fileno(file_handle->handle.fp), 0);

But AFAIK mmap does not support this usage of the len parameter, as it's a limit rather than able to extend the mmap region.  This appears to work under most cases as mmap will pad zeroes up to PAGESIZE.  This error will occur anytime we use mmap in this way on a file that is not ZEND_MMAP_AHEAD bytes less than PAGESIZE and therefore attempt to access a byte over PAGESIZE.

It will be easy to fix the mmap calls, however this will break the re2c scanner.  Originally for the EOF checks I was going to re-implement YYFILL to malloc additional space for the scanner after EOF, this may be an option to correct this.
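
The page-boundary condition described in the comment above, as an added example that is not PHP's code and not the change committed to CVS. The function names, the 4096-byte page size and the lookahead value of 32 are assumptions for illustration; load_padded() shows a heap copy with explicit zero padding that does not depend on page geometry.

```c
#include <stdio.h>
#include <stdlib.h>

/* Zero bytes the kernel guarantees after EOF in a file mapping: only the
 * rest of the last file-backed page. Touching later pages raises SIGBUS. */
static size_t zero_tail(size_t file_size, size_t page_size)
{
    size_t used = file_size % page_size;
    return used ? page_size - used : 0;
}

/* 1 if a scanner may read `ahead` bytes past EOF of an mmap'd file. */
static int mmap_lookahead_safe(size_t file_size, size_t ahead, size_t page_size)
{
    return zero_tail(file_size, page_size) >= ahead;
}

/* Copy the file into heap memory with `ahead` zero bytes appended.
 * Returns NULL on error; the caller frees the buffer. */
static unsigned char *load_padded(const char *path, size_t ahead, size_t *len)
{
    FILE *fp = fopen(path, "rb");
    unsigned char *buf = NULL;
    long size;

    if (!fp) return NULL;
    if (fseek(fp, 0, SEEK_END) == 0 && (size = ftell(fp)) >= 0) {
        rewind(fp);
        buf = calloc((size_t)size + ahead, 1);   /* padding is already zero */
        if (buf && fread(buf, 1, (size_t)size, fp) != (size_t)size) {
            free(buf);
            buf = NULL;
        }
        if (buf) *len = (size_t)size;
    }
    fclose(fp);
    return buf;
}

int main(void)
{
    /* Constructed sizes; page = 4096 and ahead = 32 are assumed values. */
    size_t sizes[] = { 4000, 4080, 4096, 8192 }, page = 4096, ahead = 32;
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size=%zu zero_tail=%zu lookahead_safe=%d\n", sizes[i],
               zero_tail(sizes[i], page),
               mmap_lookahead_safe(sizes[i], ahead, page));
    return 0;
}
```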

 [2009-03-26 17:32 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Sat Nov 28 02:01:31 2015 UTC