Bug #47596 Bus error on parsing file
Submitted: 2009-03-08 09:37 UTC Modified: 2009-05-01 17:18 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: pahan at hubbitus dot info Assigned: shire
Status: Closed Package: Reproducible crash
PHP Version: 5.3.0beta1 OS: Linux
Private report: No CVE-ID:
 [2009-03-08 09:37 UTC] pahan at hubbitus dot info
Description:
------------
On a particular file, PHP always crashes with a Bus Error.
I tried to split the file to keep only the sensible data, but I can't. ANY change 
to it makes the behavior predictable and everything works as expected. Even 
adding/deleting a comment, any letter, or a space in any place...

$ php test.bus.error.php
Bus error

It contains many external dependencies, but they are absolutely unneeded 
for reproducibility:
$ php -d"include_path=:::::" test.bus.error.php
Bus error

[pasha@x-www _SHARED_]$ ulimit -c unlimited
[pasha@x-www _SHARED_]$ php -d"include_path=/" test.bus.error.php
Bus error (core dumped)

This file is my working mess for testing and sandboxing :), so it is 
really not intended for any outside use, or even any use except probes 
and examples. But as I can't change even 1 letter in it, I am posting it as 
is: http://ru.bir.ru/_temp/php-bugs/2/test.bus.error.php.gz
A coredump file is also available for download: http://ru.bir.ru/_temp/php-bugs/2/core.19581

Reproduce code:
---------------
http://ru.bir.ru/_temp/php-bugs/2/test.bus.error.php.gz
Sorry, I can't make it smaller.


 [2009-03-10 11:12 UTC] pahan at hubbitus dot info
This script is a completely self-contained reproducing script. But as I 
mentioned before, I can't make it smaller because that breaks 
reproducibility.
 [2009-03-10 18:23 UTC] scottmac@php.net
Looks like something in the re2c stuff that's causing it to overread.
 [2009-03-22 01:19 UTC] shire@php.net
This is being caused because of mis-use of mmap().  We are currently relying on mmap to pad the end of our mmap'd file with zeros for detection of EOF in the scanner and scanning ahead.  We specifically add ZEND_MMAP_AHEAD to the len passed to mmap in zend_stream_fixup():

/*  *buf[size] is zeroed automatically by the kernel */
*buf = mmap(0, size + ZEND_MMAP_AHEAD, PROT_READ, MAP_PRIVATE, fileno(file_handle->handle.fp), 0);
 
But AFAIK mmap does not support this usage of the len parameter, as it's a limit rather than able to extend the mmap region.  This appears to work under most cases as mmap will pad zeroes up to PAGESIZE.  This error will occur anytime we use mmap in this way on a file that is not ZEND_MMAP_AHEAD bytes less than PAGESIZE and therefore attempt to access a byte over PAGESIZE.

It will be easy to fix the mmap calls, however this will break the re2c scanner.  Originally for the EOF checks I was going to re-implement YYFILL to malloc additional space for the scanner after EOF, this may be an option to correct this.
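
An added illustration of the failure mode described in the comment above (not code from PHP or from any participant in this report): the kernel zero-fills only the remainder of the file's last page, so a loader may rely on mmap() for lookahead padding only when that remainder covers the lookahead, and must otherwise copy the file into a zeroed heap buffer. LOOKAHEAD (an assumed stand-in for ZEND_MMAP_AHEAD), tail_padding, load_source and demo are hypothetical names, and the temporary file is constructed test input.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define LOOKAHEAD 32 /* assumed stand-in for ZEND_MMAP_AHEAD */
struct src { char *buf; size_t map_len; }; /* map_len == 0 means heap copy */

/* Zero bytes guaranteed after EOF: only the remainder of the last page. */
static size_t tail_padding(size_t size, size_t page) {
    return (page - size % page) % page;
}

/* Return a buffer readable for size + LOOKAHEAD bytes, zero after EOF. */
static struct src load_source(int fd, size_t size) {
    struct src s = { NULL, 0 };
    size_t page = (size_t)sysconf(_SC_PAGESIZE), off = 0;
    if (size > 0 && tail_padding(size, page) >= LOOKAHEAD) {
        /* size + LOOKAHEAD ends inside the last file-backed page. */
        void *p = mmap(NULL, size + LOOKAHEAD, PROT_READ, MAP_PRIVATE, fd, 0);
        if (p != MAP_FAILED) { s.buf = p; s.map_len = size + LOOKAHEAD; return s; }
    }
    /* Lookahead would reach a page with no file behind it: copy instead. */
    s.buf = calloc(1, size + LOOKAHEAD);
    while (s.buf && off < size) {
        ssize_t n = pread(fd, s.buf + off, size - off, (off_t)off);
        if (n <= 0) { free(s.buf); s.buf = NULL; break; }
        off += (size_t)n;
    }
    return s;
}

/* Constructed check: write `size` bytes, load, read LOOKAHEAD bytes past EOF.
   Returns 1 if the mmap path was used, 2 for the heap path, 0 on failure. */
static int demo(size_t size) {
    char path[] = "/tmp/mmap_ahead_XXXXXX";
    int fd = mkstemp(path), ok = 1;
    if (fd < 0) return 0;
    unlink(path);
    for (size_t i = 0; i < size; i++) ok &= (write(fd, "x", 1) == 1);
    struct src s = load_source(fd, size);
    ok = ok && s.buf != NULL;
    for (size_t i = 0; ok && i < LOOKAHEAD; i++) ok = (s.buf[size + i] == 0);
    int used = !ok ? 0 : (s.map_len ? 1 : 2);
    if (s.map_len) munmap(s.buf, s.map_len); else free(s.buf);
    close(fd);
    return used;
}

int main(void) { return demo(100) == 1 ? 0 : 1; }
```

A file whose size is an exact multiple of the page size, or that ends fewer than LOOKAHEAD bytes before a page boundary, takes the heap path here; mapping it with the longer length and reading the padding is the access that raises SIGBUS.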



 [2009-03-26 17:32 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Wed Apr 23 14:02:33 2014 UTC