Bug #51243 syntax error in autoload causes segmentation fault
Submitted: 2010-03-09 03:56 UTC
Modified: 2014-07-13 02:27 UTC
Votes: 13
Avg. Score: 4.6 ± 0.7
Reproduced: 8 of 9 (88.9%)
Same Version: 4 (50.0%)
Same OS: 3 (37.5%)
From: tsamukawa at maru dot jp
Assigned: yohgaki
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.3.2, 5.3.3, 5.3.9RC
OS: CentOS5.*
Private report: No
CVE-ID: None
 [2010-03-09 03:56 UTC] tsamukawa at maru dot jp
Description:
------------
A segmentation fault occurred when a file was loaded by calling require() or 
include() inside an autoload function,
and the file contains a PHP syntax error.

It happens often.
In most cases it happens after making changes to the script repeatedly.

Test script:
---------------
=== C.php ===
<?php

class C{
  funct ion pr(){ print 123; }  // <-- syntax error
}

==== test.php ====
<?php

class Loader{
  function autoload($classname){ require "$classname.php" ;}
}

$loader  = new Loader();
spl_autoload_register(array($loader,'autoload'));

$c = new C();
$c->pr();

Expected result:
----------------
Report syntax error.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xb79dcb28 in zend_mm_check_ptr (heap=0x81b8a10, ptr=0x841fc78, silent=0, 
__zend_filename=0xb7f3234b "Zend/zend_language_scanner.l", __zend_lineno=685, 
__zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /s/php-5.3.2/Zend/zend_alloc.c:1355
1355            if (p->info._prev != ZEND_MM_GUARD_BLOCK &&
(gdb) bt
#0  0xb79dcb28 in zend_mm_check_ptr (heap=0x81b8a10, ptr=0x841fc78, silent=0, 
__zend_filename=0xb7f3234b "Zend/zend_language_scanner.l", __zend_lineno=685, 
__zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /s/php-5.3.2/Zend/zend_alloc.c:1355
#1  0xb79dcaff in zend_mm_check_ptr (heap=0x81b8a10, ptr=0x841fc78, silent=1, 
__zend_filename=0xb7f3234b "Zend/zend_language_scanner.l", __zend_lineno=685, 
__zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /s/php-5.3.2/Zend/zend_alloc.c:1352
#2  0xb79de08c in _zend_mm_free_int (heap=0x81b8a10, p=0x841fc78, 
__zend_filename=0xb7f3234b "Zend/zend_language_scanner.l", __zend_lineno=685, 
__zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /s/php-5.3.2/Zend/zend_alloc.c:1983
#3  0xb79df163 in _efree (ptr=0x841fc78, __zend_filename=0xb7f3234b 
"Zend/zend_language_scanner.l", __zend_lineno=685, __zend_orig_filename=0x0, 
__zend_orig_lineno=0)
    at /s/php-5.3.2/Zend/zend_alloc.c:2351
#4  0xb79c6105 in zend_multibyte_read_script (buf=0xb7157000 "<?php\n\nclass 
C{\n  funct ion pr(){ print 123; }\n}\n\n", n=50) at 
Zend/zend_language_scanner.l:685
#5  0xb79c5083 in open_file_for_scanning (file_handle=0xbf848aa0) at 
Zend/zend_language_scanner.l:263
#6  0xb79c5290 in compile_file (file_handle=0xbf848aa0, type=8) at 
Zend/zend_language_scanner.l:331
#7  0xb77d0015 in phar_compile_file (file_handle=0xbf848aa0, type=8) at /s/php-
5.3.2/ext/phar/phar.c:3390
#8  0xb6dabbba in xdebug_compile_file (file_handle=0xbf848aa0, type=8) at 
/s/xdebug-2.0.5/xdebug.c:2405
#9  0xb6d81060 in eaccelerator_compile_file (file_handle=0xbf848aa0, type=8) at 
/s/eaccelerator-0.9.6/eaccelerator.c:1252
#10 0xb79c546a in compile_filename (type=8, filename=0x8420ebc) at 
Zend/zend_language_scanner.l:386
#11 0xb7a33dd7 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER 
(execute_data=0x8450258) at /s/php-5.3.2/Zend/zend_vm_execute.h:1916
#12 0xb7a2dbe4 in execute (op_array=0x842205c) at /s/php-
5.3.2/Zend/zend_vm_execute.h:104
#13 0xb6da9456 in xdebug_execute (op_array=0x842205c) at /s/xdebug-
2.0.5/xdebug.c:1562
#14 0xb79f2f5c in zend_call_function (fci=0xbf848ea4, fci_cache=0xbf848e74) at 
/s/php-5.3.2/Zend/zend_execute_API.c:947
#15 0xb7a1be08 in zend_call_method (object_pp=0x841d5d8, obj_ce=0x84208bc, 
fn_proxy=0x841d5d4, function_name=0x841f1c8 "x::autoload\001", 
function_name_len=16, retval_ptr_ptr=0xbf848f44,
    param_count=1, arg1=0x841eed8, arg2=0x0) at /s/php-
5.3.2/Zend/zend_interfaces.c:97
#16 0xb7871cfc in zif_spl_autoload_call (ht=1, return_value=0x841fd94, 
return_value_ptr=0xbf849130, this_ptr=0x0, return_value_used=1) at /s/php-
5.3.2/ext/spl/php_spl.c:395
#17 0xb79f30f4 in zend_call_function (fci=0xbf84910c, fci_cache=0xbf8490f8) at 
/s/php-5.3.2/Zend/zend_execute_API.c:969
#18 0xb79f385d in zend_lookup_class_ex (name=0x8422190 "C", name_length=1, 
use_autoload=1, ce=0xbf84919c) at /s/php-5.3.2/Zend/zend_execute_API.c:1100
#19 0xb79f44b0 in zend_fetch_class (class_name=0x8422190 "C", class_name_len=1, 
fetch_type=4) at /s/php-5.3.2/Zend/zend_execute_API.c:1542
#20 0xb7a30966 in ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (execute_data=0x84501b8) 
at /s/php-5.3.2/Zend/zend_vm_execute.h:724
#21 0xb7a308df in ZEND_USER_OPCODE_SPEC_HANDLER (execute_data=0x84501b8) at 
/s/php-5.3.2/Zend/zend_vm_execute.h:703
#22 0xb7a2dbe4 in execute (op_array=0x841eb88) at /s/php-
5.3.2/Zend/zend_vm_execute.h:104
#23 0xb6da9456 in xdebug_execute (op_array=0x841eb88) at /s/xdebug-
2.0.5/xdebug.c:1562
#24 0xb7a0139d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at 
/s/php-5.3.2/Zend/zend.c:1194
#25 0xb79954b6 in php_execute_script (primary_file=0xbf84b65c) at /s/php-
5.3.2/main/main.c:2260
#26 0xb7acb392 in php_handler (r=0x83a1538) at /s/php-
5.3.2/sapi/apache2handler/sapi_apache2.c:655
#27 0x0807f629 in ap_run_handler (r=0x83a1538) at config.c:157
---Type <return> to continue, or q <return> to quit---
#28 0x08082797 in ap_invoke_handler (r=0x83a1538) at config.c:372
#29 0x080d64f8 in ap_process_request (r=0x83a1538) at http_request.c:282
#30 0x080d36db in ap_process_http_connection (c=0x83e1af0) at http_core.c:190
#31 0x08086769 in ap_run_process_connection (c=0x83e1af0) at connection.c:43
#32 0x08104f1d in child_main (child_num_arg=<value optimized out>) at 
prefork.c:662
#33 0x08105163 in make_child (s=0x8152c98, slot=0) at prefork.c:702
#34 0x08105f3c in ap_mpm_run (_pconf=0x814a550, plog=0x81a47f8, s=0x8152c98) at 
prefork.c:978
#35 0x0806cf25 in main (argc=135562568, argv=0x83df910) at main.c:740

Patches

fix-segfault-when-enable-zend-multibyte (last revision 2011-03-30 09:38 UTC by ks dot 08651 at i-revo dot co dot jp)

History
 [2010-03-09 21:40 UTC] kalle@php.net
-Status: Open +Status: Feedback
 [2010-03-09 21:40 UTC] kalle@php.net
Try disabling eaccelerator and/or xdebug and see if that stops the segfault.
 [2010-03-10 06:05 UTC] tsamukawa at maru dot jp
I tested without using the eaccelerator and xdebug modules.
But the problem is not fixed.
 [2010-03-10 06:18 UTC] tsamukawa at maru dot jp
I tried this script from the CLI repeatedly; no segmentation fault occurred.
 [2010-03-10 22:13 UTC] jani@php.net
-Status: Open +Status: Feedback
 [2010-03-10 22:13 UTC] jani@php.net
After disabling ALL 3rd party extensions (opcode caches, debuggers, etc.) provide a new backtrace of the crash.
 [2010-03-11 02:34 UTC] tsamukawa at maru dot jp
I have generated 2 different backtraces.
The 1st bt was generated by running the same script as the sample.
The 2nd bt is from a script that calls spl_autoload_register() from inside another user-defined function.

---------------------------------------------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0xb77c8b44 in autoload_func_info_dtor (alfi=0x7373616c) at /s/php-5.3.2/ext/spl/php_spl.c:362
362             if (alfi->obj) {
(gdb) bt
#0  0xb77c8b44 in autoload_func_info_dtor (alfi=0x7373616c) at /s/php-5.3.2/ext/spl/php_spl.c:362
#1  0xb7966728 in zend_hash_destroy (ht=0x8412154) at /s/php-5.3.2/Zend/zend_hash.c:526
#2  0xb77cb7a5 in zm_deactivate_spl (type=1, module_number=20) at /s/php-5.3.2/ext/spl/php_spl.c:904
#3  0xb795fffc in module_registry_cleanup (module=0x82abd10) at /s/php-5.3.2/Zend/zend_API.c:2150
#4  0xb7966f96 in zend_hash_reverse_apply (ht=0xb7ecaaa0, apply_func=0xb795ffcd <module_registry_cleanup>) at /s/php-
5.3.2/Zend/zend_hash.c:755
#5  0xb7957950 in zend_deactivate_modules () at /s/php-5.3.2/Zend/zend.c:866
#6  0xb78eb409 in php_request_shutdown (dummy=0x0) at /s/php-5.3.2/main/main.c:1607
#7  0xb7a21b2d in php_apache_request_dtor (r=0x83971e0) at /s/php-5.3.2/sapi/apache2handler/sapi_apache2.c:495
#8  0xb7a2241e in php_handler (r=0x83971e0) at /s/php-5.3.2/sapi/apache2handler/sapi_apache2.c:667
#9  0x0807f629 in ap_run_handler (r=0x83971e0) at config.c:157
#10 0x08082797 in ap_invoke_handler (r=0x83971e0) at config.c:372
#11 0x080d64f8 in ap_process_request (r=0x83971e0) at http_request.c:282
#12 0x080d36db in ap_process_http_connection (c=0x83d9810) at http_core.c:190
#13 0x08086769 in ap_run_process_connection (c=0x83d9810) at connection.c:43
#14 0x08104f1d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#15 0x08105163 in make_child (s=0x8152c98, slot=0) at prefork.c:702
#16 0x08105f3c in ap_mpm_run (_pconf=0x814a550, plog=0x81a47f8, s=0x8152c98) at prefork.c:978
#17 0x0806cf25 in main (argc=135562568, argv=0x83d7630) at main.c:740

---------------------------------------------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0xb7ffb402 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7ffb402 in __kernel_vsyscall ()
#1  0x459e61b6 in kill () from /lib/libc.so.6
#2  0xb79e15a1 in zend_mm_panic (message=0xb7f3a690 "zend_mm_heap corrupted") at /s/php-5.3.2/Zend/zend_alloc.c:92
#3  0xb79e3a2e in _zend_mm_alloc_int (heap=0x8284880, size=49, __zend_filename=0xb7f3834b "Zend/zend_language_scanner.l", 
__zend_lineno=690, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /s/php-5.3.2/Zend/zend_alloc.c:1827
#4  0xb79e50ff in _emalloc (size=49, __zend_filename=0xb7f3834b "Zend/zend_language_scanner.l", __zend_lineno=690, 
__zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /s/php-5.3.2/Zend/zend_alloc.c:2340
#5  0xb79cc147 in zend_multibyte_read_script (buf=0xb7fee000 "<?php\n\nclass C{\n  functio pr(){ print 123; }\n}\n\n", n=48) 
at Zend/zend_language_scanner.l:690
#6  0xb79cb083 in open_file_for_scanning (file_handle=0xbfe06a00) at Zend/zend_language_scanner.l:263
#7  0xb79cb290 in compile_file (file_handle=0xbfe06a00, type=8) at Zend/zend_language_scanner.l:331
#8  0xb77d6015 in phar_compile_file (file_handle=0xbfe06a00, type=8) at /s/php-5.3.2/ext/phar/phar.c:3390
#9  0xb79cb46a in compile_filename (type=8, filename=0x844809c) at Zend/zend_language_scanner.l:386
#10 0xb7a438d6 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0x8448048) at /s/php-5.3.2/Zend/zend_vm_execute.h:5184
#11 0xb7a33be4 in execute (op_array=0x8413e2c) at /s/php-5.3.2/Zend/zend_vm_execute.h:104
#12 0xb79f8f5c in zend_call_function (fci=0xbfe06d54, fci_cache=0xbfe06d24) at /s/php-5.3.2/Zend/zend_execute_API.c:947
#13 0xb7a21e08 in zend_call_method (object_pp=0x841363c, obj_ce=0x84139e4, fn_proxy=0x8413638, function_name=0x84113d4 
"loader::autoload\001", function_name_len=21, 
    retval_ptr_ptr=0xbfe06df4, param_count=1, arg1=0x8412060, arg2=0x0) at /s/php-5.3.2/Zend/zend_interfaces.c:97
#14 0xb7877cfc in zif_spl_autoload_call (ht=1, return_value=0x8411fd0, return_value_ptr=0xbfe06fe0, this_ptr=0x0, 
return_value_used=1) at /s/php-5.3.2/ext/spl/php_spl.c:395
#15 0xb79f90f4 in zend_call_function (fci=0xbfe06fbc, fci_cache=0xbfe06fa8) at /s/php-5.3.2/Zend/zend_execute_API.c:969
#16 0xb79f985d in zend_lookup_class_ex (name=0x8414cb0 "C", name_length=1, use_autoload=1, ce=0xbfe0704c) at /s/php-
5.3.2/Zend/zend_execute_API.c:1100
#17 0xb79fa4b0 in zend_fetch_class (class_name=0x8414cb0 "C", class_name_len=1, fetch_type=4) at /s/php-
5.3.2/Zend/zend_execute_API.c:1542
#18 0xb7a36966 in ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (execute_data=0x8447f48) at /s/php-5.3.2/Zend/zend_vm_execute.h:724
#19 0xb7a33be4 in execute (op_array=0x83f4e60) at /s/php-5.3.2/Zend/zend_vm_execute.h:104
#20 0xb7a0739d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /s/php-5.3.2/Zend/zend.c:1194
#21 0xb799b4b6 in php_execute_script (primary_file=0xbfe0941c) at /s/php-5.3.2/main/main.c:2260
#22 0xb7ad1392 in php_handler (r=0x8401f40) at /s/php-5.3.2/sapi/apache2handler/sapi_apache2.c:655
#23 0x0807f629 in ap_run_handler (r=0x8401f40) at config.c:157
#24 0x08082797 in ap_invoke_handler (r=0x8401f40) at config.c:372
#25 0x080d64f8 in ap_process_request (r=0x8401f40) at http_request.c:282
#26 0x080d36db in ap_process_http_connection (c=0x83d9808) at http_core.c:190
#27 0x08086769 in ap_run_process_connection (c=0x83d9808) at connection.c:43
#28 0x08104f1d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#29 0x08105163 in make_child (s=0x8152c98, slot=0) at prefork.c:702
#30 0x08105f3c in ap_mpm_run (_pconf=0x814a550, plog=0x81a47f8, s=0x8152c98) at prefork.c:978
#31 0x0806cf25 in main (argc=135562568, argv=0x83d7628) at main.c:740
 [2010-04-23 19:40 UTC] felipe@php.net
-Package: Apache2 related +Package: Scripting Engine problem
 [2010-06-08 15:04 UTC] tony2001@php.net
-Status: Open +Status: Feedback
 [2010-06-08 15:04 UTC] tony2001@php.net
Not reproducible.
The only result I'm able to get is this:
Parse error: syntax error, unexpected T_STRING, expecting T_FUNCTION in /tmp/C.php on line 4
 [2010-06-15 07:36 UTC] tsamukawa at maru dot jp
-Status: Feedback +Status: Open
 [2010-06-15 07:36 UTC] tsamukawa at maru dot jp
I think this segfault occurs through these steps:

First, an Apache process receives an HTTP request. Correct output is produced, 
like "syntax error, unexpected ...". There seems to be no problem.
Next, the identical Apache child process receives a request. It produces an empty 
response (a "SYSSEGV" error message is saved in error_log).

Apache server version is 2.2.14.
 [2010-12-10 14:25 UTC] tsamukawa at maru dot jp
-PHP Version: 5.3.2 +PHP Version: 5.3.2, 5.3.3
 [2010-12-10 14:25 UTC] tsamukawa at maru dot jp
This bug is also reproduced in PHP version 5.3.3.
 [2011-11-16 17:58 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-11-16 17:58 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2011-11-17 05:52 UTC] tsamukawa at maru dot jp
-Status: Feedback +Status: Open -PHP Version: 5.3.2, 5.3.3 +PHP Version: 5.3.2, 5.3.3, 5.3.9RC
 [2011-11-17 05:52 UTC] tsamukawa at maru dot jp
> Please try using this snapshot:
>
>   http://snaps.php.net/php5.3-latest.tar.gz

 I tried it, but it does not solve the problem.
(The name of the extracted directory is "php5.3-201111170130". Is that right?)

 I found another new thing.
 SIGSEGV does not appear if I do not compile PHP with
the configure script options
"--enable-mbstring --enable-mbregex --enable-zend-multibyte".

Hope this helps.
 [2012-04-07 07:50 UTC] crankycyclops at gmail dot com
I can confirm that this is still an issue for me with PHP 5.3.10.  I'm running this on FreeBSD 9.  Like the last poster mentioned, I can fix the issue temporarily by compiling without zend-multibyte and mbstring.
 [2014-07-13 02:27 UTC] yohgaki@php.net
Works for 5.4/5.5.
Closing.
 [2014-07-13 02:27 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
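
A check for the build profile reported in this thread, as an added example that is not part of the bug report or of PHP itself. It reads `php -i` output and flags a 5.3-series build configured with `--enable-zend-multibyte`; treating the whole 5.3 series as in scope and keying on that one flag are assumptions drawn from the versions listed, the patch title and the comments above, and the function name and sample text are constructed.

```shell
#!/usr/bin/env bash
# Added example: flag a PHP build matching the profile reported in bug #51243.
# Reads the text of `php -i` on stdin, prints one verdict line.
# Exit status: 0 = matches the profile, 1 = does not match, 2 = cannot tell.

# Constructed samples of `php -i` output (not taken from the bug report).
SAMPLE_AFFECTED="PHP Version => 5.3.10
Configure Command =>  './configure'  '--with-apxs2' '--enable-mbstring' '--enable-mbregex' '--enable-zend-multibyte'"
SAMPLE_OTHER="PHP Version => 5.4.30
Configure Command =>  './configure'  '--with-apxs2' '--enable-mbstring'"

check_bug51243_profile() {
    local info version configure
    info=$(cat)
    # `php -i` can print the version more than once; the first line is enough.
    version=$(printf '%s\n' "$info" | sed -n 's/^PHP Version => //p' | head -n 1)
    configure=$(printf '%s\n' "$info" | sed -n 's/^Configure Command => //p' | head -n 1)

    if [ -z "$version" ]; then
        echo "unknown: no PHP Version line found"
        return 2
    fi
    # Assumption: the report lists 5.3.x versions and was closed as working
    # on 5.4/5.5, so only the 5.3 series is treated as in scope.
    case "$version" in
        5.3.*) ;;
        *) echo "no match: PHP $version is outside the 5.3 series"
           return 1 ;;
    esac
    # Reporters saw the crash disappear when this option was left out.
    case "$configure" in
        *--enable-zend-multibyte*)
            echo "match: PHP $version built with --enable-zend-multibyte"
            return 0 ;;
        *)
            echo "no match: PHP $version built without --enable-zend-multibyte"
            return 1 ;;
    esac
}
```

Run it as `php -i | check_bug51243_profile`; the CLI binary and the Apache module can come from different builds, so check the one Apache actually loads.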
 