Bug #53347 Segfault in zend_is_inconsistent()
Submitted: 2010-11-18 20:03 UTC Modified: 2010-11-23 11:23 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: sebastian@php.net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: trunk-SVN-2010-11-18 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2010-11-18 20:03 UTC] sebastian@php.net
Description:
------------
PHP 5.3.99 (current trunk) segfaults in zend_is_inconsistent().

Test script:
---------------
The segfault is triggered by code that is part of ezcConsoleTools, for instance by just invoking phploc on the commandline. Unfortunately, I was not able to reduce this further, yet.

Expected result:
----------------
No segfault.

Actual result:
--------------
sb@thinkpad ~ % USE_ZEND_ALLOC=0 valgrind --leak-check=full php /usr/local/src/phploc/phploc.php
==1760== Memcheck, a memory error detector
==1760== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1760== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==1760== Command: php /usr/local/src/phploc/phploc.php
==1760== 
==1760== Invalid read of size 4
==1760==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==1760==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==1760==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==1760==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==1760==    by 0x957F02: execute (zend_vm_execute.h:410)
==1760==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==1760==    by 0x89661E: php_execute_script (main.c:2341)
==1760==    by 0xA57D89: main (php_cli.c:1254)
==1760==  Address 0x44 is not stack'd, malloc'd or (recently) free'd
==1760== 
==1760== 
==1760== Process terminating with default action of signal 11 (SIGSEGV)
==1760==  Access not within mapped region at address 0x44
==1760==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==1760==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==1760==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==1760==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==1760==    by 0x957F02: execute (zend_vm_execute.h:410)
==1760==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==1760==    by 0x89661E: php_execute_script (main.c:2341)
==1760==    by 0xA57D89: main (php_cli.c:1254)
==1760==  If you believe this happened as a result of a stack
==1760==  overflow in your program's main thread (unlikely but
==1760==  possible), you can try to increase the size of the
==1760==  main thread stack using the --main-stacksize= flag.
==1760==  The main thread stack size used in this run was 8388608.
==1760== 
==1760== HEAP SUMMARY:
==1760==     in use at exit: 3,823,481 bytes in 18,002 blocks
==1760==   total heap usage: 34,509 allocs, 16,507 frees, 5,584,071 bytes allocated
==1760== 
==1760== LEAK SUMMARY:
==1760==    definitely lost: 0 bytes in 0 blocks
==1760==    indirectly lost: 0 bytes in 0 blocks
==1760==      possibly lost: 0 bytes in 0 blocks
==1760==    still reachable: 3,823,481 bytes in 18,002 blocks
==1760==         suppressed: 0 bytes in 0 blocks
==1760== Reachable blocks (those to which a pointer was found) are not shown.
==1760== To see them, rerun with: --leak-check=full --show-reachable=yes
==1760== 
==1760== For counts of detected and suppressed errors, rerun with: -v
==1760== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
zsh: segmentation fault  USE_ZEND_ALLOC=0 valgrind --leak-check=full php 




sb@thinkpad ~ % gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.4/bin/php...done.
(gdb) r /usr/local/src/phploc/phploc.php
Starting program: /usr/local/php-5.4/bin/php /usr/local/src/phploc/phploc.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
54		if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
#1  0x000000000092edaf in zend_hash_quick_find (ht=0x0, arKey=0x7ffff7ecc7e0 "color", nKeyLength=6, h=6953399188164, pData=0x7fffffffbe80)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:929
#2  0x0000000000a49489 in zend_fetch_var_address_helper_SPEC_CV_UNUSED (type=3, execute_data=0x7ffff7f92338)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33194
#3  0x0000000000a49df0 in ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7f92338) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33294
#4  0x0000000000957f03 in execute (op_array=0x7ffff3627810) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:410
#5  0x000000000091cd94 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend.c:1195
#6  0x000000000089661f in php_execute_script (primary_file=0x7fffffffe520) at /usr/local/src/php/src/php/php-src/trunk/main/main.c:2341
#7  0x0000000000a57d8a in main (argc=2, argv=0x7fffffffe788) at /usr/local/src/php/src/php/php-src/trunk/sapi/cli/php_cli.c:1254


History

 [2010-11-18 20:09 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2010-11-18 20:09 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2010-11-19 11:47 UTC] sebastian@php.net
-Status: Feedback +Status: Open
 [2010-11-19 11:47 UTC] sebastian@php.net
The following script reproduces the issue:

<?php
class ezcConsoleOutput
{
    protected static $color = array( 'gray' => 30 );

    public static function isValidFormatCode( $type, $key )
    {
        return isset( self::${$type}[$key] );
    }
}

var_dump( ezcConsoleOutput::isValidFormatCode( 'color', 'gray' ) );
?>

This does not print bool(true) but instead segfaults. Works fine with PHP_5_3, btw.


sb@thinkpad ~ % USE_ZEND_ALLOC=0 valgrind --leak-check=full php 53347.php                       
==22840== Memcheck, a memory error detector
==22840== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==22840== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==22840== Command: php 53347.php
==22840== 
==22840== Invalid read of size 4
==22840==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==22840==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==22840==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==22840==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==22840==    by 0x957F02: execute (zend_vm_execute.h:410)
==22840==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==22840==    by 0x89661E: php_execute_script (main.c:2341)
==22840==    by 0xA57D89: main (php_cli.c:1254)
==22840==  Address 0x44 is not stack'd, malloc'd or (recently) free'd
==22840== 
==22840== 
==22840== Process terminating with default action of signal 11 (SIGSEGV)
==22840==  Access not within mapped region at address 0x44
==22840==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==22840==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==22840==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==22840==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==22840==    by 0x957F02: execute (zend_vm_execute.h:410)
==22840==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==22840==    by 0x89661E: php_execute_script (main.c:2341)
==22840==    by 0xA57D89: main (php_cli.c:1254)
==22840==  If you believe this happened as a result of a stack
==22840==  overflow in your program's main thread (unlikely but
==22840==  possible), you can try to increase the size of the
==22840==  main thread stack using the --main-stacksize= flag.
==22840==  The main thread stack size used in this run was 8388608.
==22840== 
==22840== HEAP SUMMARY:
==22840==     in use at exit: 3,289,698 bytes in 16,177 blocks
==22840==   total heap usage: 19,718 allocs, 3,541 frees, 3,484,743 bytes allocated
==22840== 
==22840== LEAK SUMMARY:
==22840==    definitely lost: 0 bytes in 0 blocks
==22840==    indirectly lost: 0 bytes in 0 blocks
==22840==      possibly lost: 0 bytes in 0 blocks
==22840==    still reachable: 3,289,698 bytes in 16,177 blocks
==22840==         suppressed: 0 bytes in 0 blocks
==22840== Reachable blocks (those to which a pointer was found) are not shown.
==22840== To see them, rerun with: --leak-check=full --show-reachable=yes
==22840== 
==22840== For counts of detected and suppressed errors, rerun with: -v
==22840== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
zsh: segmentation fault  USE_ZEND_ALLOC=0 valgrind --leak-check=full php 53347.php


sb@thinkpad ~ % gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.4/bin/php...done.
(gdb) r 53347.php
Starting program: /usr/local/php-5.4/bin/php 53347.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
54		if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
#1  0x000000000092edaf in zend_hash_quick_find (ht=0x0, arKey=0x7ffff7ebb380 "color", nKeyLength=6, h=6953399188164, pData=0x7fffffffbe90)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:929
#2  0x0000000000a49489 in zend_fetch_var_address_helper_SPEC_CV_UNUSED (type=3, execute_data=0x7ffff7f901f0)
    at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33194
#3  0x0000000000a49df0 in ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7f901f0) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33294
#4  0x0000000000957f03 in execute (op_array=0x7ffff7fca668) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:410
#5  0x000000000091cd94 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend.c:1195
#6  0x000000000089661f in php_execute_script (primary_file=0x7fffffffe530) at /usr/local/src/php/src/php/php-src/trunk/main/main.c:2341
#7  0x0000000000a57d8a in main (argc=2, argv=0x7fffffffe798) at /usr/local/src/php/src/php/php-src/trunk/sapi/cli/php_cli.c:1254
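The trace above shows zend_hash_quick_find being handed ht=0x0 and faulting on the read of ht->inconsistent at zend_hash.c:54; valgrind's "Address 0x44" is consistent with that field sitting at a small non-zero offset from a NULL base pointer. As an added example that is neither Zend's nor the reporter's code, the following C models that failure mode with a constructed table and shows the guarded lookup that reports "not found" for a NULL table instead of dereferencing it. The struct layout, every name except HT_OK and the inconsistent field, and the sample entry are assumptions made for illustration.

```c
/* Added example (not Zend code): a minimal model of the NULL hash-table
 * dereference shown in the bug's trace, alongside the guarded form. All
 * names, the struct layout and the sample table are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HT_OK 0
#define MODEL_HT_SLOTS 4

/* Hypothetical table: bookkeeping fields precede the consistency flag, so the
 * flag lives at a non-zero offset from the start of the struct. With a NULL
 * base pointer, "ht->inconsistent" becomes a read at a small absolute address,
 * which is the shape of the fault in the report (ht=0x0, read at 0x44). */
typedef struct {
    uint32_t nTableSize;
    uint32_t nNumOfElements;
    uint32_t nNextFreeElement;
    int inconsistent;                    /* HT_OK while the table is usable */
    const char *keys[MODEL_HT_SLOTS];
    int values[MODEL_HT_SLOTS];
} model_ht;

/* Mirrors the crashing check: dereferences ht unconditionally. Only ever
 * called with a valid table here; it exists to show the faulting pattern. */
static int model_is_inconsistent_unchecked(const model_ht *ht)
{
    return ht->inconsistent != HT_OK;
}

/* Offset at which the unchecked check would read when ht is NULL. */
static size_t model_fault_offset(void)
{
    return offsetof(model_ht, inconsistent);
}

/* Guarded lookup: a NULL table means "no such entry", not a crash.
 * Returns 1 and stores the value on a hit, 0 otherwise. */
static int model_find(const model_ht *ht, const char *key, int *out)
{
    if (ht == NULL) {
        return 0;                        /* caller passed no table at all */
    }
    if (ht->inconsistent != HT_OK) {
        return 0;                        /* table mid-modification or destroyed */
    }
    for (uint32_t i = 0; i < ht->nNumOfElements && i < MODEL_HT_SLOTS; i++) {
        if (ht->keys[i] != NULL && strcmp(ht->keys[i], key) == 0) {
            *out = ht->values[i];
            return 1;
        }
    }
    return 0;
}

/* Constructed sample standing in for the array behind
 * ezcConsoleOutput::$color = array('gray' => 30). */
static model_ht model_sample_table(void)
{
    model_ht ht;
    memset(&ht, 0, sizeof ht);
    ht.nTableSize = MODEL_HT_SLOTS;
    ht.nNumOfElements = 1;
    ht.inconsistent = HT_OK;
    ht.keys[0] = "gray";
    ht.values[0] = 30;
    return ht;
}

int main(void)
{
    int v = 0;
    model_ht ht = model_sample_table();
    printf("offset read through a NULL table: 0x%zx\n", model_fault_offset());
    printf("valid table inconsistent? %d\n", model_is_inconsistent_unchecked(&ht));
    printf("lookup on NULL table: found=%d\n", model_find(NULL, "gray", &v));
    printf("lookup 'gray': found=%d value=%d\n", model_find(&ht, "gray", &v), v);
    printf("lookup 'color': found=%d\n", model_find(&ht, "color", &v));
    return 0;
}
```

The guarded path is what a caller-side fix looks like in miniature: the engine-level fix for this report lives in the fetch handler that should never have produced a NULL table for the dynamic static property lookup, but any lookup routine that can receive a table pointer from less-trusted call sites benefits from the same NULL check before touching the consistency flag.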
 [2010-11-19 12:09 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2010-11-23 11:23 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2010-11-23 11:23 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


Last updated: Sat May 11 00:01:31 2024 UTC