Bug #55867 segfault while declaring function
Submitted: 2011-10-07 17:21 UTC Modified: 2013-10-15 11:54 UTC
Votes:7
Avg. Score:4.4 ± 0.9
Reproduced:5 of 6 (83.3%)
Same Version:1 (20.0%)
Same OS:2 (40.0%)
From: savetheinternet at omegasdg dot com Assigned:
Status: No Feedback Package: Unknown/Other Function
PHP Version: 5.3.8 OS: Debian 2.6.26-26lenny3
Private report: No CVE-ID: None
 [2011-10-07 17:21 UTC] savetheinternet at omegasdg dot com
Description:
------------
Although I do have a short code sample, I'm not sure where exactly or what conditions cause the segfault; I am unable to reproduce it myself. The backtrace indicates that this is indeed where the bug occurs.

The code sample below is an extract from a file that is included various times throughout a much larger application. fhash is not defined anywhere else.

Test script:
---------------
if(!function_exists('fhash')) {
    function fhash($file) {
         system('optipng ' . escapeshellarg(preg_replace('/src\/(\d+)\.(.+)$/', 'thumb/$1.png', $file)) . ' > /dev/null');
         return sha1_file($file);
    }
}

Expected result:
----------------
To ensure that fhash() is not declared multiple times, as this file may be included multiple times.

Actual result:
--------------
(gdb) bt
#0  0xb6f2ed5c in memcpy () from /lib/i686/cmov/libc.so.6
#1  0x084e9e17 in _zend_hash_add_or_update (ht=0x9bb7498, arKey=0xb49e3c98 "fhash", nKeyLength=6, pData=0x0, nDataSize=144, pDest=0x0, flag=2, __zend_filename=0x88aa40c "/home/<user>/php-5.3.8/Zend/zend_compile.c", __zend_lineno=2956)
    at /home/<user>/php-5.3.8/Zend/zend_hash.c:256
#2  0x084c3d48 in do_bind_function (opline=0xb49e88fc, function_table=0x9bb7498, compile_time=0 '\0')
    at /home/<user>/php-5.3.8/Zend/zend_compile.c:2956
#3  0x0850aa49 in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x9d79da8)
    at /home/<user>/php-5.3.8/Zend/zend_vm_execute.h:586
#4  0x08508506 in execute (op_array=0x9d5ceac) at /home/<user>/php-5.3.8/Zend/zend_vm_execute.h:107
#5  0x084dcf8d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/<user>/php-5.3.8/Zend/zend.c:1236
#6  0x08472037 in php_execute_script (primary_file=0xbfc62428)
    at /home/<user>/php-5.3.8/main/main.c:2284
#7  0x085a504e in main (argc=3, argv=0xbfc62594) at /home/<user>/php-5.3.8/sapi/cgi/cgi_main.c:2112

(gdb) print (char *)executor_globals.active_op_array->filename
$2 = 0xb49e34d0 "/var/www/inc/instance-config.php"

(gdb) frame 4
#4  0x08508506 in execute (op_array=0x9d5ceac) at /home/<user>/php-5.3.8/Zend/zend_vm_execute.h:107
107			if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {

(gdb) frame 2
#2  0x084c3d48 in do_bind_function (opline=0xb49e88fc, function_table=0x9bb7498, compile_time=0 '\0')
    at /home/<user>/php-5.3.8/Zend/zend_compile.c:2956
2956		if (zend_hash_add(function_table, opline->op2.u.constant.value.str.val, opline->op2.u.constant.value.str.len+1, function, sizeof(zend_function), NULL)==FAILURE) {

(gdb) print (char*)opline->op2.u.constant.value.str.val
$1 = 0xb49e3c98 "fhash"

(gdb) frame 1
#1  0x084e9e17 in _zend_hash_add_or_update (ht=0x9bb7498, arKey=0xb49e3c98 "fhash", nKeyLength=6, pData=0x0, nDataSize=144, pDest=0x0, flag=2, __zend_filename=0x88aa40c "/home/<user>/php-5.3.8/Zend/zend_compile.c", __zend_lineno=2956)
    at /home/<user>/php-5.3.8/Zend/zend_hash.c:256
256		INIT_DATA(ht, p, pData, nDataSize);

 [2011-10-08 06:19 UTC] pajoye@php.net
Can you paste the short example please? As in not only the place where it occurs.
 [2011-10-08 06:19 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-10-08 08:33 UTC] savetheinternet at omegasdg dot com
-Status: Feedback +Status: Open
 [2011-10-08 08:33 UTC] savetheinternet at omegasdg dot com
Well, the file that short extract is from is quite a large file. It is a configuration file for https://github.com/savetheinternet/Tinyboard. Aside from the fhash function, all the file does is modify an associative array which is originally defined elsewhere.

---------------
<?php
$config['something'] = false;
$config['something_else']['foo'] = 'bar';
// [...]
if(!function_exists('fhash')) {
---------------

As I said, I'm not able to reproduce this bug manually so I'm not sure where exactly it goes wrong, but I don't think anything else in the file is relevant.

When it happens, my syslog is filled up with the below, and I am forced to restart fastcgi.

> Oct  8 10:32:30 kernel: [9364589.325832] php-cgi[28124]: segfault at 0 ip b6f67d5c sp bf844b6c error 4 in libc-2.7.so[b6ef0000+155000]
> Oct  8 10:32:30 kernel: [9364589.330222] php-cgi[28125]: segfault at 0 ip b6f67d5c sp bf844b6c error 4 in libc-2.7.so[b6ef0000+155000]
> Oct  8 10:32:30 kernel: [9364589.335009] php-cgi[28126]: segfault at 0 ip b6f67d5c sp bf844b6c error 4 in libc-2.7.so[b6ef0000+155000]
> Oct  8 10:32:30 kernel: [9364589.337822] php-cgi[28127]: segfault at 0 ip b6f67d5c sp bf844b6c error 4 in libc-2.7.so[b6ef0000+155000]
 [2011-10-10 18:16 UTC] goingbackayear at hotmail dot com
I'll tell you what's wrong with the code STI when you ban Lazare and all the other Paulberg spammers.
 [2012-04-20 10:19 UTC] vnsavage at gmail dot com
Do you still get this? What is your PHP setup? 
Configuration parameters and modules? Do you use APC?
 [2013-03-02 19:00 UTC] reeze@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2013-03-02 19:00 UTC] reeze@php.net
-Status: Open +Status: Feedback
 [2013-08-19 09:05 UTC] admin at dvaslona dot ru
Got same issue with PHP 5.3.27 on FreeBSD 8.3

Backtrace:

#0  0x00000008015b5266 in memcpy () from /lib/libc.so.7
#1  0x00000008042f34ba in _zend_hash_add_or_update () from /usr/local/libexec/apache22/libphp5.so
#2  0x00000008042c994c in do_bind_function () from /usr/local/libexec/apache22/libphp5.so
#3  0x000000080430a52c in ZEND_DECLARE_FUNCTION_SPEC_HANDLER () from /usr/local/libexec/apache22/libphp5.so
#4  0x000000080430ddc0 in execute () from /usr/local/libexec/apache22/libphp5.so
#5  0x00000008042d95f5 in zend_call_function () from /usr/local/libexec/apache22/libphp5.so
#6  0x000000080421dd47 in zif_call_user_func_array () from /usr/local/libexec/apache22/libphp5.so
#7  0x000000080433792a in zend_do_fcall_common_helper_SPEC () from /usr/local/libexec/apache22/libphp5.so
#8  0x000000080430ddc0 in execute () from /usr/local/libexec/apache22/libphp5.so
#9  0x00000008042d95f5 in zend_call_function () from /usr/local/libexec/apache22/libphp5.so
#10 0x000000080421dd47 in zif_call_user_func_array () from /usr/local/libexec/apache22/libphp5.so
#11 0x000000080433792a in zend_do_fcall_common_helper_SPEC () from /usr/local/libexec/apache22/libphp5.so
#12 0x000000080430ddc0 in execute () from /usr/local/libexec/apache22/libphp5.so
#13 0x00000008042e460e in zend_execute_scripts () from /usr/local/libexec/apache22/libphp5.so
#14 0x000000080428f4c7 in php_execute_script () from /usr/local/libexec/apache22/libphp5.so
#15 0x00000008043707fe in php_handler () from /usr/local/libexec/apache22/libphp5.so


Sadly we don't know what PHP code causes this.
 [2013-10-15 11:54 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC