php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59049 Segmentation Fault happens on negation search error
Submitted: 2010-01-27 08:56 UTC Modified: 2010-05-14 01:14 UTC
From: rubi at metacafe dot com Assigned:
Status: Closed Package: sphinx (PECL)
PHP Version: 5.3.0 OS: Linux - Red Hat 4.5 & 5
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: rubi at metacafe dot com
New email:
PHP Version: OS:

 

 [2010-01-27 08:56 UTC] rubi at metacafe dot com
Description:
------------
When calling SphinxClient with a string causing a negation 
error (e.g not escaping it well) a segmentation fault happens.

An example of a query which generates this code:

[root@my_server]# ./search -i index_name -e 'bla - ( x /- y )'
Sphinx 0.9.8.1-release (r1533)
Copyright (c) 2001-2008, Andrew Aksyonoff

using config file '/usr/local/sphinx-
0.9.8.1/etc/sphinx.conf'...
index 'index_name': search error: query error: negation is 
only allowed at top level.

Expected result:
----------------
Handling the error result object without a segmentation fault

Actual result:
--------------
GDB Backtrace:

#0  0x0000002a971017ee in php_sphinx_result_to_array 
(c=0x2aa28bfde0, result=0x9b7c40, array=0x7fbfffccf8)
    at /usr/local/src/sphinx-1.0.3/sphinx.c:189
        tmp = Variable "tmp" is not available.
(gdb) bt
#0  0x0000002a971017ee in php_sphinx_result_to_array 
(c=0x2aa28bfde0, result=0x9b7c40, array=0x7fbfffccf8)
    at /usr/local/src/sphinx-1.0.3/sphinx.c:189
#1  0x0000002a97104b31 in zim_SphinxClient_runQueries 
(ht=Variable "ht" is not available.
) at /usr/local/src/sphinx-1.0.3/sphinx.c:1344
#2  0x0000002a95e7bf32 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x2a9f469548)
    at /root/php53/php-5.3.0/Zend/zend_vm_execute.h:313
#3  0x0000002a95e7b349 in execute (op_array=0xc692b0) at 
/root/php53/php-5.3.0/Zend/zend_vm_execute.h:104
#4  0x0000002a95e4b8b7 in zend_call_function 
(fci=0x7fbfffd040, fci_cache=Variable "fci_cache" is not 
available.
) at /root/php53/php-5.3.0/Zend/zend_execute_API.c:936
#5  0x0000002a95e6cf39 in zend_call_method 
(object_pp=0x7fbfffd100, obj_ce=0x2a9f819a00, 
fn_proxy=0x2a9f819be0, 
    function_name=0x2a962f5b32 "__call", 
function_name_len=6, retval_ptr_ptr=Variable 
"retval_ptr_ptr" is not available.
) at /root/php53/php-5.3.0/Zend/zend_interfaces.c:97
#6  0x0000002a95e77494 in zend_std_call_user_call 
(ht=Variable "ht" is not available.
) at /root/php53/php-5.3.0/Zend/zend_object_handlers.c:682
#7  0x0000002a95e7bf32 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x2a9f459a98)
    at /root/php53/php-5.3.0/Zend/zend_vm_execute.h:313
#8  0x0000002a95e7b349 in execute (op_array=0x2a9f9a9b28) at 
/root/php53/php-5.3.0/Zend/zend_vm_execute.h:104
#9  0x0000002a95e59815 in zend_execute_scripts (type=8, 
retval=0x0, file_count=3) at /root/php53/php-
5.3.0/Zend/zend.c:1188
#10 0x0000002a95e07b35 in php_execute_script 
(primary_file=0x7fbffff6f0) at /root/php53/php-
5.3.0/main/main.c:2196
#11 0x0000002a95edf9c9 in php_handler (r=0x99b608) at 
/root/php53/php-5.3.0/sapi/apache2handler/sapi_apache2.c:648
#12 0x000000000043cbd3 in ap_run_handler (r=0x99b608) at 
config.c:157
#13 0x000000000043d071 in ap_invoke_handler (r=0x99b608) at 
config.c:372
#14 0x000000000046a2e0 in ap_process_request (r=0x99b608) at 
http_request.c:282
#15 0x00000000004679fd in ap_process_http_connection 
(c=0x9955b8) at http_core.c:190
#16 0x0000000000443693 in ap_run_process_connection 
(c=0x9955b8) at connection.c:43
#17 0x0000000000484870 in child_main (child_num_arg=Variable 
"child_num_arg" is not available.
) at prefork.c:662
#18 0x0000000000484ac4 in make_child (s=0x5d9990, slot=43) 
at prefork.c:758
#19 0x0000000000485649 in ap_mpm_run (_pconf=Variable 
"_pconf" is not available.
) at prefork.c:893
#20 0x000000000042a5b5 in main (argc=Variable "argc" is not 
available.
) at main.c:740

(gdb) print *result
$2 = {error = 0xb21e17 "index exact: query error: negation 
is only allowed at top level", warning = 0x0, status = 1, 
  num_fields = 0, fields = 0x0, num_attrs = 10190000, 
attr_names = 0x0, attr_types = 0x0, num_matches = 10189552, 
  values_pool = 0x0, total = 0, total_found = 0, time_msec = 
1601724781, num_words = 1701995617, words = 0x0}

As can be seen below, if the result is the above error 
(error = 0xb21e17 "index exact: query error: negation is 
only allowed at top level"), a segmentation fault happens 
and the Apache server crashes.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-01-31 11:11 UTC] santiago739 at gmail dot com
It seems this issue has the same cause as in http://pecl.php.net/bugs/bug.php?id=17007
Please, try this patch
http://dev.daylessday.org/diff/pecl_bug17007.diff
 [2010-02-14 05:16 UTC] rubi at metacafe dot com
Thank you Santiago.

It reduced the number of errors but haven't resolved it 
completely. I will post here once I have a GDB backtrace 
information.
 [2010-02-26 11:18 UTC] santiago739 at gmail dot com
Please try newer Sphinx client library version first. If problem still exists it would be nice if you rebuild the library with CFLAGS="-g2 -O0", the extension (and PHP) with --enable-debug and post `bt full` result here.
 [2010-05-14 01:14 UTC] santiago739 at gmail dot com
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Nov 30 02:03:13 2021 UTC