Bug #60158 Segmentation fault in zend_variables.c
Submitted: 2011-10-28 16:05 UTC Modified: 2011-10-31 21:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: michael dot irey at gmail dot com Assigned:
Status: Suspended Package: Scripting Engine problem
PHP Version: 5.3.x OS: Ubuntu 10.04.3 LTS
Private report: No CVE-ID: None
 [2011-10-28 16:05 UTC] michael dot irey at gmail dot com
Description:
------------
Using ZendFramework-1.11.10. Seg fault occurs in 5.3.2 as well as 5.3.8. Does not occur in 5.2.4. Difficult to reproduce, but I will include the gdb backtrace. Basically, assigning the value of a variable to another causes the seg fault. I cannot determine why. The line $this->_element = $element; causes the seg fault.

Test script:
---------------
    public function setElement($element)
    {
        if ((!$element instanceof Zend_Form_Element)
            && (!$element instanceof Zend_Form)
            && (!$element instanceof Zend_Form_DisplayGroup))
        {
            require_once 'Zend/Form/Decorator/Exception.php';
            throw new Zend_Form_Decorator_Exception('Invalid element type passed to decorator');
        }

        $this->_element = $element;
        return $this;
    }

Expected result:
----------------
Not this: exit signal Segmentation fault (11)

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00007ffd348abe53 in _zend_mm_free_canary_int (heap=0x7ffd39b11130, p=0x21143c453bb97f0f) at /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c:2090
2090	/build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c: No such file or directory.
	in /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c

(gdb) dump_bt executor_globals.current_execute_data
[0x386f2e30] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Decorator/Abstract.php:186
[0x386f2ac8] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2030
[0x386f28f0] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2046
[0xa59d03f0] __toString()
[0x386f1080] ??? /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scripts/contacts/duplicate.phtml:186
[0x386f0e80] ??? /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View.php:108
[0x386f0c38] _run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View/Abstract.php:888
[0x386f0968] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900
[0x386f0760] renderScript() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921
[0x386f0620] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960
[0x386f0458] postDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/HelperBroker.php:277
[0x386efdd0] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action.php:527
[0x386eefb8] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Dispatcher/Standard.php:295
[0x386ed590] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Front.php:954
[0x386ed190] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97
[0x386ed050] run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application.php:366
[0x386ec068] run() /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69


History

 [2011-10-28 16:10 UTC] michael dot irey at gmail dot com
Added more detail in the summary
 [2011-10-28 16:10 UTC] michael dot irey at gmail dot com
-Summary: Segmentation fault +Summary: Segmentation fault in _zend_mm_free_canary_int
 [2011-10-28 16:14 UTC] felipe@php.net
zend_alloc_canary.c is from Suhosin project, not PHP.

So, try reproduce the crash in a clean PHP build.
 [2011-10-28 16:14 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-10-31 18:47 UTC] michael dot irey at gmail dot com
-PHP Version: 5.3.8 +PHP Version: 5.3.x
 [2011-10-31 18:47 UTC] michael dot irey at gmail dot com
Ok, I have reproduced the bug from a clean PHP build using 5.3.8

Here is the new gdb details:


Program terminated with signal 11, Segmentation fault.
#0  0x00007fabd4b288b6 in _zval_dtor_func (zvalue=0x7fff0a50eb70, __zend_filename=0x7fabd4ea8558 "/root/downloads/php-5.3.8/Zend/zend_object_handlers.c", __zend_lineno=441)
    at /root/downloads/php-5.3.8/Zend/zend_variables.c:35
35				CHECK_ZVAL_STRING_REL(zvalue);
(gdb) dump_bt executor_globals.current_execute_data
[0xd8959e80] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Decorator/Abstract.php:186
[0xd8959b18] setElement() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2030
[0xd8959940] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Form/Element.php:2046
[0x0a50eec0] __toString()
[0xd89580d0] ??? /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/application/views/scripts/contacts/duplicate.phtml:62
[0xd8957ed0] ??? /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View.php:108
[0xd8957c88] _run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/View/Abstract.php:888
[0xd89579b8] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:900
[0xd89577b0] renderScript() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:921
[0xd8957670] render() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/Helper/ViewRenderer.php:960
[0xd89574a8] postDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action/HelperBroker.php:277
[0xd8956e20] notifyPostDispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Action.php:527
[0xd8956008] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Dispatcher/Standard.php:295
[0xd89545e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Controller/Front.php:954
[0xd89541e0] dispatch() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application/Bootstrap/Bootstrap.php:97
[0xd89540a0] run() /web/lib/zend/ZendFramework-1.11.10-minimal/library/Zend/Application.php:366
[0xd8953090] run() /web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php:69
 [2011-10-31 18:49 UTC] michael dot irey at gmail dot com
Updated the summary line to contain zend_variables.c
 [2011-10-31 18:49 UTC] michael dot irey at gmail dot com
-Summary: Segmentation fault in _zend_mm_free_canary_int +Summary: Segmentation fault in zend_variables.c
 [2011-10-31 19:51 UTC] michael dot irey at gmail dot com
Changed the package description
 [2011-10-31 19:51 UTC] michael dot irey at gmail dot com
-Package: Apache2 related +Package: Scripting Engine problem
 [2011-10-31 20:13 UTC] pajoye@php.net
-Status: Bogus +Status: Feedback
 [2011-10-31 20:13 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2011-10-31 21:02 UTC] michael dot irey at gmail dot com
I would really like to provide a short example script to reproduce the problem. However, the problem only seems to pop up when a large number of objects are used, but that is only a guess.

We use ZendFramework 1.11.x. I have re-compiled PHP with --enable-debug and when I execute the script that caused the seg fault I get this:

Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:17:52 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:17:52 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===
Unknown(0) : Warning - String is not zero-terminated (APPLICATION_PATH??bZZZZZZZZZZZ?b) (source: /root/downloads/php-5.3.8/Zend/zend_opcode.c:261)
[Mon Oct 31 12:18:09 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
---------------------------------------
/root/downloads/php-5.3.8/Zend/zend_opcode.c(261) : Block 0x7f88250c2ab0 status:
/root/downloads/php-5.3.8/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:  	OK (allocated on Zend/zend_language_scanner.l:1695, 17 bytes)
    Start:	OK
      End:	Overflown (magic=0x0000002B instead of 0x62D3082C)
          	1 byte(s) overflown
---------------------------------------
[Mon Oct 31 12:18:09 2011]  Script:  '/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php'
Zend/zend_language_scanner.l(1695) :  Freeing 0x7F88250C2AB0 (17 bytes), script=/web/vhosts/imac.michael.dev.bluehawk.evanta.com/website/public/index.php
=== Total 1 memory leaks detected ===


Is there anything else I can do to help diagnose and resolve this issue?
 [2011-10-31 21:02 UTC] michael dot irey at gmail dot com
-Status: Feedback +Status: Open
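The debug-allocator report in the comment above (a 17-byte block allocated by the scanner whose trailing guard word was overwritten by exactly one byte) is easier to understand with a miniature of the check in front of you. The C program below is an added example written for this page; it is not Zend's allocator code and its header/trailer layout, the dbg_* function names and the start magic are all invented for illustration. The end magic 0x62D3082C is reused from the quoted output only as a recognisable constant. It shows the classic way a one-byte heap overrun happens, allocating strlen(s) bytes and then copying the terminating NUL too, and how a guard word after the block catches it with "1 byte overflown", while the corrected allocation passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard values. The end magic is the one quoted in the bug's debug output;
 * the start magic is an arbitrary constant chosen for this example.
 * The whole layout is hypothetical, not Zend's real memory manager. */
#define DBG_START_MAGIC 0x5A5A5A5Au
#define DBG_END_MAGIC   0x62D3082Cu

typedef struct {
    uint32_t start_magic;   /* guards against writes before the block */
    size_t   size;          /* user-visible size; user data follows the header */
} dbg_hdr;                  /* a uint32_t end guard follows the user data */

/* Allocate `size` user bytes bracketed by a start and an end guard. */
void *dbg_alloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(dbg_hdr) + size + sizeof(uint32_t));
    if (raw == NULL)
        return NULL;
    dbg_hdr *h = (dbg_hdr *)raw;
    h->start_magic = DBG_START_MAGIC;
    h->size = size;
    uint32_t end = DBG_END_MAGIC;
    memcpy(raw + sizeof(dbg_hdr) + size, &end, sizeof end); /* may be unaligned */
    return raw + sizeof(dbg_hdr);
}

void dbg_free(void *ptr)
{
    if (ptr != NULL)
        free((unsigned char *)ptr - sizeof(dbg_hdr));
}

/* Count how many leading bytes of the end guard no longer match, i.e. how far
 * a write ran past the end of the block. 0 means the block is intact. This is
 * the idea behind the "End: Overflown ... N byte(s) overflown" report above. */
size_t dbg_end_overflow(const void *ptr)
{
    const unsigned char *raw = (const unsigned char *)ptr - sizeof(dbg_hdr);
    const dbg_hdr *h = (const dbg_hdr *)raw;
    const unsigned char *guard = (const unsigned char *)ptr + h->size;
    uint32_t expect = DBG_END_MAGIC;
    unsigned char expect_bytes[sizeof expect];
    memcpy(expect_bytes, &expect, sizeof expect);

    size_t n = 0;
    while (n < sizeof expect && guard[n] != expect_bytes[n])
        n++;
    return n;
}

/* Off-by-one: the block is sized for the characters only, but the copy also
 * writes the terminating NUL, so one byte lands on the end guard. */
char *copy_string_buggy(const char *s)
{
    size_t len = strlen(s);
    char *dst = dbg_alloc(len);         /* should be len + 1 */
    if (dst != NULL)
        memcpy(dst, s, len + 1);        /* len + 1 bytes into a len-byte block */
    return dst;
}

/* Correct version: room for the terminator is part of the allocation. */
char *copy_string_fixed(const char *s)
{
    size_t len = strlen(s);
    char *dst = dbg_alloc(len + 1);
    if (dst != NULL)
        memcpy(dst, s, len + 1);
    return dst;
}

/* Copy with each variant, measure the overrun, release the block, return the count. */
size_t overflow_after_buggy_copy(const char *s)
{
    char *p = copy_string_buggy(s);
    size_t n = (p != NULL) ? dbg_end_overflow(p) : 0;
    dbg_free(p);
    return n;
}

size_t overflow_after_fixed_copy(const char *s)
{
    char *p = copy_string_fixed(s);
    size_t n = (p != NULL) ? dbg_end_overflow(p) : 0;
    dbg_free(p);
    return n;
}

int main(void)
{
    const char *sample = "APPLICATION_PATH";   /* 16 characters, as in the report */
    printf("buggy copy: %zu byte(s) overflown\n", overflow_after_buggy_copy(sample));
    printf("fixed copy: %zu byte(s) overflown\n", overflow_after_fixed_copy(sample));
    return 0;
}
```

The point of the guard-word check is that it is evaluated when the block is freed or validated, not when the overrun happens, which is why the report names the free site (zend_variables.c) as the detection point and the scanner line as the allocation site. A real heap overrun of this shape corrupts whatever follows the block in production builds, which is how it surfaces later as a crash in an unrelated free or destructor.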
 [2011-10-31 21:14 UTC] pajoye@php.net
I would suggest reporting this issue to Zend Framework or Zend directly then. They can help you figure out the issue.
 [2011-10-31 21:14 UTC] pajoye@php.net
-Status: Open +Status: Suspended
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC