PHP :: Bug #61133 :: segfault in tests/apc_bin

Bug #61133

segfault in tests/apc_bin_002.phpt

Submitted:

2012-02-18 07:27 UTC

Modified:

2012-08-12 15:26 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	2 (100.0%)

From:

remi@php.net

Assigned:

ab (profile)

Status:

Closed

Package:

APC (PECL)

PHP Version:

5.4.0RC8

OS:

GNU/Linux (Fedora 16)

Private report:

CVE-ID:

None

View Developer Edit

[2012-02-18 07:27 UTC] remi@php.net

Description:
------------
Here is the backtrace get with PHP 5.4.0RC8 and APC rev 322617

(gdb) run  -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php
Starting program: /usr/bin/php -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
my_copy_zval (dst=0x7fffef9cc650, src=0x2725, ctxt=0x7fffffffb450) at /usr/include/bits/string3.h:52
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));


(gdb) bt
#0  my_copy_zval (dst=0x7fffef9cc650, src=0x2725, ctxt=0x7fffffffb450) at /usr/include/bits/string3.h:52
#1  0x00007ffff15d10d7 in my_copy_zval_ptr (dst=0x7fffef9cc8b0, src=0x7fffef58252d, ctxt=0x7fffffffb450) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_compile.c:219
#2  0x00007ffff15d1dbc in my_copy_class_entry (dst=0x7fffef9cc270, src=0x7fffef588801, ctxt=0x7fffffffb450) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_compile.c:721
#3  0x00007ffff15db74a in apc_bin_load (bd=0x7fffef5867e0, flags=<optimized out>) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/apc_bin.c:925
#4  0x00007ffff15cb269 in zif_apc_bin_load (ht=<optimized out>, return_value=0x7ffff7d975e0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /home/rpmbuild/BUILD/php-pecl-apc-3.1.9/APC-3.1.9/php_apc.c:1482
#5  0x0000000000669529 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.4.0RC8/Zend/zend_vm_execute.h:642
#6  0x000000000062847f in execute (op_array=0x7ffff7d97f20) at /usr/src/debug/php-5.4.0RC8/Zend/zend_vm_execute.h:410
#7  0x00000000005c4500 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.0RC8/Zend/zend.c:1272
#8  0x00000000005644a3 in php_execute_script (primary_file=0x7fffffffdca0) at /usr/src/debug/php-5.4.0RC8/main/main.c:2473
#9  0x000000000066bbd1 in do_cli (argc=13, argv=0x7fffffffdfb8) at /usr/src/debug/php-5.4.0RC8/sapi/cli/php_cli.c:983
#10 0x000000000042599e in main (argc=13, argv=0x7fffffffdfb8) at /usr/src/debug/php-5.4.0RC8/sapi/cli/php_cli.c:1356



Test script:
---------------
Running provided tests or

$ LANG=C php -n -d extension_dir=../modules -d extension=apc.so -d apc.enabled=1 -d apc.enable_cli=1 -d apc.stat=0 apc_bin_002.php


Expected result:
----------------
Test OK

Actual result:
--------------
segfault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-03-07 22:14 UTC] ab@php.net

-Assigned To: +Assigned To: ab

[2012-03-08 08:46 UTC] ab@php.net

-Status: Assigned +Status: Verified

[2012-03-08 08:46 UTC] ab@php.net

Confirmed, a simple call on the debug build says:


/usr/bin/php -n -d extension_dir=.libs -d extension=apc.so -d apc.enabled=1 -d 
apc.enable_cli=1 -d apc.stat=0 tests/apc_bin_002.php
php: /usr/local/src/apc/apc_compile.c:371: my_copy_zval: Assertion `0' failed.
Aborted

And the valgrind outs:

==31016== Invalid write of size 4
==31016==    at 0x47E561B: sma_allocate (apc_sma.c:258)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff378 is 8 bytes after a block of size 584 alloc'd
==31016==    at 0x47E5DFF: apc_sma_malloc_ex (apc_sma.c:467)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E9352: apc_realpool_create (apc_pool.c:435)
==31016==    by 0x47E8DD1: apc_pool_create (apc_pool.c:57)
==31016==    by 0x47EEC31: apc_bin_load (apc_bin.c:856)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==    by 0x81E0EAF: php_execute_script (main.c:2473)
==31016==    by 0x83D7C06: do_cli (php_cli.c:983)
==31016== 
==31016== Invalid read of size 4
==31016==    at 0x47E562B: sma_allocate (apc_sma.c:261)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff370 is 0 bytes after a block of size 584 alloc'd
==31016==    at 0x47E5DFF: apc_sma_malloc_ex (apc_sma.c:467)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E9352: apc_realpool_create (apc_pool.c:435)
==31016==    by 0x47E8DD1: apc_pool_create (apc_pool.c:57)
==31016==    by 0x47EEC31: apc_bin_load (apc_bin.c:856)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==    by 0x81E0EAF: php_execute_script (main.c:2473)
==31016==    by 0x83D7C06: do_cli (php_cli.c:983)
==31016== 
==31016== Invalid write of size 4
==31016==    at 0x47E5638: sma_allocate (apc_sma.c:266)
==31016==    by 0x47E5C2C: apc_sma_malloc_ex (apc_sma.c:453)
==31016==    by 0x47E619F: apc_sma_malloc (apc_sma.c:517)
==31016==    by 0x47E8F5F: create_pool_block (apc_pool.c:217)
==31016==    by 0x47E90DA: apc_realpool_alloc (apc_pool.c:274)
==31016==    by 0x47DF1FA: apc_copy_op_array (apc_compile.c:1097)
==31016==    by 0x47EED21: apc_bin_load (apc_bin.c:878)
==31016==    by 0x47D8321: zif_apc_bin_load (php_apc.c:1482)
==31016==    by 0x82C6CED: zend_do_fcall_common_helper_SPEC 
(zend_vm_execute.h:642)
==31016==    by 0x82CEB4F: ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:2219)
==31016==    by 0x82C4FAB: execute (zend_vm_execute.h:410)
==31016==    by 0x8286127: zend_execute_scripts (zend.c:1272)
==31016==  Address 0x4bff380 is not stack'd, malloc'd or (recently) free'd

[2012-03-08 12:53 UTC] ab@php.net

Much simplier test scenario

one.php:
<?php

apc_compile_file('two.php');
$data = apc_bin_dump(NULL, NULL);
apc_clear_cache();

apc_bin_load($data, APC_BIN_VERIFY_MD5 | APC_BIN_VERIFY_CRC32);

two.php:
<?php

$a = 'uuu';

The fail happens in the apc_bin_load but the data seem to be already corrupted.

[2012-08-12 15:20 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=327074
Log: Fixed bug #61133 (segfault in tests/apc_bin_002.phpt)

[2012-08-12 15:22 UTC] laruence@php.net

-Status: Verified +Status: Closed

[2012-08-12 15:22 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2012-08-12 15:26 UTC] laruence@php.net

fixed,  all test script passed in my box(regardless the memleaks),  cheers! :)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 20 22:00:01 2025 UTC