Bug #61757 Apache Segfault zend_hash_quick_find
Submitted: 2012-04-17 17:16 UTC Modified: 2012-04-26 21:21 UTC
From: joe at creativeanvil dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.4.0 OS: CentOS 6.2
Private report: No CVE-ID: None
 [2012-04-17 17:16 UTC] joe at creativeanvil dot com
Description:
------------
Appears that in certain cases when trying to access an array key that does not 
exist, apache segfaults.

Test script:
---------------
<?php
// Fragment of a class method from the reporter's code, wrapped in a minimal
// class here so that $this resolves and the script runs stand-alone.
class LineItemReport {
    public $line_item_array;
    public function build() {
        $text = '';
        // Each element is a string, so every ['key'] read below is a string-offset
        // access with a non-numeric key, not an array lookup.
        $this->line_item_array = array('14441454');
        foreach ($this->line_item_array as $line_num => $line_item) {
            if ($line_item['pallets'] > 0) {
                $pallets = " on {$line_item['pallets']} pallet(s)";
            } else {
                $pallets = '';
            }
            $line_num += 1;
            $handling_unit = strtolower($line_item['handling_unit']);
            $dims = (!empty($line_item['length'])) ? ", {$line_item['length']}x{$line_item['width']}x{$line_item['height']}" : '';
            $text .= "{$line_item['pieces']} $handling_unit$pallets$dims\n";
        }
        return $text;
    }
}

Expected result:
----------------
Notices and warnings thrown about non-existent indexes, not a segfault.

Actual result:
--------------
Loaded symbols for /lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /usr/lib64/apr-util-1/apr_ldap-1.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/apr-util-1/apr_ldap-1.so
Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f7683eb9d71 in zend_hash_quick_find (ht=0x7f76912e0f48, arKey=0x7f768e9a25a0 "handling_unit", nKeyLength=14, h=12662310260902317513, pData=0x7fffa613be18) at /usr/local/src/php-5.4.0/Zend/zend_hash.c:950
950		p = ht->arBuckets[nIndex];

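The loop from the report reduced to a stand-alone script, shown beside a guarded variant that checks each row's type before indexing it. This is an added example, not the reporter's or PHP's own code; the function names describe_unguarded and describe_guarded and the sample rows are assumptions.

```php
<?php
// Added example, not code from the bug report. Input is constructed: one
// "line item" that is a string instead of the array the loop expects.
$line_item_array = array('14441454');

// Unguarded: mirrors the report. Each $line_item['key'] on a string is a
// string-offset read with a non-numeric key, which PHP 5.4 reports as
// "Illegal string offset" (later versions escalate it to an error) and which,
// per the report, brought down the Apache worker on 5.4.0.
function describe_unguarded(array $items) {
    $text = '';
    foreach ($items as $line_num => $line_item) {
        $pallets = ($line_item['pallets'] > 0) ? " on {$line_item['pallets']} pallet(s)" : '';
        $handling_unit = strtolower($line_item['handling_unit']);
        $dims = !empty($line_item['length'])
            ? ", {$line_item['length']}x{$line_item['width']}x{$line_item['height']}" : '';
        $text .= "{$line_item['pieces']} $handling_unit$pallets$dims\n";
    }
    return $text;
}

// Guarded: validate the row's shape before indexing, so malformed input yields
// a logged warning and a skipped row instead of offset reads on a scalar.
function describe_guarded(array $items) {
    $text = '';
    foreach ($items as $line_num => $line_item) {
        if (!is_array($line_item)) {
            trigger_error("line item $line_num is not an array, skipping", E_USER_WARNING);
            continue;
        }
        $pallets = (!empty($line_item['pallets']) && $line_item['pallets'] > 0)
            ? " on {$line_item['pallets']} pallet(s)" : '';
        $handling_unit = isset($line_item['handling_unit']) ? strtolower($line_item['handling_unit']) : '';
        $dims = !empty($line_item['length'])
            ? sprintf(', %sx%sx%s', $line_item['length'],
                      isset($line_item['width']) ? $line_item['width'] : '?',
                      isset($line_item['height']) ? $line_item['height'] : '?')
            : '';
        $pieces = isset($line_item['pieces']) ? $line_item['pieces'] : 0;
        $text .= "$pieces $handling_unit$pallets$dims\n";
    }
    return $text;
}

// The malformed row is logged and skipped; a well-formed row is rendered.
echo describe_guarded($line_item_array);
echo describe_guarded(array(array('pieces' => 3, 'handling_unit' => 'Pallet',
    'pallets' => 2, 'length' => 48, 'width' => 40, 'height' => 36)));
```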
 [2012-04-17 17:20 UTC] joe at creativeanvil dot com
Sorry, forgot config line on report:

./configure --with-apxs2=/usr/sbin/apxs --enable-cli --enable-exif --enable-mbstring --enable-mbregex --enable-sockets --with-mysql --with-mysqli=/usr/bin/mysql_config --with-pdo-mysql --with-libdir=lib64 --with-zlib --with-gd --with-jpeg-dir=/usr/lib64 --enable-soap --enable-calendar --with-freetype-dir=/usr/lib64 --with-libexpat-dir --enable-ftp --enable-calendar --with-curl
 [2012-04-17 20:22 UTC] joe at creativeanvil dot com
Also, tried the latest 5.4 build and still have the same issue. 5.3.10 does not 
produce the same problem. Additional backtrace info on latest 5.4 build:

#0  0x00007f5604d87661 in gc_zval_possible_root (zv=0x7f5611cabf20) at /usr/local/src/php5.4-201204171930/Zend/zend_gc.c:143
#1  0x00007f5604d9aabd in gc_zval_check_possible_root (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_gc.h:183
#2  i_zval_ptr_dtor (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_execute.h:97
#3  zend_leave_helper_SPEC (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_vm_execute.h:468
#4  0x00007f5604dd0700 in execute (op_array=0x7f5611e80f10) at /usr/local/src/php5.4-201204171930/Zend/zend_vm_execute.h:410
#5  0x00007f5604d678cf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.4-201204171930/Zend/zend.c:1272
#6  0x00007f5604d0b3e7 in php_execute_script (primary_file=0x7fff71019fc0) at /usr/local/src/php5.4-201204171930/main/main.c:2473
#7  0x00007f5604e11765 in php_handler (r=0x7f5611c6d348) at /usr/local/src/php5.4-201204171930/sapi/apache2handler/sapi_apache2.c:667
#8  0x00007f560fa14b00 in ap_run_handler ()
#9  0x00007f560fa183be in ap_invoke_handler ()
#10 0x00007f560fa23a30 in ap_process_request ()
#11 0x00007f560fa208f8 in ?? ()
#12 0x00007f560fa1c608 in ap_run_process_connection ()
#13 0x00007f560fa28807 in ?? ()
#14 0x00007f560fa28b1a in ?? ()
#15 0x00007f560fa28e4b in ap_mpm_run ()
#16 0x00007f560fa00900 in main ()
 [2012-04-17 20:50 UTC] johannes@php.net
-Status: Open +Status: Feedback
 [2012-04-17 20:50 UTC] johannes@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

GC issues require a full reproduce case for being tracked down properly. Please try to reduce your codebase as much as possible (it doesn't bring much to send us a large program, as you know the code better than we, I assume, and can strip it down better) and make that available. Thanks.
 [2012-04-26 21:21 UTC] joe at creativeanvil dot com
Just upgraded to 5.4.1 and am not seeing this issue any longer. Thank you.
 [2012-04-26 21:21 UTC] joe at creativeanvil dot com
-Status: Feedback +Status: Closed
 [2013-05-20 10:33 UTC] Junk at Army dot ca
I'm seeing this same issue on php 5.4.14, Fedora 17:

Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fae904dc298 in zend_hash_quick_find (ht=ht@entry=0x7fae9eb26698, arKey=0x7fae9f9d3290 "mbstring", nKeyLength=9, h=h@entry=249897825911322699, pData=pData@entry=0x7fffdc759548) at /usr/src/debug/php-5.4.14/Zend/zend_hash.c:950
950             p = ht->arBuckets[nIndex];

Packages:
httpd-2.2.23-1.fc17.x86_64
php-5.4.14-1.fc17.x86_64
php-common-5.4.14-1.fc17.x86_64
php-imap-5.4.14-1.fc17.x86_64
php-pecl-apc-debuginfo-3.1.15-0.3.svn329913.fc17.x86_64
php-pspell-5.4.14-1.fc17.x86_64
php-debuginfo-5.4.14-1.fc17.x86_64
php-pdo-5.4.14-1.fc17.x86_64
php-mysql-5.4.14-1.fc17.x86_64
php-mbstring-5.4.14-1.fc17.x86_64
php-mcrypt-5.4.14-1.fc17.x86_64
php-pear-1.9.4-7.fc17.2.noarch
php-Kohana-2.4-1.rc2.fc17.3.noarch
php-cli-5.4.14-1.fc17.x86_64
php-pgsql-5.4.14-1.fc17.x86_64
php-xml-5.4.14-1.fc17.x86_64
php-gd-5.4.14-1.fc17.x86_64
php-pecl-apc-3.1.15-0.3.svn329913.fc17.x86_64

I have not located the source script yet.
 [2013-05-24 11:02 UTC] Junk at Army dot ca
Removing these packages seems to have cleared up the issue:

php-pecl-apc-3.1.15-0.3.svn329913.fc17.x86_64
php-pear-1.9.4-7.fc17.2.noarch
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 02 13:03:33 2021 UTC