Bug #63055 Segfault in zend_gc with SF2 testsuite
Submitted: 2012-09-10 11:56 UTC Modified: 2012-10-18 08:53 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at wallbash dot com Assigned: laruence
Status: Closed Package: *General Issues
PHP Version: 5.4.6 OS: CentOS 6.3
Private report: No CVE-ID:
 [2012-09-10 11:56 UTC] php at wallbash dot com
Description:
------------
Reproducible with php-master & 5.4.6

I'm sorry for not being able to break that down. Only running the segfaulting test works without an issue and even generating more output during the execution doesn't lead to the issue :(

The best I can come up with is providing all the instructions to run the whole thing.

Configure: 

'./configure'  '--prefix=/opt/php-master' '--without-pear' '--with-zlib' '--with-xsl' '--enable-debug'

Test script:
---------------
git clone https://github.com/symfony/symfony.git
git checkout 4dc197c3e1ea227e36cab7ea93877fa44ecc569b
curl -s http://getcomposer.org/installer | php
COMPOSER_ROOT_VERSION=dev-master php composer.phar --dev install
php src/Symfony/Component/Locale/Resources/data/build-data.php
export USE_INTL_ICU_DATA_VERSION=1

pear config-set auto_discover 1
pear install --alldeps pear.phpunit.de/phpunit-3.7.0RC3
pear install --alldeps pear.phpunit.de/php_codecoverage-1.2.0RC3
pear install --alldeps pear.phpunit.de/punit_mockobject-1.2.0RC4

phpunit

Expected result:
----------------
No segfault

Actual result:
--------------
Core with 5.4.6

CORE 5.4.6:
-----------

gdb /opt/php-5.4.6/bin/php /tmp/cores/core-php.17245 

This GDB was configured as "x86_64-redhat-linux-gnu".

Reading symbols from /opt/php-5.4.6/bin/php...done.
[New LWP 17245]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/opt/php-5.4.6/bin/php /usr/bin/phpunit'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000007e493f in zval_mark_grey (pz=0x12adf328) at /opt/php-5.4.6/Zend/zend_gc.c:425
425				pz = *(zval**)p->pData;
(gdb) bt
#0  0x00000000007e493f in zval_mark_grey (pz=0x12adf328) at /opt/php-5.4.6/Zend/zend_gc.c:425
#1  0x00000000007e4c6e in gc_mark_roots () at /opt/php-5.4.6/Zend/zend_gc.c:501
#2  0x00000000007e57cd in gc_collect_cycles () at /opt/php-5.4.6/Zend/zend_gc.c:793
#3  0x00000000007e3e96 in gc_zval_possible_root (zv=0x12adf9e8) at /opt/php-5.4.6/Zend/zend_gc.c:166
#4  0x00000000007a689e in gc_zval_check_possible_root (z=0x12adf9e8) at /opt/php-5.4.6/Zend/zend_gc.h:183
#5  _zval_ptr_dtor (zval_ptr=0x12adff00, __zend_filename=0xca8750 "/opt/php-5.4.6/Zend/zend_variables.c", __zend_lineno=180) at /opt/php-5.4.6/Zend/zend_execute_API.c:448
#6  0x00000000007b9354 in _zval_ptr_dtor_wrapper (zval_ptr=0x12adff00) at /opt/php-5.4.6/Zend/zend_variables.c:180
#7  0x00000000007cd5da in zend_hash_destroy (ht=0x12adf6a0) at /opt/php-5.4.6/Zend/zend_hash.c:560
#8  0x00000000007b8f19 in _zval_dtor_func (zvalue=0x12adf328, __zend_filename=0x97e728 "/opt/php-5.4.6/ext/pcre/php_pcre.c", __zend_lineno=550) at /opt/php-5.4.6/Zend/zend_variables.c:43
#9  0x000000000049daee in _zval_dtor (__zend_lineno=<optimized out>, __zend_filename=0x97e728 "/opt/php-5.4.6/ext/pcre/php_pcre.c", zvalue=0x12adf328)
    at /opt/php-5.4.6/Zend/zend_variables.h:35
#10 php_pcre_match_impl (pce=0x5a32e10, 
    subject=0x12adf4f0 "/**\n * Note that there are some values written like -2147483647 - 1. This is the lower 32bit int max and is a known\n * behavior of PHP.\n */\n/**\n     * @dataProvider formatCurrencyWithCurrencyStyleSwis"..., subject_len=225, return_value=0x12adf740, subpats=0x12adf328, global=1, use_flags=0, flags=0, start_offset=0)
    at /opt/php-5.4.6/ext/pcre/php_pcre.c:550
#11 0x000000000049da3b in php_do_pcre_match (ht=3, return_value=0x12adf740, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, global=1) at /opt/php-5.4.6/ext/pcre/php_pcre.c:520
#12 0x000000000049e850 in zif_preg_match_all (ht=3, return_value=0x12adf740, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /opt/php-5.4.6/ext/pcre/php_pcre.c:780
#13 0x00000000007fa7cc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fc29eb16ea8) at /opt/php-5.4.6/Zend/zend_vm_execute.h:642
#14 0x0000000000801854 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fc29eb16ea8) at /opt/php-5.4.6/Zend/zend_vm_execute.h:2219
#15 0x00000000007f91ab in execute (op_array=0x13b37c8) at /opt/php-5.4.6/Zend/zend_vm_execute.h:410
#16 0x00000000007bc486 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-5.4.6/Zend/zend.c:1289
#17 0x0000000000731340 in php_execute_script (primary_file=0x7fff1493dfb0) at /opt/php-5.4.6/main/main.c:2473
#18 0x00000000009020e2 in do_cli (argc=2, argv=0x7fff1493e368) at /opt/php-5.4.6/sapi/cli/php_cli.c:988
#19 0x000000000090318a in main (argc=2, argv=0x7fff1493e368) at /opt/php-5.4.6/sapi/cli/php_cli.c:1364

Core with master:

gdb /opt/php-master/bin/php /tmp/cores/core-php.22349 

This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /opt/php-master/bin/php...done.
BFD: Warning: /tmp/cores/core-php.22349 is truncated: expected core file size >= 194351104, found: 122478592.
[New LWP 22349]
Cannot access memory at address 0x3053823268
Failed to read a valid object file image from memory.

Core was generated by `/opt/php-master/bin/php -c /etc/php.ini /usr/bin/phpunit'.
Program terminated with signal 11, Segmentation fault.
#0  zval_mark_grey (pz=0xb9ca2a8) at /opt/php-src/Zend/zend_gc.c:421
(gdb) bt
#0  zval_mark_grey (pz=0xb9ca2a8) at /opt/php-src/Zend/zend_gc.c:421
Cannot access memory at address 0x7fff7174b4a8

History

 [2012-09-10 12:19 UTC] php at wallbash dot com
Initially I ran into this issue with 5.3.16 but I didn't include a coredump for it. Just added it to make clear it might not be something new in 5.4

Regards,
Edorian
 [2012-09-10 12:24 UTC] laruence@php.net
You mean you are running with 5.3?
 [2012-09-10 12:41 UTC] php at wallbash dot com
Hi laruence,

I meant the segfault happens with 5.3.16, 5.4.6 and with master, but I only included two coredumps.

The included coredump that produced a meaningful stacktrace is from 5.4.6 like noted.
 [2012-09-10 12:53 UTC] laruence@php.net
I cannot reproduce this with the 5.4 branch...

Could you try to make a small reproduce test script? Thanks.
 [2012-09-10 16:34 UTC] php at wallbash dot com
Like stated on pecl: I sadly can't. Every output I generate, or just executing that one test case, makes the segfault go away.

I'm really sorry I can't provide anything more helpful but with issues like that (see the last time I ran into something like that: https://bugs.php.net/bug.php?id=60825) getting a good repro is really hard for me. I've tried for a couple of hours but gave up.

I totally understand if this is not fixable for you of course but asking in php.pecl encouraged me to post it anyways :)
 [2012-09-11 06:53 UTC] reeze dot xia at gmail dot com
From the backtrace this seems to be a test for ext/intl.
I can't install the intl ext on my box because of a compile issue.

@laruence, do you see some test skip for intl, or did you enable the intl extension?
 [2012-09-11 06:56 UTC] reeze dot xia at gmail dot com
Hi wallbash,
  when you get a backtrace, you can source php-src's .gdbinit to get the backtrace of the PHP script:

gdb > source path/to/php-src/.gdbinit
gdb > zbactrace 
Then you may see the PHP-level script, and then we could find what causes the PHP crash.
 [2012-09-11 06:57 UTC] reeze dot xia at gmail dot com
gdb > zbactrace   --->  gdb > zbacktrace   missing a 'k' :)
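The gdb procedure reeze describes above (source php-src's .gdbinit, then run zbacktrace) and the C-level backtrace in the report lend themselves to a small triage script. The following Python is an added example, not code from the bug report or from php-src: it builds the batch gdb invocation, parses the C-level frames (including gdb's wrapped argument lines) and derives a crash signature for grouping duplicate reports, plus the first frame outside the engine, which here points at the pcre call that destroyed the array. SAMPLE_BT is constructed from frames 0-10 of the 5.4.6 backtrace above with the long pcre subject string shortened; the Frame, parse_backtrace, crash_signature, first_frame_outside, gdb_command and run_gdb names are my own.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# A gdb frame once wrapped continuation lines are glued back on, e.g.
#   #0  0x00000000007e493f in zval_mark_grey (pz=0x12adf328) at /opt/php-5.4.6/Zend/zend_gc.c:425
#   #5  _zval_ptr_dtor (zval_ptr=0x12adff00, ...) at /opt/php-5.4.6/Zend/zend_execute_API.c:448
# "0x... in" is absent when gdb omits the address; "at file:line" is absent without debug info.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_][\w:.]*)\s*"
    r"\((?P<args>.*)\)(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)

@dataclass
class Frame:
    num: int
    func: str
    args: str
    file: Optional[str]
    line: Optional[int]

def parse_backtrace(text: str) -> List[Frame]:
    """Collect '#N ...' lines from a gdb session; indented lines are gdb's
    wrapping of long argument lists and belong to the preceding frame."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        head = re.match(r"^#(\d+)\s", line)
        if head:
            if int(head.group(1)) == 0:
                records = []  # gdb prints frame #0 again when 'bt' is issued; keep the latest run
            records.append(line)
        elif records and line.startswith(" "):
            records[-1] += " " + line.strip()
    frames = []
    for rec in records:
        m = FRAME_RE.match(rec)
        if m:  # frames like "0x... in ?? ()" carry no symbol and are skipped
            frames.append(Frame(int(m["num"]), m["func"], m["args"], m["file"],
                                int(m["line"]) if m["line"] else None))
    return frames

def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key for grouping reports: innermost function names only, so
    differing addresses and builds still land in the same bucket."""
    return "|".join(f.func for f in frames[:depth])

def first_frame_outside(frames: List[Frame], component: str) -> Optional[Frame]:
    """First frame whose source file is not under `component` (e.g. 'Zend'):
    the extension or SAPI call that led into the engine crash."""
    marker = f"/{component.strip('/')}/"
    return next((f for f in frames if f.file and marker not in f.file), None)

def gdb_command(php_binary: str, core_file: str, gdbinit: Optional[str] = None) -> List[str]:
    """argv for a non-interactive gdb run; with php-src's .gdbinit sourced,
    'zbacktrace' prints the PHP-level call stack after the C-level 'bt'."""
    cmd = ["gdb", "--batch", "-ex", "set pagination off"]
    if gdbinit:
        cmd += ["-ex", f"source {gdbinit}"]
    cmd += ["-ex", "bt"]
    if gdbinit:
        cmd += ["-ex", "zbacktrace"]
    return cmd + [php_binary, core_file]

def run_gdb(php_binary: str, core_file: str, gdbinit: Optional[str] = None) -> str:
    if shutil.which("gdb") is None:
        raise RuntimeError("gdb is not on PATH")
    return subprocess.run(gdb_command(php_binary, core_file, gdbinit),
                          capture_output=True, text=True, check=False).stdout

# Constructed sample: frames 0-10 of the 5.4.6 backtrace in the report, with the
# long pcre subject string shortened; frames 11-19 omitted.
SAMPLE_BT = """\
(gdb) bt
#0  0x00000000007e493f in zval_mark_grey (pz=0x12adf328) at /opt/php-5.4.6/Zend/zend_gc.c:425
#1  0x00000000007e4c6e in gc_mark_roots () at /opt/php-5.4.6/Zend/zend_gc.c:501
#2  0x00000000007e57cd in gc_collect_cycles () at /opt/php-5.4.6/Zend/zend_gc.c:793
#3  0x00000000007e3e96 in gc_zval_possible_root (zv=0x12adf9e8) at /opt/php-5.4.6/Zend/zend_gc.c:166
#4  0x00000000007a689e in gc_zval_check_possible_root (z=0x12adf9e8) at /opt/php-5.4.6/Zend/zend_gc.h:183
#5  _zval_ptr_dtor (zval_ptr=0x12adff00, __zend_filename=0xca8750 "/opt/php-5.4.6/Zend/zend_variables.c", __zend_lineno=180) at /opt/php-5.4.6/Zend/zend_execute_API.c:448
#6  0x00000000007b9354 in _zval_ptr_dtor_wrapper (zval_ptr=0x12adff00) at /opt/php-5.4.6/Zend/zend_variables.c:180
#7  0x00000000007cd5da in zend_hash_destroy (ht=0x12adf6a0) at /opt/php-5.4.6/Zend/zend_hash.c:560
#8  0x00000000007b8f19 in _zval_dtor_func (zvalue=0x12adf328, __zend_filename=0x97e728 "/opt/php-5.4.6/ext/pcre/php_pcre.c", __zend_lineno=550) at /opt/php-5.4.6/Zend/zend_variables.c:43
#9  0x000000000049daee in _zval_dtor (__zend_lineno=<optimized out>, __zend_filename=0x97e728 "/opt/php-5.4.6/ext/pcre/php_pcre.c", zvalue=0x12adf328)
    at /opt/php-5.4.6/Zend/zend_variables.h:35
#10 php_pcre_match_impl (pce=0x5a32e10,
    subject=0x12adf4f0 "/**\\n * Note that there are some values"..., subject_len=225, return_value=0x12adf740, subpats=0x12adf328, global=1, use_flags=0, flags=0, start_offset=0)
    at /opt/php-5.4.6/ext/pcre/php_pcre.c:550
"""

if __name__ == "__main__":
    fr = parse_backtrace(SAMPLE_BT)
    print(crash_signature(fr), "via", first_frame_outside(fr, "Zend").func)
```

On a box with gdb and a php-src checkout, run_gdb(php_binary, core_file, "/path/to/php-src/.gdbinit") returns both stacks in one go; the signature is built from function names only, so the two cores in this report (different addresses, different builds) group together.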
 [2012-09-11 08:48 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-09-11 08:48 UTC] laruence@php.net
intl

Internationalization support => enabled
version => 1.1.0
ICU version => 3.6
 [2012-09-11 08:49 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-09-11 14:28 UTC] php at wallbash dot com
Fixed reproduce instructions: https://gist.github.com/3690351; Maybe that helps you laruence.

I've misspelled the phpunit mock object dependency, and it doesn't work with newer versions (as it, I assume, involves object cloning that newer versions have turned off). Any other minor versions don't lead to the segfault.


@reeze,

(gdb) zbacktrace

(gdb) [0x7ff1428d4ea8] preg_match_all("/@requires\s+(?P<name>function|extension)\s(?P<value>([^\40]+))\r?$/m", "/**\12\40*\40Note\40that\40there\40are\40some\40values\40written\40like\40-2147483647\40-\401.\40This\40is\40the\40lower\4032bit\40int\40max\40and\40is\40a\40known\12\40*\40behavior\40of\40PHP.\12\40*/\12/**\12\40\40\40\40\40*\40@dataProvider\40formatCurrencyWithCurrencyStyleBrazilianRealRoundingProvider\12\40\40\40\40\40*/", array(7)[0x14916c30]) /usr/share/pear/PHPUnit/Util/Test.php:126 
[0x7ff1428d4ab0] getRequirements("Symfony\Component\Locale\Tests\Stub\StubNumberFormatterTest", "testFormatCurrencyWithCurrencyStyleBrazilianRealRoundingStub") /usr/share/pear/PHPUnit/Framework/TestCase.php:558 
[0x7ff1428d4378] setRequirementsFromAnnotation() /usr/share/pear/PHPUnit/Framework/TestCase.php:586 
[0x7ff1428d31b0] checkRequirements() /usr/share/pear/PHPUnit/Framework/TestCase.php:823 
[0x7ff1428d1d38] runBare() /usr/share/pear/PHPUnit/Framework/TestResult.php:649 
[0x7ff1428d0dd8] run(object[0x747e368]) /usr/share/pear/PHPUnit/Framework/TestCase.php:770 
[0x7ff1428d0cd8] run(object[0xa6fcfe0]) /usr/share/pear/PHPUnit/Framework/TestSuite.php:776 
[0x7ff1428cf980] runTest(object[0x747e368], object[0xa6fcfe0]) /usr/share/pear/PHPUnit/Framework/TestSuite.php:746 
[0x7ff1428ce610] run(object[0xa6fcfe0], false, array(0)[0xa6fa9e8], array(1)[0xa7390a8], false) /usr/share/pear/PHPUnit/Framework/TestSuite.php:706 
[0x7ff1428cd2a0] run(object[0xa6fcfe0], false, array(0)[0x14735b38], array(1)[0x14735cf0], false) /usr/share/pear/PHPUnit/Framework/TestSuite.php:706 
[0x7ff1428caea0] run(object[0xa6fcfe0], false, array(0)[0xab473f0], array(1)[0xab475a8], false) /usr/share/pear/PHPUnit/TextUI/TestRunner.php:325 
[0x7ff1428ca528] doRun(object[0x7ff13c2c3ed8], array(5)[0xab48718]) /usr/share/pear/PHPUnit/TextUI/Command.php:177 
[0x7ff1428ca360] run(array(1)[0x6b7c498], true) /usr/share/pear/PHPUnit/TextUI/Command.php:130 
[0x7ff1428ca0e8] main() /usr/bin/phpunit:46 
(gdb) 

Hope that helps :)
 [2012-09-11 14:28 UTC] php at wallbash dot com
-Status: Feedback +Status: Assigned
 [2012-09-12 03:57 UTC] laruence@php.net
Still cannot reproduce it.

php at wallbash.com, could you give me access to your testing box? That will be useful.. :)
 [2012-10-15 18:19 UTC] imprec at gmail dot com
Hello, got the same issue, see backtrace here https://travis-ci.org/#!/romainneutron/Phraseanet/jobs/2799781

I can provide a debug box, laruence@php.net, are you interested?
 [2012-10-18 07:18 UTC] laruence@php.net
FINALLY, I am able to make a reproduce script, thanks very much for your box @imprec ..
 [2012-10-18 07:50 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-10-18 07:50 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ccc519b7a92bfe4b191c0e2e3869516171247ac2
Log: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
 [2012-10-18 07:53 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ccc519b7a92bfe4b191c0e2e3869516171247ac2
Log: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
 [2012-10-18 08:44 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2012-10-18 08:44 UTC] laruence@php.net
The fix is not right for non-debug mode; we need to find another way out.
 [2012-10-18 08:53 UTC] laruence@php.net
-Status: Re-Opened +Status: Critical
 [2012-10-18 08:53 UTC] laruence@php.net
I'd like to mark this as a critical one,

any usage of zval_dtor with a recursive array may trigger this segfault.

But I cannot find a way to fix this without an inconsistent field, for now.

thanks
 [2012-10-18 09:27 UTC] imprec at gmail dot com
It seems this bug is reproducible on 5.3.17 as seen on this backtrace https://travis-ci.org/#!/alchemy-fr/Phraseanet/jobs/2837260 , should the version be updated?
 [2012-10-18 09:31 UTC] laruence@php.net
-Status: Critical +Status: Closed
 [2012-10-18 09:31 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8bd5e15ff7a57791956c4017ee8fb4a8ac0d8d2e
Log: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
 [2012-10-18 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8bd5e15ff7a57791956c4017ee8fb4a8ac0d8d2e
Log: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
 [2012-10-18 09:35 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8bd5e15ff7a57791956c4017ee8fb4a8ac0d8d2e
Log: Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 03:02:42 2014 UTC