Bug #63191 SIGSEGV (phpunit)
Submitted: 2012-09-30 19:55 UTC Modified: 2013-02-18 00:36 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: sh at isecure dot cz Assigned:
Status: No Feedback Package: Unknown/Other Function
PHP Version: Irrelevant OS: Freebsd 9 & Ubuntu 12.04
Private report: No CVE-ID:
 [2012-09-30 19:55 UTC] sh at isecure dot cz
Description:
------------
Crash with Symfony 2 & phpunit use. Can't localize the root cause of the problem; the same
error shows on FreeBSD 9 with PHP 5.4.6 and also in Ubuntu's PHP 5.3.10-1

Actual result:
--------------
(gdb) r
Starting program: /usr/local/bin/php /usr/local/bin/phpunit -c app 
src/Foo/ShopBundle/Demo/DemoCreationTest
[New LWP 108705]
[New Thread 80217a400 (LWP 108705/php)]
PHPUnit 3.6.10 by Sebastian Bergmann.

Configuration read from /home/sh/public_html/eshop/app/phpunit.xml.dist


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80217a400 (LWP 108705/php)]
0x000000000069b7d2 in zend_std_object_get_class (object=0x80fabc6f8) at 
/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_object_handlers.c:1454
1454		return zobj->ce;
(gdb) 


(gdb) bt full
#0  0x000000000069b7d2 in zend_std_object_get_class (object=0x80fabc6f8) at 
/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_object_handlers.c:1454
	zobj = (zend_object *) 0x800000763
#1  0x0000000000663745 in zend_get_class_entry (zobject=0x80fabc6f8) at 
/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_API.c:238
No locals.
#2  0x00000000006f7998 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER 
(execute_data=0x80203fff0) at zend_vm_execute.h:13450
	opline = (zend_op *) 0x80dea2a10
	function_name = (zval *) 0x80dea3a08
	function_name_strval = 0x802092578 "format"
	function_name_strlen = 6
	free_op1 = {var = 0x0}
#3  0x00000000006a1071 in execute (op_array=0x80ded34f0) at 
zend_vm_execute.h:410
	ret = 3
	execute_data = (zend_execute_data *) 0x80203fff0
	nested = 1 '\001'
	original_in_execution = 1 '\001'
#4  0x000000000064d3ff in zend_call_function (fci=0x7fffffffa550, 
fci_cache=0x7fffffffa4e0) at /usr/ports/lang/php5/work/php-
5.4.6/Zend/zend_execute_API.c:958
	i = 0
	original_return_value = (zval **) 0x0
	calling_symbol_table = (HashTable *) 0x0
	original_op_array = (zend_op_array *) 0x80ea99b58
	original_opline_ptr = (zend_op **) 0x80203dcd8
	current_scope = (zend_class_entry *) 0x0
	current_called_scope = (zend_class_entry *) 0x80226d200
	calling_scope = (zend_class_entry *) 0x80e1d3e60
	called_scope = (zend_class_entry *) 0x80e1d3e60
	current_this = (zval *) 0x8109ec370
	execute_data = {opline = 0x0, function_state = {function = 0x80e1deb80, 
arguments = 0x80203efb8}, fbc = 0x0, called_scope = 0x3, op_array = 0x0, 
  object = 0x810a89d28, Ts = 0x80203de88, CVs = 0x80203dd68, symbol_table = 0x0, 
prev_execute_data = 0x80203dcd8, old_error_reporting = 0x0, 
  nested = 1 '\001', original_return_value = 0x8109ec370, current_scope = 
0x80ea7edc0, current_called_scope = 0x80ea7edc0, current_this = 0x8109ef510, 
  current_object = 0x0}
	fci_cache_local = {initialized = 208 '�', function_handler = 0x68e437, 
calling_scope = 0x1ffffa1e0, called_scope = 0x80f513510, 
  object_ptr = 0x80f3c0c70}
#5  0x0000000000683141 in zend_call_method (object_pp=0x7fffffffa650, 
obj_ce=0x80e1d3e60, fn_proxy=0x7fffffffa658, function_name=0x84e866 
"__destruct", 
    function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) 
at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_interfaces.c:97
	fcic = {initialized = 1 '\001', function_handler = 0x80e1deb80, 
calling_scope = 0x80e1d3e60, called_scope = 0x80e1d3e60, object_ptr = 
0x810a89d28}
	result = 0
	fci = {size = 72, function_table = 0x3b10064a618, function_name = 
0x7fffffffa530, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffa528, 
  param_count = 0, params = 0x7fffffffa510, object_ptr = 0x810a89d28, 
no_separation = 1 '\001'}
	z_fname = {value = {lval = 8691136, dval = 4.2939917209341081e-317, str 
= {
      val = 0x849dc0 "/usr/ports/lang/php5/work/php-
5.4.6/Zend/zend_execute_API.c", len = 279485768}, ht = 0x849dc0, obj = {handle = 
8691136, 
      handlers = 0x810a89d48}}, refcount__gc = 8710008, type = 0 '\0', 
is_ref__gc = 0 '\0'}
	retval = (zval *) 0x0
	function_table = (HashTable *) 0x80e1d3e88
	params = {0x7fffffffa5d8, 0x7fffffffa5e0}
#6  0x000000000069187a in zend_objects_destroy_object (object=0x80fa8e540, 
handle=945) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_objects.c:123
	old_exception = (zval *) 0x0
	obj = (zval *) 0x810a89d28
	obj_bucket = (zend_object_store_bucket *) 0x810095ca0
	destructor = (zend_function *) 0x80e1deb80
#7  0x000000000068e9dc in gc_collect_cycles () at /usr/ports/lang/php5/work/php-
5.4.6/Zend/zend_gc.c:814
	p = (zval_gc_info *) 0x80fa8e048
	q = (zval_gc_info *) 0x84f478
	orig_free_list = (zval_gc_info *) 0x0
	orig_next_to_free = (zval_gc_info *) 0x0
	count = 10689
#8  0x000000000068ceda in gc_zobj_possible_root (zv=0x8109ec370) at 
/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_gc.c:221
	newRoot = (gc_root_buffer *) 0x0
	obj = (struct _store_object *) 0x8100a47a8
#9  0x000000000068cbac in gc_zval_possible_root (zv=0x8109ec370) at 
/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_gc.c:143
No locals.
#10 0x00000000006a35b6 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x80203dcd8) at zend_gc.h:183
	opline = (zend_op *) 0x80eaa29e0
	should_change_scope = 1 '\001'
	fbc = (zend_function *) 0x80228a800
#11 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER 
(execute_data=0x80203dcd8) at zend_vm_execute.h:752
No locals.
#12 0x00000000006a1071 in execute (op_array=0x80ea99b58) at 
zend_vm_execute.h:410
	ret = 0
	execute_data = (zend_execute_data *) 0x80203dcd8
	nested = 1 '\001'
	original_in_execution = 1 '\001'
#13 0x000000000064d3ff in zend_call_function (fci=0x7fffffffaed0, 
fci_cache=0x7fffffffaea0) at /usr/ports/lang/php5/work/php-
5.4.6/Zend/zend_execute_API.c:958
	i = 0
	original_return_value = (zval **) 0x80203a788
	calling_symbol_table = (HashTable *) 0x0
	original_op_array = (zend_op_array *) 0x80d437d68
	original_opline_ptr = (zend_op **) 0x80203a838
	current_scope = (zend_class_entry *) 0x80d434170
	current_called_scope = (zend_class_entry *) 0x80d43e7c0
	calling_scope = (zend_class_entry *) 0x810505f78
	called_scope = (zend_class_entry *) 0x810505f78
	current_this = (zval *) 0x8108fdeb0
	execute_data = {opline = 0x0, function_state = {function = 0x8104cf500, 
arguments = 0x80203b300}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, 
  object = 0x810a30770, Ts = 0x80203a948, CVs = 0x80203a8c8, symbol_table = 0x0, 
prev_execute_data = 0x80203a838, old_error_reporting = 0x0, 
  nested = 1 '\001', original_return_value = 0x80203a788, current_scope = 
0x80d434170, current_called_scope = 0x80d43e7c0, current_this = 0x8108fdeb0, 
  current_object = 0x0}
	fci_cache_local = {initialized = 0 '\0', function_handler = 
0xc7500000048, calling_scope = 0x84b258, called_scope = 0x0, object_ptr = 
0x80200d600}
#14 0x00000000004d4bbc in zif_call_user_func_array (ht=2, 
return_value=0x810a5e478, return_value_ptr=0x0, this_ptr=0x0, 
return_value_used=1)
    at /usr/ports/lang/php5/work/php-5.4.6/ext/standard/basic_functions.c:4749
	params = (zval *) 0x810a5c858
	retval_ptr = (zval *) 0x0
	fci = {size = 72, function_table = 0x810505fa0, function_name = 
0x810a70150, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffaf20, param_count = 
0, 
  params = 0x810a53400, object_ptr = 0x810a30770, no_separation = 1 '\001'}
	fci_cache = {initialized = 1 '\001', function_handler = 0x8104cf500, 
calling_scope = 0x810505f78, called_scope = 0x810505f78, 
  object_ptr = 0x810a30770}
#15 0x00000000006a2a90 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x80203a838) at zend_vm_execute.h:642
	ret = (temp_variable *) 0x80203aea8
	opline = (zend_op *) 0x80d43ca08
	should_change_scope = 0 '\0'
	fbc = (zend_function *) 0x8021f3a00
#16 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER 
(execute_data=0x80203a838) at zend_vm_execute.h:752
No locals.
#17 0x00000000006a1071 in execute (op_array=0x80df5cd00) at 
zend_vm_execute.h:410
	ret = 0
	execute_data = (zend_execute_data *) 0x80203a838
	nested = 1 '\001'
	original_in_execution = 1 '\001'
#18 0x000000000064d3ff in zend_call_function (fci=0x7fffffffb710, 
fci_cache=0x7fffffffb6e0) at /usr/ports/lang/php5/work/php-
5.4.6/Zend/zend_execute_API.c:958
	i = 0
	original_return_value = (zval **) 0x802037248
	calling_symbol_table = (HashTable *) 0x0
	original_op_array = (zend_op_array *) 0x80d9f5380

	original_opline_ptr = (zend_op **) 0x802037ec8
	current_scope = (zend_class_entry *) 0x0
	current_called_scope = (zend_class_entry *) 0x80226cf00
	calling_scope = (zend_class_entry *) 0x80d915018
	called_scope = (zend_class_entry *) 0x80d915018
	current_this = (zval *) 0x80da58b40
	execute_data = {opline = 0x0, function_state = {function = 0x80d9152a8, 
arguments = 0x802038800}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, 
  object = 0x80da628b8, Ts = 0x802037fa8, CVs = 0x802037f58, symbol_table = 0x0, 
prev_execute_data = 0x802037ec8, old_error_reporting = 0x0, 
  nested = 1 '\001', original_return_value = 0x0, current_scope = 0x80d9163d0, 
current_called_scope = 0x80d915018, current_this = 0x80da628b8, 
  current_object = 0x0}
	fci_cache_local = {initialized = 240 '�', function_handler = 
0x9e100000000, calling_scope = 0x847268, called_scope = 0x200000002, object_ptr 
= 0x0}
#19 0x0000000000479632 in zim_reflection_method_invokeArgs (ht=2, 
return_value=0x80da58890, return_value_ptr=0x0, this_ptr=0x80da58b40, 
return_value_used=1)
    at /usr/ports/lang/php5/work/php-5.4.6/ext/reflection/php_reflection.c:3024
	retval_ptr = (zval *) 0x0
	params = (zval ***) 0x802067758
	object = (zval *) 0x80da628b8
	intern = (reflection_object *) 0x80da0a778
	mptr = (zend_function *) 0x80d9152a8
	argc = 0
	result = 8
	fci = {size = 72, function_table = 0x0, function_name = 0x0, 
symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffb768, param_count = 0, 
  params = 0x802067758, object_ptr = 0x80da628b8, no_separation = 1 '\001'}
	fcc = {initialized = 1 '\001', function_handler = 0x80d9152a8, 
calling_scope = 0x80d915018, called_scope = 0x80d915018, object_ptr = 
0x80da628b8}
	obj_ce = (zend_class_entry *) 0x80d915018
	param_array = (zval *) 0x80da585d8
#20 0x00000000006a2a90 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x802037ec8) at zend_vm_execute.h:642
	ret = (temp_variable *) 0x802038288
	opline = (zend_op *) 0x80d92af50
	should_change_scope = 1 '\001'
	fbc = (zend_function *) 0x802288c00
#21 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER 
(execute_data=0x802037ec8) at zend_vm_execute.h:752
No locals.
#22 0x00000000006a1071 in execute (op_array=0x80d9f5380) at 
zend_vm_execute.h:410
	ret = 0
	execute_data = (zend_execute_data *) 0x802037ec8
	nested = 1 '\001'
	original_in_execution = 0 '\0'
#23 0x0000000000662a79 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend.c:1289
	files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 
0x7fffffffbd10, reg_save_area = 0x7fffffffbc50}}
	i = 1
	file_handle = (zend_file_handle *) 0x7fffffffd840
	orig_op_array = (zend_op_array *) 0x0
	orig_retval_ptr_ptr = (zval **) 0x0
	orig_interactive = 0
#24 0x00000000005cad46 in php_execute_script (primary_file=0x7fffffffd840) at 
/usr/ports/lang/php5/work/php-5.4.6/main/main.c:2473
	realfile = 
"/usr/local/bin/phpunit\000\000\002\000\000\000\001\000\000\0008W\006\002\b\000\
000\000�E�\000\003\000\000\000�����
\177\000\000�~g\000\000\000\000\000@V\006\002\b\000\000\000\020\000\000\000\002
\000\000\000@V\006\002\b", '\0' <repeats 11 times>, 
"h\233\203\000\000\000\000\000�\000\000\000\003\000\000\000\200����
\177\000\000;\\^\000\000\000\000\000��@\000\000\000\000\000\026", '\0' 
<repeats 15 times>, 
"@\223\000\000\000\000\000\000@V\006\002\b\000\000\000@V\006\002\b\000\000\000�
\214\202\000\000\000\000\000�U\006\002r\001\000\000@V\006\002\b\000\000\000�
\211\000\000\002\000"...
	__orig_bailout = (sigjmp_buf *) 0x7fffffffd790
	__bailout = {{_sjb = {6072965, 5, 140737488338184, 140737488343808, 
140737488345912, 140737488345864, 0, 0, 140737488290431, 6453169, 34584016184, 
      0}}}
	prepend_file_p = (zend_file_handle *) 0x0
	append_file_p = (zend_file_handle *) 0x0
	prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, 
      mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, 
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}

	append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, 
      mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, 
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
	old_cwd = 0x7fffffffbd30 ""
	use_heap = 0 '\0'
	retval = 0
#25 0x00000000007ba584 in do_cli (argc=5, argv=0x7fffffffdb08) at 
/usr/ports/lang/php5/work/php-5.4.6/sapi/cli/php_cli.c:988
	__orig_bailout = (sigjmp_buf *) 0x7fffffffd9e0
	__bailout = {{_sjb = {8100629, 5, 140737488343816, 140737488345504, 
140737488345912, 140737488345864, 0, 0, 895, 8605600, 8605648, 0}}}
	c = -1
	file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffdd73 
"/usr/local/bin/phpunit", opened_path = 0x0, handle = {fd = 33971248, 
    fp = 0x802065c30, stream = {handle = 0x802065c30, isatty = 0, mmap = {len = 
2031, pos = 0, map = 0x800b17000, 
        buf = 0x800b17015 <Error reading address 0x800b17015: Bad address>, 
old_handle = 0x801f12d40, old_closer = 0x681d00 <zend_stream_stdio_closer>}, 
      reader = 0x681cd0 <zend_stream_stdio_reader>, fsizer = 0x681d40 
<zend_stream_stdio_fsizer>, closer = 0x681ea0 <zend_stream_mmap_closer>}}, 
  free_filename = 0 '\0'}
	behavior = 1
	reflection_what = 0x0
	request_started = 1
	exit_status = 0
	php_optarg = 0x0
	orig_optarg = 0x0
	php_optind = 2
	orig_optind = 1
	exec_direct = 0x0
	exec_run = 0x0
	exec_begin = 0x0
	exec_end = 0x0
	arg_free = 0x7fffffffdd73 "/usr/local/bin/phpunit"
	arg_excp = (char **) 0x7fffffffdb10
	script_file = 0x7fffffffdd73 "/usr/local/bin/phpunit"
	translated_path = 0x80d5d6260 "/usr/local/bin/phpunit"
	interactive = 0
	lineno = 2
	param_error = 0x0
	hide_argv = 0
#26 0x00000000007bb569 in main (argc=5, argv=0x7fffffffdb08) at 
/usr/ports/lang/php5/work/php-5.4.6/sapi/cli/php_cli.c:1364
	__orig_bailout = (sigjmp_buf *) 0x0
	__bailout = {{_sjb = {8107334, 5, 140737488345512, 140737488345776, 
140737488345912, 140737488345864, 0, 0, 895, 5, 140737488345824, 
      140733193388032}}}
	c = -1
	exit_status = 0
	module_started = 1
	sapi_started = 1
	php_optarg = 0x0
	php_optind = 1
	use_extended_info = 0
	ini_path_override = 0x0
	ini_entries = 0x8020080f0 
"html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_
execution_time=0\nmax_input_time=-1\n"
	ini_entries_len = 110
	ini_ignore = 0
	sapi_module = (sapi_module_struct *) 0xb16940


 [2012-10-01 15:30 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-10-01 15:30 UTC] laruence@php.net
could you give us a reproduce script? thanks
 [2012-10-03 20:34 UTC] sh at isecure dot cz
-Status: Feedback +Status: Open
 [2012-10-03 20:34 UTC] sh at isecure dot cz
By Xdebug I stepped on this line

if(!$this->formatter) {
    // irrelevant
}

Expression itself throws SIGSEGV, but only after several iterations with almost the
same variables (this->formatter is always a simple object -
https://github.com/Seldaek/monolog/blob/master/src/Monolog/Formatter/LineFormatter.php)

If I change the row to if(empty($this->formatter)), the code miraculously works.
I am unable to simulate it nor simplify current conditions to write an example script.
Please can you tell me how to investigate this bug more?
 [2012-10-18 14:31 UTC] dispyfree at googlemail dot com
I can confirm this issue. 
The interesting part is that this issue only comes up if you use a newer version than PHPUnit 3.7.1 - I guess they used a new feature starting from that version. 
I'm running PHP 5.3.10-1ubuntu3.4 with Suhosin-Patch (cli) on Linux version 3.2.0-32-generic-pae (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC 2012. 

And another one: the newest debian php binary does _not_ crash. 

Regards,
 [2012-10-18 15:56 UTC] dispyfree at googlemail dot com
I just tested PHP 5.4.7 I compiled from source - same behavior. Obviously, this issue has not been fixed yet. 

Regards
 [2012-10-18 16:33 UTC] laruence@php.net
Can you give us a reproduce script?
 [2012-10-18 20:25 UTC] dispyfree at googlemail dot com
TestCase: https://dl.dropbox.com/u/70134012/sigsegv_bug.tar.bz2
execute: "cd tests && phpunit functional/ReferenceTest" 

PHPInfo: https://dl.dropbox.com/u/70134012/phpinfo.txt

Thanks in advance!
 [2012-10-19 04:15 UTC] laruence@php.net
I can not reproduce this.
 [2012-10-19 17:26 UTC] dispyfree at googlemail dot com
I guess you have to try it on FreeBSD/Ubuntu to reproduce it - as aforementioned, it does not come up on Debian. 

Regards,
 [2012-10-20 04:37 UTC] laruence@php.net
$ uname -a
Linux laptop.laruence.com 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 
2011 x86_64 x86_64 x86_64 GNU/Linux
 [2012-10-20 12:01 UTC] dispyfree at googlemail dot com
Because this bug tracking system is poorly written, I had to paste my post (my post became classified as spam every time):

http://pastebin.com/xYqteb7c
 [2012-10-20 12:06 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-10-20 12:06 UTC] pajoye@php.net
Does it happen with an unpatched PHP? Aka without Suhosin.

Please try using the latest PHP release available from our download page.
 [2012-10-20 14:06 UTC] dispyfree at googlemail dot com
As you could have read above, the PHP versions are all patched with suhosin. I tried the newest PHP from php.net; it didn't work on Ubuntu so I can assume it won't on Debian too.

A downgrade of PHPUnit to 3.7.1 solves the problem for me. However I don't think that's what you'd be satisfied with ;D


Regards,
 [2013-02-18 00:36 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
Last updated: Fri Apr 18 05:03:21 2014 UTC