Bug #64913 Segfault in zend_hash_find
Submitted: 2013-05-24 06:21 UTC Modified: 2016-07-25 09:59 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: slusarz at curecanti dot org Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.15 OS: Linux
Private report: No CVE-ID: None
 [2013-05-24 06:21 UTC] slusarz at curecanti dot org
Description:
------------
(Mostly) reproducible segfault:

[353713.319612] php-fpm[24273]: segfault at 30 ip 0000000000742b28 sp 00007fff3f5f3950 error 4 in php-fpm[400000+970000]

Verified occurring if either APC, ZendOPcache, or neither is active.

Appears to be happening in shutdown code.  Main actions in code are successful, but a valid response is never sent back to the browser.

Test script:
---------------
Script causing segfault is Spam message reporting in IMP (http://www.horde.org/imp/).  90% of time script crashes, although spam reporting is successful.  However, 10% of time script is successful with no segfault.  Additionally, saw this for months, upgraded OS (using Arch Linux) - had no issues for a month.  Recently rebooted (after several further upgrades) and am seeing again.

Actual result:
--------------
Core was generated by `php-fpm: pool www          '.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000742b28 in zend_hash_find (ht=0x2ef2358,
    arKey=arKey@entry=0xc13e40 "stream", nKeyLength=nKeyLength@entry=7,
    pData=pData@entry=0x7fff3f5f39e8)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:924
924             p = ht->arBuckets[nIndex];
(gdb) bt full
#0  0x0000000000742b28 in zend_hash_find (ht=0x2ef2358,
    arKey=arKey@entry=0xc13e40 "stream", nKeyLength=nKeyLength@entry=7,
    pData=pData@entry=0x7fff3f5f39e8)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:924
        h = 229483039115121
        nIndex = 0
        p = <optimized out>
#1  0x00000000006b0b30 in userfilter_filter (stream=0x3072540,
    thisfilter=<optimized out>, buckets_in=0x7fff3f5f3aa0,
    buckets_out=0x7fff3f5f3ab0, bytes_consumed=0x7fff3f5f3a98, flags=2)
    at /disk2/src/php-5.4.15/ext/standard/user_filters.c:183
        ret = 0
        obj = 0x2ef96d0
        func_name = {value = {lval = 49225688, dval = 2.43207213336997e-316,
            str = {val = 0x2ef1fd8 "\220\376\355\002", len = 3},
            ht = 0x2ef1fd8, obj = {handle = 49225688, handlers = 0x3}},
          refcount__gc = 24, type = 0 '\000', is_ref__gc = 0 '\000'}
        retval = 0x0
        args = {0x0, 0x7f3c4d876770, 0x7f3c4d876808,
          0x75a5c4 <zend_objects_store_del_ref_by_handle_ex+564>}
        zclosing = 0x710c48 <_zend_mm_free_int+200>
        zconsumed = 0x2ef5058
        zin = 0x710c48 <_zend_mm_free_int+200>
        zout = 0x2f75eb0
        zstream = 0x710c48 <_zend_mm_free_int+200>
        zpropname = {value = {lval = 49225688, dval = 2.43207213336997e-316,
            str = {val = 0x2ef1fd8 "\220\376\355\002", len = 7408712},
            ht = 0x2ef1fd8, obj = {handle = 49225688,
              handlers = 0x710c48 <_zend_mm_free_int+200>}},
          refcount__gc = 49349512, type = 0 '\000', is_ref__gc = 0 '\000'}
        call_result = <optimized out>
#2  0x00000000006eeff4 in _php_stream_write_filtered (
    stream=stream@entry=0x3072540, buf=buf@entry=0x0, count=count@entry=0,
    flags=2) at /disk2/src/php-5.4.15/main/streams/streams.c:1177
        consumed = 0
        bucket = <optimized out>
        brig_in = {head = 0x0, tail = 0x0}
        brig_out = {head = 0x0, tail = 0x0}
        brig_inp = 0x7fff3f5f3aa0
        brig_outp = 0x7fff3f5f3ab0
        brig_swap = <optimized out>
        status = PSFS_ERR_FATAL
        filter = 0x2efb298
#3  0x00000000006f065c in _php_stream_flush (stream=0x3072540,
    closing=<optimized out>)
    at /disk2/src/php-5.4.15/main/streams/streams.c:1226
No locals.
#4  0x00000000006f224a in _php_stream_free (stream=<optimized out>,
    close_options=11) at /disk2/src/php-5.4.15/main/streams/streams.c:461
        ret = 1
        preserve_handle = 0
        release_cast = 1
        context = 0x0
#5  0x00000000006f2521 in stream_resource_regular_dtor (rsrc=<optimized out>)
    at /disk2/src/php-5.4.15/main/streams/streams.c:1616
        stream = <optimized out>
#6  0x000000000074404e in list_entry_destructor (ptr=0x2efa320)
    at /disk2/src/php-5.4.15/Zend/zend_list.c:183
        le = 0x2efa320
        ld = 0x27aaae0
#7  0x0000000000741efe in zend_hash_del_key_or_index (
    ht=0xfa0410 <executor_globals+656>, arKey=arKey@entry=0x0,
    nKeyLength=nKeyLength@entry=0, h=h@entry=89, flag=flag@entry=1)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:531
        nIndex = <optimized out>
        p = 0x2efa360
#8  0x00000000007441f7 in _zend_list_delete (id=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_list.c:57
        le = 0x2efa320
#9  0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#10 _zval_ptr_dtor (zval_ptr=0x2ef7d80)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2ef7d80
#11 0x0000000000754917 in zend_object_std_dtor (object=0x2ef4810)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:54
        i = 2
#12 0x0000000000754949 in zend_objects_free_object_storage (object=0x2ef4810)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:137
No locals.
#13 0x000000000075a5c4 in zend_objects_store_del_ref_by_handle_ex (handle=259,
    handlers=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:221
        __orig_bailout = 0x7fff3f5f3e20
        __bailout = {{__jmpbuf = {49237376, -7765129602178683652, 49376136,
              139896975484784, 139896975484936, 139896975484496,
              7764993663327071484, -7765135061082247940},
            __mask_was_saved = 0, __saved_mask = {__val = {7408712, 49732072,
                7408712, 49403632, 16385040, 90, 49262568, 0, 7408712,
                49348960, 49348616, 0, 7408712, 49348568, 7408712, 49349168}}}}
        obj = 0x7f3c4d89b8c0
        failure = 0
#14 0x000000000075a5e3 in zend_objects_store_del_ref (zobject=0x2ef4d80)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:173
        handle = <optimized out>
#15 0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#16 _zval_ptr_dtor (zval_ptr=0x2f13e78)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2f13e78
#17 0x0000000000742008 in zend_hash_destroy (ht=0x2f12500)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:560
        p = 0x2f16b88
        q = 0x2f13e60
#18 0x0000000000734172 in _zval_dtor_func (zvalue=0x2f10358)
    at /disk2/src/php-5.4.15/Zend/zend_variables.c:45
No locals.
#19 0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#20 _zval_ptr_dtor (zval_ptr=0x2f0ef58)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2f0ef58
#21 0x0000000000754917 in zend_object_std_dtor (object=0x2ef0bf8)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:54
        i = 7
#22 0x0000000000754949 in zend_objects_free_object_storage (object=0x2ef0bf8)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:137
No locals.
#23 0x000000000075a1a8 in zend_objects_store_free_object_storage (
    objects=0xfa0540 <executor_globals+960>)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:92
        obj = <optimized out>
        i = 255
#24 0x0000000000726e8a in shutdown_executor ()
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:297
        __orig_bailout = 0x7fff3f5f4290
        __bailout = {{__jmpbuf = {45348848, -7765133929708458756, 1,
              139896975484784, 139896975484936, 139896975484496,
              7764993663387888892, -7765135110167925508},
            __mask_was_saved = 0, __saved_mask = {__val = {8, 0, 7408712,
                139896975728504, 7408712, 139895674765312, 50744240, 44795704,
                7408712, 49366816, 44795704, 0, 44253864, 16382864, 16382864,
                1}}}}
#25 0x0000000000735076 in zend_deactivate ()
    at /disk2/src/php-5.4.15/Zend/zend.c:938
No locals.
#26 0x00000000006d8a20 in php_request_shutdown (dummy=dummy@entry=0x0)
    at /disk2/src/php-5.4.15/main/main.c:1800
        report_memleaks = 1 '\001'
#27 0x0000000000435a51 in main (argc=<optimized out>, argv=<optimized out>)
    at /disk2/src/php-5.4.15/sapi/fpm/fpm/fpm_main.c:1952
        primary_script = <optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -7765135777435554564, 70, 4294967295,
              4294967295, 0, 7764993662408518908, -7765135255906882308},
            __mask_was_saved = 0, __saved_mask = {__val = {
                0 <repeats 16 times>}}}}
        exit_status = 0
        c = <optimized out>
        use_extended_info = 0
        file_handle = {type = ZEND_HANDLE_MAPPED,
          filename = 0x7f3c4d877818 " \237}\002", opened_path = 0x0, handle = {
            fd = 1300922880, fp = 0x7f3c4d8a8200, stream = {
              handle = 0x7f3c4d8a8200, isatty = 0, mmap = {len = 2713,
                pos = 0, map = 0x0,
                buf = 0x7f3c4d8db000 <Address 0x7f3c4d8db000 out of bounds>,
                old_handle = 0x0, old_closer = 0x0},
              reader = 0x6efe80 <_php_stream_read>,
              fsizer = 0x6d6960 <php_zend_stream_fsizer>,
              closer = 0x6d6940 <php_zend_stream_mmap_closer>}},
          free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <optimized out>
        max_requests = 0
        requests = 200
        fcgi_fd = <optimized out>
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0,
          in_len = 0, in_pad = 0, out_hdr = 0x7fff3f5f4460,
          out_pos = 0x7fff3f5f475e "n line 835\nPHP message: PHP Strict Standards:  Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /httpd/s9y/include/plugin_api.inc.php on line 542\nPHP message:"...,
          out_buf = "\001\006\000\001\f\267\001\000Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Type: application/json\r\nContent-Encoding: gzip\r"..., reserved = '\000' <repeats 15 times>, env = 0x7f3c4d876040}
        fpm_config = 0x0
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = <optimized out>
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"

 [2013-06-06 22:03 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2013-06-06 22:03 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2013-06-11 04:54 UTC] slusarz at curecanti dot org
-Status: Feedback +Status: Open
 [2013-06-11 04:54 UTC] slusarz at curecanti dot org
We discovered the PHP code that was triggering the segfault.  In factory code initializing an SMTP object, this code:

$ob->getSMTPObject()->setDebug(true, array($this, 'smtpDebug'));

was causing the segfault.  The smtpDebug method accessed a protected member variable of $this that was a stream resource to a file.

Adding a register_shutdown_function() to code that explicitly closes the stream resource fixed the issue.

See: https://github.com/horde/horde/commit/b6fe1f8143ef9e769e708f40b82bc83db30f4132#imp/lib/Factory/Mail.php

Since I have no way of testing the broken code anymore, this bug should be closed.
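As an added illustration of the workaround described in the comment above (this is not the reporter's code and not Horde's; the SmtpClient stand-in, the MailFactory class, the method names and the log path are assumptions made for the example), the script below keeps a debug log stream as a protected member, hands a method on the same object to the SMTP client as its debug callback, and registers a shutdown function that closes the stream explicitly:

```php
<?php
// Added example: not code from the bug report or from Horde/IMP.
// Assumed names: SmtpClient, MailFactory, smtpDebug(), closeDebugStream()
// and the log path are illustrative only.

// Minimal stand-in for an SMTP client that accepts a debug callback.
class SmtpClient
{
    private $debugCallback = null;

    public function setDebug($enable, $callback = null)
    {
        $this->debugCallback = $enable ? $callback : null;
    }

    public function send($recipient)
    {
        if ($this->debugCallback !== null) {
            call_user_func($this->debugCallback, 'RCPT TO:<' . $recipient . '>');
        }
        return true;
    }
}

class MailFactory
{
    /** @var resource|null file stream that receives SMTP debug output */
    protected $debugStream = null;
    private $smtp;

    public function __construct($logPath)
    {
        $this->debugStream = fopen($logPath, 'ab');
        $this->smtp = new SmtpClient();

        // Same shape as the call in the report: a method on $this is handed to
        // the client as the debug callback, so the callback reaches the
        // protected stream resource through $this.
        $this->smtp->setDebug(true, array($this, 'smtpDebug'));

        // Shutdown functions run at the start of php_request_shutdown(),
        // before object destructors and the resource list are torn down, so
        // the stream is closed while everything it depends on is still valid.
        register_shutdown_function(array($this, 'closeDebugStream'));
    }

    public function getSMTPObject()
    {
        return $this->smtp;
    }

    public function smtpDebug($message)
    {
        if (is_resource($this->debugStream)) {
            fwrite($this->debugStream, date('c') . ' ' . $message . "\n");
        }
    }

    public function closeDebugStream()
    {
        if (is_resource($this->debugStream)) {
            fclose($this->debugStream);
        }
        $this->debugStream = null;
    }
}

// Assumed log location; any writable path works.
$factory = new MailFactory(sys_get_temp_dir() . '/smtp-debug.log');
$factory->getSMTPObject()->send('user@example.com');
// No explicit fclose() here: closeDebugStream() runs at request shutdown.
```

The point of the shutdown function is ordering. The backtrace in the report shows the crash under php_request_shutdown → zend_deactivate → shutdown_executor, that is, during the engine's own teardown of objects and the resource list, where the stream is flushed after state it depends on has already been released. A register_shutdown_function() callback runs at the beginning of php_request_shutdown(), before that teardown starts, so closing the stream there takes it out of the later cleanup entirely.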
 [2016-07-25 09:59 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-07-25 09:59 UTC] cmb@php.net
Closing on request of reporter.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Apr 24 23:01:34 2024 UTC