Bug #64942 Segfault after Cannot declare self-referencing constant
Submitted: 2013-05-29 10:01 UTC
Modified: 2021-01-24 04:22 UTC
From: j_schumann at gmx dot de
Assigned: cmb
Status: No Feedback
Package: Unknown/Other Function
PHP Version: 5.4.15
OS: Ubuntu 10.04.4 LTS
Private report: No
CVE-ID: None

 [2013-05-29 10:01 UTC] j_schumann at gmx dot de
Description:
------------
This is a followup/duplicate to Bug #63669 as this is not mine and was suspended:

I get the same "PHP Fatal error: Cannot declare self-referencing constant" as the opener of #63669. But after this the process dies by a segmentation fault.

Debugging gave me the same error file/line, but I could reduce the number of possible sources: It only happens for me on instantiation of Zend_Validate_File_Count (http://framework.zend.com/svn/framework/standard/trunk/library/Zend/Validate/File/Count.php).


Environment:
PHP 5.4.11
APC 3.1.13 
Apache 2.2.14
Ubuntu 10.04.4 LTS

Test script:
---------------
I cannot provide a reproduction script as this does not always happen, so maybe it is instead an APC problem.

Expected result:
----------------
PHP Shutdown after the fatal error instead of segmentation fault.

Actual result:
--------------
I can provide a backtrace from the coredump (still using 5.4.11, I could produce a newer trace if required):

#0  0x00007fab657aec05 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fab6113c4e4 in xbuf_format_converter (xbuf=0x7fff625433b0, fmt=0x1 <Address 0x1 out of bounds>, ap=0x7fff62542b20)
    at /build/buildd/php5-5.4.11/main/spprintf.c:576
#2  0x00007fab6113d214 in vspprintf (pbuf=0x7fff62543450, max_len=1024, format=0xffffffffffbd1ad6 <Address 0xffffffffffbd1ad6 out of bounds>, ap=0x18)
    at /build/buildd/php5-5.4.11/main/spprintf.c:799
#3  0x00007fab611367a8 in php_error_cb (type=1,
    error_filename=0x7fab56404f80 "/var/www/application/library/Zend/File/Transfer/Adapter/Abstract.php", error_lineno=339,
    format=0x18 <Address 0x18 out of bounds>, args=0x7fff625436c8) at /build/buildd/php5-5.4.11/main/main.c:944
#4  0x00007fab61054710 in soap_error_handler (error_num=1447055232, error_filename=0x20 <Address 0x20 out of bounds>, error_lineno=32683,
    format=0x7fff62543be8 "\020", args=0x7fff62543de0) at /build/buildd/php5-5.4.11/ext/soap/soap.c:2171
#5  0x00007fab611993ec in zend_error (type=1, format=0x7fab6157c5b0 "Cannot declare self-referencing constant '%s'")
    at /build/buildd/php5-5.4.11/Zend/zend.c:1118
#6  0x00007fab6118a896 in zval_update_constant_ex (pp=0x7fab67731270, arg=0xffffffffffbd1ad6, scope=0x0)
    at /build/buildd/php5-5.4.11/Zend/zend_execute_API.c:502
#7  0x00007fab611a6d6a in zend_hash_apply_with_argument (ht=0x7fab67730b40, apply_func=0x7fab6118ad10 <zval_update_constant_inline_change>, argument=0x0)
    at /build/buildd/php5-5.4.11/Zend/zend_hash.c:740
#8  0x00007fab6118a732 in zval_update_constant_ex (pp=0x7fab67732918, arg=0xffffffffffbd1ad6, scope=0x0)
    at /build/buildd/php5-5.4.11/Zend/zend_execute_API.c:683
#9  0x00007fab6119bd8a in zend_update_class_constants (class_type=0x7fab67730f20) at /build/buildd/php5-5.4.11/Zend/zend_API.c:1037
#10 0x00007fab6119c02d in _object_and_properties_init (arg=0x7fab67730910, class_type=0x7fab67730f20, properties=0x0)
    at /build/buildd/php5-5.4.11/Zend/zend_API.c:1124
#11 0x00007fab611ff7d9 in ZEND_NEW_SPEC_HANDLER (execute_data=0x7fab6697a480) at /build/buildd/php5-5.4.11/Zend/zend_vm_execute.h:813
#12 0x00007fab611fa49f in execute (op_array=0x7fab67734dc8) at /build/buildd/php5-5.4.11/Zend/zend_vm_execute.h:410
#13 0x00007fab6119a208 in zend_execute_scripts (type=1178393146, retval=0x3, file_count=2049551044) at /build/buildd/php5-5.4.11/Zend/zend.c:1315
#14 0x00007fab611397e3 in php_execute_script (primary_file=0x0) at /build/buildd/php5-5.4.11/main/main.c:2492
#15 0x00007fab6124293d in php_handler (r=0x7fab6124293d) at /build/buildd/php5-5.4.11/sapi/apache2handler/sapi_apache2.c:682
#16 0x00007fab66527508 in ap_run_handler ()
#17 0x00007fab6652797e in ap_invoke_handler ()
#18 0x00007fab66536bdc in ap_internal_redirect ()
#19 0x00007fab5f45d5e5 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#20 0x00007fab66527508 in ap_run_handler ()
#21 0x00007fab6652797e in ap_invoke_handler ()
#22 0x00007fab66537570 in ap_process_request ()
#23 0x00007fab66534398 in ?? ()
#24 0x00007fab6652dfa8 in ap_run_process_connection ()
#25 0x00007fab6653c1d0 in ?? ()
#26 0x00007fab6653c93a in ?? ()
#27 0x00007fab6653d4e7 in ap_mpm_run ()
#28 0x00007fab665124a4 in main ()

From my amateur view it looks like zend_error is called without the constant name, which causes the segfault instead of an E_ERROR being thrown.
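
A triage helper for the backtrace above, as an added example that is not part of the original report or of PHP's own tooling: it parses gdb frames and reports the outermost frame whose pointer arguments gdb marked "out of bounds", together with its caller. The function names are hypothetical; the sample input is copied from frames #1 to #5 of the 5.4.11 backtrace.

```python
import re

# Frames #1-#5 copied from the 5.4.11 backtrace in the report above.
SAMPLE = r"""
#1  0x00007fab6113c4e4 in xbuf_format_converter (xbuf=0x7fff625433b0, fmt=0x1 <Address 0x1 out of bounds>, ap=0x7fff62542b20)
    at /build/buildd/php5-5.4.11/main/spprintf.c:576
#2  0x00007fab6113d214 in vspprintf (pbuf=0x7fff62543450, max_len=1024, format=0xffffffffffbd1ad6 <Address 0xffffffffffbd1ad6 out of bounds>, ap=0x18)
    at /build/buildd/php5-5.4.11/main/spprintf.c:799
#3  0x00007fab611367a8 in php_error_cb (type=1,
    error_filename=0x7fab56404f80 "/var/www/application/library/Zend/File/Transfer/Adapter/Abstract.php", error_lineno=339,
    format=0x18 <Address 0x18 out of bounds>, args=0x7fff625436c8) at /build/buildd/php5-5.4.11/main/main.c:944
#4  0x00007fab61054710 in soap_error_handler (error_num=1447055232, error_filename=0x20 <Address 0x20 out of bounds>, error_lineno=32683,
    format=0x7fff62543be8 "\020", args=0x7fff62543de0) at /build/buildd/php5-5.4.11/ext/soap/soap.c:2171
#5  0x00007fab611993ec in zend_error (type=1, format=0x7fab6157c5b0 "Cannot declare self-referencing constant '%s'")
    at /build/buildd/php5-5.4.11/Zend/zend.c:1118
"""

FRAME_START = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(")
BAD_PTR = re.compile(r"(\w+)=(0x[0-9a-f]+) <Address 0x[0-9a-f]+ out of bounds>")

def parse_frames(text):
    """Split gdb 'bt' output into frames, joining wrapped continuation lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_START.match(line)
        if m:
            frames.append({"num": int(m.group(1)), "func": m.group(2), "text": line.strip()})
        elif frames and line.strip():
            frames[-1]["text"] += " " + line.strip()
    return frames

def bad_pointers(frame):
    """(argument, address) pairs that gdb annotated as unreadable."""
    return BAD_PTR.findall(frame["text"])

def corruption_boundary(frames):
    """Outermost frame with unreadable pointer arguments, plus its caller.
    Argument values in optimized builds can be stale, so this is a lead only."""
    flagged = [f for f in frames if bad_pointers(f)]
    if not flagged:
        return None
    outer = max(flagged, key=lambda f: f["num"])
    caller = next((f for f in frames if f["num"] == outer["num"] + 1), None)
    return outer, caller

if __name__ == "__main__":
    outer, caller = corruption_boundary(parse_frames(SAMPLE))
    print("unreadable args up to:", outer["func"], bad_pointers(outer))
    print("caller with readable args:", caller["func"] if caller else None)
```

On this sample the boundary falls between soap_error_handler (frame #4) and zend_error (frame #5), whose format argument is still a readable string.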

 [2013-06-06 21:54 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2013-06-06 21:54 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-06-10 16:56 UTC] j_schumann at gmx dot de
-Status: Feedback +Status: Open
 [2013-06-10 16:56 UTC] j_schumann at gmx dot de
I'm sorry, as stated in the OP I'm unable to give a reproduction script as this problem does not occur on all requests.

I could produce a new backtrace for 5.4.15 for the same issue (and same code) which looks completely different:

#0  _zend_mm_free_int (heap=0x7f1afbdda410, p=0x7f1afcfb78b0) at /build/buildd/php5-5.4.15/Zend/zend_alloc.c:2100
#1  0x00007f1af4f88085 in zend_hash_destroy (ht=0x7f1afcfb7180) at /build/buildd/php5-5.4.15/Zend/zend_hash.c:563
#2  0x00007f1af4f78cdb in _zval_dtor_func (zvalue=0x7f1afcfb71d8) at /build/buildd/php5-5.4.15/Zend/zend_variables.c:45
#3  0x00007f1af4f6ab4a in _zval_dtor (zvalue=<optimized out>) at /build/buildd/php5-5.4.15/Zend/zend_variables.h:35
#4  _zval_ptr_dtor (zval_ptr=0x7f1afcfbb9d8) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#5  _zval_ptr_dtor (zval_ptr=0x7f1afcfbb9d8) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#6  0x00007f1af4f9b487 in zend_object_std_dtor (object=0x7f1afcfb6fc0) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:54
#7  0x00007f1af4f9b4b9 in zend_objects_free_object_storage (object=0x7f1afcfb6fc0) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:137
#8  0x00007f1af4fa156f in zend_objects_store_del_ref_by_handle_ex (handle=781, handlers=<optimized out>)
    at /build/buildd/php5-5.4.15/Zend/zend_objects_API.c:221
#9  0x00007f1af4fa1593 in zend_objects_store_del_ref (zobject=0x7f1afcfb7040) at /build/buildd/php5-5.4.15/Zend/zend_objects_API.c:173
#10 0x00007f1af4f6ab4a in _zval_dtor (zvalue=<optimized out>) at /build/buildd/php5-5.4.15/Zend/zend_variables.h:35
#11 _zval_ptr_dtor (zval_ptr=0x7f1afcfbbb18) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#12 _zval_ptr_dtor (zval_ptr=0x7f1afcfbbb18) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#13 0x00007f1af4f88038 in zend_hash_destroy (ht=0x7f1afcfb4348) at /build/buildd/php5-5.4.15/Zend/zend_hash.c:560
#14 0x00007f1af4f78cdb in _zval_dtor_func (zvalue=0x7f1afcfb42a8) at /build/buildd/php5-5.4.15/Zend/zend_variables.c:45
#15 0x00007f1af4f6ab4a in _zval_dtor (zvalue=<optimized out>) at /build/buildd/php5-5.4.15/Zend/zend_variables.h:35
#16 _zval_ptr_dtor (zval_ptr=0x7f1afcf45730) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#17 _zval_ptr_dtor (zval_ptr=0x7f1afcf45730) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#18 0x00007f1af4f9b487 in zend_object_std_dtor (object=0x7f1afcfa2ec0) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:54
#19 0x00007f1af4f9b4b9 in zend_objects_free_object_storage (object=0x7f1afcfa2ec0) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:137
#20 0x00007f1af4fa156f in zend_objects_store_del_ref_by_handle_ex (handle=777, handlers=<optimized out>)
    at /build/buildd/php5-5.4.15/Zend/zend_objects_API.c:221
#21 0x00007f1af4fa1593 in zend_objects_store_del_ref (zobject=0x7f1afcfa34a8) at /build/buildd/php5-5.4.15/Zend/zend_objects_API.c:173
#22 0x00007f1af4f6ab4a in _zval_dtor (zvalue=<optimized out>) at /build/buildd/php5-5.4.15/Zend/zend_variables.h:35
#23 _zval_ptr_dtor (zval_ptr=0x7f1afcfbd030) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:438
#24 _zval_ptr_dtor (zval_ptr=0x7f1afcfbd030) at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:427
#25 0x00007f1af4f88038 in zend_hash_destroy (ht=0x7f1afcfb6a58) at /build/buildd/php5-5.4.15/Zend/zend_hash.c:560
#26 0x00007f1af4f9b42c in zend_object_std_dtor (object=0x7f1afcfa1568) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:44
#27 0x00007f1af4f9b4b9 in zend_objects_free_object_storage (object=0x7f1afcfa1568) at /build/buildd/php5-5.4.15/Zend/zend_objects.c:137
#28 0x00007f1af4fa10cf in zend_objects_store_free_object_storage (objects=0x7f1af56db3c0) at /build/buildd/php5-5.4.15/Zend/zend_objects_API.c:92
#29 0x00007f1af4f6b0a3 in shutdown_executor () at /build/buildd/php5-5.4.15/Zend/zend_execute_API.c:297
#30 0x00007f1af4f79cd5 in zend_deactivate () at /build/buildd/php5-5.4.15/Zend/zend.c:938
#31 0x00007f1af4f19657 in php_request_shutdown (dummy=<optimized out>) at /build/buildd/php5-5.4.15/main/main.c:1800
#32 0x00007f1af5024167 in php_apache_request_dtor (r=<optimized out>) at /build/buildd/php5-5.4.15/sapi/apache2handler/sapi_apache2.c:520
#33 php_handler (r=0x7f1af63cc3e0) at /build/buildd/php5-5.4.15/sapi/apache2handler/sapi_apache2.c:697
#34 0x00007f1afa359508 in ap_run_handler ()
#35 0x00007f1afa35997e in ap_invoke_handler ()
#36 0x00007f1afa368bdc in ap_internal_redirect ()
#37 0x00007f1af32275e5 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#38 0x00007f1afa359508 in ap_run_handler ()
#39 0x00007f1afa35997e in ap_invoke_handler ()
#40 0x00007f1afa369570 in ap_process_request ()
#41 0x00007f1afa366398 in ?? ()
#42 0x00007f1afa35ffa8 in ap_run_process_connection ()
#43 0x00007f1afa36e1d0 in ?? ()
#44 0x00007f1afa36e93a in ?? ()
#45 0x00007f1afa36f4e7 in ap_mpm_run ()
#46 0x00007f1afa3444a4 in main ()
 [2021-01-13 14:05 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-01-13 14:05 UTC] cmb@php.net
> […], so maybe it is instead an APC problem.

Not unlikely, and APC is superseded by OPcache anyway[1].  Can
you still reproduce the segfault with any of the actively
supported PHP versions[2]?

[1] <https://pecl.php.net/package/APC>
[2] <https://www.php.net/supported-versions.php>
 [2021-01-24 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Sun Oct 02 10:05:51 2022 UTC