Bug #65451 Segmentation fault on compiling the script
Submitted: 2013-08-14 17:09 UTC Modified: 2013-10-15 11:54 UTC
From: chupaka at gmail dot com
Assigned:
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.5.1
OS: Fedora 19
Private report: No
CVE-ID: None

 [2013-08-14 17:09 UTC] chupaka at gmail dot com
Description:
------------
I faced the problem after upgrading from php-5.3 to php-5.4, and now it continues 
in php-5.5 on Apache 2.4.6.

The script (thumb.php) works correctly almost all the time (clients open the webpage 
normally), but in the Apache logs, there are messages:
[Wed Aug 14 19:33:31.106671 2013] [core:notice] [pid 9968] AH00052: child pid 
21804 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106736 2013] [core:notice] [pid 9968] AH00052: child pid 
23371 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106762 2013] [core:notice] [pid 9968] AH00052: child pid 
23373 exit signal Segmentation fault (11)


Test script:
---------------
thumb.php (it's the only file I saw so far that provokes segfaults):

<?
  if (!isset($_GET['m'], $_GET['n'])) {
    echo "No parameters in thumb.php, _GET is ".var_export($_GET, true)."!";
    die();
  }
  $m = (integer)$_GET['m'];
  $n = (integer)$_GET['n'];
  
  $dn = (floor($m / 100))."/";
  $fn = $dn."$m-$n.jpg";
  if (!file_exists($fn)) die("No frame found!");
  if (!file_exists("thumbs/".$fn) or (filemtime($fn) > filemtime("thumbs/".$fn)) or (filesize("thumbs/".$fn) == 0)) {
    if (!file_exists("thumbs/".$dn)) mkdir("thumbs/".$dn);
    
    $img = imagecreatefromjpeg($fn);
    $size = getimagesize($fn);
    $nimg = imagecreatetruecolor(80, 40);
    imagecopyresampled($nimg, $img, 0, 0, 0, 0, 80, 40, $size[0], $size[1]);
    imagejpeg($nimg, "thumbs/".$fn, 85);
  }
  
  readfile("thumbs/".$fn);
?>

Expected result:
----------------
No Segmentation faults

Actual result:
--------------
gdb attached to a child shows this after failure:

Program received signal SIGSEGV, Segmentation fault.
0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
42              stack->elements[stack->top] = (void *) emalloc(size);
(gdb) backtrace
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, 
type=type@entry=2)
    at Zend/zend_language_scanner.l:586
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, 
retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
(gdb) backtrace full
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
No locals.
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, 
type=type@entry=2)
    at Zend/zend_language_scanner.l:586
        original_lex_state = {yy_leng = 0, yy_start = 0x0, yy_text = 0x0, 
yy_cursor = 0x0, yy_marker = 0x0,
          yy_limit = 0x0, yy_state = 0, state_stack = {top = 0, max = 0, 
elements = 0x0},
          heredoc_label_stack = {top = 0, max = 0, elements = 0x0, top_element = 
0x0, persistent = 0 '\000'},
          in = 0x0, lineno = 0, filename = 0x0, script_org = 0x0, 
script_org_size = 0, script_filtered = 0x0,
          script_filtered_size = 0, input_filter = 0x0, output_filter = 0x0, 
script_encoding = 0x0}
        op_array = 0xb662112c
        original_active_op_array = 0x0
        retval = 0xb662112c
        compiler_result = <optimized out>
        compilation_successful = 0 '\000'
        retval_znode = {op_type = 1, u = {op = {constant = 1, var = 1, num = 1, 
hash = 1, opline_num = 1,
              jmp_addr = 0x1, zv = 0x1, literal = 0x1, ptr = 0x1}, constant = 
{value = {lval = 1,
                dval = -1.4312713536766795e+179, str = {val = 0x1 <Address 0x1 
out of bounds>,
                  len = -450778880}, ht = 0x1, obj = {handle = 1, handlers = 
0xe521a900}}, refcount__gc = 1,
              type = 1 '\001', is_ref__gc = 0 '\000'}, op_array = 0x1}, EA = 
3073921433}
        original_in_compilation = 0 '\000'
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
        res = 0xb6621b88
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, 
retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
        files = 0xbfa206d0 "\031P-·QQ-·"
        i = 0
        file_handle = 0xbfa206f8
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_MAPPED,
          filename = 0xb9939f30 
"/var/www/system/video.infolan.by/frames/thumb.php",
          opened_path = 0xb6621204 
"/var/www/system/video.infolan.by/frames/thumb.php", handle = {
            fd = -1235086660, fp = 0xb66212bc, stream = {handle = 0xb66212bc, 
isatty = 0, mmap = {len = 745,
                pos = 0, map = 0x0,
                buf = 0xb70a6000 "<?\n  if (!isset($_GET['m'], $_GET['n'])) {\n    
echo \"No parameters in thumb.php, _GET is \".var_export($_GET, true).\"!\";\n    
die();\n  }\n  $m = (integer)$_GET['m'];\n  $n = (integer)$_GET['n'];\n  \n  $dn 
"..., old_handle = 0x0, old_closer = 0x0}, reader = 0xb69f5690 
<_php_stream_read>,
              fsizer = 0xb69da0a0 <php_zend_stream_fsizer>,
              closer = 0xb69da060 <php_zend_stream_mmap_closer>}}, free_filename 
= 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1228988416, -1183831224, -1229662672, 
-1181512632, -1770762997,
              -1917897447}, __mask_was_saved = 0, __saved_mask = {__val = 
{3111136096, 3113461616,
                3071472077, 3071483740, 3111264800, 3113454664, 3071483904, 
3071473021, 3109372568, 1,
                3073921433, 3070734156, 3113454664, 3111265368, 3109399248, 
3070717099, 3113454600,
                4294967295, 3073885849, 3070496172, 3113454664, 4294967295, 
3113454664, 3070442654,
                3113457088, 3070480937, 3109424016, 3844188416, 3113454664, 
3109424016, 3070279966,
                3064982056}}}}
        ctx = 0xb9950f08
        conf = <optimized out>
        brigade = 0xb9969368
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0xb994f3f8


History

 [2013-08-15 17:15 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2013-08-15 17:15 UTC] ab@php.net
About the reproduce script - any chance to get rid of GET parameters and 
external file dependency? Whereby it might not be that important as it crashes 
just compiling.

I've just tried on Windows and Ubuntu (with and without dtrace), no crash. Maybe 
that's the dtrace version, dunno. Is it reproducible if you compile without dtrace 
support, could you please try?
 [2013-09-18 12:26 UTC] tim at bortnik dot org
A similar problem was caused by APC for me.
Increased apc.shm_size up to 512M (that may vary in different setups) and it is 
gone.
 [2013-10-15 11:54 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 