Bug #65510 5.5.2 crashes in _get_zval_ptr_ptr_var
Submitted: 2013-08-22 16:16 UTC Modified: 2013-08-29 08:09 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: php at cscott dot net Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 5.5.2 OS: Debian Linux
Private report: No CVE-ID:
 [2013-08-22 16:16 UTC] php at cscott dot net
Description:
------------
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720433

Package: libapache2-mod-php5
Version: 5.5.2+dfsg-1
Severity: important

After upgrading php and apache this afternoon, I receive many segfaults
from my local MediaWiki installation. Downgrading libapache2-mod-php5
and the various php5-* packages to 5.5.1+dfsg-2 fixes the problem.

For example, loading the following URL from my mediawiki installation reliably
causes a segfault:
http://localhost/~cananian/mediawiki/load.php?debug=false&lang=en&modules=ext.visualEditor.core%2Cexperimental%2Cicons-vector%2CspecialMessages%7Cext.visualEditor.viewPageTarget.icons-vector%7Cjquery.uls%7Cjquery.uls.compact%2Cdata%2Cgrid%7Crangy&skin=vector&version=20130822T035438Z&*


Expected result:
----------------
The request should succeed.

Actual result:
--------------
Backtrace:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
_get_zval_ptr_ptr_var (should_free=<synthetic pointer>, execute_data=0x7faba65d4990, var=<optimized out>) at /tmp/buildd/php5-5.5.2+dfsg/Zend/zend_execute.c:384
384     /tmp/buildd/php5-5.5.2+dfsg/Zend/zend_execute.c: No such file or directory.
(gdb) bt
#0  _get_zval_ptr_ptr_var (should_free=<synthetic pointer>, execute_data=0x7faba65d4990, var=<optimized out>) at /tmp/buildd/php5-5.5.2+dfsg/Zend/zend_execute.c:384
#1  ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x7faba65d4990) at /tmp/buildd/php5-5.5.2+dfsg/Zend/zend_vm_execute.h:14783
#2  0x00007faba3a3e578 in execute_ex (execute_data=0x7faba65d4990) at /tmp/buildd/php5-5.5.2+dfsg/Zend/zend_vm_execute.h:356
#3  0x00007faba3a163b0 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /tmp/buildd/php5-5.5.2+dfsg/Zend/zend.c:1316
#4  0x00007faba39b67f5 in php_execute_script (primary_file=primary_file@entry=0x7fff6285dff0) at /tmp/buildd/php5-5.5.2+dfsg/main/main.c:2484
#5  0x00007faba3ac651a in php_handler (r=<optimized out>) at /tmp/buildd/php5-5.5.2+dfsg/sapi/apache2handler/sapi_apache2.c:667
#6  0x00007faba6700350 in ap_run_handler (r=0x7faba64b40a0) at config.c:175
#7  0x00007faba67008a9 in ap_invoke_handler (r=r@entry=0x7faba64b40a0) at config.c:445
#8  0x00007faba67156fa in ap_process_async_request (r=0x7faba64b40a0) at http_request.c:317
#9  0x00007faba67159e4 in ap_process_request (r=r@entry=0x7faba64b40a0) at http_request.c:363
#10 0x00007faba6712492 in ap_process_http_sync_connection (c=0x7faba64b8290) at http_core.c:190
#11 ap_process_http_connection (c=0x7faba64b8290) at http_core.c:231
#12 0x00007faba6709420 in ap_run_process_connection (c=0x7faba64b8290) at connection.c:41
#13 0x00007faba6709808 in ap_process_connection (c=c@entry=0x7faba64b8290, csd=<optimized out>) at connection.c:202
#14 0x00007faba419e767 in child_main (child_num_arg=child_num_arg@entry=0) at prefork.c:704
#15 0x00007faba419e9a6 in make_child (s=0x7faba666be30, slot=slot@entry=0) at prefork.c:800
#16 0x00007faba419ea06 in startup_children (number_to_start=5) at prefork.c:818
#17 0x00007faba419f6f0 in prefork_run (_pconf=<optimized out>, plog=0x7faba6665028, s=0x7faba666be30) at prefork.c:976
#18 0x00007faba66e75ee in ap_run_mpm (pconf=0x7faba669f028, plog=0x7faba6665028, s=0x7faba666be30) at mpm_common.c:96
#19 0x00007faba66e0df6 in main (argc=3, argv=0x7fff6285e718) at main.c:777
(gdb)

-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
cli
apache2

++++ PHP 5 Extensions (php5query -M -v): ++++
pdo_mysql (Enabled for cli by maintainer script)
pdo_mysql (Enabled for apache2 by maintainer script)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for apache2 by maintainer script)
intl (Enabled for cli by maintainer script)
intl (Enabled for apache2 by maintainer script)
pdo_pgsql (Enabled for cli by maintainer script)
pdo_pgsql (Enabled for apache2 by maintainer script)
mysql (Enabled for cli by maintainer script)
mysql (Enabled for apache2 by maintainer script)
readline (Enabled for cli by local administrator)
readline (Enabled for apache2 by local administrator)
curl (Enabled for cli by maintainer script)
curl (Enabled for apache2 by maintainer script)
mcrypt (Enabled for cli by maintainer script)
mcrypt (Enabled for apache2 by maintainer script)
opcache (Enabled for cli by maintainer script)
opcache (Enabled for apache2 by maintainer script)
gd (Enabled for cli by maintainer script)
gd (Enabled for apache2 by maintainer script)
pgsql (Enabled for cli by maintainer script)
pgsql (Enabled for apache2 by maintainer script)
json (Enabled for cli by local administrator)
json (Enabled for apache2 by local administrator)
mysqli (Enabled for cli by maintainer script)
mysqli (Enabled for apache2 by maintainer script)

++++ Configuration files: ++++
[PHP]
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[intl]
[sqlite]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQL]
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatibility_mode = Off
mssql.secure_connection = Off
[Assertion]
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
[curl]

**** /etc/php5/apache2/conf.d/20-mysql.ini ****
extension=mysql.so

**** /etc/php5/apache2/conf.d/20-gd.ini ****
extension=gd.so

**** /etc/php5/apache2/conf.d/20-mcrypt.ini ****
extension=mcrypt.so

**** /etc/php5/apache2/conf.d/20-readline.ini ****
extension=readline.so

**** /etc/php5/apache2/conf.d/05-opcache.ini ****
zend_extension=opcache.so

**** /etc/php5/apache2/conf.d/20-pgsql.ini ****
extension=pgsql.so

**** /etc/php5/apache2/conf.d/20-mysqli.ini ****
extension=mysqli.so

**** /etc/php5/apache2/conf.d/20-pdo_mysql.ini ****
extension=pdo_mysql.so

**** /etc/php5/apache2/conf.d/10-pdo.ini ****
extension=pdo.so

**** /etc/php5/apache2/conf.d/20-pdo_pgsql.ini ****
extension=pdo_pgsql.so

**** /etc/php5/apache2/conf.d/20-curl.ini ****
extension=curl.so

**** /etc/php5/apache2/conf.d/20-intl.ini ****
extension=intl.so

**** /etc/php5/apache2/conf.d/20-json.ini ****
extension=json.so


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (102, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10.4 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2                             2.4.6-3
ii  apache2-bin [apache2-api-20120211]  2.4.6-3
ii  libbz2-1.0                          1.0.6-5
ii  libc6                               2.17-92
ii  libcomerr2                          1.42.8-1
ii  libdb5.1                            5.1.29-7
ii  libgssapi-krb5-2                    1.10.1+dfsg-6.1
ii  libk5crypto3                        1.10.1+dfsg-6.1
ii  libkrb5-3                           1.10.1+dfsg-6.1
ii  libmagic1                           1:5.14-2
ii  libonig2                            5.9.1-1
ii  libpcre3                            1:8.31-2
ii  libqdbm14                           1.8.78-2
ii  libssl1.0.0                         1.0.1e-3
ii  libstdc++6                          4.8.1-9
ii  libxml2                             2.9.1+dfsg1-3
ii  mime-support                        3.54
ii  php5-common                         5.5.2+dfsg-1
ii  tzdata                              2013d-1
ii  ucf                                 3.0027+nmu1
ii  zlib1g                              1:1.2.8.dfsg-1

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli  5.5.2+dfsg-1

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear  5.5.2+dfsg-1

Versions of packages php5-common depends on:
ii  libc6   2.17-92
ii  lsof    4.86+dfsg-1
ii  psmisc  22.20-1
ii  sed     4.2.2-2
ii  ucf     3.0027+nmu1

Versions of packages php5-common recommends:
ii  php5-json  1.3.1+dfsg-3

Versions of packages php5-common suggests:
pn  php5-user-cache  <none>

-- no debconf information
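The gdb backtrace in the report is wrapped at roughly 80 columns by the tracker, which breaks paths and argument lists mid-token and makes the trace awkward to feed into triage tooling. The script below is an added example, not code from the report or from the PHP project: it re-joins the wrapped frames, parses each into frame number, function, source file and line, names the crash site, and counts how many frames fall in the PHP engine, the SAPI glue and Apache. The sample input is a shortened excerpt of the report's own backtrace (frame numbers, addresses and paths copied from the report); the component labels and the path-prefix rules are my own assumptions for this report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a shortened excerpt of the backtrace in the report above,
# wrapped the same way the tracker wrapped it.
SAMPLE_BACKTRACE = """\
(gdb) bt
#0  _get_zval_ptr_ptr_var (should_free=<synthetic pointer>,
execute_data=0x7faba65d4990, var=<optimized out>) at /tmp/buildd/php5-
5.5.2+dfsg/Zend/zend_execute.c:384
#1  ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x7faba65d4990) at
/tmp/buildd/php5-5.5.2+dfsg/Zend/zend_vm_execute.h:14783
#2  0x00007faba3a3e578 in execute_ex (execute_data=0x7faba65d4990) at
/tmp/buildd/php5-5.5.2+dfsg/Zend/zend_vm_execute.h:356
#5  0x00007faba3ac651a in php_handler (r=<optimized out>) at /tmp/buildd/php5-
5.5.2+dfsg/sapi/apache2handler/sapi_apache2.c:667
#6  0x00007faba6700350 in ap_run_handler (r=0x7faba64b40a0) at config.c:175
#13 0x00007faba6709808 in ap_process_connection (c=c@entry=0x7faba64b8290, csd=
<optimized out>) at connection.c:202
(gdb)
"""

FRAME_START = re.compile(r"^#\d+\s")
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"          # address is absent on the innermost frame
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\s*"
    r"\((?P<args>.*)\)\s+at\s+"
    r"(?P<file>\S+):(?P<line>\d+)$"
)

# Hypothetical component rules for this report: prefixes come from the paths in
# the backtrace, the labels are mine; '' is the catch-all for Apache's own files.
COMPONENT_RULES = [
    ("php-engine", "/tmp/buildd/php5-5.5.2+dfsg/Zend/"),
    ("php-sapi", "/tmp/buildd/php5-5.5.2+dfsg/sapi/"),
    ("apache", ""),
]


@dataclass
class Frame:
    num: int
    func: str
    file: str
    line: int
    args: str


def join_wrapped(text: str) -> list[str]:
    """Re-join frames that a tracker or mailer wrapped onto several lines.

    A line starting with '#<n> ' begins a frame; any other non-empty line that is
    not a gdb prompt continues the frame before it.
    """
    frames: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(gdb)"):
            continue
        if FRAME_START.match(line):
            frames.append(line)
        elif frames:
            # The wrap split tokens such as 'php5-' / '5.5.2+dfsg' and
            # 'csd=' / '<optimized out>'; glue those back without a space.
            sep = "" if frames[-1].endswith(("-", "/", "=")) else " "
            frames[-1] += sep + line
    return frames


def parse_backtrace(text: str) -> list[Frame]:
    """Parse every frame that matches gdb's 'bt' output format; skip the rest."""
    frames = []
    for chunk in join_wrapped(text):
        m = FRAME_RE.match(chunk)
        if m:
            frames.append(Frame(int(m["num"]), m["func"], m["file"],
                                int(m["line"]), m["args"]))
    return frames


def crash_site(frames: list[Frame]) -> str | None:
    """'function (file:line)' of the innermost frame, the usual triage key."""
    if not frames:
        return None
    f = frames[0]
    return f"{f.func} ({f.file}:{f.line})"


def classify(frames: list[Frame], rules=COMPONENT_RULES) -> dict[str, int]:
    """Count frames per component, using the first rule whose prefix matches."""
    counts = {label: 0 for label, _ in rules}
    for f in frames:
        for label, prefix in rules:
            if f.file.startswith(prefix):
                counts[label] += 1
                break
    return counts


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    print("crash site:", crash_site(frames))
    for f in frames:
        print(f"#{f.num:<3} {f.func:<45} {f.file}:{f.line}")
    print("frames per component:", classify(frames))
```

On the sample the innermost frame resolves to `_get_zval_ptr_ptr_var` in the Zend engine and the component counts show the fault is raised inside the engine rather than in the Apache request path, which is the information a triager needs to route a report like this one to the right maintainers.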


History

 [2013-08-23 06:22 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-08-23 06:22 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-08-23 13:29 UTC] php at cscott dot net
-Status: Feedback +Status: Open
 [2013-08-23 13:29 UTC] php at cscott dot net
Just to be clear: I do not intend to construct the requested test case. I spent my quota of time filing the bug report, in Debian and here. This is a serious regression; hopefully the next person who tries to use mediawiki on 5.5.2 will be able to contribute to minimization. As for me, I just downgraded to 5.5.1 and got back to work.
 [2013-08-28 07:48 UTC] i at mudkip dot me
I have the same issue with PHP 5.5.2/5.5.3 and MediaWiki 1.21.1

I'm using Arch Linux. Any MediaWiki search request would cause a segfault in php-fpm when opcache is enabled. Sorry, I have no time to figure out which part of MediaWiki caused this crash.

But when I downgraded the opcache.so to the old version (7.0.2), and still using PHP 5.5.3, this problem could be solved. I believe this is caused by some recent changes of opcache.

As for me, I'm now using PHP 5.5.3 with this older version of opcache.so
 [2013-08-28 21:18 UTC] ole dot hattebol at swipnet dot se
I am trying to configure MediaWiki 1.21.1 and have PHP-5.5.2. Operating system is Windows Small Business Server 2011 Essentials. The web server is IIS 7.5. I get error 500 when I click "set up the wiki" on the configuration start page. I have tried the various recommended permission settings to no help.
 [2013-08-29 05:51 UTC] roctom at gmail dot com
I have a similar issue with PHP 5.5.2/3 but running piwik with the opcache of version 5.5.2/3. If I run PHP 5.5.3 with the compiled opcache.so of 5.5.1 there is no issue.

Thus it points to a regression of the opcache code between 5.5.1 and 5.5.2.
 [2013-08-29 07:57 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5015c4af6c1d2af992e0525f10e93b01043730e1
Log: Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var)
 [2013-08-29 07:57 UTC] dmitry@php.net
-Status: Open +Status: Closed
 [2013-08-29 08:01 UTC] dmitry@php.net
-Status: Closed +Status: Open
 [2013-08-29 08:01 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-08-29 08:09 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2013-08-29 23:38 UTC] roctom at gmail dot com
Hi,

I've tested the 5.5 snapshot of Aug 29, 2013 22:30 UTC and the fix works for me.

Thanks!
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5015c4af6c1d2af992e0525f10e93b01043730e1
Log: Fixed bug #65510 (5.5.2 crashes in _get_zval_ptr_ptr_var)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC