PHP :: Bug #65928 :: Segfault when working with Soap

Bug #65928

Segfault when working with Soap

Submitted:

2013-10-18 10:30 UTC

Modified:

2024-05-29 19:13 UTC

Votes:	6
Avg. Score:	4.7 ± 0.5
Reproduced:	6 of 6 (100.0%)
Same Version:	3 (50.0%)
Same OS:	3 (50.0%)

From:

phil at propcom dot co dot uk

Assigned:

nielsdos (profile)

Status:

Closed

Package:

SOAP related

PHP Version:

5.5.5

OS:

CentOS

Private report:

CVE-ID:

None

View Developer Edit

[2013-10-18 10:30 UTC] phil at propcom dot co dot uk

Description:
------------
PHP Segfaults during a SOAP request.

Test script:
---------------
I unfortunately cannot put together anything remotely small enough to be considered a test case. Error is created deep within a 3rd party library working with a horrifically complex API.

More than happy to work with somebody to provide more useful debug logs.

Expected result:
----------------
Anything but a segfault

Actual result:
--------------
The segfault is triggered in zend_get_class_entry() on the following line:

if (Z_OBJ_HT_P(zobject)->get_class_entry)

I've stripped out some of the macros, to make the trace more useful, such that the function is as follows:

ZEND_API zend_class_entry *zend_get_class_entry(const zval *zobject TSRMLS_DC) /* {{{ */
{
        zend_object_value foo = Z_OBJVAL(*zobject);

        if ((foo.handlers)->get_class_entry) {
                return Z_OBJ_HT_P(zobject)->get_class_entry(zobject TSRMLS_CC);
        } else {
                zend_error(E_ERROR, "Class entry requested for an object without PHP class");
                return NULL;
        }
}

`bt full` of the above fn is as follows and basically suggests that foo.handlers is a null pointer.

#0  0x0000000000a10677 in zend_get_class_entry (zobject=0x1b4ee40) at /root/php-5.5.5/Zend/zend_API.c:239
        foo = {handle = 0, handlers = 0x0}
#1  0x00000000007ad112 in set_zval_property (object=0x1b4ee40, name=0x1e92500 "entityId", val=0x1b53058) at /root/php-5.5.5/ext/soap/php_encoding.c:1230
        old_scope = 0x0
#2  0x00000000007adeea in model_to_zval_object (ret=0x1b4ee40, model=0x1ea3720, data=0x1a49eb0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1438
        val = 0x1b53058
        r_node = 0x1a4a320
        node = 0x0
#3  0x00000000007adf4f in model_to_zval_object (ret=0x1b4ee40, model=0x1ea30a8, data=0x1a49eb0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1454
        tmp = 0x1ea37a8
        pos = 0x1ea3790
        any = 0x0
#4  0x00000000007aea4f in to_zval_object_ex (type=0x224ed38, data=0x1a49eb0, pce=0x0) at /root/php-5.5.5/ext/soap/php_encoding.c:1584
        ret = 0x1b4ee40
        trav = 0x1b43407
        sdl = 0x218cb10
        sdlType = 0x2405708
        ce = 0x13a12b0
        redo_any = 0x0
#5  0x00000000007af133 in to_zval_object (type=0x224ed38, data=0x1a49eb0) at /root/php-5.5.5/ext/soap/php_encoding.c:1687
No locals.
#6  0x00000000007b8275 in sdl_guess_convert_zval (enc=0x224ed38, data=0x1a49eb0) at /root/php-5.5.5/ext/soap/php_encoding.c:3329
        type = 0x2405708
#7  0x00000000007aa36c in master_to_zval_int (encode=0x224ed38, data=0x1a49eb0) at /root/php-5.5.5/ext/soap/php_encoding.c:581
        ret = 0x0
#8  0x00000000007aa4b4 in master_to_zval (encode=0x224ed38, data=0x1a49eb0) at /root/php-5.5.5/ext/soap/php_encoding.c:617
No locals.
#9  0x00000000007adb14 in model_to_zval_object (ret=0x1b53d90, model=0x22f1420, data=0x1a49cd0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1398
        val = 0x4c200a40208
        r_node = 0x1a49eb0
        node = 0x1a49eb0
#10 0x00000000007adf4f in model_to_zval_object (ret=0x1b53d90, model=0x22f1310, data=0x1a49cd0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1454
        tmp = 0x22f1540
        pos = 0x22f1528
        any = 0x0
#11 0x00000000007aea4f in to_zval_object_ex (type=0x206c8d8, data=0x1a49cd0, pce=0x0) at /root/php-5.5.5/ext/soap/php_encoding.c:1584
        ret = 0x1b53d90
        trav = 0x1b43407
        sdl = 0x218cb10
        sdlType = 0x231e080
        ce = 0x13a12b0
        redo_any = 0x0
#12 0x00000000007af133 in to_zval_object (type=0x206c8d8, data=0x1a49cd0) at /root/php-5.5.5/ext/soap/php_encoding.c:1687
No locals.
#13 0x00000000007b8275 in sdl_guess_convert_zval (enc=0x206c8d8, data=0x1a49cd0) at /root/php-5.5.5/ext/soap/php_encoding.c:3329
        type = 0x231e080
#14 0x00000000007aa36c in master_to_zval_int (encode=0x206c8d8, data=0x1a49cd0) at /root/php-5.5.5/ext/soap/php_encoding.c:581
        ret = 0x0
#15 0x00000000007aa4b4 in master_to_zval (encode=0x206c8d8, data=0x1a49cd0) at /root/php-5.5.5/ext/soap/php_encoding.c:617
No locals.
#16 0x00000000007adb14 in model_to_zval_object (ret=0x1b36da0, model=0x22ec878, data=0x1a33a10, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1398
        val = 0x4c201b4e9d8
        r_node = 0x1a49cd0
        node = 0x1a49cd0
#17 0x00000000007adf4f in model_to_zval_object (ret=0x1b36da0, model=0x20478f0, data=0x1a33a10, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1454
        tmp = 0x22ec900
        pos = 0x22ec8e8
        any = 0x0
#18 0x00000000007aea4f in to_zval_object_ex (type=0x22eaee0, data=0x1a33a10, pce=0x0) at /root/php-5.5.5/ext/soap/php_encoding.c:1584
        ret = 0x1b36da0
        trav = 0x1b42ec7
        sdl = 0x218cb10
        sdlType = 0x231e500
---Type <return> to continue, or q <return> to quit---
        ce = 0x13a12b0
        redo_any = 0x0
#19 0x00000000007af133 in to_zval_object (type=0x22eaee0, data=0x1a33a10) at /root/php-5.5.5/ext/soap/php_encoding.c:1687
No locals.
#20 0x00000000007b8275 in sdl_guess_convert_zval (enc=0x22eaee0, data=0x1a33a10) at /root/php-5.5.5/ext/soap/php_encoding.c:3329
        type = 0x231e500
#21 0x00000000007aa36c in master_to_zval_int (encode=0x22eaee0, data=0x1a33a10) at /root/php-5.5.5/ext/soap/php_encoding.c:581
        ret = 0x0
#22 0x00000000007aa4b4 in master_to_zval (encode=0x22eaee0, data=0x1a33a10) at /root/php-5.5.5/ext/soap/php_encoding.c:617
No locals.
#23 0x00000000007adb14 in model_to_zval_object (ret=0x1b42810, model=0x22b3b50, data=0x1a338c0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1398
        val = 0x4c200a40208
        r_node = 0x1a33a10
        node = 0x1a33a10
#24 0x00000000007adf4f in model_to_zval_object (ret=0x1b42810, model=0x22b3ae0, data=0x1a338c0, sdl=0x218cb10) at /root/php-5.5.5/ext/soap/php_encoding.c:1454
        tmp = 0x22b3bd8
        pos = 0x22b3bc0
        any = 0x0
#25 0x00000000007aea4f in to_zval_object_ex (type=0x20a1298, data=0x1a338c0, pce=0x0) at /root/php-5.5.5/ext/soap/php_encoding.c:1584
        ret = 0x1b42810
        trav = 0x1b42ec7
        sdl = 0x218cb10
        sdlType = 0x2196d48
        ce = 0x13a12b0
        redo_any = 0x0
#26 0x00000000007af133 in to_zval_object (type=0x20a1298, data=0x1a338c0) at /root/php-5.5.5/ext/soap/php_encoding.c:1687
No locals.
#27 0x00000000007b8275 in sdl_guess_convert_zval (enc=0x20a1298, data=0x1a338c0) at /root/php-5.5.5/ext/soap/php_encoding.c:3329
        type = 0x2196d48
#28 0x00000000007aa36c in master_to_zval_int (encode=0x20a1298, data=0x1a338c0) at /root/php-5.5.5/ext/soap/php_encoding.c:581
        ret = 0x0
#29 0x00000000007aa4b4 in master_to_zval (encode=0x20a1298, data=0x1a338c0) at /root/php-5.5.5/ext/soap/php_encoding.c:617
No locals.
#30 0x00000000007cb8f4 in parse_packet_soap (this_ptr=0x229fa80,
    buffer=0x1b55410 "<?xml version=\"1.0\" encoding=\"utf-8\"?><soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSche"..., buffer_size=30360, fn=0x3084000, fn_name=0x0, return_value=0x1b6f300, soap_headers=0x1b397f8) at /root/php-5.5.5/ext/soap/php_packet_soap.c:328
        param = 0x3085528
        val = 0x1a338c0
        tmp = 0xf32190
        h_param = 0x3085650
        name = 0x2fb6410 "searchResponse"
        ns = 0x2fb6478 "urn:messages_2011_2.platform.webservices.netsuite.com"
        fnb = 0x3084268
        res_count = 1
        envelope_ns = 0xf331b0 "http://schemas.xmlsoap.org/soap/envelope/"
        response = 0x1a33010
        trav = 0x0
        env = 0x1a33250
        head = 0x1a33430
        body = 0x1a337c0
        resp = 0x1a338c0
        cur = 0x1a338c0
        fault = 0x0
        attr = 0x0
        param_count = 0
        soap_version = 1
        hdrs = 0x3084e38
#31 0x000000000079775c in do_soap_call (this_ptr=0x229fa80, function=0x7ffff7eebea8 "search", function_len=6, arg_count=1, real_args=0x1b76f68, return_value=0x1b6f300,
    location=0x16247f0 "https://webservices.netsuite.com/services/NetSuitePort_2011_2", soap_action=0x0, call_uri=0x0, soap_headers=0x1b3cf60, output_headers=0x1b397f8) at /root/php-5.5.5/ext/soap/soap.c:2725
        binding = 0x306fe38
        one_way = 0
        __orig_bailout = 0x7fffffffcf50
        __bailout = {{__jmpbuf = {140737353006760, 2946715318515956408, 4393648, 140737488348784, 0, 0, 2946715318555802296, -2946714295451092296}, __mask_was_saved = 0, __saved_mask = {__val = {10562667, 0, 28191520, 1, 4393648,
---Type <return> to continue, or q <return> to quit---
                4294943760, 140737488331792, 15931114, 18446744069414584320, 592705486968, 15931114, 524014201632, 8589934597, 5, 140737353789296, 21474836600}}}}
        tmp = 0x231ebb8
        trace = 0x2158888
        sdl = 0x218cb10
        old_sdl = 0x0
        fn = 0x3084000
        request = 0x1a32a80
        ret = 1
        soap_version = 1
        response = {value = {lval = 28660752, dval = 1.4160292947175799e-316, str = {
              val = 0x1b55410 "<?xml version=\"1.0\" encoding=\"utf-8\"?><soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSche"..., len = 30360}, ht = 0x1b55410, obj = {handle = 28660752, handlers = 0x7698}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}
        old_encoding = 0x0
        old_class_map = 0x0
        old_features = 0
        old_typemap = 0x0
        typemap = 0x212e178
        _old_handler = 0 '\000'
        _old_error_code = 0x0
        _old_error_object = 0x0
        _old_soap_version = 1
        _old_in_compilation = 0 '\000'
        _old_in_execution = 1 '\001'
        _old_current_execute_data = 0x7ffff7faadd0
        _old_stack_top = 0x7ffff7faaf80
        _bailout = 0
#32 0x0000000000798f4b in zim_SoapClient___call (ht=5, return_value=0x1b6f300, return_value_ptr=0x0, this_ptr=0x229fa80, return_value_used=1) at /root/php-5.5.5/ext/soap/soap.c:2929
        function = 0x7ffff7eebea8 "search"
        location = 0x0
        soap_action = 0x0
        uri = 0x0
        function_len = 6
        i = 1
        soap_headers = 0x1b3cf60
        options = 0x0
        headers = 0x1ae2b20
        output_headers = 0x1b397f8
        args = 0x1b3ce88
        real_args = 0x1b76f68
        param = 0x1b3cb00
        arg_count = 1
        tmp = 0x1b6f320
        free_soap_headers = 0 '\000'
        pos = 0x0
#33 0x0000000000a4efaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7faadd0) at /root/php-5.5.5/Zend/zend_vm_execute.h:550
        ret = 0x7ffff7faacf0
        opline = 0x7fffe9e3c600
        should_change_scope = 1 '\001'
        fbc = 0x15193c0
#34 0x0000000000a4f782 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7faadd0) at /root/php-5.5.5/Zend/zend_vm_execute.h:685
No locals.
#35 0x0000000000a4e6a2 in execute_ex (execute_data=0x7ffff7faadd0) at /root/php-5.5.5/Zend/zend_vm_execute.h:363
        ret = 0
        original_in_execution = 1 '\001'
#36 0x0000000000a4e725 in zend_execute (op_array=0x15c8510) at /root/php-5.5.5/Zend/zend_vm_execute.h:388
No locals.
#37 0x00000000009fb260 in zend_call_function (fci=0x7fffffffa8f0, fci_cache=0x7fffffffa8c0) at /root/php-5.5.5/Zend/zend_execute_API.c:939
        i = 0
        original_return_value = 0x7fffffffac78
        calling_symbol_table = 0x7fffea0168d8
        original_op_array = 0x161b6b0
        original_opline_ptr = 0x7ffff7fa8010
        current_scope = 0x1607518
---Type <return> to continue, or q <return> to quit---
        current_called_scope = 0x1607518
        calling_scope = 0x7fffe9ab7b88
        called_scope = 0x7fffe9ab7b88
        current_this = 0x0
        execute_data = {opline = 0x0, function_state = {function = 0x15c8510, arguments = 0x7ffff7fa81d8}, op_array = 0x0, object = 0x7fffe9b3c0c8, symbol_table = 0x7fffea0168d8, prev_execute_data = 0x7ffff7fa8010,
          old_error_reporting = 0x0, nested = 0 '\000', original_return_value = 0x7fffffffac78, current_scope = 0x1607518, current_called_scope = 0x1607518, current_this = 0x0, fast_ret = 0x7ffff7fe1dc8, call_slots = 0x7ffff7fa8160,
          call = 0x7ffff7fa8160}
        fci_cache_local = {initialized = 120 'x', function_handler = 0xf3f176, calling_scope = 0x7fffffffa880, called_scope = 0xa12fa7, object_ptr = 0xf3f176}
#38 0x000000000085411f in zif_call_user_func_array (ht=2, return_value=0x21bfb58, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/php-5.5.5/ext/standard/basic_functions.c:4805
        params = 0x15c4a78
        retval_ptr = 0x0
        fci = {size = 72, function_table = 0x7fffe9ab7bb0, function_name = 0x24628c8, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffa940, param_count = 0, params = 0x1619560, object_ptr = 0x7fffe9b3c0c8, no_separation = 1 '\001'}
        fci_cache = {initialized = 1 '\001', function_handler = 0x15c8510, calling_scope = 0x7fffe9ab7b88, called_scope = 0x7fffe9ab7b88, object_ptr = 0x7fffe9b3c0c8}
#39 0x0000000000a4efaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa8010) at /root/php-5.5.5/Zend/zend_vm_execute.h:550
        ret = 0x7ffff7fa75f0
        opline = 0x24134c8
        should_change_scope = 0 '\000'
        fbc = 0x137e090
#40 0x0000000000a4f782 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7fa8010) at /root/php-5.5.5/Zend/zend_vm_execute.h:685
No locals.
#41 0x0000000000a4e6a2 in execute_ex (execute_data=0x7ffff7fa8010) at /root/php-5.5.5/Zend/zend_vm_execute.h:363
        ret = 0
        original_in_execution = 1 '\001'
#42 0x0000000000a4e725 in zend_execute (op_array=0x161b6b0) at /root/php-5.5.5/Zend/zend_vm_execute.h:388
No locals.
#43 0x00000000009fb260 in zend_call_function (fci=0x7fffffffac30, fci_cache=0x7fffffffac00) at /root/php-5.5.5/Zend/zend_execute_API.c:939
        i = 2
        original_return_value = 0x0
        calling_symbol_table = 0x0
        original_op_array = 0x1622138
        original_opline_ptr = 0x7ffff7fa7438
        current_scope = 0x1575ab0
        current_called_scope = 0x1575ab0
        calling_scope = 0x1607518
        called_scope = 0x1607518
        current_this = 0x0
        execute_data = {opline = 0x0, function_state = {function = 0x161b6b0, arguments = 0x7ffff7fa75a8}, op_array = 0x0, object = 0x0, symbol_table = 0x0, prev_execute_data = 0x7ffff7fa7438, old_error_reporting = 0x0,
          nested = 1 '\001', original_return_value = 0x0, current_scope = 0x1575ab0, current_called_scope = 0x1575ab0, current_this = 0x0, fast_ret = 0x0, call_slots = 0x7ffff7fa7538, call = 0x7ffff7fa7538}
        fci_cache_local = {initialized = 160 '\240', function_handler = 0xf3f173, calling_scope = 0x7fffffffabc0, called_scope = 0xa12fa7, object_ptr = 0xf3f173}
#44 0x0000000000853f60 in zif_call_user_func (ht=3, return_value=0x161b4d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /root/php-5.5.5/ext/standard/basic_functions.c:4780
        retval_ptr = 0x0
        fci = {size = 72, function_table = 0x1607540, function_name = 0x7fffe9e595a8, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffac78, param_count = 2, params = 0x15ecdd0, object_ptr = 0x0, no_separation = 1 '\001'}
        fci_cache = {initialized = 1 '\001', function_handler = 0x161b6b0, calling_scope = 0x1607518, called_scope = 0x1607518, object_ptr = 0x0}
#45 0x0000000000a4efaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa7438) at /root/php-5.5.5/Zend/zend_vm_execute.h:550
        ret = 0x7ffff7fa6cf8
        opline = 0x203dad8
        should_change_scope = 0 '\000'
        fbc = 0x137df40
#46 0x0000000000a4f782 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7fa7438) at /root/php-5.5.5/Zend/zend_vm_execute.h:685
No locals.
#47 0x0000000000a4e6a2 in execute_ex (execute_data=0x7ffff7fa7438) at /root/php-5.5.5/Zend/zend_vm_execute.h:363
        ret = 0
        original_in_execution = 0 '\000'
#48 0x0000000000a4e725 in zend_execute (op_array=0x7ffff7fdc578) at /root/php-5.5.5/Zend/zend_vm_execute.h:388
No locals.
#49 0x0000000000a0f1d0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.5.5/Zend/zend.c:1320
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffaf10, reg_save_area = 0x7fffffffae40}}
        i = 1
        file_handle = 0x7fffffffe2c0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#50 0x00000000009788ef in php_execute_script (primary_file=0x7fffffffe2c0) at /root/php-5.5.5/main/main.c:2489
---Type <return> to continue, or q <return> to quit---
        realfile = "/mnt/data1/vhosts/test.orlebarbrown.com/includes/oil\000\000\000\000\200\372/\001\000\000\000\000@\320\377\377\377\177\000\000\260\nC\000\000\000\000\000p\346\377\377\377\177\000\000\025\027\337\367\000\000\000\000@\261\060\001\000\000\000\000hp-5.5.1\000\000\000\000\000\000\000\000\200\372/\001\000\000\000\000@\320\377\377\377\177\000\000\260\nC\000\000\000\000\000p\346\377\377\377\177", '\000' <repeats 18 times>, "\002\071\227\000\000\000\000\000\060\241\060\001\000\000\000\000\200\372/\001\000\000\000\000\000\200\376\367\377\177\000\000Ð
                                                                                            \376\367\377\177\000\000\240\211\376\367\377\177\000\000\000p\376\367\377\177\000\000\310t\376\367\377\177\000\000\330\324r\362\377\177\000\000\000\260\376\367\377\177\000\000\000\000\000\000\000\000\000\000\004\000\000\000\377\177\000\000\001", '\000' <repeats 15 times>...
        __orig_bailout = 0x7fffffffe1a0
        __bailout = {{__jmpbuf = {140737488343072, 2946715320264981176, 4393648, 140737488348784, 0, 0, 2946715318719380152, -2946714080377144648}, __mask_was_saved = 0, __saved_mask = {__val = {16236160, 140737353987944, 19922368,
                140737353987864, 22296848, 120, 4, 19922552, 140733193388034, 16206168, 140737353987944, 140737488343104, 10313569, 19921488, 0, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0},
              reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0},
              reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        old_cwd = 0x7fffffffaf30 ""
        use_heap = 0 '\000'
        retval = 0
#51 0x0000000000ac0d39 in do_cli (argc=4, argv=0x12ffa50) at /root/php-5.5.5/sapi/cli/php_cli.c:994
        __orig_bailout = 0x7fffffffe450
        __bailout = {{__jmpbuf = {19921488, 2946715320625691320, 4393648, 140737488348784, 0, 0, 2946715320267078328, -2946713843996394824}, __mask_was_saved = 0, __saved_mask = {__val = {16132847, 16132871, 16132884, 16132901,
                16132922, 16132942, 16132959, 16132980, 16132990, 16133004, 16133026, 16133045, 16133072, 16133101, 0, 140737488347456}}}}
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x12ffaa0 "oil", opened_path = 0x0, handle = {fd = -134363408, fp = 0x7ffff7fdc6f0, stream = {handle = 0x7ffff7fdc6f0, isatty = 0, mmap = {len = 996, pos = 0,
                map = 0x7ffff7e31000, buf = 0x7ffff7e31000 <Address 0x7ffff7e31000 out of bounds>, old_handle = 0x15432a0, old_closer = 0xa2e40f <zend_stream_stdio_closer>}, reader = 0xa2e3e0 <zend_stream_stdio_reader>,
              fsizer = 0xa2e443 <zend_stream_stdio_fsizer>, closer = 0xa2e555 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        behavior = 1
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        orig_optarg = 0x0
        php_optind = 2
        orig_optind = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = 0x12ffaa0 "oil"
        arg_excp = 0x12ffa58
        script_file = 0x12ffaa0 "oil"
        translated_path = 0x15434e0 "/mnt/data1/vhosts/test.orlebarbrown.com/includes/oil"
        interactive = 0
        lineno = 1
        param_error = 0x0
        hide_argv = 0
#52 0x0000000000ac1dce in main (argc=4, argv=0x12ffa50) at /root/php-5.5.5/sapi/cli/php_cli.c:1378
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {19921488, 2946715320682314424, 4393648, 140737488348784, 0, 0, 2946715320627788472, -2946713843237881160}, __mask_was_saved = 0, __saved_mask = {__val = {140737354129800, 140737298895856, 19918864, 0,
                140737488348568, 0, 140737354130656, 140737488348512, 140737354048728, 140737488348536, 8589934591, 140737298469336, 4295509, 2109656, 4294967295, 140737488348832}}}}
        c = -1
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x12ffd20 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 110
        ini_ignore = 0
        sapi_module = 0x12d9980

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-10-21 18:14 UTC] cpriest@php.net

-Status: Open +Status: Verified

[2013-10-23 00:32 UTC] cpriest@php.net

Just a comment here, we were running into soap/curl segfault issues on 5.5.3 through 5.5.1 off remi's repo.  Through some digging we found that updating our libcurl (and associated dependencies) on CentOS 6.4 we were able to eliminate the segfaults on our test server.  

We obtained these updates through the www.city-fan.org repo (cannot vouch for it's reliability, it's new to me).  The repo is mirrored in several locations, here is a more reliable link: http://nervion.us.es/city-fan/yum-repo/HEADER.html

I'll post more here if I find the above to not be correct on our other servers.

[2014-12-09 15:21 UTC] jeremiah dot j dot dansand at lawrence dot edu

We are experiencing this problem with a Wordpress theme on PHP 5.5.14, RedHat Enterprise Linux 6.5, and Wordpress 4.0.1.  I can reproduce in both PHP CLI and mod_php, and with Zend opcache enabled and disabled.  The request is standard GET to a Wordpress post with comments.

The problem line is:
  $wp_query->comments_by_type = &separate_comments($wp_query->comments);

Specifically, the ampersand.  Removing the ampersand solves the problem.

Most of those parameters don't matter, so a more straight-forward form is:
  $empty_comments_array = array();
  $empty_query_object = new WP_Query();
  $separate_comments_reduced_function = function(&$dummy_not_used) { return array('comment' => array(), 'trackback' => array(), 'pingback' => array(), 'pings' => array()); };
  $empty_query_object->dummy_value_does_not_matter = &$separate_comments_reduced_function($empty_comments_array);

The WP_Query() object has no magic __set() method, but for some reason does matter a lot. Assigning ->dummy_value_does_not_matter on an empty stdObject does not segfault.

GDB output from the crash (when using CLI):

Program received signal SIGSEGV, Segmentation fault.
0x00000000007e5688 in zend_get_class_entry (zobject=0xd1e1a20, tsrm_ls=0x106c1c0)
    at /path/to/php/source/Zend/zend_API.c:237
237             if (Z_OBJ_HT_P(zobject)->get_class_entry) {

[2024-05-29 19:13 UTC] nielsdos@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: nielsdos

[2024-05-29 19:13 UTC] nielsdos@php.net

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

Since there is no reproducer it's not possible to do anything here. Furthermore, this is pre-PHP-7 so this is possibly fixed already in current versions.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 04:00:01 2025 UTC