PHP :: Bug #66675 :: sometimes segfault while processing .js as .php

Bug #66675

sometimes segfault while processing .js as .php

Submitted:

2014-02-08 20:25 UTC

Modified:

2020-02-09 04:22 UTC

Votes:	5
Avg. Score:	3.2 ± 1.3
Reproduced:	3 of 4 (75.0%)
Same Version:	2 (66.7%)
Same OS:	1 (33.3%)

From:

phpreq at byom dot de

Assigned:

cmb (profile)

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

5.5.9

OS:

Debian 7.2 x64

Private report:

CVE-ID:

None

View Developer Edit

[2014-02-08 20:25 UTC] phpreq at byom dot de

Description:
------------
Hi,


In my setup (Debian Wheezy 64 Bit, Kernel 3.12, Apache 2.4.7, php 5.5.9, gcc Debian 4.7.2-5)
I let php also parse and execute .js - files as some very few contain php-code to have dynamically created .js files.

Done with: AddType application/x-httpd-php js

Apache segfaults about 5-6 times a day.

Doing a backtrace shows me that only files that end with .js cause the segfault.
The files are typically stock .js-files from a wordpress 3.8.1 installation. Parsing them by php shouldn't be a problem, especially as they don't contain any <? ?>. But it seems there is a problem with the file-buf as seen in gdb's frame 4: error: Cannot access memory at address 0x100000001.

See the output of gdb:


Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f653a6948ef in i_create_execute_data_from_op_array (nested=0 '\000', op_array=0x7f6540403148)
    at /usr/local/src/php-5.5.9/Zend/zend_execute.c:1631
1631                    EX(prev_execute_data) = EG(current_execute_data);


(gdb) bt
#0  0x00007f653a6948ef in i_create_execute_data_from_op_array (nested=0 '\000', op_array=0x7f6540403148)
    at /usr/local/src/php-5.5.9/Zend/zend_execute.c:1631
#1  zend_execute (op_array=0x7f6540403148) at /usr/local/src/php-5.5.9/Zend/zend_vm_execute.h:388
#2  zend_execute (op_array=0x7f6540403148) at /usr/local/src/php-5.5.9/Zend/zend_vm_execute.h:383
#3  0x00007f653a5e7b69 in zend_execute_scripts (type=type@entry=2, retval=0x0, retval@entry=0x2201a60,
    file_count=file_count@entry=1) at /usr/local/src/php-5.5.9/Zend/zend.c:1316
#4  0x00007f653a698105 in php_handler (r=0x21f1770)
    at /usr/local/src/php-5.5.9/sapi/apache2handler/sapi_apache2.c:669
#5  0x000000000044ee50 in ap_run_handler (r=0x21f1770) at config.c:170
#6  0x000000000044f42b in ap_invoke_handler (r=r@entry=0x21f1770) at config.c:439
#7  0x000000000046354a in ap_process_async_request (r=0x21f1770) at http_request.c:317
#8  0x00000000004637ff in ap_process_request (r=r@entry=0x21f1770) at http_request.c:363
#9  0x000000000045fe05 in ap_process_http_sync_connection (c=0x21e18e0) at http_core.c:190
#10 ap_process_http_connection (c=0x21e18e0) at http_core.c:231
#11 0x0000000000458460 in ap_run_process_connection (c=0x21e18e0) at connection.c:41
#12 0x0000000000458860 in ap_process_connection (c=c@entry=0x21e18e0, csd=<optimized out>) at connection.c:202
#13 0x000000000046986b in child_main (child_num_arg=child_num_arg@entry=2) at prefork.c:704
#14 0x0000000000469a77 in make_child (s=0x1eaf538, slot=2) at prefork.c:800
#15 0x000000000046a842 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:902
#16 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1090
#17 0x0000000000435a0e in ap_run_mpm (pconf=0x1e86138, plog=0x1eb3378, s=0x1eaf538) at mpm_common.c:98
#18 0x000000000042f12b in main (argc=3, argv=0x7fff5542e328) at main.c:777


(gdb) bt full
#0  0x00007f653a6948ef in i_create_execute_data_from_op_array (nested=0 '\000', op_array=0x7f6540403148)
    at /usr/local/src/php-5.5.9/Zend/zend_execute.c:1631
        execute_data = 0x0
        CVs_size = 0
        Ts_size = <optimized out>
        stack_size = <optimized out>
        total_size = <optimized out>
        call_slots_size = <optimized out>
#1  zend_execute (op_array=0x7f6540403148) at /usr/local/src/php-5.5.9/Zend/zend_vm_execute.h:388
No locals.
#2  zend_execute (op_array=0x7f6540403148) at /usr/local/src/php-5.5.9/Zend/zend_vm_execute.h:383
No locals.
#3  0x00007f653a5e7b69 in zend_execute_scripts (type=type@entry=2, retval=0x0, retval@entry=0x2201a60,
    file_count=file_count@entry=1) at /usr/local/src/php-5.5.9/Zend/zend.c:1316
        files = {{gp_offset = 32, fp_offset = 28, overflow_arg_area = 0x7fff5542dba0,
            reg_save_area = 0x7fff5542db30}}
        i = <optimized out>
        file_handle = 0x7fff5542dc00
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#4  0x00007f653a698105 in php_handler (r=0x21f1770)
    at /usr/local/src/php-5.5.9/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_FILENAME,
          filename = 0x21f2ef0 "/home/www/htdocs/wp-includes/js/jquery/jquery.js",
          opened_path = 0x0, handle = {fd = 1067612014, fp = 0x7f653fa2776e <apr_table_unset+158>, stream = {
              handle = 0x7f653fa2776e <apr_table_unset+158>, isatty = 35598064, mmap = {len = 36590244,
                pos = 35591928, map = 0x6440073f370,
                buf = 0x100000001 <error: Cannot access memory at address 0x100000001>, old_handle = 0x1,
                old_closer = 0x7180567}, reader = 0x902, fsizer = 0x1, closer = 0x21e18e0}},
          free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {32654544, 6444143732774364179, 35592048, 35526880, 32175416, 0,
              -6444483869346667501, -6366886698566065133}, __mask_was_saved = 0, __saved_mask = {__val = {
                32257640, 32563064, 35799832, 1, 32563064, 35799840, 0, 35526880, 32175416, 0, 140072810773443, 0,
                0, 0, 0, 0}}}}
        ctx = 0x21e9c48
        conf = 0x1ee6160
        brigade = 0x0
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x2201a60
#5  0x000000000044ee50 in ap_run_handler (r=0x21f1770) at config.c:170
        pHook = 0x1f244d0
        n = 4
        rv = 0
#6  0x000000000044f42b in ap_invoke_handler (r=r@entry=0x21f1770) at config.c:439
        handler = <optimized out>
        p = <optimized out>
        result = <optimized out>
        old_handler = 0x0
        ignore = <optimized out>
#7  0x000000000046354a in ap_process_async_request (r=0x21f1770) at http_request.c:317
        c = 0x21e18e0
        access_status = 0
#8  0x00000000004637ff in ap_process_request (r=r@entry=0x21f1770) at http_request.c:363
        bb = <optimized out>
        b = <optimized out>
        c = 0x21e18e0
        rv = <optimized out>
#9  0x000000000045fe05 in ap_process_http_sync_connection (c=0x21e18e0) at http_core.c:190
        r = 0x21f1770
        cs = 0x0
        csd = 0x21e16f0
        mpm_state = 1
#10 ap_process_http_connection (c=0x21e18e0) at http_core.c:231
No locals.
#11 0x0000000000458460 in ap_run_process_connection (c=0x21e18e0) at connection.c:41
        pHook = 0x1f2eaa0
        n = 1
        rv = 0
#12 0x0000000000458860 in ap_process_connection (c=c@entry=0x21e18e0, csd=<optimized out>) at connection.c:202
        rc = <optimized out>
#13 0x000000000046986b in child_main (child_num_arg=child_num_arg@entry=2) at prefork.c:704
        current_conn = 0x21e18e0
        csd = 0x21e16f0
        thd = 0x20aff70
        osthd = 140072847148864
        ptrans = 0x21e1678
        allocator = 0x20afb70
        status = <optimized out>
        i = <optimized out>
        lr = <optimized out>
        pollset = 0x20b0050
        sbh = 0x20b0048
        bucket_alloc = 0x21e5698
        last_poll_idx = 1
        lockfile = <optimized out>
#14 0x0000000000469a77 in make_child (s=0x1eaf538, slot=2) at prefork.c:800
        pid = 0
#15 0x000000000046a842 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:902
        i = <optimized out>
        idle_count = <optimized out>
        ws = <optimized out>
        free_length = <optimized out>
        free_slots = {2, 7, 12, 14, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 57, 58, 59, 60, 61, 62, 63, 64,
          65, 66, 67, 68, 69, 70, 71, 72}
        last_non_dead = <optimized out>
        total_non_dead = <optimized out>
#16 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1090
        status = 0
        pid = {pid = -1, in = 0x7f653aaf582d, out = 0x7f653efa8e60, err = 0x20}
        child_slot = <optimized out>
        exitwhy = APR_PROC_EXIT
        processed_status = <optimized out>
        index = <optimized out>
        remaining_children_to_start = 0
        rv = <optimized out>
#17 0x0000000000435a0e in ap_run_mpm (pconf=0x1e86138, plog=0x1eb3378, s=0x1eaf538) at mpm_common.c:98
        pHook = 0x1f2ebc8
        n = 0
        rv = 0
#18 0x000000000042f12b in main (argc=3, argv=0x7fff5542e328) at main.c:777
        c = 0 '\000'
        showcompile = 0
        showdirectives = 0
        confname = 0x46c1f0 "/usr/local/apache/conf/httpd.conf"
        def_server_root = 0x46b8f8 "/usr/local/apache/2.4.7"
        temp_error_log = <optimized out>
        error = <optimized out>
        process = 0x1e84218
        pconf = 0x1e86138
        plog = 0x1eb3378
        ptemp = 0x1eb1348
        pcommands = 0x1ea8248
        opt = 0x1ea8338
        rv = <optimized out>
        mod = 0x689ac0 <ap_prelinked_modules+32>
        opt_arg = 0x1e84128 "\b\001\350\001"
        signal_server = <optimized out>



(gdb) frame 1
#1  zend_execute (op_array=0x7f6540403148) at /usr/local/src/php-5.5.9/Zend/zend_vm_execute.h:388
388             zend_execute_ex(i_create_execute_data_from_op_array(op_array, 0 TSRMLS_CC) TSRMLS_CC);
(gdb)

(gdb) frame 4
#4  0x00007f653a698105 in php_handler (r=0x2376c90)
    at /usr/local/src/php-5.5.9/sapi/apache2handler/sapi_apache2.c:669
669                             zend_execute_scripts(ZEND_INCLUDE TSRMLS_CC, NULL, 1, &zfd);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-02-08 20:29 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2014-02-08 20:29 UTC] pajoye@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2014-02-08 20:40 UTC] phpreq at byom dot de

I am unable to provide a script as a real php-script is not involved here.
Associate .js-files in Apache with php as seen above and download again and again a stock .js-script of your choice, e.g. jquery.js or jquery-migrate.min.js, but it needs some thousand requests until the segfault is hit.

I haven't hit a segfault with a script having a .php-file extension, maybe it is something trivial like a file-extension check fixed to 3 digits or so summing up after some thousand hits...

[2014-10-02 23:28 UTC] michael at alphageek dot com dot au

I have also experienced this.  Here's my backtrace:

#0  0x00007f034cd0996d in zend_stack_push (stack=stack@entry=0x7f034d4cfca0 <compiler_globals+608>, element=element@entry=0x7f034d4cfc78 <compiler_globals+568>, size=size@entry=40) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_stack.c:42
No locals.
#1  0x00007f034ccd530e in compile_file (file_handle=file_handle@entry=0x7fff94794c10, type=2) at Zend/zend_language_scanner.l:586
        original_lex_state = {yy_leng = 0, yy_start = 0x0, yy_text = 0x0, yy_cursor = 0x0, yy_marker = 0x0, yy_limit = 0x0, yy_state = 0, state_stack = {top = 0, max = 0, elements = 0x0}, heredoc_label_stack = {top = 0, max = 0,
            elements = 0x0, top_element = 0x0, persistent = 0 '\000'}, in = 0x0, lineno = 0, filename = 0x0, script_org = 0x0, script_org_size = 0, script_filtered = 0x0, script_filtered_size = 0, input_filter = 0x0,
          output_filter = 0x0, script_encoding = 0x0}
        op_array = 0x7f0350d40040
        original_active_op_array = 0x0
        retval = 0x7f0350d40040
        compiler_result = <optimized out>
        compilation_successful = 0 '\000'
        retval_znode = {op_type = 1, u = {op = {constant = 1, var = 1, num = 1, hash = 1, opline_num = 1, jmp_addr = 0x1, zv = 0x1, literal = 0x1, ptr = 0x1}, constant = {value = {lval = 1, dval = 4.9406564584124654e-324, str = {
                  val = 0x1 <error: Cannot access memory at address 0x1>, len = 1355599370}, ht = 0x1, obj = {handle = 1, handlers = 0x7f0350ccce0a}}, refcount__gc = 1, type = 1 '\001', is_ref__gc = 0 '\000'}, op_array = 0x1},
          EA = 1352782496}
        original_in_compilation = 0 '\000'
#2  0x00007f034ccfaaea in dtrace_compile_file (file_handle=0x7fff94794c10, type=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/Zend/zend_dtrace.c:40
        res = 0x7f0350d41218
#3  0x00007f034cb83cb4 in phar_compile_file (file_handle=<optimized out>, type=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/ext/phar/phar.c:3383
        __orig_bailout = 0x7fff94794c90
        __bailout = {{__jmpbuf = {139652217134240, 1560366938000916389, 140735684365136, 140735684365328, 139652158519872, 0, -1560319682279440475, -1467874381389299803}, __mask_was_saved = 0, __saved_mask = {__val = {139652217126952,
                0, 0, 139652217132542, 139652217128344, 139652217127072, 9, 139652217128728, 139652209727463, 139652219264008, 206158430232, 140735684365152, 140735684364960, 139652217228296, 140735684365056, 80}}}}
        res = <optimized out>
        name = 0x0
        failed = 0
        phar = 0x7f0350cb4028
#4  0x00007f034cd0c56f in zend_execute_scripts (type=type@entry=2, retval=retval@entry=0x0, file_count=file_count@entry=1) at /build/buildd/php5-5.5.9+dfsg/Zend/zend.c:1308
        files = {{gp_offset = 32, fp_offset = 32515, overflow_arg_area = 0x7fff94794be0, reg_save_area = 0x7fff94794b70}}
        i = 0
        file_handle = 0x7fff94794c10
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#5  0x00007f034cdbc4ed in php_handler (r=<optimized out>) at /build/buildd/php5-5.5.9+dfsg/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_MAPPED, filename = 0x7f0350cb5ca0 "/var/www/html/site_details_removed/js/stumble.js.php",
          opened_path = 0x7f0350d401a8 "/var/www/html/site_details_removed/js/stumble.js.php", handle = {fd = 1356071640, fp = 0x7f0350d402d8, stream = {handle = 0x7f0350d402d8, isatty = 0, mmap = {len = 309,
                pos = 0, map = 0x0, buf = 0x7f0350cb8000 <error: Cannot access memory at address 0x7f0350cb8000>, old_handle = 0x0, old_closer = 0x0}, reader = 0x7f034ccc24d0 <_php_stream_read>,
              fsizer = 0x7f034cca8cd0 <php_zend_stream_fsizer>, closer = 0x7f034cca8cb0 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {139652217127072, 1560366938000654245, 139652217127072, 139652221501312, 0, 139652217270928, -1560319682222817371, -1467873582333755483}, __mask_was_saved = 0, __saved_mask = {__val = {139652218377176,
                139652218107936, 139652217229512, 1, 139652218107936, 139652217229520, 139652217270432, 139652221501312, 0, 139652217270928, 139652164910243, 139652217134314, 2, 139652217229520, 139652217127072, 139652217988304}}}}
        ctx = 0x7f0350cbced8
        conf = <optimized out>
        brigade = 0x7f0350cb6620
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x7f0350cb90a0
#6  0x00007f0350e9b680 in ap_run_handler (r=0x7f0350cb40a0) at config.c:169
        pHook = 0x7f0350d864f8
        n = 2
        rv = 1356075544
#7  0x00007f0350e9bbc9 in ap_invoke_handler (r=r@entry=0x7f0350cb40a0) at config.c:439
        handler = <optimized out>
        p = <optimized out>
        result = <optimized out>
        old_handler = 0x7f0350d98828 "application/x-httpd-php"
        ignore = <optimized out>
#8  0x00007f0350eb116a in ap_process_async_request (r=0x7f0350cb40a0) at http_request.c:317
        access_status = 0
#9  0x00007f0350eb1444 in ap_process_request (r=r@entry=0x7f0350cb40a0) at http_request.c:363
        bb = <optimized out>
        b = <optimized out>
        c = 0x7f0350cd7290
        rv = <optimized out>
#10 0x00007f0350eadf02 in ap_process_http_sync_connection (c=0x7f0350cd7290) at http_core.c:190
        r = 0x7f0350cb40a0
        cs = 0x0
        csd = 0x7f0350cd70a0
        mpm_state = 1
#11 ap_process_http_connection (c=0x7f0350cd7290) at http_core.c:231
No locals.
#12 0x00007f0350ea4cc0 in ap_run_process_connection (c=0x7f0350cd7290) at connection.c:41
        pHook = 0x7f0350d86a40
        n = 0
        rv = 1356075544
#13 0x00007f0350ea50a8 in ap_process_connection (c=c@entry=0x7f0350cd7290, csd=<optimized out>) at connection.c:202
        rc = <optimized out>
#14 0x00007f034d6dc767 in child_main (child_num_arg=child_num_arg@entry=30) at prefork.c:704
        current_conn = 0x7f0350cd7290
        csd = 0x7f0350cd70a0
        thd = 0x7f0350cd90a0
        osthd = 139652218701696
        ptrans = 0x7f0350cd7028
        allocator = 0x7f035186d4b0
        status = <optimized out>
        i = <optimized out>
        lr = <optimized out>
        pollset = 0x7f0350cd9158
        sbh = 0x7f0350cd9150
        bucket_alloc = 0x7f0350cd3028
        last_poll_idx = 0
        lockfile = <optimized out>
#15 0x00007f034d6dc9a6 in make_child (s=0x7f0350e0ade0, slot=30) at prefork.c:800
        pid = 0
#16 0x00007f034d6dd60e in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:902
        i = <optimized out>
        idle_count = <optimized out>
        ws = <optimized out>
        free_length = <optimized out>
        free_slots = {28, 30, 34, 35, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65}
        last_non_dead = <optimized out>
        total_non_dead = <optimized out>
#17 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1090
        status = 0
        pid = {pid = -1, in = 0x7f0350ebc048, out = 0xa, err = 0x7f035059aff6}
        child_slot = <optimized out>
        exitwhy = APR_PROC_EXIT
        processed_status = <optimized out>
        index = <optimized out>
        remaining_children_to_start = 0
        rv = <optimized out>
#18 0x00007f0350e8269e in ap_run_mpm (pconf=0x7f0350e32028, plog=0x7f0350e06028, s=0x7f0350e0ade0) at mpm_common.c:96
        pHook = 0x7f0350d86da8
        n = 0
        rv = 1356075544
#19 0x00007f0350e7be36 in main (argc=3, argv=0x7fff94795318) at main.c:777
        c = 0 '\000'
        showcompile = 0
        showdirectives = 0
        confname = 0x7f0350ebb607 "apache2.conf"
        def_server_root = 0x7f0350ebb5fa "/etc/apache2"
        temp_error_log = 0x0
        error = <optimized out>
        process = 0x7f0350e3a118
        pconf = 0x7f0350e32028
        plog = 0x7f0350e06028
        ptemp = 0x7f0350e08028
        pcommands = 0x7f0350e10028
        opt = 0x7f0350e10118
        rv = <optimized out>
        mod = 0x7f03510dd160 <ap_prelinked_modules+64>
        opt_arg = 0x7f0350e3a028 "(\340\343P\003\177"
        signal_server = <optimized out>



Additionally, here's the script that is causing the error:

<?php
header('Content-type: text/javascript');
?>
function bfb_doStumbleShare(url)
{
	window.open(
		'http://www.stumbleupon.com/submit?'+
			'url='+url,
		'sharer',
		'top=' + (screen.height/2 - 160).toString() + ',left=' + (screen.width/2 - 290).toString() + ',toolbar=0,status=0,width=580,height=325'
	);
}

[2014-12-30 10:42 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2015-03-04 16:34 UTC] marting at skillset dot co dot uk

We are also seeing the same issue.  You have stated that there was "No Feedback", despite other people confirming the issue.  What feedback do you require to reopen and address the issue?  For reference, it is happening on our Ubuntu 14.04 LTS with PHP 5.5.9, Apache 2.4.7.

[2015-03-04 19:34 UTC] aharvey@php.net

-Status: No Feedback +Status: Open -Package: *General Issues +Package: Reproducible crash

[2015-03-04 19:34 UTC] aharvey@php.net

Reopened — the "No Feedback" update is a bot which can get confused if feedback is provided but the status isn't updated.

[2020-01-27 11:23 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2020-01-27 11:23 UTC] cmb@php.net

Does this issue still occur on any of the actively supported PHP
versions[1]?

<https://www.php.net/supported-versions.php>

[2020-02-09 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 00:00:02 2025 UTC