php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66752 Segfault when using local variables
Submitted: 2014-02-21 21:10 UTC Modified: 2017-10-24 23:03 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: mariano dot perez dot rodriguez at gmail dot com Assigned:
Status: Suspended Package: operator (PECL)
PHP Version: 5.5.9 OS: #1 SMP Debian 3.12.9-1 (2014-02-
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mariano dot perez dot rodriguez at gmail dot com
New email:
PHP Version: OS:

 

 [2014-02-21 21:10 UTC] mariano dot perez dot rodriguez at gmail dot com
Description:
------------
When this extension is loaded, using ANY local variables AT ALL produces a segmentation fault.


operator version: master from https://git.php.net/repository/pecl/php/operator.git


PHP --version:

PHP 5.5.9-1 (cli) (built: Feb  7 2014 18:09:20) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with XCache v3.1.0, Copyright (c) 2005-2013, by mOo
    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
    with XCache Optimizer v3.1.0, Copyright (c) 2005-2013, by mOo
    with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo
    with XCache Coverager v3.1.0, Copyright (c) 2005-2013, by mOo


Test script:
---------------
<?php

class A {
  public function doIt() {
    echo "Shows\n";
    $temp = 0;
    echo "Does not show\n";
  }
}

$a = new A();
$a->doIt();


Expected result:
----------------
Expected output:

Shows
Does not show

Actual result:
--------------
Actual result:

> Shows

valgrind php testscript.php:

==5601== Memcheck, a memory error detector
==5601== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==5601== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==5601== Command: php testscript.php
==5601== 
Shows
==5601== Invalid read of size 4
==5601==    at 0x6DDBB1: zend_hash_quick_find (in /usr/bin/php5)
==5601==    by 0x8FA3656: _php_operator_binary_assign_op (operator.c:93)
==5601==    by 0x6F8F27: execute_ex (in /usr/bin/php5)
==5601==    by 0x6BF218: dtrace_execute_ex (in /usr/bin/php5)
==5601==    by 0x77F97B: ??? (in /usr/bin/php5)
==5601==    by 0x6F8F27: execute_ex (in /usr/bin/php5)
==5601==    by 0x6BF218: dtrace_execute_ex (in /usr/bin/php5)
==5601==    by 0x6D0BFF: zend_execute_scripts (in /usr/bin/php5)
==5601==    by 0x670DE4: php_execute_script (in /usr/bin/php5)
==5601==    by 0x78135D: ??? (in /usr/bin/php5)
==5601==    by 0x4603AF: main (in /usr/bin/php5)
==5601==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==5601== 
==5601== 
==5601== Process terminating with default action of signal 11 (SIGSEGV)
==5601==  Access not within mapped region at address 0x4
==5601==    at 0x6DDBB1: zend_hash_quick_find (in /usr/bin/php5)
==5601==    by 0x8FA3656: _php_operator_binary_assign_op (operator.c:93)
==5601==    by 0x6F8F27: execute_ex (in /usr/bin/php5)
==5601==    by 0x6BF218: dtrace_execute_ex (in /usr/bin/php5)
==5601==    by 0x77F97B: ??? (in /usr/bin/php5)
==5601==    by 0x6F8F27: execute_ex (in /usr/bin/php5)
==5601==    by 0x6BF218: dtrace_execute_ex (in /usr/bin/php5)
==5601==    by 0x6D0BFF: zend_execute_scripts (in /usr/bin/php5)
==5601==    by 0x670DE4: php_execute_script (in /usr/bin/php5)
==5601==    by 0x78135D: ??? (in /usr/bin/php5)
==5601==    by 0x4603AF: main (in /usr/bin/php5)
==5601==  If you believe this happened as a result of a stack
==5601==  overflow in your program's main thread (unlikely but
==5601==  possible), you can try to increase the size of the
==5601==  main thread stack using the --main-stacksize= flag.
==5601==  The main thread stack size used in this run was 8388608.
==5601== 
==5601== HEAP SUMMARY:
==5601==     in use at exit: 4,772,565 bytes in 26,664 blocks
==5601==   total heap usage: 28,123 allocs, 1,459 frees, 4,989,666 bytes allocated
==5601== 
==5601== LEAK SUMMARY:
==5601==    definitely lost: 0 bytes in 0 blocks
==5601==    indirectly lost: 0 bytes in 0 blocks
==5601==      possibly lost: 0 bytes in 0 blocks
==5601==    still reachable: 4,772,565 bytes in 26,664 blocks
==5601==         suppressed: 0 bytes in 0 blocks
==5601== Rerun with --leak-check=full to see details of leaked memory
==5601== 
==5601== For counts of detected and suppressed errors, rerun with: -v
==5601== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
[1]    5601 segmentation fault  valgrind php testscript.php


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-24 19:59 UTC] krakjoe@php.net
You have more than one opcode cache and optimizer loaded, is there a reason for that ??

It's reasonable to assume that nobody expects this to happen, this is probably not the root cause of the problem, but it makes me cringe still ...
 [2014-02-24 20:01 UTC] krakjoe@php.net
-Assigned To: +Assigned To: gabrielwu84
 [2014-02-24 20:01 UTC] krakjoe@php.net
The beta version on pecl is ahead of master ... http://pecl.php.net/package/operator v0.4.1 is latest and the last version to receive updates.

Assigning to the new lead to get some attention ...
 [2014-02-24 20:44 UTC] mariano dot perez dot rodriguez at gmail dot com
Sorry about that, actually, uninstalling xcache did the trick... I don't know how it got installed in the first place.

One way or another, I don't know whether this should still be considered a bug...
 [2014-02-24 20:51 UTC] mariano dot perez dot rodriguez at gmail dot com
Actually, trying to 'pecl install channel://pecl.php.net/operator-0.4.1' causes:

/bin/bash /tmp/pear/temp/pear-build-rootgdOeP0/operator-0.4.1/libtool --mode=compile cc  -I. -I/tmp/pear/temp/operator -DPHP_ATOM_INC -I/tmp/pear/temp/pear-build-rootgdOeP0/operator-0.4.1/include -I/tmp/pear/temp/pear-build-rootgdOeP0/operator-0.4.1/main -I/tmp/pear/temp/operator -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib  -DHAVE_CONFIG_H  -g -O2   -c /tmp/pear/temp/operator/operator.c -o operator.lo
libtool: compile:  cc -I. -I/tmp/pear/temp/operator -DPHP_ATOM_INC -I/tmp/pear/temp/pear-build-rootgdOeP0/operator-0.4.1/include -I/tmp/pear/temp/pear-build-rootgdOeP0/operator-0.4.1/main -I/tmp/pear/temp/operator -I/usr/include/php5 -I/usr/include/php5/main -I/usr/include/php5/TSRM -I/usr/include/php5/Zend -I/usr/include/php5/ext -I/usr/include/php5/ext/date/lib -DHAVE_CONFIG_H -g -O2 -c /tmp/pear/temp/operator/operator.c  -fPIC -DPIC -o .libs/operator.o
/tmp/pear/temp/operator/operator.c: In function 'php_operator_zval_ptr':
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:76:11: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    return PHP_OPERATOR_EX_T(node->var).var.ptr;
           ^
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:78:32: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    return (should_free->var = &PHP_OPERATOR_EX_T(node->var).tmp_var);
                                ^
/tmp/pear/temp/operator/operator.c:82:31: error: 'zend_execute_data' has no member named 'CVs'
    zval ***ret = &execute_data->CVs[node->var];
                               ^
/tmp/pear/temp/operator/operator.c: In function 'php_operator_zval_ptr_ptr':
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:138:11: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    return PHP_OPERATOR_EX_T(node->var).var.ptr_ptr;
           ^
/tmp/pear/temp/operator/operator.c:142:31: error: 'zend_execute_data' has no member named 'CVs'
    zval ***ret = &execute_data->CVs[node->var];
                               ^
/tmp/pear/temp/operator/operator.c: In function 'php_operator_get_result_ptr':
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:196:12: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    return &PHP_OPERATOR_EX_T(opline->result.var).tmp_var;
            ^
/tmp/pear/temp/operator/operator.c: In function 'php_operator_set_result_ptr':
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:215:4: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    PHP_OPERATOR_EX_T(opline->result.var).var.ptr = result;
    ^
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:216:4: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    PHP_OPERATOR_EX_T(opline->result.var).var.ptr_ptr = &PHP_OPERATOR_EX_T(opline->result.var).var.ptr;
    ^
/tmp/pear/temp/operator/operator.c:44:74: error: 'zend_execute_data' has no member named 'Ts'
 #define PHP_OPERATOR_EX_T(offset) (*(temp_variable *)((char*)execute_data->Ts + offset))
                                                                          ^
/tmp/pear/temp/operator/operator.c:216:57: note: in expansion of macro 'PHP_OPERATOR_EX_T'
    PHP_OPERATOR_EX_T(opline->result.var).var.ptr_ptr = &PHP_OPERATOR_EX_T(opline->result.var).var.ptr;
                                                         ^
/tmp/pear/temp/operator/operator.c: In function '_php_operator_binary_assign_op':
/tmp/pear/temp/operator/operator.c:427:5: error: too few arguments to function 'object->value.obj.handlers->get_property_ptr_ptr'
     zval **varpp = Z_OBJ_HT_P(object)->get_property_ptr_ptr(object, prop, 0 TSRMLS_CC);
     ^
/tmp/pear/temp/operator/operator.c: In function '_php_operator_unary_assign_obj_op':
/tmp/pear/temp/operator/operator.c:591:3: error: too few arguments to function 'obj->value.obj.handlers->get_property_ptr_ptr'
   zval **varpp = Z_OBJ_HT_P(obj)->get_property_ptr_ptr(obj, prop, 0 TSRMLS_CC);
   ^
make: *** [operator.lo] Error 1
ERROR: `make' failed
 [2014-02-25 16:15 UTC] mariano dot perez dot rodriguez at gmail dot com
I've dedicated some time to this, and here are my findings:

1. The version in http://pecl.php.net/package/operator does NOT seem to ahead of the one at https://git.php.net/repository/pecl/php/operator.git,
2. I've managed to pin down the bug to commit 8d08917aad74a8d1f05efb1bd0a09f0fdc327e23 "Add overloading for direct assignment." (which just so happens, it is the last one), everything works as expected if you check out the previous one (for reference: 63f17c8743a928d2b9a9406ec6e6c69c5348df32 "Apply patch from Bug#56904 because it can't hurt."),
3. Fiddling around, it would look like zend treats assignment differently than other opertation+assignment operators, hence the bug
 [2017-10-24 07:07 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: gabrielwu84 +Assigned To:
 [2017-10-24 23:03 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-10-24 23:03 UTC] kalle@php.net
The operator PECL package have not had a release for 4 years and development activity seems to have ceased, if a new maintainer picks up this package, then this report should be re-opened
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Nov 12 17:01:33 2024 UTC