Bug #66778 Segmentation fault at ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER
Submitted: 2014-02-26 07:31 UTC Modified: 2014-02-26 07:42 UTC
From: tuomas dot tynjala at linkity dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.4.25 OS: Amazon Linux
Private report: No CVE-ID: None
 [2014-02-26 07:31 UTC] tuomas dot tynjala at linkity dot net
Description:
------------
Symptoms:

After updating software and clearing the APC cache, the code crashes with a segmentation fault.

The problem was produced with PHP 5.4.23 on Amazon Linux; however, looking at the code, it seems the suspected fault would also be present in the current latest version 5.4.25 and in the development snapshot of 5.4:

Regretfully, the problem seems to be random in nature and does not appear systematically. However, looking at the gdb stack trace and comparing it to the PHP code reveals something that looks suspicious:

Gdb stack trace of the crash:

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f2a246c6b70) at /usr/src/debug/php-5.4.23/Zend/zend_vm_execute.h:22456
22456			ZVAL_COPY_VALUE(retval, &c->value);
(gdb) where
#0  ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f2a246c6b70) at /usr/src/debug/php-5.4.23/Zend/zend_vm_execute.h:22456
#1  0x00007f2a184041df in execute (op_array=0x7f2a25d08b08) at /usr/src/debug/php-5.4.23/Zend/zend_vm_execute.h:410
#2  0x00007f2a183907a8 in zend_call_function (fci=0x7fff99dcf030, fci_cache=<value optimized out>) at /usr/src/debug/php-5.4.23/Zend/zend_execute_API.c:956
#3  0x00007f2a182dc068 in zif_call_user_func_array (ht=<value optimized out>, return_value=0x7f2a25586398, return_value_ptr=<value optimized out>, 
    this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /usr/src/debug/php-5.4.23/ext/standard/basic_functions.c:4750
#4  0x00007f2a18445a37 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.4.23/Zend/zend_vm_execute.h:643
#5  0x00007f2a184041df in execute (op_array=0x7f2a246f7c58) at /usr/src/debug/php-5.4.23/Zend/zend_vm_execute.h:410
#6  0x00007f2a1839f428 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.23/Zend/zend.c:1319
#7  0x00007f2a1833ef03 in php_execute_script (primary_file=0x7fff99dd15f0) at /usr/src/debug/php-5.4.23/main/main.c:2502
#8  0x00007f2a1844789d in php_handler (r=0x7f2a253fc6a8) at /usr/src/debug/php-5.4.23/sapi/apache2handler/sapi_apache2.c:667
#9  0x00007f2a24752e88 in ap_run_handler (r=0x7f2a253fc6a8) at config.c:169
#10 0x00007f2a247532fe in ap_invoke_handler (r=0x7f2a253fc6a8) at config.c:432
#11 0x00007f2a24766f7c in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at http_request.c:644
#12 0x00007f2a1cf38945 in handler_redirect (r=0x7f2a253f8ea0) at mod_rewrite.c:5051
#13 0x00007f2a24752e88 in ap_run_handler (r=0x7f2a253f8ea0) at config.c:169
#14 0x00007f2a247532fe in ap_invoke_handler (r=0x7f2a253f8ea0) at config.c:432
#15 0x00007f2a24767d0a in ap_process_async_request (r=0x7f2a253f8ea0) at http_request.c:317
#16 0x00007f2a24767e6f in ap_process_request (r=0x7f2a253f8ea0) at http_request.c:363
#17 0x00007f2a247643a5 in ap_process_http_sync_connection (c=0x7f2a253e8dc0) at http_core.c:190
#18 ap_process_http_connection (c=0x7f2a253e8dc0) at http_core.c:231
#19 0x00007f2a2475c2b8 in ap_run_process_connection (c=0x7f2a253e8dc0) at connection.c:41
#20 0x00007f2a1a603633 in child_main (child_num_arg=<value optimized out>) at prefork.c:704
#21 0x00007f2a1a60388c in make_child (s=0x7f2a24fd8348, slot=2) at prefork.c:800
#22 0x00007f2a1a6038f7 in startup_children (number_to_start=3) at prefork.c:818
#23 0x00007f2a1a6043fe in prefork_run (_pconf=<value optimized out>, plog=0x7f2a2500c4e8, s=0x7f2a24fd8348) at prefork.c:976
#24 0x00007f2a24738686 in ap_run_mpm (pconf=0x7f2a24fad138, plog=0x7f2a2500c4e8, s=0x7f2a24fd8348) at mpm_common.c:98
#25 0x00007f2a24731c78 in main (argc=1, argv=0x7fff99dd1e18) at main.c:777

The crashing code, in the file zend_vm_execute.h, is:

static int ZEND_FASTCALL  ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS)
{
	USE_OPLINE

	SAVE_OPLINE();
	if (IS_UNUSED == IS_UNUSED) {
		zend_constant *c;
		zval *retval;

		if (CACHED_PTR(opline->op2.literal->cache_slot)) {
			c = CACHED_PTR(opline->op2.literal->cache_slot);
		} else if ((c = zend_quick_get_constant(opline->op2.literal + 1, opline->extended_value TSRMLS_CC)) == NULL) {
			if ((opline->extended_value & IS_CONSTANT_UNQUALIFIED) != 0) {
				char *actual = (char *)zend_memrchr(Z_STRVAL_P(opline->op2.zv), '\\', Z_STRLEN_P(opline->op2.zv));
				if(!actual) {
					actual = Z_STRVAL_P(opline->op2.zv);
				} else {
					actual++;
				}
				/* non-qualified constant - allow text substitution */
				zend_error(E_NOTICE, "Use of undefined constant %s - assumed '%s'", actual, actual);
				ZVAL_STRINGL(&EX_T(opline->result.var).tmp_var, actual, Z_STRLEN_P(opline->op2.zv)-(actual - Z_STRVAL_P(opline->op2.zv)), 1);
				CHECK_EXCEPTION();
				ZEND_VM_NEXT_OPCODE();
			} else {
				zend_error_noreturn(E_ERROR, "Undefined constant '%s'", Z_STRVAL_P(opline->op2.zv));
			}
		} else {
			CACHE_PTR(opline->op2.literal->cache_slot, c); 
		}
		retval = &EX_T(opline->result.var).tmp_var;
		ZVAL_COPY_VALUE(retval, &c->value);
		zval_copy_ctor(retval);
		CHECK_EXCEPTION();
		ZEND_VM_NEXT_OPCODE();
	} else {
		/* class constant */
..

The crash happens at line 22456, i.e. the line

		ZVAL_COPY_VALUE(retval, &c->value);

Looking at the code above it, it seems that if execution picks the 'else' path, i.e. executes line 22453, which is ..

			CACHE_PTR(opline->op2.literal->cache_slot, c); 

.. the macro CACHE_PTR, defined in zend_execute.h at line 437 as ..

#define CACHE_PTR(num, ptr) do { \
		EG(active_op_array)->run_time_cache[(num)] = (ptr); \
	} while (0)

.. does not seem to set any value for the 2nd parameter. This means the value of c is left uninitialized, and then evaluating &c->value in line 22456 causes a segmentation fault.




Test script:
---------------
Regretfully not reproducible systematically.

Expected result:
----------------
No segmentation fault.

Actual result:
--------------
Segmentation fault happens.


History

 [2014-02-26 07:42 UTC] tuomas dot tynjala at linkity dot net
-Status: Open +Status: Closed
 [2014-02-26 07:42 UTC] tuomas dot tynjala at linkity dot net
Closing as invalid. The 2nd else if sets the value for c.
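The closing comment is the key to the analysis in the report: in `else if ((c = zend_quick_get_constant(...)) == NULL)` the assignment happens inside the condition, so by the time the final `else` runs `CACHE_PTR`, `c` is already non-NULL, and `CACHE_PTR` only needs to store it. The following added example (not PHP source; `constant_t`, `lookup_constant`, `fetch_constant`, `run_time_cache` and the constant table are hypothetical stand-ins) models that control flow in isolation so the three paths can be traced: cache hit, slow-path lookup that fills the cache, and undefined constant, which exits before `c` is ever dereferenced.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from php-src: a minimal model of the control flow
 * in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER. All names below are
 * hypothetical stand-ins for the engine's own types and functions. */

typedef struct {
    const char *name;
    long value;
} constant_t;

/* Constructed table standing in for the engine's constant table. */
static constant_t g_constants[] = {
    { "PHP_VERSION_ID_MODEL", 50425 },
    { "E_ALL_MODEL", 32767 },
};

/* Stands in for EG(active_op_array)->run_time_cache: one slot per fetch site. */
#define CACHE_SLOTS 4
static constant_t *run_time_cache[CACHE_SLOTS];

/* Counts slow-path lookups so a caller can see that a filled slot skips them. */
static int lookups_performed = 0;

#define CACHED_PTR(num)      (run_time_cache[(num)])
#define CACHE_PTR(num, ptr)  do { run_time_cache[(num)] = (ptr); } while (0)

/* Plays the role of zend_quick_get_constant(): NULL when the name is unknown. */
static constant_t *lookup_constant(const char *name)
{
    lookups_performed++;
    for (size_t i = 0; i < sizeof g_constants / sizeof g_constants[0]; i++) {
        if (strcmp(g_constants[i].name, name) == 0) {
            return &g_constants[i];
        }
    }
    return NULL;
}

/* Returns 0 and stores the value on success, -1 for an undefined constant
 * (the model of the zend_error_noreturn branch, which never reaches the copy). */
static int fetch_constant(int cache_slot, const char *name, long *out)
{
    constant_t *c;

    if (CACHED_PTR(cache_slot)) {
        /* fast path: the slot was filled by an earlier fetch at this site */
        c = CACHED_PTR(cache_slot);
    } else if ((c = lookup_constant(name)) == NULL) {
        /* the assignment in this condition is what initialises c on the slow
         * path; only the NULL result falls into this block, which returns */
        fprintf(stderr, "Undefined constant '%s'\n", name);
        return -1;
    } else {
        /* c is non-NULL here because the condition above assigned it;
         * CACHE_PTR only has to store it, not produce it */
        CACHE_PTR(cache_slot, c);
    }

    /* every path that reaches this point has c set */
    *out = c->value;
    return 0;
}

static void reset_cache(void)
{
    memset(run_time_cache, 0, sizeof run_time_cache);
    lookups_performed = 0;
}

int main(void)
{
    long v = 0;
    reset_cache();
    fetch_constant(0, "E_ALL_MODEL", &v);
    printf("E_ALL_MODEL = %ld (lookups so far: %d)\n", v, lookups_performed);
    fetch_constant(0, "E_ALL_MODEL", &v);   /* same slot: served from the cache */
    printf("E_ALL_MODEL = %ld (lookups so far: %d)\n", v, lookups_performed);
    if (fetch_constant(1, "NO_SUCH_CONSTANT", &v) != 0) {
        printf("undefined constant reported without dereferencing c\n");
    }
    return 0;
}
```

Tracing `fetch_constant` with a debugger or by hand shows why the report's reading was off: the `else` branch holding `CACHE_PTR` is reachable only when the preceding `else if` condition evaluated to false, and that condition can only be false after it assigned a non-NULL pointer to `c`.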
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Feb 27 15:01:28 2020 UTC