Bug #68135 SIGABRT on eval($static_variable_code_string)
Submitted: 2014-10-02 19:36 UTC
Modified: 2014-10-03 19:11 UTC
From: pegasus at vaultwiki dot org
Assigned: nikic
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2014-10-02 (Git)
OS: Centos 6 64-bit
Private report: No
CVE-ID: None
 [2014-10-02 19:36 UTC] pegasus at vaultwiki dot org
Description:
------------
I don't know what causes this, but the current build of the master branch is completely unusable on my site. SIGABRT is triggered on every single request that routes through PHP-FPM. For now, I've rolled back to PHP 5.6.0.

Expected result:
----------------
No SIGABRT.

Actual result:
--------------
#0  0x0000003f3e232635 in raise () from /lib64/libc.so.6
#1  0x0000003f3e233e15 in abort () from /lib64/libc.so.6
#2  0x0000003f3e22b75e in __assert_fail_base () from /lib64/libc.so.6
#3  0x0000003f3e22b820 in __assert_fail () from /lib64/libc.so.6
#4  0x0000000000983cda in _convert_to_string (op=0x7fff3b272790,
    __zend_filename=0xf62af8 "/root/php-src/Zend/zend_vm_execute.h",
    __zend_lineno=33522) at /root/php-src/Zend/zend_operators.c:596
#5  0x0000000000a39897 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (
    execute_data=0x7fe9b30375d0) at /root/php-src/Zend/zend_vm_execute.h:33522
#6  0x00000000009e1c40 in execute_ex (execute_data=0x7fe9b30375d0)
    at /root/php-src/Zend/zend_vm_execute.h:352
#7  0x000000000097c2ae in zend_call_function (fci=0x7fff3b272ac0,
    fci_cache=0x7fff3b272a60) at /root/php-src/Zend/zend_execute_API.c:849
#8  0x00000000009b786d in zend_call_method (object=0x7fe9b3032660,
    obj_ce=0x7fe9b2370718, fn_proxy=0x7fe9b2370848,
    function_name=0xf6139f "__tostring", function_name_len=10,
    retval_ptr=0x7fff3b272bc0, param_count=0, arg1=0x0, arg2=0x0)
    at /root/php-src/Zend/zend_interfaces.c:101
#9  0x00000000009d3118 in zend_std_cast_object_tostring (
    readobj=0x7fe9b3032660, writeobj=0x7fff3b272c70, type=6)
    at /root/php-src/Zend/zend_object_handlers.c:1564
#10 0x0000000000984f48 in _zval_get_string_func (op=0x7fe9b3032660)
    at /root/php-src/Zend/zend_operators.c:851


 [2014-10-02 19:38 UTC] pegasus at vaultwiki dot org
Just noticed there was more to the backtrace:


#11 0x00000000009924e8 in zend_make_printable_zval (expr=0x7fe9b3032660,
    expr_copy=0x7fff3b272d10) at /root/php-src/Zend/zend.c:220
#12 0x000000000098b97b in concat_function (result=0x7fe9b3032670,
    op1=0x7fe9b1e7bb70, op2=0x7fe9b3032660)
    at /root/php-src/Zend/zend_operators.c:1541
#13 0x00000000009ef6d9 in ZEND_CONCAT_SPEC_CONST_VAR_HANDLER (
    execute_data=0x7fe9b302cb90) at /root/php-src/Zend/zend_vm_execute.h:6053
#14 0x00000000009e1c40 in execute_ex (execute_data=0x7fe9b302cb90)
    at /root/php-src/Zend/zend_vm_execute.h:352
#15 0x00000000009e1d7d in zend_execute (op_array=0x7fe9b3075000,
    return_value=0x0) at /root/php-src/Zend/zend_vm_execute.h:381
#16 0x0000000000994826 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /root/php-src/Zend/zend.c:1290
#17 0x00000000009059b3 in php_execute_script (primary_file=0x7fff3b277430)
    at /root/php-src/main/main.c:2560
#18 0x0000000000a634ba in main (argc=8, argv=0x7fff3b277658)
    at /root/php-src/sapi/fpm/fpm/fpm_main.c:1948
 [2014-10-02 21:12 UTC] pegasus at vaultwiki dot org
I think I have narrowed down the issue.

I believe the SIGABRT is triggered when an eval is performed on the contents of a function's static variable.

===
function statically_eval()
{
	static $code = '$i = 1;';

	if ($code)
	{
		eval($code);
	}
}

statically_eval();
===

However, as soon as the code is changed like so:
===
function statically_eval()
{
	static $code = '$i = 1;';

	if ($code)
	{
		eval(strval($code));
	}
}

statically_eval();
===
Then it works as expected (note the extra strval in the eval call). Moving the strval to a separate line does not fix the problem; only when nested is the SIGABRT avoided.
 [2014-10-02 21:22 UTC] pegasus at vaultwiki dot org
-Summary: PHP-FPM children SIGABRT on every request
+Summary: SIGABRT on eval($static_variable_code_string)
 [2014-10-02 21:22 UTC] pegasus at vaultwiki dot org
updated title
 [2014-10-03 19:09 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7623f470f3c43396db4adcceeb63bd7029bc5ff
Log: Fix bug #68133 and bug #68135
 [2014-10-03 19:11 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2014-10-05 17:50 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7623f470f3c43396db4adcceeb63bd7029bc5ff
Log: Fix bug #68133 and bug #68135
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7623f470f3c43396db4adcceeb63bd7029bc5ff
Log: Fix bug #68133 and bug #68135
 