php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #69326 SIGSEGV (signal 11, Segmentation fault) in zend_string.h
Submitted: 2015-03-29 05:28 UTC Modified: 2021-06-20 04:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: pegasus at vaultwiki dot org Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: master-Git-2015-03-29 (Git) OS: Centos 6 64-bit
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2015-03-29 05:28 UTC] pegasus at vaultwiki dot org 
Description:
------------
A SIGSEGV appears in my php-fpm log files several times a day. I don't know which script is causing it, or what other effects it might be having. I managed to get the following backtrace.

Note that I am unable to follow the instructions for "Locating which function call caused a segfault" here: https://bugs.php.net/bugs-generating-backtrace.php

It seems that these instructions are either outdated or are not relevant for this particular segfault. Any ideas?

Actual result:
--------------
#0  0x0000000000967202 in zend_mm_alloc_small (heap=0x7f44bd800040,
    size=64, bin_num=7,
    __zend_filename=0xf98a68 "/root/php-src-1646e0e/Zend/zend_string.h",
    __zend_lineno=97, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /root/php-src-1646e0e/Zend/zend_alloc.c:1232
#1  0x0000000000967469 in zend_mm_alloc_heap (heap=0x7f44bd800040,
    size=64,
    __zend_filename=0xf98a68 "/root/php-src-1646e0e/Zend/zend_string.h",
    __zend_lineno=97, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /root/php-src-1646e0e/Zend/zend_alloc.c:1299
#2  0x00000000009696be in _emalloc (size=32,
    __zend_filename=0xf98a68 "/root/php-src-1646e0e/Zend/zend_string.h",
    __zend_lineno=97, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /root/php-src-1646e0e/Zend/zend_alloc.c:2208
#3  0x0000000000989787 in zend_string_alloc (len=6, persistent=0)
    at /root/php-src-1646e0e/Zend/zend_string.h:97
#4  0x00000000009927c0 in concat_function (result=0x7f44bd828a70,
    op1=0x7f44bd828980, op2=0x7f4480831e10)
    at /root/php-src-1646e0e/Zend/zend_operators.c:1555
#5  0x0000000000a3903e in ZEND_CONCAT_SPEC_CV_CONST_HANDLER (
    execute_data=0x7f44bd828920)
    at /root/php-src-1646e0e/Zend/zend_vm_execute.h:27768
#6  0x00000000009f181c in execute_ex (ex=0x7f44bd827030)
    at /root/php-src-1646e0e/Zend/zend_vm_execute.h:394
#7  0x00000000009f1972 in zend_execute (op_array=0x7f44bd871000,
    return_value=0x0) at /root/php-src-1646e0e/Zend/zend_vm_execute.h:434
#8  0x000000000099b34c in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /root/php-src-1646e0e/Zend/zend.c:1355
#9  0x000000000090a8cb in php_execute_script (primary_file=0x7fff4d767490)
    at /root/php-src-1646e0e/main/main.c:2519
#10 0x0000000000a702b3 in main (argc=8, argv=0x7fff4d7676b8)
    at /root/php-src-1646e0e/sapi/fpm/fpm/fpm_main.c:1891

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-29 07:16 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-03-29 07:16 UTC] laruence@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

if no reproduce script, we can't do much thing on this...
 [2015-03-29 08:59 UTC] nikic@php.net 
To get a userland backtrace, switch to the execute_ex frame "f 6", load gdb macros "source path/to/php-src/.gdbinit" and run "zbacktrace execute_data".
 [2015-03-29 13:29 UTC] pegasus at vaultwiki dot org 
Thanks for the info. After seeing the userland backtrace, I have little faith of being able to create a script that can reproduce this. According to the backtrace, the offending line is 195 in a particular script:
###
$obj_key = $type . '/' . $class;
###

Which appears in this context:
###
	public static function fetch_object($type, $class, $dependency = '', $always_instantiate = false)
	{
		static $object = array();

		$obj_key = $type . '/' . $class; // SEGFAULT?

		if ($dependency AND $class != 'Dependency')
		{
			$obj_key .= '/' . $dependency;
		}
###

The backtrace claims that $type = 'Model' and $class = 'Node' when it is passed to ::fetch_object
From a userland perspective, anything above this context in the stack should not have an effect here.

Since not only does this code run in production flawlessly 99.9% of the time for this and other arguments, I cannot see being able to concatenate any simple string like this in an attempt to cause a segfault for a test script without understanding the way the internals work.

Further, this is going off of the line numbers provided by the backtrace that in some cases are blatantly wrong. I have noticed in recent builds of PHP that line numbers associated with errors in general tend to be completely wrong. Hoping you sort out the issue with line numbers soon.
 [2015-03-30 10:49 UTC] nikic@php.net 
The linenos in zbacktrace may well be wrong - the implementation is not very complete. But I'm not aware of incorrect line numbers for normal errors. Can you maybe post an example?
 [2015-04-01 20:02 UTC] pegasus at vaultwiki dot org 
Apologies, the line numbering issue I had noted was actually an issue with the way my code viewer counted lines. I have switched viewers, and the line numbers given by userland errors are now correct.

In my last reply I mentioned the segfault occurred on line 195 in my script. Using the correct line numbers, line 195 is the closing brace in the last line of the snippet I provided.

I should also mention that in this case, the backtrace claims that $dependency is passed explicitly as "" (not just using the default value).

I believe I have located the site URL that leads to this the segfault, so I can start stepping through the calling script and see if there's anything unusual going on.
 [2015-04-02 04:05 UTC] pegasus at vaultwiki dot org 
I was able to resolve the segfault by making a small change to the script. Unfortunately, it is a very large script and the segfault seemed to occur only with certain data sets -- I could not reproduce the segfault on a separate installation or by using a smaller test script. I compared the data sets that segfaulted to sets that didn't and there were no differences or irregularities that I could see.

However, here is the test script I made that demonstrates the kinds of operations the script performs, as well as where the segfault occurs (while this test doesn't actually segfault):

###
class Info_Object
{
}

class Item_Object
{
	protected $infoid = 0;

	public function getInfoId()
	{
		$this->infoid = 1;

		return $this->infoid;
	}
}

function fetch_info(&$infoid)
{
	global $infocache;

	$infoid = intval($infoid);

	if (!isset($infocache["$infoid"]))
	{
		$infocache["$infoid"] = array(
			'contentid' => 1,
			'title' => 'Content'
		);

		$shortcut =& $infocache["$infoid"];
	}

	// other code here was the backtrace in the core dump
	// such as
	$infocache["$infoid"]['itemid'] = $infoid;

	// but when walking through, we learned that the segfault was later

	return $infocache["$infoid"]; // segfault
}

$view = new Info_Object();
$view->item = new Item_Object();
$view->infoid = $view->item->getInfoId();

if ($view->infoid)
{
	$info = fetch_info($view->infoid);
}

echo 'SUCCESS';
exit;
####

I was able to resolve the segfault by modifying this line:
####
$info = fetch_info($view->infoid);
####

So that the new line was like so:
####
$infoid = $view->infoid;
$info = fetch_info($infoid);
####

Hopefully this gives a clue as to where to look.
 [2015-04-12 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-04-12 05:13 UTC] requinix@php.net
-Status: No Feedback +Status: Open
 [2021-06-09 14:24 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 14:24 UTC] cmb@php.net 
Is this still an issue with any of the actively supported PHP
versions[1]?
 [2021-06-09 14:26 UTC] cmb@php.net 
[1] <https://www.php.net/supported-versions.php>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved. 		Last updated: Thu Oct 21 19:03:35 2021 UTC