Bug #69674 SIGSEGV array.c:953
Submitted: 2015-05-20 15:08 UTC Modified: 2015-07-29 08:09 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: opitz dot alexander at googlemail dot com Assigned: laruence
Status: Closed Package: *General Issues
PHP Version: 7.0.0beta2 OS: *
Private report: No CVE-ID:
 [2015-05-20 15:08 UTC] opitz dot alexander at googlemail dot com
Description:
------------
I'm running TYPO3 Unit tests with PHP7, which leads to this SIGSEGV while running the RequestBuilderTest.

>>>
Starting test 'TYPO3\CMS\Extbase\Tests\Unit\Mvc\Web\RequestBuilderTest::buildThrowsExceptionIfControllerConfigurationIsEmptyOrNotSet'.
Segmentation fault
<<<

Running the test alone (and not all tests inside the file) works fine.

Output of gdb

Program received signal SIGSEGV, Segmentation fault.
0x000000000081e8ca in zif_current (execute_data=0x7fffef0191a0, return_value=0x7fffef0190d0) at /php7/ext/standard/array.c:953
953             RETURN_ZVAL_FAST(entry);
(gdb) zbacktrace
[0x7fffef0191a0] current(Es gibt kein Mitglied mit dem Namen ht.
(gdb) backtrace
#0  0x000000000081e8ca in zif_current (execute_data=0x7fffef0191a0, return_value=0x7fffef0190d0) at /php7/ext/standard/array.c:953
#1  0x00000000009e62e4 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /php7/Zend/zend_vm_execute.h:692
#2  0x00000000009e5745 in execute_ex (ex=0x7fffef018900) at /php7/Zend/zend_vm_execute.h:394
#3  0x0000000000971df2 in zend_call_function (fci=0x7fffffffa490, fci_cache=0x7fffffffa460) at /php7/Zend/zend_execute_API.c:841
#4  0x00000000007bb533 in zim_reflection_method_invokeArgs (execute_data=0x7fffef018880, return_value=0x7fffef018580) at /php7/ext/reflection/php_reflection.c:3222
#5  0x00000000009e68f8 in ZEND_DO_FCALL_SPEC_HANDLER () at /php7/Zend/zend_vm_execute.h:821
#6  0x00000000009e5745 in execute_ex (ex=0x7fffef014030) at /php7/Zend/zend_vm_execute.h:394
#7  0x00000000009e585b in zend_execute (op_array=0x7fffef084000, return_value=0x0) at /php7/Zend/zend_vm_execute.h:434
#8  0x000000000098a1e5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php7/Zend/zend.c:1389
#9  0x00000000008f5666 in php_execute_script (primary_file=0x7fffffffcc40) at /php7/main/main.c:2479
#10 0x0000000000a56413 in do_cli (argc=4, argv=0x1384840) at /php7/sapi/cli/php_cli.c:967
#11 0x0000000000a575cb in main (argc=4, argv=0x1384840) at /php7/sapi/cli/php_cli.c:1334

Expected result:
----------------
No SIGSEGV

Actual result:
--------------
Crash with SIGSEGV

Patches

ZEND_HASH_FILL_END (last revision 2015-07-28 21:49 UTC) by cmb@php.net


Pull Requests


History

 [2015-05-21 03:07 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-05-21 03:07 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-05-21 07:15 UTC] opitz dot alexander at googlemail dot com
-Status: Feedback +Status: Open
 [2015-05-21 07:15 UTC] opitz dot alexander at googlemail dot com
ATM I don't have the time to write the given test file including phpunit in 10-20 lines, nor do I have the possibility to drag this issue down to get this crash into 10-20 lines.
As you can see, "zbacktrace" doesn't give a hint, and a normal backtrace is attached.
The source of TYPO3 can be found on https://github.com/TYPO3/TYPO3.CMS in branch master. The test file itself is located here: https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/extbase/Tests/Unit/Mvc/Web/RequestBuilderTest.php
 [2015-05-22 09:55 UTC] laruence@php.net
Okay, I have cloned TYPO3; how could I run the test?
 [2015-05-22 10:25 UTC] opitz dot alexander at googlemail dot com
I run it normally with

phpunit -c typo3/sysext/core/Build/UnitTests.xml

At the moment I use PHPUnit 4.6.6
 [2015-06-05 12:18 UTC] opitz dot alexander at googlemail dot com
Example of output for running the tests.

https://travis-ci.org/TYPO3/TYPO3.CMS/jobs/65556246
 [2015-06-23 13:26 UTC] opitz dot alexander at googlemail dot com
Dragged this down a bit further.

The crash happens on the following line:
https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/extbase/Classes/Mvc/Web/RequestBuilder.php#L110

$this->defaultControllerName = current(array_keys($configuration['controllerConfiguration']));

In the crashing test, this is an empty array. But trying this in a 10-line test doesn't fail.
 [2015-06-23 13:38 UTC] opitz dot alexander at googlemail dot com
Snippet to crash PHP7.

Without the unset, $var isn't changed and returns the same content as before.
If the array is empty in the first assignment, you get a notice that $var is an uninitialized variable.

<?php
    // First call on a non-empty array: current() returns the first key.
    $configuration = array(
        'controllerConfiguration' => array(
            'TheFirstController' => array(
            ),
        )
    );
    $var = current(array_keys($configuration['controllerConfiguration']));
    var_dump($var);

    // Remove the only element first; without this unset the crash does not occur.
    unset($configuration['controllerConfiguration']['TheFirstController']);

    // Second call on the now-empty array: current() should return false,
    // but segfaults on 7.0.0beta2.
    $configuration['controllerConfiguration'] = array();
    $var = current(array_keys($configuration['controllerConfiguration']));
    var_dump($var);
 [2015-06-23 14:30 UTC] opitz dot alexander at googlemail dot com
Output of other PHP versions:

http://3v4l.org/UO3aI
 [2015-07-28 11:43 UTC] opitz dot alexander at googlemail dot com
-PHP Version: master-Git-2015-05-20 (Git) +PHP Version: 7.0.0beta2
 [2015-07-28 11:43 UTC] opitz dot alexander at googlemail dot com
This issue still exists with beta2.
What is needed to get this fixed?
 [2015-07-28 21:10 UTC] cmb@php.net
-Status: Open +Status: Verified -Operating System: Linux +Operating System: * -Assigned To: +Assigned To: laruence
 [2015-07-28 21:10 UTC] cmb@php.net
Thanks for the reproduce script. I can confirm the segfault on
Windows and Linux.

For some reason when current() is called the second time,
array->htInternalPointer == 0 for the empty array (instead of
0xffffffff), so zend_hash_get_current_data() returns an
uninitialized entry instead of NULL.

Laruence, could you please have a look at this issue.
 [2015-07-28 21:49 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: ZEND_HASH_FILL_END
Revision:   1438120153
URL:        https://bugs.php.net/patch-display.php?bug=69674&patch=ZEND_HASH_FILL_END&revision=1438120153
 [2015-07-28 21:51 UTC] cmb@php.net
It seems that this is a general issue in ZEND_HASH_FILL_END[1], where
nInternalPointer is always set to zero instead of 0xffffffff for
empty arrays (see the attached patch "ZEND_HASH_FILL_END").

[1] <https://github.com/php/php-src/blob/php-7.0.0beta2/Zend/zend_hash.h#L887>
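The root cause described in the two comments above (an empty array whose internal pointer is left at 0 rather than the 0xffffffff sentinel, so the "current element" lookup hands back a bucket that was never filled) can be modelled in a few lines of C. The following is an added illustration, not php-src code and not the attached patch: the ToyTable struct, the two fill variants, and the bounds check are constructed stand-ins for the fields of Zend's HashTable that the bug touches, and the lookup logic mirrors only what the report states (any index other than the sentinel is returned without a bounds check).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same sentinel value the report quotes for "no current element" (0xffffffff). */
#define TOY_INVALID_IDX ((uint32_t)-1)
#define TOY_CAPACITY 8   /* constructed: fixed bucket storage so pointer arithmetic stays defined */

typedef struct { long val; } ToyBucket;

/* Constructed, minimal stand-in for the HashTable fields this bug touches. */
typedef struct {
    ToyBucket arData[TOY_CAPACITY];
    uint32_t nNumUsed;          /* buckets actually filled */
    uint32_t nInternalPointer;  /* index that current()/next() read from */
} ToyTable;

/* Pre-fix behaviour as the report describes it: the fill macro resets the
 * internal pointer to 0 unconditionally, even when nothing was filled. */
static void toy_fill_end_buggy(ToyTable *ht) {
    ht->nInternalPointer = 0;
}

/* Post-fix behaviour: an empty table gets the invalid sentinel instead. */
static void toy_fill_end_fixed(ToyTable *ht) {
    ht->nInternalPointer = ht->nNumUsed ? 0 : TOY_INVALID_IDX;
}

/* Mirrors the lookup logic the report relies on: only the sentinel means
 * "no element"; any other index is handed back without a bounds check. */
static ToyBucket *toy_get_current_data(ToyTable *ht) {
    uint32_t idx = ht->nInternalPointer;
    if (idx != TOY_INVALID_IDX) {
        return ht->arData + idx;   /* a never-filled bucket when idx >= nNumUsed */
    }
    return NULL;
}

/* Build a table holding the values 0..n-1 with either fill variant. */
static void toy_build(ToyTable *ht, uint32_t n, int use_fix) {
    memset(ht, 0xAA, sizeof *ht);   /* poison: unfilled buckets hold garbage, like fresh memory */
    ht->nNumUsed = n < TOY_CAPACITY ? n : TOY_CAPACITY;
    for (uint32_t i = 0; i < ht->nNumUsed; i++) {
        ht->arData[i].val = (long)i;
    }
    if (use_fix) toy_fill_end_fixed(ht); else toy_fill_end_buggy(ht);
}

/* Internal pointer left behind by the chosen fill variant for an n-element table. */
uint32_t toy_pointer_after_fill(uint32_t n, int use_fix) {
    ToyTable ht;
    toy_build(&ht, n, use_fix);
    return ht.nInternalPointer;
}

/* The check a debugger would apply at the crashing RETURN_ZVAL_FAST(entry):
 * returns 1 when current() would read a bucket that was never filled. */
int toy_current_reads_unfilled_bucket(uint32_t n, int use_fix) {
    ToyTable ht;
    toy_build(&ht, n, use_fix);
    ToyBucket *entry = toy_get_current_data(&ht);
    if (entry == NULL) return 0;
    return (uint32_t)(entry - ht.arData) >= ht.nNumUsed;
}

/* Value current() would hand back, or -1 when there is no valid element. */
long toy_current_value(uint32_t n, int use_fix) {
    ToyTable ht;
    toy_build(&ht, n, use_fix);
    ToyBucket *entry = toy_get_current_data(&ht);
    if (entry == NULL || (uint32_t)(entry - ht.arData) >= ht.nNumUsed) return -1;
    return entry->val;
}

int main(void) {
    printf("empty table, pre-fix: pointer 0x%08x, reads unfilled bucket: %d\n",
           toy_pointer_after_fill(0, 0), toy_current_reads_unfilled_bucket(0, 0));
    printf("empty table, fixed:   pointer 0x%08x, reads unfilled bucket: %d\n",
           toy_pointer_after_fill(0, 1), toy_current_reads_unfilled_bucket(0, 1));
    return 0;
}
```

With the buggy fill the empty table's pointer is 0 and the lookup returns a bucket outside the filled range, which is the uninitialized entry the gdb session above dereferences; with the fixed fill the pointer is the sentinel and the lookup returns NULL, which current() turns into false. The bounds check in toy_current_reads_unfilled_bucket() is the condition a reader stepping through array.c:953 can evaluate to confirm which of the two states a given core dump is in.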
 [2015-07-29 02:55 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)
 [2015-07-29 02:55 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2015-07-29 02:59 UTC] laruence@php.net
@cmb, thanks, the patch looks fine. I committed it here: https://github.com/php/php-src/commit/7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
 [2015-07-29 08:09 UTC] opitz dot alexander at googlemail dot com
Verified, works now. Many thanks.
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5fb7bbf3c27017fa3bed462474aaa8d4746e72
Log: Fixed bug #69674 (SIGSEGV array.c:953)
Last updated: Fri Jul 21 06:01:37 2017 UTC