Bug #69820 CLI crashes at start with various extensions enabled
Submitted: 2015-06-13 17:01 UTC Modified: 2015-06-14 11:12 UTC
From: maikgreubel at gmail dot com Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0alpha1 OS: Windows 7 64bit
Private report: No CVE-ID: None
 [2015-06-13 17:01 UTC] maikgreubel at gmail dot com
Description:
------------
Activating php_fileinfo.dll, php_mbstring.dll, php_pdo_mysql.dll and php_pdo_sqlite.dll in php.ini results in a reproducible crash. I tried a couple of combinations. If I activate only 3 extensions or 3 + 1 which cannot be activated for reason of missing dependencies (e.g. php_mysql.dll) the crash does not appear.

It also does not crash when I start php-win.exe or php-cgi.exe.

I used 7.0.0alpha1 x64 TS.

Test script:
---------------
Script parser is not triggered, cli crashes at startup without providing any script file.

But I have a stack trace and other information:

0:000> g
(1d60.1b94): Access violation - code c0000005 (!!! second chance !!!)
php7ts!zend_startup_module_ex+0x1d:
000007fe`de4dc4a5 83b98800000000  cmp     dword ptr [rcx+88h],0 ds:feeefeee`feeeff76=????????
0:000> lm
start             end                 module name
00000000`0f000000 00000000`0f006000   detoured   (deferred)             
00000000`777d0000 00000000`778ca000   USER32     (deferred)             
00000000`778d0000 00000000`779ef000   kernel32   (export symbols)       C:\Windows\system32\kernel32.dll
00000000`779f0000 00000000`77b99000   ntdll      (export symbols)       C:\Windows\SYSTEM32\ntdll.dll
00000000`77bc0000 00000000`77bc7000   PSAPI      (deferred)             
00000001`3f1d0000 00000001`3f1f4000   php        (private pdb symbols)  d:\dbg-symbols\php.pdb
000007fe`de4c0000 000007fe`decdb000   php7ts     (private pdb symbols)  d:\dbg-symbols\php7ts.pdb
000007fe`e2ae0000 000007fe`e2de4000   php_fileinfo   (deferred)             
000007fe`e3af0000 000007fe`e3bcb000   php_pdo_sqlite   (deferred)             
000007fe`e3bd0000 000007fe`e3d32000   php_mbstring   (deferred)             
000007fe`e3fa0000 000007fe`e4098000   ucrtbase   (deferred)             
000007fe`f0730000 000007fe`f0733000   api_ms_win_crt_utility_l1_1_0   (deferred)             
000007fe`f0880000 000007fe`f0883000   api_ms_win_crt_time_l1_1_0   (deferred)             
000007fe`f92c0000 000007fe`f92e2000   nvdxgiwrapx   (deferred)             
000007fe`f92f0000 000007fe`f9321000   nvd3d9wrapx   (deferred)             
000007fe`f9b40000 000007fe`f9b4b000   php_pdo_mysql   (deferred)             
000007fe`f9b70000 000007fe`f9b73000   api_ms_win_crt_locale_l1_1_0   (deferred)             
000007fe`f9b80000 000007fe`f9b83000   api_ms_win_crt_filesystem_l1_1_0   (deferred)             
000007fe`f9e40000 000007fe`f9e45000   api_ms_win_crt_math_l1_1_0   (deferred)             
000007fe`f9e50000 000007fe`f9e53000   api_ms_win_crt_environment_l1_1_0   (deferred)             
000007fe`f9e60000 000007fe`f9e64000   api_ms_win_crt_stdio_l1_1_0   (deferred)             
000007fe`f9e70000 000007fe`f9e74000   api_ms_win_crt_convert_l1_1_0   (deferred)             
000007fe`f9e80000 000007fe`f9e84000   api_ms_win_crt_string_l1_1_0   (deferred)             
000007fe`f9e90000 000007fe`f9e93000   api_ms_win_crt_heap_l1_1_0   (deferred)             
000007fe`f9ea0000 000007fe`f9ea3000   api_ms_win_core_file_l1_2_0   (deferred)             
000007fe`f9eb0000 000007fe`f9eb3000   api_ms_win_core_processthreads_l1_1_1   (deferred)             
000007fe`fa980000 000007fe`fa983000   api_ms_win_core_synch_l1_2_0   (deferred)             
000007fe`faae0000 000007fe`faae3000   api_ms_win_core_localization_l1_2_0   (deferred)             
000007fe`fad80000 000007fe`fad83000   api_ms_win_core_file_l2_1_0   (deferred)             
000007fe`fae60000 000007fe`fae64000   api_ms_win_crt_runtime_l1_1_0   (deferred)             
000007fe`fae70000 000007fe`fae87000   VCRUNTIME140   (deferred)             
000007fe`faf20000 000007fe`faf23000   api_ms_win_core_timezone_l1_1_0   (deferred)             
000007fe`fcd70000 000007fe`fcdcb000   DNSAPI     (deferred)             
000007fe`fd6c0000 000007fe`fd6cc000   VERSION    (deferred)             
000007fe`fd6d0000 000007fe`fd701000   nvinitx    (deferred)             
000007fe`fd8b0000 000007fe`fd91c000   KERNELBASE   (deferred)             
000007fe`fd930000 000007fe`fd966000   CFGMGR32   (deferred)             
000007fe`fd9b0000 000007fe`fd9ca000   DEVOBJ     (deferred)             
000007fe`fdb60000 000007fe`fdbc7000   GDI32      (deferred)             
000007fe`fdbd0000 000007fe`fdcab000   ADVAPI32   (deferred)             
000007fe`fdcb0000 000007fe`fdcfd000   WS2_32     (deferred)             
000007fe`fdd00000 000007fe`fdf03000   ole32      (deferred)             
000007fe`fe010000 000007fe`fe119000   MSCTF      (deferred)             
000007fe`fef50000 000007fe`fef6f000   sechost    (deferred)             
000007fe`fef70000 000007fe`fef78000   NSI        (deferred)             
000007fe`fef80000 000007fe`ff01f000   msvcrt     (deferred)             
000007fe`ff320000 000007fe`ff4f7000   SETUPAPI   (deferred)             
000007fe`ff690000 000007fe`ff767000   OLEAUT32   (deferred)             
000007fe`ffac0000 000007fe`ffb89000   USP10      (deferred)             
000007fe`ffb90000 000007fe`ffbbe000   IMM32      (deferred)             
000007fe`ffbc0000 000007fe`ffced000   RPCRT4     (deferred)             
000007fe`ffcf0000 000007fe`ffcfe000   LPK        (deferred)             
0:000> kp
Child-SP          RetAddr           Call Site
00000000`040cf6c0 000007fe`de4dc2f0 php7ts!zend_startup_module_ex(struct _zend_module_entry * module = 0xfeeefeee`feeefeee, <Type information missing error> str = <Type information missing error>, unsigned int64 len = <Value unavailable error>)+0x1d [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\zend\zend_api.c @ 1818]
00000000`040cf700 000007fe`de4db0a8 php7ts!zend_hash_apply(struct _zend_array * ht = 0x000007fe`dec8db00, <function> * apply_func = 0x000007fe`de4dc480, struct _zend_string * s = <Value unavailable error>)+0x58 [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\zend\zend_hash.c @ 1434]
00000000`040cf750 000007fe`de4e94c7 php7ts!zend_startup_modules(void)+0x30 [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\zend\zend_api.c @ 1987]
00000000`040cf780 00000001`3f1d15df php7ts!php_module_startup(struct _sapi_module_struct * sf = 0x00000001`00000004, struct _zend_module_entry * additional_modules = 0x00000000`00000070, unsigned int num_additional_modules = 1, <Type information missing error> l = <Type information missing error>, struct _zend_module_entry * ptr = 0x00000000`00000000, int count = 0n0)+0xa3b [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\main\main.c @ 2201]
00000000`040cfc80 00000001`3f1d142e php!php_cli_startup(struct _sapi_module_struct * sapi_module = 0xfeeefeee`feeefeee)+0xf [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\sapi\cli\php_cli.c @ 419]
00000000`040cfcb0 00000001`3f1d26c4 php!main(int argc = 0n1, char ** argv = 0x00000000`042827e0)+0x37e [c:\php-sdk\php70dev\vc14\x64\php-7.0.0alpha1-ts\sapi\cli\php_cli.c @ 1314]
00000000`040cfeb0 00000000`778e59cd php!__scrt_common_main_seh(void)+0x124 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
00000000`040cfef0 00000000`77a1b981 kernel32!BaseThreadInitThunk+0xd
00000000`040cff20 00000000`00000000 ntdll!RtlUserThreadStart+0x21


ZEND_API int zend_startup_module_ex(zend_module_entry *module) /* {{{ */
{
	size_t name_len;
	zend_string *lcname;

	if (module->module_started) {  // Crash


Expected result:
----------------
CLI starts by executing php.exe, I can exit it by pressing CTRL+C

Actual result:
--------------
By executing php.exe, Windows opens a crash popup and performs a core dump using werfault.exe.
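
Added example (not part of the original report and not PHP project code): a small triage helper for the WinDbg output above. It recovers the base pointer from the faulting operand and checks it, along with the frame arguments, against the fill values the Windows debug heap and the MSVC debug runtime write into freed or uninitialised memory. The two sample lines are copied from this report (the frame is shortened); the function names are this example's own.

```python
import re

# Fill values written by the Windows debug heap and the MSVC debug runtime.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap block (HeapFree fill, debug heap)",
    0xDDDDDDDD: "freed heap block (MSVC debug CRT)",
    0xCDCDCDCD: "uninitialised heap block (MSVC debug CRT)",
    0xCCCCCCCC: "uninitialised stack (MSVC debug build)",
}

# "[rcx+88h],0 ds:feeefeee`feeeff76=" -> register, displacement, effective address
FAULT_RE = re.compile(
    r"\[(?P<reg>\w+)\+(?P<disp>[0-9a-f]+)h\].*?\bds:(?P<ea>[0-9a-f`]+)=", re.I)
# "module = 0xfeeefeee`feeefeee" -> argument name and value in a `kp` frame
ARG_RE = re.compile(r"(\w+) = 0x([0-9a-f`]+)", re.I)


def to_int(windbg_hex):
    """Convert WinDbg's 64-bit notation (feeefeee`feeefeee) to an int."""
    return int(windbg_hex.replace("`", ""), 16)


def classify(value):
    """Return a description if value is a known fill pattern, else None."""
    lo, hi = value & 0xFFFFFFFF, value >> 32
    if hi not in (0, lo):      # 32-bit pointer, or the pattern in both halves
        return None
    return FILL_PATTERNS.get(lo)


def triage_fault(line):
    """Undo the field offset in the faulting operand and classify the base."""
    m = FAULT_RE.search(line)
    if m is None:
        return None
    disp = int(m["disp"], 16)
    base = (to_int(m["ea"]) - disp) & 0xFFFFFFFFFFFFFFFF
    return {"register": m["reg"], "offset": disp,
            "base": base, "verdict": classify(base)}


def poisoned_args(frame):
    """List (name, value) for frame arguments that carry a fill pattern."""
    return [(name, to_int(val)) for name, val in ARG_RE.findall(frame)
            if classify(to_int(val))]


# Sample input taken from the debugger session in this report.
FAULT_LINE = ("000007fe`de4dc4a5 83b98800000000  cmp     dword ptr "
              "[rcx+88h],0 ds:feeefeee`feeeff76=????????")
FRAME_LINE = ("php7ts!zend_startup_module_ex(struct _zend_module_entry * "
              "module = 0xfeeefeee`feeefeee, unsigned int64 len = "
              "<Value unavailable error>)+0x1d")

if __name__ == "__main__":
    print(triage_fault(FAULT_LINE))
    print(poisoned_args(FRAME_LINE))
```

For this crash the helper reports that `rcx` (the `module` argument) is entirely freed-heap fill, so `zend_hash_apply` handed `zend_startup_module_ex` an entry from `module_registry` whose memory had already been released.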

 [2015-06-13 18:11 UTC] ab@php.net
-Status: Open +Status: Verified
 [2015-06-13 18:12 UTC] ab@php.net
Thanks for the report, might be related to #69814 and #69819.
 [2015-06-13 20:59 UTC] maikgreubel at gmail dot com
The crash is also not reproducible with my local 32bit build with configuration

configure --enable-mbstring=shared --with-pdo-mysql=shared --with-pdo-sqlite=shared --enable-fileinfo=shared --enable-pdo

The same configuration for x64 also does not crash.
 [2015-06-13 21:43 UTC] ab@php.net
@maikgreubel, thanks for the further investigation. Yeah, an issue seems to lie in the way the mhash bc module is registered. As long as you don't enable ext/hash, everything should be fine.

Thanks.
 [2015-06-13 21:44 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2015-06-13 22:11 UTC] maikgreubel at gmail dot com
You are welcome. But, ext/hash is enabled in my configuration:


D:\tmp\php-7.0.0alpha1-src>configure --enable-mbstring=shared --with-pdo-mysql=shared --with-pdo-sqlite=shared --enable-fileinfo=shared --enable-pdo
Saving configure options to config.nice.bat
Checking for cl.exe ...  <in default path>
  Detected compiler MSVC14 (Visual C++ 2015)
  Detected 64-bit compiler
Checking for link.exe ...  C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\amd64
Checking for nmake.exe ...  <in default path>
Checking for lib.exe ...  <in default path>
Checking for bison.exe ...  <in default path>
Checking for re2c.exe ...  <in default path>
  Detected re2c version 0.13.5
Checking for zip.exe ...  <in default path>
Checking for lemon.exe ...  <not found>
Checking for mc.exe ...  C:\Program Files (x86)\Windows Kits\8.1\bin\x64
Checking for mt.exe ...  C:\Program Files (x86)\Windows Kits\8.1\bin\x64
Enabling multi process build

Build dir: D:\tmp\php-7.0.0alpha1-src\x64\Release_TS
PHP Core:  php7ts.dll and php7ts.lib

Checking for wspiapi.h ...  <in default path>
Enabling IPv6 support
Enabling SAPI sapi\cgi
Enabling SAPI sapi\cli
Enabling extension ext\bcmath
Enabling extension ext\calendar
Checking for library oleaut32.lib ... <in LIB path> OleAut32.Lib
Enabling extension ext\com_dotnet
Checking for mscoree.h ...  <in default path>
Enabling extension ext\ctype
Enabling extension ext\date
Enabling extension ext\fileinfo [shared]
Enabling extension ext\filter
Enabling extension ext\ftp [shared]
Checking for openssl/ssl.h ...  <not found>
Checking for openssl/ssl.h ...  <not found>
Checking for library libjpeg_a.lib;libjpeg.lib ... <not found>
WARNING: gd not enabled; libraries and headers not found

Enabling extension ext\hash
Checking for library libiconv_a.lib ... <not found>
Checking for library libiconv.lib ... <not found>
Checking for library iconv_a.lib ... <not found>
Checking for library iconv.lib ... <not found>
WARNING: iconv support can't be enabled, libraries or headers are missing

Enabling extension ext\json
Enabling extension ext\mbstring [shared]
Using bundled libmbfl...
Checking for library ws2_32.lib ... <in LIB path> WS2_32.Lib
Enabling extension ext\mysqlnd
Checking for zlib.h ...  <not found>
Checking for zlib.h ...  <not found>
Enabling extension ext\opcache [shared]
Enabling extension ext\pcre
Enabling extension ext\reflection
Enabling extension ext\session
Enabling extension ext\spl
Checking for timelib_config.h ...  ext/date/lib
Enabling extension ext\standard
Enabling extension ext\tokenizer
Checking for zlib.h ...  <not found>
Checking for zlib.h ...  <not found>
WARNING: zip not enabled; libraries and headers not found

Checking for library zlib_a.lib;zlib.lib ... <not found>
WARNING: zlib support can't be enabled, zlib is missing

Checking for library libxml2_a_dll.lib;libxml2_a.lib ... <not found>
WARNING: libxml support can't be enabled, iconv or libxml are missing

WARNING: dom support can't be enabled, libxml is not enabled

Enabling extension ext\pdo
INFO: mysqlnd build
Enabling extension ext\pdo_mysql [shared]
Enabling extension ext\pdo_sqlite [shared]
Enabling extension ext\phar
        Native OpenSSL support in Phar disabled
WARNING: simplexml not enabled; libraries and headers not found

WARNING: xml support can't be enabled, libraries or headers are missing


Creating build dirs...
Generating files...
Generating Makefile
Generating main/internal_functions.c
        [content unchanged; skipping]
Generating main/config.w32.h
Generating phpize
Done.



Enabled extensions:
-----------------------
| Extension  | Mode   |
-----------------------
| bcmath     | static |
| calendar   | static |
| com_dotnet | static |
| ctype      | static |
| date       | static |
| fileinfo   | shared |
| filter     | static |
| ftp        | shared |
| hash       | static |
| json       | static |
| mbstring   | shared |
| mysqlnd    | static |
| opcache    | shared |
| pcre       | static |
| pdo        | static |
| pdo_mysql  | shared |
| pdo_sqlite | shared |
| phar       | static |
| reflection | static |
| session    | static |
| spl        | static |
| standard   | static |
| tokenizer  | static |
-----------------------


Enabled SAPI:
-------------
| Sapi Name |
-------------
| cgi       |
| cli       |
-------------


----------------------------------------------
|                 |                          |
----------------------------------------------
| Build type      | Release                  |
| Thread Safety   | Yes                      |
| Compiler        | MSVC14 (Visual C++ 2015) |
| Architecture    | x64                      |
| Optimization    | PGO disabled             |
| Static analyzer | disabled                 |
----------------------------------------------


Type 'nmake' to build PHP



Because it is also not disabled in binaries downloadable at qa, I have the same configuration on that point.
 [2015-06-13 22:29 UTC] ab@php.net
Ok, this is ... interesting. But it seems you don't use the deps package for vc14 (available at windows.php.net/downloads). I use them, and the behavior I've described depends on ext/hash.

But this could mean to me - we have something terrible in the dependency libraries, and that screws the memory at some point. Can you tell the same after you've fetched the vc14 deps and they're available for your build?

Btw, do you have the same crash when enabling all the available exts?

Thanks.
 [2015-06-14 08:27 UTC] maikgreubel at gmail dot com
I added the deps from deps-7.0-vc14-x64.7z and compiled with the same options as the qa build. The result is not runnable due to missing pgort140.dll. So I disabled

--enable-pgi

and got no crash with the same extensions enabled in php.ini. I also enabled more extensions:

extension=php_fileinfo.dll
extension=php_mbstring.dll
extension=php_mysqli.dll
extension=php_pdo_mysql.dll
extension=php_pdo_sqlite.dll
extension=php_shmop.dll
extension=php_sockets.dll


And still no crash.

Optimization issue?
 [2015-06-14 10:01 UTC] ab@php.net
Thanks for the followup. Yeah, --enable-pgi is a part of the PGO build scenario, not needed if you don't do it. 

But something strange happens. Yesterday I was able to reproduce your initial report using 

x64\Release_TS\php.exe -n -d extension_dir=x64\Release_TS -d extension=php_fileinfo.dll -d extension=php_mbstring.dll -d extension=php_pdo_mysql.dll -d extension=php_pdo_sqlite.dll

But this doesn't crash when I've fetched and rebuilt today. Not doing PGO build as well. But that's why I guess it's not an optimization issue, still quite strange. Maybe you can repro it with this configure line?

cscript /nologo configure.js  "--enable-snapshot-build" "--enable-debug-pack" "--enable-com-dotnet=shared"

That picks up literally everything. But of course, maybe that's just PGO, so it would probably be worth checking (but need setup for scenarios). Also, it might be a vc14 issue as it's still RC. Whereby I seem to have not received any vc14 updates over the night.

Thanks.
 [2015-06-14 10:25 UTC] ab@php.net
@maikgreubel, yeah, see bug #69823. My insight about ext/hash was correct. I think we're done here. Please fetch the latest master to check this.

Thanks.
 [2015-06-14 10:31 UTC] maikgreubel at gmail dot com
Going back to qa-build binary and debugging.

+		&p->val	0x000000000417bf80 {value={lval=112 dval=5.533535233422e-322#DEN counted=0x0000000000000070 {refcount=...} ...} ...}	_zval_struct *
		apply_func	0x000007fede71c480 {php7ts.dll!zend_startup_module_zval(_zval_struct *)}	int (_zval_struct *) *
+		ht	0x000007fedeecdb00 {php7ts.dll!_zend_array module_registry} {gc={refcount=1 u={v={type=7 '\a' flags=...} ...} } ...}	_zend_array *
+		ht->arData	0x00000000060a2800 {val={value={lval=68645888 dval=3.391557498907e-316#DEN counted=0x0000000004177400 {...} ...} ...} ...}	_Bucket *
		ht->nNumUsed	33	unsigned int
		idx	8	unsigned int
+		p	0x000000000417bf80 {val={value={lval=112 dval=5.533535233422e-322#DEN counted=0x0000000000000070 {refcount=...} ...} ...} ...}	_Bucket *
+		p->val	{value={lval=112 dval=5.533535233422e-322#DEN counted=0x0000000000000070 {refcount=??? u={v={type=??? ...} ...} } ...} ...}	_zval_struct
		result	0	int

Due to optimization I cannot add a conditional breakpoint at the for-loop iteration of the HashTable in zend_hash_apply to find out which module entry causes the problem. I try to investigate the scope where the module_registry HashTable is filled with entries and what happens between initialization of HT and the module activation.
 [2015-06-14 10:43 UTC] ab@php.net
@maikgreubel, or alternatively - just check this snapshot http://windows.php.net/downloads/snaps/ostc/69814/ (built from the latest master).

Thanks.
 [2015-06-14 10:50 UTC] maikgreubel at gmail dot com
Tested the snapshot build and et voilà, the crash does not appear.

Thank you, nicely done.
 [2015-06-14 11:12 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2015-06-14 11:12 UTC] ab@php.net
Thanks for checking the alpha1 and for the good backtrace :)

Can be closed then.

Thanks.
 