Bug #70398 SIGSEGV, Segmentation fault zend_ast_destroy_ex
Submitted: 2015-09-01 08:58 UTC Modified: 2015-09-02 16:58 UTC
From: opitz dot alexander at googlemail dot com Assigned: laruence
Status: Closed Package: *General Issues
PHP Version: 7.0.0RC1 OS: Linux
Private report: No CVE-ID:
 [2015-09-01 08:58 UTC] opitz dot alexander at googlemail dot com
Description:
------------
While trying to run the TYPO3 functional tests I get several core dumps.

Expected result:
----------------
No core dump by SIGSEGV

Actual result:
--------------
core dump with SIGSEGV

Backtrace:
#0  0x0000000000a26bab in zend_ast_destroy_ex (ast=0xffffffff00000002, free=1 '\001') at /php7/Zend/zend_ast.c:452
#1  0x0000000000a26d8e in zend_ast_destroy_and_free (ast=0xffffffff00000002) at /php7/Zend/zend_ast.c:501
#2  0x00000000009e141b in _zval_dtor_func (p=0x7f0cafccb070, __zend_filename=0x1050580 "/php7/Zend/zend_constants.c", __zend_lineno=36) at /php7/Zend/zend_variables.c:50
#3  0x00000000009c802e in _zval_dtor (zvalue=0x7f0cafca7940, __zend_filename=0x1050580 "/php7/Zend/zend_constants.c", __zend_lineno=36) at /php7/Zend/zend_variables.h:44
#4  0x00000000009c813f in free_zend_constant (zv=0x7ffe99c7e4e0) at /php7/Zend/zend_constants.c:36
#5  0x00000000009fa293 in _zend_hash_del_el_ex (ht=0x1f8af90, idx=1880, p=0x20a4690, prev=0x0) at /php7/Zend/zend_hash.c:958
#6  0x00000000009fa372 in _zend_hash_del_el (ht=0x1f8af90, idx=1880, p=0x20a4690) at /php7/Zend/zend_hash.c:982
#7  0x00000000009fbbb3 in zend_hash_reverse_apply (ht=0x1f8af90, apply_func=0x9c82db <clean_non_persistent_constant>) at /php7/Zend/zend_hash.c:1555
#8  0x00000000009c8773 in clean_non_persistent_constants () at /php7/Zend/zend_constants.c:161
#9  0x00000000009cb659 in shutdown_executor () at /php7/Zend/zend_execute_API.c:378
#10 0x00000000009e3df7 in zend_deactivate () at /php7/Zend/zend.c:969
#11 0x000000000094c602 in php_request_shutdown (dummy=0x0) at /php7/main/main.c:1810
#12 0x0000000000aab98c in do_cli (argc=1, argv=0x1f6e360) at /php7/sapi/cli/php_cli.c:1139
#13 0x0000000000aac207 in main (argc=1, argv=0x1f6e360) at /php7/sapi/cli/php_cli.c:1338

 [2015-09-01 09:09 UTC] opitz dot alexander at googlemail dot com
Missing information:

- the segfaults are sporadic
- checkout was git master branch at commit 66770f9c37e3821582b02f77867bf09141e59a51
 [2015-09-01 09:36 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-09-01 09:36 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

or a way to reproduce it with TYPO3 (reproduce instructions)
 [2015-09-01 09:52 UTC] opitz dot alexander at googlemail dot com
-Status: Feedback +Status: Open
 [2015-09-01 09:52 UTC] opitz dot alexander at googlemail dot com
As the crashes are sporadic I can't provide any test script.

To run TYPO3 functional tests you need to checkout TYPO3 master branch, add vendor data via composer and have a MySQL database.

mkdir typo3
cd typo3
git clone git://git.typo3.org/Packages/TYPO3.CMS.git .
composer.phar install

To get TYPO3 ready. Running the functional tests:

typo3DatabaseName="typo3_phpunit" typo3DatabaseUsername="typo3" typo3DatabasePassword="typo3typo3" typo3DatabaseHost="localhost" bin/phpunit -c typo3/sysext/core/Build/FunctionalTests.xml

Please change the DB connection data to your settings. To speed up the database side of the functional tests have a look at: https://wiki.typo3.org/Functional_testing#Using_a_ram_disk_for_the_database
 [2015-09-02 01:49 UTC] laruence@php.net
hmm, it's sad, composer is blocked in my country (China)... :<
 [2015-09-02 06:33 UTC] opitz dot alexander at googlemail dot com
Hi laruence,

is http://getcomposer.org/ or https://packagist.org/ blocked?
I could provide a complete package from my master system, if this helps.
 [2015-09-02 09:26 UTC] laruence@php.net
-Assigned To: +Assigned To: bwoebi
 [2015-09-02 09:26 UTC] laruence@php.net
@opitz, I asked bob to look into this one, and he already can reproduce it. But maybe fixed tomorrow. Let's wait and see, thanks :)
 [2015-09-02 12:33 UTC] bwoebi@php.net
-Assigned To: bwoebi +Assigned To: laruence
 [2015-09-02 12:33 UTC] bwoebi@php.net
./sapi/cli/php -r 'define("TEST", fopen("php://temp", "w+b"));'

gives me a few invalid reads with valgrind.

The fix is actually simple: In shutdown_executor(), move the call to clean_non_persistent_constants(); a few lines up above zend_close_rsrc_list(&EG(regular_list));

Though, I'm not sure if that might have side-effects [AFAIK, misordering in shutdown often causes subtle breaks] … so, can you please verify, Xinchen?
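A constructed C model, added here and not code from php-src, of the ownership problem described in this comment: the resource returned by fopen() is held both by the engine's resource list and by the duplicated zval stored in the constant table, so when zend_close_rsrc_list() runs before clean_non_persistent_constants() the constant's destructor touches a resource that is already gone. The structs, the function bodies and the `apply_fix` flag (which models treating the constant's copy as non-refcounted) are this model's assumptions, not Zend's types or behaviour.

```c
/* Constructed model, not Zend code: in this bug a resource has two owners,
 * the engine's resource list and the duplicated zval in the constant table. */
typedef struct { int handle; int refcount; int closed; } resource_t;
typedef struct { const char *name; resource_t *res; int refcounted; } constant_t;

static int stale_releases;   /* releases that hit an already-destroyed resource */

static void resource_release(resource_t *r)
{
    if (r->closed) {         /* in the real engine this is a use-after-free */
        stale_releases++;
        return;
    }
    if (--r->refcount == 0)
        r->closed = 1;
}

/* Models zend_close_rsrc_list(): every registered resource is destroyed
 * regardless of references still held elsewhere. */
static void close_rsrc_list(resource_t **list, int n)
{
    for (int i = 0; i < n; i++)
        list[i]->closed = 1;
}

/* Models clean_non_persistent_constants(): destroys each constant's value.
 * refcounted == 0 models the fix: the constant's copy of a resource does not
 * own a reference, so its destructor leaves the resource alone. */
static void clean_non_persistent_constants(constant_t *c, int n)
{
    for (int i = 0; i < n; i++)
        if (c[i].refcounted)
            resource_release(c[i].res);
}

/* Runs shutdown in the engine's order (resources closed first, constants
 * destroyed afterwards) and returns the number of stale releases:
 * 1 for the unpatched behaviour, 0 with the fix applied. */
int shutdown_stale_releases(int apply_fix)
{
    resource_t r = { 5, 2, 0 };      /* fopen() result: one ref from the list, one from TEST */
    resource_t *rsrc_list[1] = { &r };
    constant_t consts[1] = { { "TEST", &r, apply_fix ? 0 : 1 } };

    stale_releases = 0;
    close_rsrc_list(rsrc_list, 1);
    clean_non_persistent_constants(consts, 1);
    return stale_releases;
}
```

Reordering the two calls would also make the count 0 in this model, which is why the reply below about resource destructors calling user code that reads constants matters: the model has no such callbacks.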
 [2015-09-02 15:15 UTC] laruence@php.net
it cannot work, since resource dtor may call some user function that uses constants
 [2015-09-02 15:22 UTC] laruence@php.net
could you please verify whether the following patch fixed the problem?

diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index fc834df..5dceaae 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -864,6 +864,10 @@ repeat:
        }

        ZVAL_DUP(&c.value, val);
+       if (Z_TYPE_INFO(c.value) == IS_RESOURCE_EX) {
+               /* disable resource constant destruction */
+               Z_TYPE_INFO(c.value) = IS_RESOURCE;
+       }
        zval_ptr_dtor(&val_free);
 register_constant:
        c.flags = case_sensitive; /* non persistent */
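Review bot: The rewrite `Z_TYPE_INFO(c.value) = IS_RESOURCE;` only covers a resource stored directly as the constant's value; a resource nested inside an array value keeps its refcounted type and is still released by the constant's destructor at shutdown, so the same crash path remains for array constants. The comment `/* disable resource constant destruction */` should also state the ownership contract this introduces: the constant's copy no longer participates in refcounting, so any code that obtains the zend_resource through the constant and later decrements its refcount would be unbalanced; document that the resource list alone is responsible for freeing it.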
 [2015-09-02 16:39 UTC] bwoebi@php.net
That fixes the issue, but is it safe? There might be places directly operating on the zend_resource * and manipulating its refcount [under the assumption that all resources are refcounted].

Also, even if it should be safe, copy_constant_array() needs to be patched too.
 [2015-09-02 16:54 UTC] bwoebi@php.net
Hence, I propose this alternative patch (assuming constants are only ever freed at the end of the run):

diff --git a/Zend/zend_constants.c b/Zend/zend_constants.c
index 8d1be74..10648e4 100644
--- a/Zend/zend_constants.c
+++ b/Zend/zend_constants.c
@@ -33,7 +33,9 @@ void free_zend_constant(zval *zv)
        zend_constant *c = Z_PTR_P(zv);
 
        if (!(c->flags & CONST_PERSISTENT)) {
-               zval_dtor(&c->value);
+               if (Z_TYPE(c->value) != IS_RESOURCE) {
+                       zval_dtor(&c->value);
+               }
        } else {
                zval_internal_dtor(&c->value);
        }
 [2015-09-02 16:58 UTC] bwoebi@php.net
hmm, forget that, in case of an array, it'll fail, because the arrays have the ZVAL_PTR_DTOR as destructor... So, not sure yet, what's best.
 [2015-09-03 05:07 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6815c08e2939f49a2ac9087924d58448edb401ba
Log: Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex)
 [2015-09-03 05:07 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-09-03 18:10 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6815c08e2939f49a2ac9087924d58448edb401ba
Log: Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex)
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6815c08e2939f49a2ac9087924d58448edb401ba
Log: Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex)