Bug #70616 SIGSEGV while lex_scan-ning
Submitted: 2015-10-01 18:55 UTC
Modified: 2020-11-01 04:22 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: roctom at gmail dot com
Assigned: cmb
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.6.13
OS: Cygwin
Private report: No
CVE-ID: None
 [2015-10-01 18:55 UTC] roctom at gmail dot com
Description:
------------
Under cygwin:

PHP 5.6.13 (cli) (built: Sep  4 2015 12:40:08)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies

I get the following reproducible SIGSEGV after installing the phpunit/phpunit package.



Test script:
---------------
In a composer.json file

{
	"require": {
		"phpunit/phpunit": "~4"
	}
}

Then run php composer.phar install. It should segfault just after you can read "Generating autoload files".

Expected result:
----------------
No "Program received signal SIGSEGV, Segmentation fault.".

The program completes without crashing.

Actual result:
--------------
Here is a backtrace in gdb:

Program received signal SIGSEGV, Segmentation fault.
lex_scan (zendlval=zendlval@entry=0x228cd0) at Zend/zend_language_scanner.c:2636
2636    Zend/zend_language_scanner.c: No such file or directory.
(gdb) bt
#0  lex_scan (zendlval=zendlval@entry=0x228cd0) at Zend/zend_language_scanner.c:2636
#1  0x00000003f689a69c in zend_strip () at /usr/src/debug/php-5.6.13-1/Zend/zend_highlight.c:174
#2  0x00000003f67c056a in zif_php_strip_whitespace (ht=<optimized out>, return_value=0x6fffeff2798, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=1)
    at /usr/src/debug/php-5.6.13-1/ext/standard/basic_functions.c:5241
#3  0x00000003f694c66c in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.6.13-1/Zend/zend_vm_execute.h:558
#4  0x00000003f68dcb58 in execute_ex (execute_data=0x6fffffbe2f0) at /usr/src/debug/php-5.6.13-1/Zend/zend_vm_execute.h:363
#5  0x00000003f68a80ed in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.6.13-1/Zend/zend.c:1341
#6  0x00000003f6845c8a in php_execute_script (primary_file=0x22b858) at /usr/src/debug/php-5.6.13-1/main/main.c:2597
#7  0x0000000100402729 in do_cli (argc=3, argv=0x22cb10) at /usr/src/debug/php-5.6.13-1/sapi/cli/php_cli.c:994
#8  0x000000010040b6fb in main (argc=3, argv=0x22cb10) at /usr/src/debug/php-5.6.13-1/sapi/cli/php_cli.c:1378

The zval given to lex_scan:

(gdb) p *(zval *) 0x228cd0
$1 = {value = {lval = 7696551907325, dval = 3.802601888843204e-311, str = {val = 0x6fffe3e0ffd "\n}\n"<error: Cannot access memory at address 0x6fffe3e1000>, len = 1}, ht = 0x6fffe3e0ffd,
    obj = {handle = 4265480189, handlers = 0x1}, ast = 0x6fffe3e0ffd}, refcount__gc = 4278048360, type = 0 '\000', is_ref__gc = 6 '\006'}


 [2015-11-03 00:53 UTC] vangel dot attila at gmail dot com
I got a crash in lex_scan() when trying to use the arcanist tool under cygwin x86 (on Windows 7 64 bit).

To get the stack trace I ran php from gdb:

$ gdb php

then in gdb:

r /path/to/arcanist.php install-certificate

Starting program: /usr/bin/php /path/to/arcanist.php install-certificate
[New Thread 14820.0x39dc]
[New Thread 14820.0x2210]

Program received signal SIGSEGV, Segmentation fault.
0x58e364c7 in lex_scan () from /usr/bin/cygphp5-5-6.dll
(gdb) bt
#0  0x58e364c7 in lex_scan () from /usr/bin/cygphp5-5-6.dll
#1  0x58e504bf in zendlex () from /usr/bin/cygphp5-5-6.dll
#2  0x58e2b41c in zendparse () from /usr/bin/cygphp5-5-6.dll
#3  0x58e315ba in cygphp5-5-6!compile_file () from /usr/bin/cygphp5-5-6.dll
#4  0x58eca897 in execute_ex () from /usr/bin/cygphp5-5-6.dll
#5  0x58e9aea7 in execute_ex () from /usr/bin/cygphp5-5-6.dll
#6  0x58eca273 in execute_ex () from /usr/bin/cygphp5-5-6.dll
#7  0x58e58755 in zend_call_function () from /usr/bin/cygphp5-5-6.dll
#8  0x58e7d03b in zend_call_method () from /usr/bin/cygphp5-5-6.dll
#9  0x58d44685 in zif_spl_autoload_call () from /usr/bin/cygphp5-5-6.dll
#10 0x58e586bd in zend_call_function () from /usr/bin/cygphp5-5-6.dll
#11 0x58e58f8e in zend_lookup_class_ex () from /usr/bin/cygphp5-5-6.dll
#12 0x58e5989a in zend_fetch_class () from /usr/bin/cygphp5-5-6.dll
#13 0x58eb05ed in execute_ex () from /usr/bin/cygphp5-5-6.dll
#14 0x58e9aea7 in execute_ex () from /usr/bin/cygphp5-5-6.dll
#15 0x58eca273 in execute_ex () from /usr/bin/cygphp5-5-6.dll
#16 0x58e67eb2 in zend_execute_scripts () from /usr/bin/cygphp5-5-6.dll
#17 0x58e05bdb in php_execute_script () from /usr/bin/cygphp5-5-6.dll
#18 0x004026c0 in php_register_internal_extensions ()
#19 0x0040b537 in php!main ()
(gdb)


$ php -version
PHP 5.6.14 (cli) (built: Oct 18 2015 04:16:10)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
 [2015-11-03 00:58 UTC] vangel dot attila at gmail dot com
Sorry, I forgot to mention that by the arcanist tool I meant this one:
https://secure.phabricator.com/book/phabricator/article/arcanist/

arcanist.php is normally run via the 'arc' wrapper script, however I needed to call that directly from gdb.
 [2016-06-20 14:47 UTC] cmb@php.net
-Operating System: Windows 7
+Operating System: Cygwin
 [2020-10-21 10:21 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
 [2020-10-21 10:21 UTC] cmb@php.net
Does this still reproduce with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2020-11-01 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 