Bug #71443 Segfault using built-in webserver with intl using symfony
Submitted: 2016-01-25 00:28 UTC Modified: 2016-01-26 04:07 UTC
From: wegvonhier+phpbugs at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2016-01-25 (Git) OS: Linux
Private report: No CVE-ID:
 [2016-01-25 00:28 UTC] wegvonhier+phpbugs at gmail dot com
Description:
------------
Using master@319e82838
Compiled using ./configure --enable-debug --enable-intl (Removing intl solves the issue; Not sure if this should be filed under pecl/intl or reproducible crash, as the crash happens in zend_ini/zend_string)

php.ini content:
zend_extension=<path>opcache.so
opcache.file_cache_only=1
opcache.file_cache=<path>php-op-cache
opcache.enable_cli=0


Test script:
---------------
Steps to reproduce:
Using a clean symfony 3 app generated using 'symfony new proj-name'.
Go to web/app_dev.php; Comment the call to Debug::enable(); and set the first parameter of the AppKernel ctor to 'prod', but leave the second parameter set to true.

Start the webserver using php -S <addr> in the web directory and request <addr>/app_dev.php

If other files have been requested before, the request behaves as expected. If app_dev.php is the first file requested, the php process crashes with the backtrace posted below.

Actual result:
--------------
(gdb) run -S 127.0.0.1:8182
Starting program: /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
Traceback (most recent call last):
PHP 7.1.0-dev Development Server started at Mon Jan 25 00:16:35 2016
Listening on http://127.0.0.1:8182
Document root is /home/vm-user/symf-proj/web
Press Ctrl-C to quit.
[Mon Jan 25 00:16:43 2016] 127.0.0.1:60070 [200]: /app_dev.php

Program received signal SIGSEGV, Segmentation fault.
0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
269		if (!ZSTR_IS_INTERNED(s)) {
(gdb) bt
#0  0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
#1  0x00000000008af033 in zend_restore_ini_entry_cb (ini_entry=0x117d850, 
    stage=8) at /home/vm-user/php-src/Zend/zend_ini.c:67
#2  0x00000000008af0b7 in zend_restore_ini_entry_wrapper (el=0x7ffff42634a0)
    at /home/vm-user/php-src/Zend/zend_ini.c:82
#3  0x00000000008a24ea in zend_hash_apply (ht=0x7ffff425b420, 
    apply_func=0x8af08f <zend_restore_ini_entry_wrapper>)
    at /home/vm-user/php-src/Zend/zend_hash.c:1521
#4  0x00000000008af25d in zend_ini_deactivate ()
    at /home/vm-user/php-src/Zend/zend_ini.c:142
#5  0x000000000088be74 in zend_deactivate ()
    at /home/vm-user/php-src/Zend/zend.c:989
#6  0x00000000007f8808 in php_request_shutdown (dummy=0x0)
    at /home/vm-user/php-src/main/main.c:1823
#7  0x000000000095746f in php_cli_server_request_shutdown (
    server=0x11049c0 <server>, client=0x12981b0)
    at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2025
#8  0x0000000000957857 in php_cli_server_dispatch (server=0x11049c0 <server>, 
    client=0x12981b0) at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2106
#9  0x0000000000958071 in php_cli_server_recv_event_read_request (
    server=0x11049c0 <server>, client=0x12981b0)
    at /home/vm-user/php-src/sapi/cli/php_cli_server.c:2315



Different run:
Breakpoint 1, zend_restore_ini_entry_cb (ini_entry=0x117d850, stage=8)
    at /home/vm-user/php-src/Zend/zend_ini.c:51
51		int result = FAILURE;
(gdb) print *ini_entry
$6 = {name = 0x117d8b0, on_modify = 0x8b024d <OnUpdateStringUnempty>, 
  mh_arg1 = 0x10, mh_arg2 = 0x11054c0 <intl_globals>, mh_arg3 = 0x0, 
  value = 0x7ffff3698dd8, orig_value = 0x0, displayer = 0x0, modifiable = 7, 
  orig_modifiable = 7, modified = 1, module_number = 12}
(gdb) print *ini_entry->value
Cannot access memory at address 0x7ffff3698dd8
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000008aed40 in zend_string_release (s=0x7ffff3698dd8)
    at /home/vm-user/php-src/Zend/zend_string.h:269
269		if (!ZSTR_IS_INTERNED(s)) {


 [2016-01-25 03:54 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-01-25 03:54 UTC] laruence@php.net
from the backtrace, this is very similar to #71425.

anyway, I am having trouble using symfony, could you please try with valgrind?

startup php-cli server with valgrind:

USE_ZEND_ALLOC=0 valgrind php7  -S 127.0.0.1:8182

and see if there is anything outputted

thanks
 [2016-01-25 13:44 UTC] wegvonhier+phpbugs at gmail dot com
Updated master to 52d89557f3

valgrind output:
~/symf-proj/web $ USE_ZEND_ALLOC=0 valgrind /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
==21380== Memcheck, a memory error detector
==21380== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21380== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==21380== Command: /home/vm-user/php-src/sapi/cli/php -S 127.0.0.1:8182
==21380== 
PHP 7.1.0-dev Development Server started at Mon Jan 25 14:40:42 2016
Listening on http://127.0.0.1:8182
Document root is /home/vm-user/symf-proj/web
Press Ctrl-C to quit.
[Mon Jan 25 14:40:47 2016] 127.0.0.1:52069 [200]: /app_dev.php
==21380== Invalid read of size 1
==21380==    at 0x8AE860: zend_string_release (zend_string.h:269)
==21380==    by 0x8AEB52: zend_restore_ini_entry_cb (zend_ini.c:67)
==21380==    by 0x8AEBD6: zend_restore_ini_entry_wrapper (zend_ini.c:82)
==21380==    by 0x8A2009: zend_hash_apply (zend_hash.c:1521)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==  Address 0x941c7c5 is 322,853 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x858ABD: _efree (zend_alloc.c:2453)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==    by 0x957F75: php_cli_server_do_event_for_each_fd (php_cli_server.c:2418)
==21380== 
==21380== Invalid read of size 1
==21380==    at 0x89D4AE: zend_string_release (zend_string.h:269)
==21380==    by 0x8A0AC7: _zend_hash_del_el_ex (zend_hash.c:1007)
==21380==    by 0x8A0BF5: _zend_hash_del_el (zend_hash.c:1037)
==21380==    by 0x8A202B: zend_hash_apply (zend_hash.c:1524)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==  Address 0x949d20d is 849,773 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x858ABD: _efree (zend_alloc.c:2453)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==    by 0x956F8E: php_cli_server_request_shutdown (php_cli_server.c:2025)
==21380==    by 0x957376: php_cli_server_dispatch (php_cli_server.c:2106)
==21380==    by 0x957B90: php_cli_server_recv_event_read_request (php_cli_server.c:2315)
==21380==    by 0x957EB8: php_cli_server_do_event_for_each_fd_callback (php_cli_server.c:2395)
==21380==    by 0x9540BA: php_cli_server_poller_iter_on_active (php_cli_server.c:834)
==21380==    by 0x957F75: php_cli_server_do_event_for_each_fd (php_cli_server.c:2418)
==21380== 
[Mon Jan 25 14:40:51 2016] 127.0.0.1:52072 [200]: /app_dev.php
^C==21380== 
==21380== HEAP SUMMARY:
==21380==     in use at exit: 27,127 bytes in 1,013 blocks
==21380==   total heap usage: 50,278 allocs, 49,265 frees, 19,687,216 bytes allocated
==21380== 
==21380== LEAK SUMMARY:
==21380==    definitely lost: 24,224 bytes in 982 blocks
==21380==    indirectly lost: 0 bytes in 0 blocks
==21380==      possibly lost: 0 bytes in 0 blocks
==21380==    still reachable: 2,903 bytes in 31 blocks
==21380==         suppressed: 0 bytes in 0 blocks
==21380== Rerun with --leak-check=full to see details of leaked memory
==21380== 
==21380== For counts of detected and suppressed errors, rerun with: -v
==21380== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
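Added example, not part of the original report or of php-src: a small Python triage script that reads the first Memcheck error quoted above (frames trimmed), finds the innermost function present in both the access stack and the free stack, and reports the two call sites inside it. The names `parse_stacks`, `divergence` and `callee_below` are hypothetical.

```python
import re

# Excerpt of the Memcheck report quoted in the comment above (outer frames trimmed).
REPORT = """\
==21380== Invalid read of size 1
==21380==    at 0x8AE860: zend_string_release (zend_string.h:269)
==21380==    by 0x8AEB52: zend_restore_ini_entry_cb (zend_ini.c:67)
==21380==    by 0x8AEBD6: zend_restore_ini_entry_wrapper (zend_ini.c:82)
==21380==    by 0x8A2009: zend_hash_apply (zend_hash.c:1521)
==21380==    by 0x8AED7C: zend_ini_deactivate (zend_ini.c:142)
==21380==    by 0x88B993: zend_deactivate (zend.c:989)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
==21380==  Address 0x941c7c5 is 322,853 bytes inside a block of size 1,292,960 free'd
==21380==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21380==    by 0x858ABD: _efree (zend_alloc.c:2453)
==21380==    by 0x85A67C: zend_arena_destroy (zend_arena.h:48)
==21380==    by 0x85B3A4: shutdown_compiler (zend_compile.c:350)
==21380==    by 0x88B929: zend_deactivate (zend.c:970)
==21380==    by 0x7F8327: php_request_shutdown (main.c:1823)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-F]+: (\S+) \((.+)\)$")

def parse_stacks(report):
    """Return (access_stack, free_stack): lists of (function, location), innermost first."""
    access, freed, current = [], [], None
    for line in report.splitlines():
        if "Invalid read" in line or "Invalid write" in line:
            current = access          # frames that follow belong to the bad access
        elif "free'd" in line:
            current = freed           # frames that follow belong to the earlier free
        elif (m := FRAME.match(line)) and current is not None:
            current.append((m.group(1), m.group(2)))
    return access, freed

def divergence(access, freed):
    """Innermost function in both stacks whose call sites differ, with both sites."""
    free_sites = {fn: loc for fn, loc in freed}
    for fn, loc in access:
        if fn in free_sites and free_sites[fn] != loc:
            return {"function": fn, "free_at": free_sites[fn], "use_at": loc}
    return None

def callee_below(stack, function):
    """Name of the frame called directly from `function` in this stack."""
    names = [fn for fn, _ in stack]
    return names[names.index(function) - 1]
```

On this report the divergence is inside `zend_deactivate`: the call at zend.c:970 leads to `shutdown_compiler`, which frees the arena block, and the later call at zend.c:989 leads to `zend_ini_deactivate`, which reads from it.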
 [2016-01-26 04:07 UTC] laruence@php.net
okay, a simple reproduce case is:
<?php
ini_set("include_path", "/tmp");
?>

run with php -d opcache.file_cache_only=1 -d opcache.file_cache=/tmp/ test.php
 [2016-01-26 07:58 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9ff08ae17cc6092810268b647dd9966e33fdc0a6
Log: Fixed bug #71443 (Segfault using built-in webserver with intl using symfony)
 [2016-01-26 07:58 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9ff08ae17cc6092810268b647dd9966e33fdc0a6
Log: Fixed bug #71443 (Segfault using built-in webserver with intl using symfony)
 
Last updated: Tue Aug 29 15:01:52 2017 UTC