php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72257 "get_defined_constants(true)" core dump
Submitted: 2016-05-23 07:39 UTC Modified: 2016-06-02 02:47 UTC
From: jccgls001 at 126 dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0.6 OS: linux 2.6
Private report: No CVE-ID: None
 [2016-05-23 07:39 UTC] jccgls001 at 126 dot com
Description:
------------
hi,

I find that when using "get_defined_constants()" function with args "true", zend core will dump. the code like this :

    var_dump(get_defined_constants(true));

---------------------------------------------------------
About debug detail:

I debug the code with gdb and find, this bug maybe caused by "zend_startup_builtin_functions()" in zend_builtin_functions.c(line 362), which the code :

    zend_builtin_module.module_number = 0;

this place assign module index to 0, which will cause "get_defined_constants(true)" dump. Because in this function, the 0 index is reserved to "internal".

----------------------------------------------------------
About fix:

I think the code in zend_builtin_functions.c(line 362) can be modified to:

    zend_builtin_module.module_number = zend_next_free_module();

this will lead index to 1, and can make "get_defined_constants(true)" run correctly.

Test script:
---------------
get_defined_constants(true);

Expected result:
----------------
two dimension array that contains all defined constants group by module's name

Actual result:
--------------
segmentation fault and core dump

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-23 10:23 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2016-05-23 10:23 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I can not reproduce this.
 [2016-05-23 12:02 UTC] jccgls001 at 126 dot com
-Status: Feedback +Status: Open
 [2016-05-23 12:02 UTC] jccgls001 at 126 dot com
backtrace is here :
------------------------

Using host libthread_db library "/lib64/tls/libthread_db.so.1".
Core was generated by `install/php/bin/php -r get_defined_constants(true);'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000302af6ff40 in strlen ()
   from /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/install/php/bin/../../lib/gcc-3.4.5/libc.so.6
(gdb) bt
#0  0x000000302af6ff40 in strlen ()
   from /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/install/php/bin/../../lib/gcc-3.4.5/libc.so.6
#1  0x0000000000a652b6 in zif_get_defined_constants (execute_data=0x7f9e74c120a0, return_value=0x7f9e74c12090)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2227
#2  0x0000000000ab1781 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7f9e74c12030)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:586
#3  0x0000000000ab04bc in execute_ex (ex=0x7f9e74c12030)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:417
#4  0x0000000000ab0c66 in zend_execute (op_array=0x7f9e74c610e0, return_value=0x7ffffa23d620)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:458
#5  0x0000000000a18f78 in zend_eval_stringl (str=0x17d4cd0 "get_defined_constants(true);", str_len=28, retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code")
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1135
#6  0x0000000000a19135 in zend_eval_stringl_ex (str=0x17d4cd0 "get_defined_constants(true);", str_len=28, retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code", handle_exceptions=1)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1176
#7  0x0000000000a191ad in zend_eval_string_ex (str=0x17d4cd0 "get_defined_constants(true);", retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code", handle_exceptions=1)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1187
#8  0x0000000000b6a05c in do_cli (argc=3, argv=0x17d4c60)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/sapi/cli/php_cli.c:1005
#9  0x0000000000b6b0f5 in main (argc=3, argv=0x17d4c60)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/sapi/cli/php_cli.c:1344
 [2016-05-23 12:13 UTC] laruence@php.net
try again after you disable any third-part extension.

like: php -n -r "var_dump(get_define_constants(true);", then add them one by one to check which extension cause this.
 [2016-05-23 12:39 UTC] jccgls001 at 126 dot com
Following your advise, I use php -n -r "var_dump(get_define_constants(true);" command but segmentation fault again. the backtrace info is same as before.

I have removed all third-party extensions when build source and before run code.
 [2016-05-29 12:12 UTC] bwoebi@php.net
The only way this code could crash is if module->name is invalid.

Try:
USE_ZEND_ALLOC=0 valgrind php -n -r "var_dump(get_define_constants(true));"

Perhaps this finds something, but locally I cannot reproduce it either.

Also, what does php -m tell you?
 [2016-05-30 03:02 UTC] jccgls001 at 126 dot com
thanks for you apply~ this problem really troubles me a lot ...

I use this command:
USE_ZEND_ALLOC valgrind -r -n "var_dump(get_defined_constants(true));"

valgrind show these infos:
==25809== Memcheck, a memory error detector
==25809== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==25809== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==25809== Command: install/php/bin/php -n -r var_dump(get_defined_constants(true));
==25809== 
==25809== Use of uninitialised value of size 8
==25809==    at 0x49095B2: strlen (mc_replace_strmem.c:399)
==25809==    by 0xA652B5: zif_get_defined_constants (zend_builtin_functions.c:2227)
==25809==    by 0xAB1780: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==25809==    by 0xAB04BB: execute_ex (zend_vm_execute.h:417)
==25809==    by 0xAB0C65: zend_execute (zend_vm_execute.h:458)
==25809==    by 0xA18F77: zend_eval_stringl (zend_execute_API.c:1135)
==25809==    by 0xA19134: zend_eval_stringl_ex (zend_execute_API.c:1176)
==25809==    by 0xA191AC: zend_eval_string_ex (zend_execute_API.c:1187)
==25809==    by 0xB6A05B: do_cli (php_cli.c:1005)
==25809==    by 0xB6B0F4: main (php_cli.c:1344)
==25809== 
==25809== Invalid read of size 1
==25809==    at 0x49095B2: strlen (mc_replace_strmem.c:399)
==25809==    by 0xA652B5: zif_get_defined_constants (zend_builtin_functions.c:2227)
==25809==    by 0xAB1780: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==25809==    by 0xAB04BB: execute_ex (zend_vm_execute.h:417)
==25809==    by 0xAB0C65: zend_execute (zend_vm_execute.h:458)
==25809==    by 0xA18F77: zend_eval_stringl (zend_execute_API.c:1135)
==25809==    by 0xA19134: zend_eval_stringl_ex (zend_execute_API.c:1176)
==25809==    by 0xA191AC: zend_eval_string_ex (zend_execute_API.c:1187)
==25809==    by 0xB6A05B: do_cli (php_cli.c:1005)
==25809==    by 0xB6B0F4: main (php_cli.c:1344)
==25809==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==25809== 
==25809== 
==25809== Process terminating with default action of signal 11 (SIGSEGV)
==25809==  Access not within mapped region at address 0x0
==25809==    at 0x49095B2: strlen (mc_replace_strmem.c:399)
==25809==    by 0xA652B5: zif_get_defined_constants (zend_builtin_functions.c:2227)
==25809==    by 0xAB1780: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==25809==    by 0xAB04BB: execute_ex (zend_vm_execute.h:417)
==25809==    by 0xAB0C65: zend_execute (zend_vm_execute.h:458)
==25809==    by 0xA18F77: zend_eval_stringl (zend_execute_API.c:1135)
==25809==    by 0xA19134: zend_eval_stringl_ex (zend_execute_API.c:1176)
==25809==    by 0xA191AC: zend_eval_string_ex (zend_execute_API.c:1187)
==25809==    by 0xB6A05B: do_cli (php_cli.c:1005)
==25809==    by 0xB6B0F4: main (php_cli.c:1344)
==25809==  If you believe this happened as a result of a stack
==25809==  overflow in your program's main thread (unlikely but
==25809==  possible), you can try to increase the size of the
==25809==  main thread stack using the --main-stacksize= flag.
==25809==  The main thread stack size used in this run was 10485760.
==25809== 
==25809== HEAP SUMMARY:
==25809==     in use at exit: 2,092,430 bytes in 16,256 blocks
==25809==   total heap usage: 19,987 allocs, 3,731 frees, 2,593,732 bytes allocated
==25809== 
==25809== LEAK SUMMARY:
==25809==    definitely lost: 923 bytes in 13 blocks
==25809==    indirectly lost: 0 bytes in 0 blocks
==25809==      possibly lost: 1,213,506 bytes in 12,245 blocks
==25809==    still reachable: 878,001 bytes in 3,998 blocks
==25809==         suppressed: 0 bytes in 0 blocks
==25809== Rerun with --leak-check=full to see details of leaked memory
==25809== 
==25809== For counts of detected and suppressed errors, rerun with: -v
==25809== Use --track-origins=yes to see where uninitialised values come from
==25809== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 7 from 7)

it seems like strlen() used a uninitialised char*(size of 8)

i think this problem maybe caused by:
module_names in zend_builtin_functions.c(2203), it should assign "Core" to module_names[1], but actually assign to module_names[0], which will lead to error when call "strlen(module_names[1])" in line 2227.


----------------------
by the way, "php -m" show:
[PHP Modules]
bcmath
Core
ctype
curl
date
dom
fileinfo
filter
gd
hash
iconv
json
libxml
mbstring
mcrypt
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
sqlite3
standard
sysvsem
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
zip
zlib

[Zend Modules]
 [2016-05-30 05:36 UTC] krakjoe@php.net
-Status: Open +Status: Feedback
 [2016-05-30 05:36 UTC] krakjoe@php.net
I can't reproduce either.

Can you post "bt full" ?
 [2016-05-30 05:56 UTC] jccgls001 at 126 dot com
-Status: Feedback +Status: Open
 [2016-05-30 05:56 UTC] jccgls001 at 126 dot com
I find when i add USE_ZEND_ALLOC=0 the function run successful

--------------------------------------------
these info are created by command without USE_ZEND_ALLOC=0:
gdb --args ./php -n -r "var_dump(get_defined_constants(true));"


(gdb) bt full
#0  0x000000302af6ff40 in ?? ()
No symbol table info available.
#1  0x0000000000a652b6 in zif_get_defined_constants (execute_data=0x7ffff7612120, return_value=0x7ffff7612090)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2227
        _z = 0x1901690
        _p = 0x1901690
        _end = 0x190f2b0
        val = 0x17ec910
        modules = 0x7ffff7676000
        const_val = {value = {lval = 2, dval = 9.8813129168249309e-324, counted = 0x2, str = 0x2, arr = 0x2, obj = 0x2, res = 0x2, 
            ref = 0x2, ast = 0x2, zv = 0x2, ptr = 0x2, ce = 0x2, func = 0x2, ww = {w1 = 2, w2 = 0}}, u1 = {v = {type = 1 '\001', 
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 1}, u2 = {var_flags = 0, next = 0, 
            cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}
        module = 0x17df330
        i = 41
        module_number = 1
        module_names = 0x7ffff7679000
        categorize = 1 '\001'
#2  0x0000000000ab1781 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7ffff7612030)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:586
        opline = 0x7ffff7662220
        call = 0x7ffff7612120
        fbc = 0x17e9700
        ret = 0x7ffff7612090
#3  0x0000000000ab04bc in execute_ex (ex=0x7ffff7612030)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:417
        ret = 0
        execute_data = 0x7ffff7612030
#4  0x0000000000ab0c66 in zend_execute (op_array=0x7ffff76620e0, return_value=0x7fffffffcdf0)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_vm_execute.h:458
        execute_data = 0x7ffff7612030
#5  0x0000000000a18f78 in zend_eval_stringl (str=0x17d4d90 "var_dump(get_defined_constants(true));", str_len=38, retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code")
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1135
        __orig_bailout = 0x7fffffffe050
        __bailout = {{__jmpbuf = {0, 140737488342688, 14558992, 140737488348272, 0, 0, 140737488342256, 10587994}, 
            __mask_was_saved = 0, __saved_mask = {__val = {140737488342432, 14558992, 10461214, 0, 26465744, 0, 140737488342608, 
                140737488342800, 11965133, 18446744073565204544, 1125281431552, 26465744, 26465744, 1129432048064, 26465696, 
                26465696}}}}
        local_retval = {value = {lval = 26465648, dval = 1.3075767471727095e-316, counted = 0x193d570, str = 0x193d570, 
            arr = 0x193d570, obj = 0x193d570, res = 0x193d570, ref = 0x193d570, ast = 0x193d570, zv = 0x193d570, ptr = 0x193d570, 
            ce = 0x193d570, func = 0x193d570, ww = {w1 = 26465648, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', 
              const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 0, next = 0, cache_slot = 0, 
            lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0}}
        pv = {value = {lval = 140737343656320, dval = 6.9533486587541203e-310, counted = 0x7ffff7601180, str = 0x7ffff7601180, 
            arr = 0x7ffff7601180, obj = 0x7ffff7601180, res = 0x7ffff7601180, ref = 0x7ffff7601180, ast = 0x7ffff7601180, 
            zv = 0x7ffff7601180, ptr = 0x7ffff7601180, ce = 0x7ffff7601180, func = 0x7ffff7601180, ww = {w1 = 4150268288, 
              w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, 
            type_info = 5126}, u2 = {var_flags = 0, next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, 
            fe_iter_idx = 0}}
        new_op_array = 0x7ffff76620e0
        original_compiler_options = 2
        retval = 26465744
#6  0x0000000000a19135 in zend_eval_stringl_ex (str=0x17d4d90 "var_dump(get_defined_constants(true));", str_len=38, retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code", handle_exceptions=1)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1176
        result = 0
#7  0x0000000000a191ad in zend_eval_string_ex (str=0x17d4d90 "var_dump(get_defined_constants(true));", retval_ptr=0x0, 
    string_name=0x1353fcc "Command line code", handle_exceptions=1)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_execute_API.c:1187
No locals.
#8  0x0000000000b6a05c in do_cli (argc=4, argv=0x17d4cd0)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/sapi/cli/php_cli.c:1005
        __orig_bailout = 0x7fffffffe270
        __bailout = {{__jmpbuf = {0, 140737488347712, 14558992, 140737488348272, 0, 0, 140737488342816, 11965745}, 
            __mask_was_saved = 0, __saved_mask = {__val = {16, 20146392, 20146440, 20146471, 20146480, 20146504, 20146517, 
                20146534, 20146555, 20146575, 20146592, 20146613, 20146623, 20146637, 20146659, 20146678}}}}
        c = -1
        file_handle = {handle = {fd = 722660096, fp = 0x302b12eb00, stream = {handle = 0x302b12eb00, isatty = 10040959, mmap = {
                len = 10135242, pos = 10041794, map = 0x993470 <php_stream_open_for_zend>, 
                buf = 0x99b7b9 <vspprintf> "UH\211\345H\203\354PH\211}\370H\211u\360H\211U\350H\211M\340H\215}\300", <incomplete sequence \374\272>, old_handle = 0x99b970 <vstrpprintf>, old_closer = 0x9a282f <sapi_getenv>}, 
              reader = 0x993657 <php_resolve_path_for_zend>, fsizer = 0x302b130620, closer = 0x70}}, filename = 0x1353f76 "-", 
          opened_path = 0x0, type = ZEND_HANDLE_FP, free_filename = 0 '\000'}
        behavior = 6
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x17d4d90 "var_dump(get_defined_constants(true));"
        orig_optarg = 0x0
        php_optind = 4
        orig_optind = 1
        exec_direct = 0x17d4d90 "var_dump(get_defined_constants(true));"
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = 0x17d4d90 "var_dump(get_defined_constants(true));"
        arg_excp = 0x17d4ce8
        script_file = 0x0
        translated_path = 0x0
        interactive = 0
        param_error = 0x0
        hide_argv = 0
#9  0x0000000000b6b0f5 in main (argc=4, argv=0x17d4cd0)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/sapi/cli/php_cli.c:1344
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 140737488348064, 14558992, 140737488348272, 0, 0, 140737488347728, 11972824}, 
            __mask_was_saved = 0, __saved_mask = {__val = {23437640, 22686360, 140737488348272, 0, 0, 270766525504, 270765434426, 
                206158430209, 0, 140737346091280, 206878818672, 0, 270765434114, 0, 32, 0}}}}
        c = -1
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x17d4d90 "var_dump(get_defined_constants(true));"
        php_optind = 4
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x17d4fe0 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 110
        ini_ignore = 1
        sapi_module = 0x1672d60 <cli_sapi_module>
 [2016-05-30 12:46 UTC] bwoebi@php.net
-Status: Open +Status: Feedback
 [2016-05-30 12:46 UTC] bwoebi@php.net
Well, module_number 1 should be unused.

Can you please give us the faulty constant name with the bad module number?

f 1
p (char*)val->name->val
 [2016-05-30 13:02 UTC] jccgls001 at 126 dot com
-Status: Feedback +Status: Open
 [2016-05-30 13:02 UTC] jccgls001 at 126 dot com
ok and i find module_names[1] is uninitailized value...

(gdb) p (char*)module_names[0]  <------- this may ‘internal’ ?
$1 = 0x134d795 "Core"
(gdb) p (char*)module_names[1]  <------- problem module, may 'Core' but null
$2 = 0x0
(gdb) p (char*)module_names[2]
$3 = 0xde2964 "date"
(gdb) p (char*)module_number 
$4 = 0x1 <error: Cannot access memory at address 0x1>

(gdb) p (char*)val->name->val
$5 = 0x17ecc08 "PHP_VERSION"
 [2016-05-30 13:05 UTC] jccgls001 at 126 dot com
by the way, f 1 locate code :

#1  0x0000000000a652b6 in zif_get_defined_constants (execute_data=0x7ffff7612120, return_value=0x7ffff7612090)
    at /home/users/lvshun_iwm/php7_odp/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2227

2227    add_assoc_zval(return_value, module_names[module_number], &modules[module_number]);

(gdb) list
2222    module_number = val->module_number;
2223	}
2224	
2225    if (Z_TYPE(modules[module_number]) == IS_UNDEF) {
2226	    array_init(&modules[module_number]);
2227	    add_assoc_zval(return_value, module_names[module_number], &modules[module_number]);
2228	}
2229	
2230	ZVAL_DUP(&const_val, &val->value);
2231	zend_hash_add_new(Z_ARRVAL(modules[module_number]), val->name, &const_val);
 [2016-05-30 13:47 UTC] bwoebi@php.net
-Status: Open +Status: Feedback
 [2016-05-30 13:47 UTC] bwoebi@php.net
I have no idea how this can happen. PHP_VERSION is defined at main.c:2107 (in current 7.0 tree)

REGISTER_MAIN_STRINGL_CONSTANT() is specifying module_number 0.

In case you have enough gdb experience, may you please set a breakpoint there, step a bit forward until allocation of the zend_constant and set a watchpoint on its module number.
In case you don't, may you please provide someone of us ssh access able to execute gdb with your php build (a direct email with credentials) so that we can investigate?
Else I don't see much we can do here...
 [2016-05-31 06:11 UTC] jccgls001 at 126 dot com
-Status: Feedback +Status: Open
 [2016-05-31 06:11 UTC] jccgls001 at 126 dot com
I try my best to debug code with:

gdb ./php -n -r "get_defined_constants(true);"

and set breakpoint to see why module_names[1]=0x0

-----------------------------------------------------------

(gdb) b zend_builtin_functions.c :2198
Breakpoint 1, zif_get_defined_constants (execute_data=0x7ffff495a0b0, return_value=0x7ffff495a0a0)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2198
2198	int i = 1;
(gdb) n
2203	module_names[0] = "internal";  <------ Important
(gdb) p module_names[0]
$1 = 0x134dc1e "internal"

in this place, module_names[0] has assigned to "internal", and then:

(gdb) n
0x0000000000a6511c in zif_get_defined_constants (execute_data=0x7ffff495a0b0, return_value=0x7ffff495a0a0)
(gdb) n
2205	module_names[module->module_number] = (char *)module->name;
(gdb) p module->name
$2 = 0x134d795 "Core"
(gdb) p module->module_number    <------ Important, number is 0, but 0 is "internal"
$3 = 0

I find "Core" module's number is 0, this means it will rewrite "internal", and then the next module "date":

2204	ZEND_HASH_FOREACH_PTR(&module_registry, module) {
(gdb) 
0x0000000000a6511c in zif_get_defined_constants (execute_data=0x7ffff495a0b0, return_value=0x7ffff495a0a0)
(gdb) 
2205	module_names[module->module_number] = (char *)module->name;
(gdb) p module->name
$5 = 0xde2964 "date"
(gdb) p module->module_number 
$6 = 2

module "data" number is 2! This make me trouble, why "Core" is 0 but "data" is 2. To make this problem clearly, i continue debug code ...

------------------------------------------------

At last, I find the place to assign "Core" module_number. in zend_startup functions, zend engine will load builtin module "Core", these code are:

Breakpoint 1, zend_startup_builtin_functions () at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:362
362	zend_builtin_module.module_number = 0;
(gdb) l
357	};
358	/* }}} */
359	
360	int zend_startup_builtin_functions(void) /* {{{ */
361	{
362		zend_builtin_module.module_number = 0;
363		zend_builtin_module.type = MODULE_PERSISTENT;
364		return (EG(current_module) = zend_register_module_ex(&zend_builtin_module)) == NULL ? FAILURE : SUCCESS;
365	}
366	/* }}} */

as we can see, "Core" module_number assign to 0. Then i debug other module load process and find:

(gdb) b zend_API.c:2050
Breakpoint 2 at 0xa3c5ed: file /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_API.c, line 2050.
(gdb) c
Continuing.

Breakpoint 2, zend_register_internal_module (module=0x165ac20 <date_module_entry>) at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_API.c:2050
2050		module->module_number = zend_next_free_module();
(gdb) p module->name 
$1 = 0xde2964 "date"

in these codes, other module get number by "zend_next_free_module()", and i step the code:
(gdb) step
zend_next_free_module () at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_API.c:2643
2643	return zend_hash_num_elements(&module_registry) + 1;
(gdb) p module_registry.nNumOfElements
$2 = 1

the result is, this will return 2 but not 1. Because module_registry contains "Core".

I think the problem is come from here, which "Core" module_number don't use "zend_next_free_module()" but direct assign 0. This will lead other module_name calculate error.

---------------------------------------------------------------------

Finally, "Core" module_number = 0, but "data" module_number = 2, so module_names[1]=0x0, this will lead core dump:

#1  0x0000000000a652b6 in zif_get_defined_constants (execute_data=0x7ffff76120a0, return_value=0x7ffff7612090)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2227
2227	add_assoc_zval(return_value, module_names[module_number], &modules[module_number]);
(gdb) p module_names[module_number]
$1 = 0x0
(gdb) p module_number
$2 = 1

add_assoc_zval expand to add_assoc_zval_ex(__arg, __key, strlen(__key), __value), which strlen(0x0) will make core dump.

-----------------------------------------------------------------------

by the way, i add USE_ZEND_ALLOC=0 to see why it can run:

Breakpoint 1, zif_get_defined_constants (execute_data=0x7ffff495a0b0, return_value=0x7ffff495a0a0)
    at /home/users/lvshun/php7/trunk/php/.tmp/build/php-7.0.6/Zend/zend_builtin_functions.c:2227
2227	add_assoc_zval(return_value, module_names[module_number], &modules[module_number]);
(gdb) p module_number
$2 = 1
(gdb) p module_names[module_number]
$3 = 0x302b130b38 "(\v\023+0"  <-------- may be USE_ZEND_ALLOC=0 make this value not 0x0
 [2016-05-31 09:15 UTC] bwoebi@php.net
-Status: Open +Status: Feedback
 [2016-05-31 09:15 UTC] bwoebi@php.net
The question was rather how it is possible that PHP_VERSION gets a module_number of 1. That module_name[1] == 0x0 is normal and intended as it must be unused.
 [2016-06-02 02:47 UTC] jccgls001 at 126 dot com
-Status: Feedback +Status: Closed
 [2016-06-02 02:47 UTC] jccgls001 at 126 dot com
At last i find the reason why PHP_VERSION module_number = 1...

When we build php source, the shell script will REDEFINE REGISTER_MAIN_STRINGL_CONSTANT and do some extra job in this macro. 

Unfortunately, the replace macro change the module_number param from 0 to 1... I use gdb debug and find this problem. Now i can continue my work, and i will ask other fellow workers why use 1 but not 0 in this code :(

Thank you for help us find the problem all long, and i also learn much about php7 core~
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Dec 18 19:01:27 2018 UTC