php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73156 segfault on undefined function
Submitted: 2016-09-23 20:03 UTC Modified: 2016-09-26 06:36 UTC
From: ryan dot brothers at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.1.0RC2 OS: Linux
Private report: No CVE-ID: None
 [2016-09-23 20:03 UTC] ryan dot brothers at gmail dot com
Description:
------------
I am running into a few segmentation faults in PHP 7.0 and 7.1 when using Opcache.  They seem to be very dependent on the code structure as minor updates to the code fix it - even just renaming a variable in some cases.  It's tricky to generate small reproduce scripts, but I've been able to do one so far.

I am running on CentOS 7.

Create the below 3 files and run the script as:

php -n -d zend_extension=opcache.so -d opcache.enable_cli=1 file1.php


Test script:
---------------
file1.php:
-------
<?php
class a1
{
	public function __call($name, $arguments)
	{
		require('file2.php');
	}
}

$a1 = new a1;
$a1->file2();
-------

file2.php:
-------
<?php
$arguments = array();

require('file3.php');

class a2
{
	public function __call($method_name, $arguments)
	{
		try
		{
			throw new \Exception('abc');
		}
		catch (\Exception $e)
		{
			try
			{
				test();
			}
			catch (\Error $e)
			{
				echo 'caught';
				exit;
			}
		}
	}
}

$a2 = new a2;
$a2->function2();
-------

file3.php:
-------
<?php
namespace test_aaaa;

function abc($row)
{
	if (array_key_exists('a', $row) == true)
	{
		$a = ABC_ERROR_AAA__123_ERROR;

		$a = ABC_ERROR_AAA__123_ERROR;
	}
	else
	{
		$a = ABC_ERROR_AAA__123_ERROR;
	}
}
-------


Expected result:
----------------
caught

Actual result:
--------------
Segmentation fault

backtrace is:
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (size=56, bin_num=6, heap=0x7fffee200040) at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:1250
1250                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (size=56, bin_num=6, heap=0x7fffee200040) at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:1250
#1  _emalloc_56 () at /usr/local/src/php-7.1.0RC2/Zend/zend_alloc.c:2325
#2  0x0000000000857300 in _array_init (arg=arg@entry=0x7fffffffab20, size=size@entry=2) at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1060
#3  0x0000000000869baf in debug_backtrace_get_args (call=call@entry=0x7fffee2131a0, arg_array=arg_array@entry=0x7fffffffab20)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_builtin_functions.c:2271
#4  0x000000000086e446 in zend_fetch_debug_backtrace (return_value=return_value@entry=0x7fffffffaba0, skip_last=skip_last@entry=0, options=options@entry=0,
    limit=limit@entry=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_builtin_functions.c:2671
#5  0x0000000000874d9f in zend_default_exception_new_ex (class_type=0x1282820, skip_top_traces=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_exceptions.c:214
#6  0x0000000000857abb in _object_and_properties_init (arg=arg@entry=0x7fffffffac10, class_type=class_type@entry=0x1282820, properties=properties@entry=0x0)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1302
#7  0x0000000000857ba7 in _object_init_ex (arg=arg@entry=0x7fffffffac10, class_type=class_type@entry=0x1282820) at /usr/local/src/php-7.1.0RC2/Zend/zend_API.c:1310
#8  0x000000000044a403 in zend_throw_exception (exception_ce=exception_ce@entry=0x1282820, message=0x7fffee284000 "Call to undefined function test()",
    code=code@entry=0) at /usr/local/src/php-7.1.0RC2/Zend/zend_exceptions.c:903
#9  0x0000000000449494 in zend_throw_error (exception_ce=0x1282820, exception_ce@entry=0x0, format=format@entry=0xe48ad8 "Call to undefined function %s()")
    at /usr/local/src/php-7.1.0RC2/Zend/zend.c:1336
#10 0x00000000008e2589 in ZEND_INIT_FCALL_BY_NAME_SPEC_CONST_HANDLER () at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:2130
#11 0x0000000000899b8b in execute_ex (ex=<optimized out>) at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:429
#12 0x00000000008ec7c4 in zend_execute (op_array=0x7fffee27f0e0, op_array@entry=0x7fffe432a720, return_value=return_value@entry=0x7fffee2131a0)
    at /usr/local/src/php-7.1.0RC2/Zend/zend_vm_execute.h:474
#13 0x0000000000855444 in zend_execute_scripts (type=type@entry=8, retval=0x7fffee2131a0, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php-7.1.0RC2/Zend/zend.c:1464
#14 0x00000000007f7140 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd150) at /usr/local/src/php-7.1.0RC2/main/main.c:2533
#15 0x00000000008ee95f in do_cli (argc=7, argv=0x1202bd0) at /usr/local/src/php-7.1.0RC2/sapi/cli/php_cli.c:990
#16 0x000000000044dd50 in main (argc=7, argv=0x1202bd0) at /usr/local/src/php-7.1.0RC2/sapi/cli/php_cli.c:1378


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-25 14:55 UTC] ryan dot brothers at gmail dot com
Please also see bug 73168 that I just added on a different segfault.  I wasn't sure if it was the same underlying issue.
 [2016-09-26 06:17 UTC] laruence@php.net
actually, this is not opcache issue, and also can be reproduced in 7.0, 

a simpler reproduce script is:
<?php
class A {
    public function __call($name, $args) {
        eval('$args = array(); var_dump(debug_backtrace());');
    }
}

$a = new A();

$a->test("test");
?>


I don't see a easy fix for now howerver:<
 [2016-09-26 06:18 UTC] laruence@php.net
please note, my test script may not trigger segfault, should run with valgrind.
 [2016-09-26 06:36 UTC] laruence@php.net
-Package: opcache +Package: Scripting Engine problem -Assigned To: +Assigned To: dmitry
 [2016-09-26 06:36 UTC] laruence@php.net
a fix could be:
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 194f16d..1e68534 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -1527,7 +1527,9 @@ ZEND_API void zend_attach_symbol_table(zend_execute_data *execute_data) /* {{{ *
                        if (zv) {
                                if (Z_TYPE_P(zv) == IS_INDIRECT) {
                                        zval *val = Z_INDIRECT_P(zv);
-
+                                 if (EXPECTED(Z_REFCOUNTED_P(zv) && (!Z_ISREF_P(val)))) {
+                                         ZVAL_NEW_REF(val, Z_INDIRECT_P(zv));
+                                 }
                                        ZVAL_COPY_VALUE(var, val);
                                } else {
                                        ZVAL_COPY_VALUE(var, zv);
 [2016-09-26 11:19 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d2791184228ff86878acda46567a3bc2a94f2a36
Log: Fixed bug #73156 (segfault on undefined function)
 [2016-09-26 11:19 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d2791184228ff86878acda46567a3bc2a94f2a36
Log: Fixed bug #73156 (segfault on undefined function)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 14:01:27 2024 UTC