Bug #73599 Segmentation fault in _emalloc
Submitted: 2016-11-24 09:05 UTC Modified: 2016-11-30 02:10 UTC
From: xeonchik at gmail dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 7.0.13 OS: Ubuntu 14.04 Kern:3.13.0-24 64-b
Private report: No CVE-ID: None

 [2016-11-24 09:05 UTC] xeonchik at gmail dot com
Description:
------------
Hi, I have a problem with php-fpm 7.0.13.
I tested with a minimum of extensions, but got the same error. I tried building PHP from binaries and installing from packages.


Environment info:

----
PHP 7.0.13 (cli) (built: Nov 24 2016 09:30:51) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
----

Configure Command =>  './configure'  '--enable-fpm' '--enable-mysqlnd' '--enable-soap' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd'

ERROR:
======

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000720371 in _emalloc (size=40) at /root/php-7.0.13/Zend/zend_alloc.c:2439



Actual result:
--------------
#0  0x0000000000720371 in _emalloc (size=40) at /root/php-7.0.13/Zend/zend_alloc.c:2439
#1  0x000000000075dda5 in zend_string_alloc (persistent=0, len=<optimized out>) at /root/php-7.0.13/Zend/zend_string.h:121
#2  zend_string_init (persistent=0, len=<optimized out>, str=0xbfa701 "__tostring") at /root/php-7.0.13/Zend/zend_string.h:157
#3  zend_call_method (object=object@entry=0x7f5189e721b0, obj_ce=obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0, function_name=function_name@entry=0xbfa701 "__tostring",
    function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5140, param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0)
    at /root/php-7.0.13/Zend/zend_interfaces.c:53
#4  0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e721b0, writeobj=0x7fff99ef51a0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#5  0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e721b0) at /root/php-7.0.13/Zend/zend_operators.c:841
#6  0x00000000007999f8 in _zval_get_string (op=0x7f5189e721b0) at /root/php-7.0.13/Zend/zend_operators.h:266
#7  ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#8  0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#9  0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef53d0, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef53a0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#10 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e72080, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5480, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#11 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e72080, writeobj=0x7fff99ef54e0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#12 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e72080) at /root/php-7.0.13/Zend/zend_operators.c:841
#13 0x00000000007999f8 in _zval_get_string (op=0x7f5189e72080) at /root/php-7.0.13/Zend/zend_operators.h:266
#14 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#15 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#16 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5710, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef56e0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#17 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71f50, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef57c0, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#18 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71f50, writeobj=0x7fff99ef5820, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#19 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71f50) at /root/php-7.0.13/Zend/zend_operators.c:841
#20 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71f50) at /root/php-7.0.13/Zend/zend_operators.h:266
#21 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#22 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#23 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5a50, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef5a20) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#24 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71e20, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5b00, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#25 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71e20, writeobj=0x7fff99ef5b60, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#26 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71e20) at /root/php-7.0.13/Zend/zend_operators.c:841
#27 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71e20) at /root/php-7.0.13/Zend/zend_operators.h:266
#28 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#29 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#30 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5d90, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef5d60) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#31 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71cf0, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5e40, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#32 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71cf0, writeobj=0x7fff99ef5ea0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#33 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71cf0) at /root/php-7.0.13/Zend/zend_operators.c:841
#34 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71cf0) at /root/php-7.0.13/Zend/zend_operators.h:266
#35 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#36 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#37 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef60d0, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef60a0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#38 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71bc0, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef6180, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#39 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71bc0, writeobj=0x7fff99ef61e0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#40 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71bc0) at /root/php-7.0.13/Zend/zend_operators.c:841

History

 [2016-11-24 17:44 UTC] bwoebi@php.net
-Status: Open +Status: Feedback
 [2016-11-24 17:44 UTC] bwoebi@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

This can mean an issue anywhere, the backtrace doesn't help us at all here :-/
 [2016-11-25 10:15 UTC] xeonchik at gmail dot com
-Status: Feedback +Status: Open
 [2016-11-25 10:15 UTC] xeonchik at gmail dot com
Ok. I prepared two files which reproduce this problem. It could be more compact, but maybe that's not necessary.

https://drive.google.com/open?id=0B4qIypF4M_QzYVNLWVk1ck9RTlE

Simply download, and start:
$ php test.php
 [2016-11-25 11:28 UTC] xeonchik at gmail dot com
Ok, here is a minified version of the test:

<?php
/**
 * Segfault test for PHP 7.0.13 cli
 */
class QueryBuilderTest
{
    public $sqlParts = null;

    public function andWhere($where)
    {
        // The parameter is overwritten before func_get_args() is called; since
        // PHP 7.0 func_get_args() returns the *current* parameter values, so on
        // the second call $args holds $this->sqlParts itself.
        $where = $this->sqlParts;
        $args = func_get_args();

        if (!$where) {
            $where = new CompositeExpression;
        } else {
            // Second call: the expression becomes one of its own parts.
            $where->parts = $args;
        }
        $this->sqlParts = $where;
    }
}

class CompositeExpression
{
    public $parts = array();

    public function __toString()
    {
        // implode() casts each part to string, so a self-referencing part
        // re-enters __toString() without bound.
        return implode(',', $this->parts);
    }
}

$qb = new QueryBuilderTest();
for ($i = 1; $i < 3; $i++) {
    $qb->andWhere($i);
}
print (string) $qb->sqlParts; // segfaults here instead of printing

die("TEST PASSED!");

?>

In this example we have a recursion in the object, and PHP can't do __toString of this object...

Issue is related to

https://github.com/doctrine/doctrine2/issues/4712
https://github.com/doctrine/doctrine2/commit/b33c9befb7390565c5f9f7d43967ced32a6ae67c

So, in a new version of Doctrine that was fixed, but I think that PHP must handle recursions with __toString() calls...
 [2016-11-30 02:10 UTC] bwoebi@php.net
-Status: Open +Status: Wont fix
 [2016-11-30 02:10 UTC] bwoebi@php.net
That's a trivial stack overflow.

Due to implementation details, this is unfixable, except by removing the concept of __toString() altogether [or very major changes to the code].
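Since the engine cannot recover from this stack overflow, the guard has to live in userland. The following is an added example, not code from the bug report or from Doctrine (class names are hypothetical): it captures func_get_args() before the parameter is reassigned, refuses to store the expression inside itself, and makes __toString() detect re-entry instead of recursing.

```php
<?php
// Added example, not from the bug report or from Doctrine; class names are
// hypothetical. A userland guard for the self-referencing __toString()
// recursion that the reproducer above triggers.
final class GuardedCompositeExpression
{
    public $parts = [];
    private $rendering = false; // re-entrancy flag, set while __toString() runs
    public function __toString()
    {
        // The engine cannot recover from unbounded __toString() recursion (see the
        // backtrace), so detect re-entry; before PHP 7.4 __toString() must not throw.
        if ($this->rendering) {
            return '<recursive expression>';
        }
        $this->rendering = true;
        try {
            return implode(',', $this->parts);
        } finally {
            $this->rendering = false;
        }
    }
}

final class SafeQueryBuilder
{
    public $sqlParts = null;
    public function andWhere($where)
    {
        // Since PHP 7.0 func_get_args() returns the *current* parameter values, so
        // capture them before $where is reassigned (the reproducer's root cause).
        $args = func_get_args();
        if ($this->sqlParts === null) {
            $this->sqlParts = new GuardedCompositeExpression();
        }
        // Refuse to make the container one of its own parts.
        $this->sqlParts->parts = array_filter($args, function ($arg) {
            return $arg !== $this->sqlParts;
        });
    }
}

$qb = new SafeQueryBuilder();
for ($i = 1; $i < 3; $i++) {
    $qb->andWhere($i);
}
echo (string) $qb->sqlParts, "\n";
$expr = new GuardedCompositeExpression(); // deliberately self-referencing
$expr->parts = [1, $expr];
echo (string) $expr, "\n";
```

The second cast exercises the guard directly: the nested __toString() call returns the marker string and the script terminates normally instead of overflowing the stack.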
Last updated: Fri Apr 19 19:01:28 2024 UTC