PHP :: Bug #73599 :: Segmentation fault in

Bug #73599	Segmentation fault in _emalloc
Submitted:	2016-11-24 09:05 UTC	Modified:	2016-11-30 02:10 UTC
From:	xeonchik at gmail dot com	Assigned:
Status:	Wont fix	Package:	*General Issues
PHP Version:	7.0.13	OS:	Ubuntu 14.04 Kern:3.13.0-24 64-b
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-11-24 09:05 UTC] xeonchik at gmail dot com

Description:
------------
Hi, have a problem with php-fpm 7.0.13
I was tested with minimum of extensions, but got the same error. Tried to build php from binaries, and install from packages.


Environment info:

----
PHP 7.0.13 (cli) (built: Nov 24 2016 09:30:51) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
----

Configure Command =>  './configure'  '--enable-fpm' '--enable-mysqlnd' '--enable-soap' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd'

ERROR:
======

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000720371 in _emalloc (size=40) at /root/php-7.0.13/Zend/zend_alloc.c:2439



Actual result:
--------------
#0  0x0000000000720371 in _emalloc (size=40) at /root/php-7.0.13/Zend/zend_alloc.c:2439
#1  0x000000000075dda5 in zend_string_alloc (persistent=0, len=<optimized out>) at /root/php-7.0.13/Zend/zend_string.h:121
#2  zend_string_init (persistent=0, len=<optimized out>, str=0xbfa701 "__tostring") at /root/php-7.0.13/Zend/zend_string.h:157
#3  zend_call_method (object=object@entry=0x7f5189e721b0, obj_ce=obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0, function_name=function_name@entry=0xbfa701 "__tostring",
    function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5140, param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0)
    at /root/php-7.0.13/Zend/zend_interfaces.c:53
#4  0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e721b0, writeobj=0x7fff99ef51a0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#5  0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e721b0) at /root/php-7.0.13/Zend/zend_operators.c:841
#6  0x00000000007999f8 in _zval_get_string (op=0x7f5189e721b0) at /root/php-7.0.13/Zend/zend_operators.h:266
#7  ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#8  0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#9  0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef53d0, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef53a0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#10 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e72080, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5480, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#11 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e72080, writeobj=0x7fff99ef54e0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#12 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e72080) at /root/php-7.0.13/Zend/zend_operators.c:841
#13 0x00000000007999f8 in _zval_get_string (op=0x7f5189e72080) at /root/php-7.0.13/Zend/zend_operators.h:266
#14 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#15 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#16 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5710, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef56e0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#17 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71f50, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef57c0, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#18 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71f50, writeobj=0x7fff99ef5820, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#19 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71f50) at /root/php-7.0.13/Zend/zend_operators.c:841
#20 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71f50) at /root/php-7.0.13/Zend/zend_operators.h:266
#21 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#22 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#23 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5a50, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef5a20) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#24 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71e20, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5b00, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#25 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71e20, writeobj=0x7fff99ef5b60, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#26 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71e20) at /root/php-7.0.13/Zend/zend_operators.c:841
#27 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71e20) at /root/php-7.0.13/Zend/zend_operators.h:266
#28 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#29 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#30 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef5d90, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef5d60) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#31 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71cf0, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef5e40, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#32 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71cf0, writeobj=0x7fff99ef5ea0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#33 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71cf0) at /root/php-7.0.13/Zend/zend_operators.c:841
#34 0x00000000007999f8 in _zval_get_string (op=0x7f5189e71cf0) at /root/php-7.0.13/Zend/zend_operators.h:266
#35 ZEND_CAST_SPEC_VAR_HANDLER () at /root/php-7.0.13/Zend/zend_vm_execute.h:15609
#36 0x000000000077e21b in execute_ex (ex=<optimized out>) at /root/php-7.0.13/Zend/zend_vm_execute.h:414
#37 0x0000000000733ee2 in zend_call_function (fci=fci@entry=0x7fff99ef60d0, fci_cache=0x7f518a915300, fci_cache@entry=0x7fff99ef60a0) at /root/php-7.0.13/Zend/zend_execute_API.c:858
#38 0x000000000075deb4 in zend_call_method (object=object@entry=0x7f5189e71bc0, obj_ce=<optimized out>, obj_ce@entry=0x7f518a93a290, fn_proxy=fn_proxy@entry=0x7f518a93a3c0,
    function_name=function_name@entry=0xbfa701 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff99ef6180, param_count=param_count@entry=0,
    arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/php-7.0.13/Zend/zend_interfaces.c:104
#39 0x0000000000776a8c in zend_std_cast_object_tostring (readobj=0x7f5189e71bc0, writeobj=0x7fff99ef61e0, type=<optimized out>) at /root/php-7.0.13/Zend/zend_object_handlers.c:1558
#40 0x000000000073a4cc in _zval_get_string_func (op=op@entry=0x7f5189e71bc0) at /root/php-7.0.13/Zend/zend_operators.c:841

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-24 17:44 UTC] bwoebi@php.net

-Status: Open +Status: Feedback

[2016-11-24 17:44 UTC] bwoebi@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

This can mean an issue anywhere, the backtrace doesn't help us at all here :-/

[2016-11-25 10:15 UTC] xeonchik at gmail dot com

-Status: Feedback +Status: Open

[2016-11-25 10:15 UTC] xeonchik at gmail dot com

Ok. I prepared two files, which reproduce this problem. It can be more compact, but may be it's not nessesarry.

https://drive.google.com/open?id=0B4qIypF4M_QzYVNLWVk1ck9RTlE

simple download, and start
$ php test.php

[2016-11-25 11:28 UTC] xeonchik at gmail dot com

Ok, it's minified version of the test:

<?php
/**
 * Segfault test for PHP 7.0.13 cli
 */
class QueryBuilderTest
{
    public $sqlParts = null;

    public function andWhere($where)
    {
        $where = $this->sqlParts;
        $args = func_get_args();

        if (!$where) {
            $where = new CompositeExpression;
        } else {
            $where->parts = $args;
        }
        $this->sqlParts = $where;
    }
}

class CompositeExpression
{
    public $parts = array();

    public function __toString()
    {
        return implode(',', $this->parts);
    }
}

$qb = new QueryBuilderTest();
for($i = 1; $i < 3; $i++) {
    $qb->andWhere($i);
}
print (string) $qb->sqlParts;

die("TEST PASSED!");

?>

In this example we has a reqursion in object, and PHP can't do __toString of this object...

Issue is related to

https://github.com/doctrine/doctrine2/issues/4712
https://github.com/doctrine/doctrine2/commit/b33c9befb7390565c5f9f7d43967ced32a6ae67c

So, in a new version of Doctrine, that was fixed, but i think, that PHP must handle recursions with __toString() calls...

[2016-11-30 02:10 UTC] bwoebi@php.net

-Status: Open +Status: Wont fix

[2016-11-30 02:10 UTC] bwoebi@php.net

That's a trivial stack overflow.

Due to implementation details, this is unfixable, except by removing the concept of __toString() altogether [or very major changes to the code].

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Jul 06 09:01:32 2025 UTC