Bug #74124 Seg fault when running code using the ps (postscript) extension
Submitted: 2017-02-18 19:53 UTC
Modified: 2021-11-28 04:22 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: ian at gumstix dot com
Assigned: cmb
Status: No Feedback
Package: ps (PECL)
PHP Version: 7.1.5
OS: Xubuntu 16.04.2
Private report: No
CVE-ID: None
 [2017-02-18 19:53 UTC] ian at gumstix dot com
Description:
------------
When running the unit test for my application, some code that uses the ps PECL extension crashes with a seg fault. gdb backtrace is below.

Test script:
---------------
The code that generates the error is proprietary, and I don't have a test script yet that will produce the error. I'll update the bug if I manage to get one.

Actual result:
--------------
(gdb) run vendor/bin/phpunit path/to/my/directory
Starting program: /usr/bin/php vendor/bin/phpunit path/to/my/directory
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
PHPUnit 4.8.35 by Sebastian Bergmann and contributors.

...
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=<optimized out>, size=<optimized out>, heap=0x7ffff3800040)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c:1261
1261	/build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c: No such file or directory.
(gdb) backtrace
#0  zend_mm_alloc_small (bin_num=<optimized out>, size=<optimized out>, heap=0x7ffff3800040)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c:1261
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff3800040)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c:1332
#2  _emalloc (size=<optimized out>) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c:2417
#3  0x000055555579b89d in _safe_emalloc (nmemb=nmemb@entry=24, size=<optimized out>, offset=offset@entry=0)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_alloc.c:2472
#4  0x00005555557a4aec in zend_compile_params (ast=ast@entry=0x7fffdcfd2578, return_type_ast=return_type_ast@entry=0x0)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:5118
#5  0x00005555557acaaf in zend_compile_func_decl (result=result@entry=0x0, ast=ast@entry=0x7fffdcfd36b8)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:5619
#6  0x00005555557abc7a in zend_compile_stmt (ast=0x7fffdcfd36b8)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:7838
#7  0x00005555557ac757 in zend_compile_stmt_list (ast=ast@entry=0x7fffdcfd1860)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:5022
#8  0x00005555557abb46 in zend_compile_stmt (ast=ast@entry=0x7fffdcfd1860)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:7782
#9  0x00005555557ab2a9 in zend_compile_class_decl (ast=ast@entry=0x7fffdcfd3700)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:6029
#10 0x00005555557abc88 in zend_compile_stmt (ast=ast@entry=0x7fffdcfd3700)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:7850
#11 0x00005555557ae3fa in zend_compile_top_stmt (ast=0x7fffdcfd3700)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:7756
#12 0x00005555557ae43f in zend_compile_top_stmt (ast=0x7fffdcfd1018)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_compile.c:7751
#13 0x0000555555785ecd in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:601
#14 0x0000555555787376 in compile_file (file_handle=0x7fffffff95a0, type=2) at Zend/zend_language_scanner.l:635
#15 0x00007fffea09a3d8 in ?? () from /usr/lib/php/20160303/phar.so
#16 0x00007ffff32d12ac in ?? () from /usr/lib/php/20160303/opcache.so
#17 0x00007ffff32d32a9 in persistent_compile_file () from /usr/lib/php/20160303/opcache.so
#18 0x000055555578756b in compile_filename (type=type@entry=2, filename=filename@entry=0x7ffff3814510)
    at Zend/zend_language_scanner.l:662
#19 0x00005555558259ea in zend_include_or_eval (inc_filename=0x7ffff3814510, type=2)
---Type <return> to continue, or q <return> to quit---
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute.c:2846
#20 0x000055555585fbcf in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:35461
#21 0x000055555580ac1b in execute_ex (ex=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:429
#22 0x00005555557b1d4f in zend_call_function (fci=fci@entry=0x7fffffff98e0, fci_cache=<optimized out>, 
    fci_cache@entry=0x7fffffff98b0) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:828
#23 0x00005555557dfaa9 in zend_call_method (object=0x7ffff38c7818, obj_ce=<optimized out>, fn_proxy=<optimized out>, 
    function_name=0x7ffff38d6f68 "composer\\autoload\\classloader::loadclass\001", function_name_len=<optimized out>, 
    retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3814420, arg2=0x0)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_interfaces.c:101
#24 0x00005555556bdbae in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/ext/spl/php_spl.c:420
#25 0x00005555557b1c4b in zend_call_function (fci=fci@entry=0x7fffffff9b80, fci_cache=<optimized out>, 
    fci_cache@entry=0x7fffffff9b50) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:842
#26 0x00005555557b22a1 in zend_lookup_class_ex (name=name@entry=0x7fffddb26950, key=0x7fffde9b18a8, 
    use_autoload=use_autoload@entry=1) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:1001
#27 0x00005555557b2c58 in zend_fetch_class_by_name (class_name=0x7fffddb26950, key=<optimized out>, fetch_type=0)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:1436
#28 0x000055555580f779 in ZEND_FETCH_CLASS_SPEC_CONST_HANDLER ()
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:2096
#29 0x000055555580ac1b in execute_ex (ex=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:429
#30 0x00005555557b1d4f in zend_call_function (fci=fci@entry=0x7fffffff9dd0, fci_cache=<optimized out>, 
    fci_cache@entry=0x7fffffff9da0) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:828
#31 0x00005555557dfaa9 in zend_call_method (object=0x7ffff38c7818, obj_ce=<optimized out>, fn_proxy=<optimized out>, 
    function_name=0x7ffff38d6f68 "composer\\autoload\\classloader::loadclass\001", function_name_len=<optimized out>, 
    retval_ptr=retval_ptr@entry=0x0, param_count=1, arg1=0x7ffff3814270, arg2=0x0)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_interfaces.c:101
#32 0x00005555556bdbae in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/ext/spl/php_spl.c:420
#33 0x00005555557b1c4b in zend_call_function (fci=fci@entry=0x7fffffffa070, fci_cache=<optimized out>, 
    fci_cache@entry=0x7fffffffa040) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:842
---Type <return> to continue, or q <return> to quit---
#34 0x00005555557b22a1 in zend_lookup_class_ex (name=name@entry=0x7fffdcc74410, key=0x7fffdcd39870, 
    use_autoload=use_autoload@entry=1) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:1001
#35 0x00005555557b2c58 in zend_fetch_class_by_name (class_name=0x7fffdcc74410, key=<optimized out>, 
    fetch_type=fetch_type@entry=512) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:1436
#36 0x0000555555860cf7 in ZEND_NEW_SPEC_CONST_HANDLER ()
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:3199
#37 0x000055555580ac1b in execute_ex (ex=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:429
#38 0x00005555557b1d4f in zend_call_function (fci=fci@entry=0x7fffffffa2f0, fci_cache=<optimized out>, 
    fci_cache@entry=0x7fffffffa2c0) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_execute_API.c:828
#39 0x00005555556a8c64 in reflection_method_invoke (execute_data=<optimized out>, return_value=0x7ffff3813cb0, 
    variadic=<optimized out>) at /build/php7.1-jn_ZrU/php7.1-7.1.2/ext/reflection/php_reflection.c:3325
#40 0x00005555558635dc in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:1097
#41 0x000055555580ac1b in execute_ex (ex=<optimized out>)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:429
#42 0x0000555555865a60 in zend_execute (op_array=0x7ffff3884000, op_array@entry=0x7fffde3dcc80, 
    return_value=return_value@entry=0x7ffff3813bf0) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend_vm_execute.h:474
#43 0x00005555557c1723 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff3813bf0, retval@entry=0x0, 
    file_count=file_count@entry=3) at /build/php7.1-jn_ZrU/php7.1-7.1.2/Zend/zend.c:1475
#44 0x000055555575e520 in php_execute_script (primary_file=0x7fffffffc960)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/main/main.c:2537
#45 0x0000555555867ce7 in do_cli (argc=3, argv=0x555555bdf440)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/sapi/cli/php_cli.c:993
#46 0x000055555563a92c in main (argc=3, argv=0x555555bdf440)
    at /build/php7.1-jn_ZrU/php7.1-7.1.2/sapi/cli/php_cli.c:1381

 [2017-02-18 22:22 UTC] ian at gumstix dot com
-Summary: Seg fault when running code using the ps (postscript) extension +Summary: ian@gumstix.com
 [2017-02-18 22:22 UTC] ian at gumstix dot com
I've created a test script that reproduces the bug. It is here:

https://github.com/ianfp/php-ps-segfault
 [2017-02-18 22:23 UTC] ian at gumstix dot com
-Summary: ian@gumstix.com +Summary: Seg fault when running code using the ps (postscript) extension
 [2017-02-18 22:23 UTC] ian at gumstix dot com
Revert accidental change to the bug summary.
 [2017-03-02 18:45 UTC] ian at gumstix dot com
-Package: Reproducible crash +Package: ps
 [2017-03-02 18:45 UTC] ian at gumstix dot com
Changed package to "ps" because I just encountered this bug in production code (as opposed to while running PHPUnit tests) that uses the ps extension.
 [2017-03-21 15:54 UTC] ian at gumstix dot com
-PHP Version: 7.1.2 +PHP Version: 7.1.3
 [2017-03-21 15:54 UTC] ian at gumstix dot com
Still occurs in PHP 7.1.3.
 [2017-04-04 08:43 UTC] bugsphpnet888 at allanid dot com
I experience the same problem. I have the same PHP version (7.1.3), but on Debian 8.7. It gives strange artifacts in my remaining PHP code. It somehow manages to cause the PHP script to be run multiple times - so if I run a script that adds a database record the record might be added 3 times!

I need to use the ps_hyphenate() function to hyphenate text. Using this extension is the only method I have found to do it, so I really need this bug fixed.
 [2017-05-30 21:49 UTC] ian at gumstix dot com
-Package: ps +Package: Reproducible crash -PHP Version: 7.1.3 +PHP Version: 7.1.5
 [2017-05-30 21:49 UTC] ian at gumstix dot com
I'm changing the package from "ps" to "Reproducible crash" based on the comment thread in bug 74676, which suggests that this is not actually a bug in the Postscript extension.
 [2017-06-01 22:07 UTC] ian at gumstix dot com
Commenting out the call to ps_delete() seems to solve the problem.

https://github.com/ianfp/php-ps-segfault/blob/master/src/PostscriptDocument.php#L63
 [2021-01-27 16:05 UTC] cmb@php.net
-Package: Reproducible crash +Package: ps
 [2021-11-19 13:39 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-11-19 13:39 UTC] cmb@php.net
There have been fixes to support PHP 7, or is this still an issue
for you with latest ps (1.4.4)?
 [2021-11-28 04:22 UTC] pecl-dev at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2023-07-27 21:03 UTC] bugs dot php dot net at trackmail dot cz
> There have been fixes to support PHP 7, or is this still an issue
> for you with latest ps (1.4.4)?

Yes, problem is still there when calling ps_delete().
Tested on Debian 9, 10 with PHP 7.x, 8.x, ps 1.4.4
 
Last updated: Sat Oct 05 04:01:29 2024 UTC