php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74632 Segmentation fault on php_request_shutdown
Submitted: 2017-05-22 14:01 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: adam dot rosadzinski at home dot net dot pl Assigned:
Status: Open Package: Reproducible crash
PHP Version: 5.6.30 OS: Arch Linux, kernel 4.0.6 x86_64
Private report: No CVE-ID:
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: adam dot rosadzinski at home dot net dot pl
New email:
PHP Version: OS:

 

 [2017-05-22 14:01 UTC] adam dot rosadzinski at home dot net dot pl
Description:
------------
PHP version: 5.6.30
Configure line: ./configure --disable-rpath --with-layout=GNU --with-pic --enable-static=no --prefix=/usr --with-pear=/usr/lib/pear --datarootdir=/usr/share --with-config-file-path=/usr/etc --with-config-file-scan-dir=/usr/etc/conf.d

I'd like to report possible bug in Zend MM, which causes crash on request shutdown.
This issue is easily reproducible if you try to allocate more memory than specified in memory_limit directive.

Tested also on Mac OS X 10.12.4 (Sierra) with same result.

Test script:
---------------
<?php
error_reporting(E_ALL);
ini_set('display_errors', 0);
ini_set('memory_limit', '512M');

for($x=0;$x<100000000;$x++)
        $array[$x]=$x;

?>

Expected result:
----------------
No output on stdout
Script exited with code 0

Actual result:
--------------
Output on stdout: Segmentation fault
Script exited with code 139

Valgrind output:
==28140== Invalid read of size 4
==28140==    at 0xA8C634: zval_delref_p (zend.h:411)
==28140==    by 0xA8C634: i_zval_ptr_dtor (zend_execute.h:76)
==28140==    by 0xA8C634: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec220 is 261,984 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==
==28140== Invalid write of size 4
==28140==    at 0xA8C63C: zval_delref_p (zend.h:411)
==28140==    by 0xA8C63C: i_zval_ptr_dtor (zend_execute.h:76)
==28140==    by 0xA8C63C: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec220 is 261,984 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==
==28140== Invalid read of size 1
==28140==    at 0xA8C665: gc_zval_check_possible_root (zend_gc.h:182)
==28140==    by 0xA8C665: i_zval_ptr_dtor (zend_execute.h:86)
==28140==    by 0xA8C665: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec224 is 261,988 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC