Bug #74845 Segfault during memory allocation since PHP 7.1
Submitted: 2017-07-03 08:36 UTC Modified: 2017-07-03 09:29 UTC
From: wouter at wouterj dot nl Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1Git-2017-07-03 (Git) OS: Linux
Private report: No CVE-ID: None
 [2017-07-03 08:36 UTC] wouter at wouterj dot nl
Description:
------------
A segfault occurs during memory allocation after upgrading to PHP 7.1. This happens during the execution of our test suite.

Issues https://bugs.php.net/bug.php?id=74382 and https://bugs.php.net/bug.php?id=74608 seem to be related.

Test script:
---------------
The most minimal application in which I can consistently reproduce this bug is at https://github.com/wouterj/php7.1-segfault

To reproduce, follow these steps:

 * Clone the repository
 * composer install
 * php reproduce.php

Actual result:
--------------
GDB backtrace:

#0  0x00000000007bd7ac in zend_mm_alloc_small (heap=0x7ffff4000040, size=200, bin_num=14, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:1261
#1  0x00000000007bda50 in zend_mm_alloc_heap (heap=0x7ffff4000040, size=200, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:1332
#2  0x00000000007bff18 in _emalloc (size=168, __zend_filename=0xdce510 "/home/wouter/.pvm/php-7.1/Zend/zend_objects.c", __zend_lineno=171, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/wouter/.pvm/php-7.1/Zend/zend_alloc.c:2419
#3  0x000000000082598c in zend_objects_new (ce=ce@entry=0x7fffed7bcc18) at /home/wouter/.pvm/php-7.1/Zend/zend_objects.c:171
#4  0x00000000007ecd44 in _object_and_properties_init (arg=arg@entry=0x7ffff4015630, class_type=class_type@entry=0x7fffed7bcc18, properties=properties@entry=0x0, 
    __zend_filename=__zend_filename@entry=0xdcf650 "/home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h", __zend_lineno=__zend_lineno@entry=3217)
    at /home/wouter/.pvm/php-7.1/Zend/zend_API.c:1295
#5  0x00000000007ecda6 in _object_init_ex (arg=arg@entry=0x7ffff4015630, class_type=class_type@entry=0x7fffed7bcc18, 
    __zend_filename=__zend_filename@entry=0xdcf650 "/home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h", __zend_lineno=__zend_lineno@entry=3217)
    at /home/wouter/.pvm/php-7.1/Zend/zend_API.c:1310
#6  0x00000000008805b6 in ZEND_NEW_SPEC_CONST_HANDLER () at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:3217
#7  0x0000000000831cff in execute_ex (ex=<optimized out>) at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:429
#8  0x000000000088517c in zend_execute (op_array=op_array@entry=0x7ffff4086000, return_value=return_value@entry=0x0) at /home/wouter/.pvm/php-7.1/Zend/zend_vm_execute.h:474
#9  0x00000000007e9d04 in zend_execute_scripts (type=-201239216, type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/wouter/.pvm/php-7.1/Zend/zend.c:1476
#10 0x0000000000779f2c in php_execute_script (primary_file=primary_file@entry=0x7fffffffc930) at /home/wouter/.pvm/php-7.1/main/main.c:2537
#11 0x0000000000886e2e in do_cli (argc=argc@entry=2, argv=argv@entry=0x114f390) at /home/wouter/.pvm/php-7.1/sapi/cli/php_cli.c:993
#12 0x0000000000887c67 in main (argc=2, argv=0x114f390) at /home/wouter/.pvm/php-7.1/sapi/cli/php_cli.c:1381

Running the script as: USE_ZEND_ALLOC=0 php reproduce.php
produces the following output:

*** Error in `php': corrupted double-linked list: 0x0000000002c6a260 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ff49dfcc7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80baf)[0x7ff49dfd5baf]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ff49dfd953c]
php(_efree+0x7b)[0x7bff95]
php(zend_objects_store_del+0x1c4)[0x82a7fc]
php(_zval_dtor_func+0xf3)[0x7e6be1]
php(zend_object_std_dtor+0x76)[0x825582]
php(zend_objects_store_del+0x163)[0x82a79b]
php(_zval_dtor_func+0xf3)[0x7e6be1]
php(_zval_ptr_dtor_wrapper+0x2c)[0x7e7055]
php(zend_hash_destroy+0x57)[0x7fbfc5]
php(zend_gc_collect_cycles+0x45c)[0x815862]
php(gc_possible_root+0xf9)[0x815023]
php[0x831c29]
php[0x883afe]
php[0x8849ab]
php(execute_ex+0x2a)[0x831cff]
php(zend_execute+0x2f4)[0x88517c]
php(zend_execute_scripts+0xe6)[0x7e9d04]
php(php_execute_script+0x354)[0x779f2c]
php[0x886e2e]
php[0x887c67]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff49df75830]
php(_start+0x29)[0x426629]
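
The two traces above show the same corruption reported by two allocators: under Zend MM the fault lands in zend_mm_alloc_small while it pops a small-bin free slot, and under the system allocator (USE_ZEND_ALLOC=0) glibc's unlink check aborts with "corrupted double-linked list" during free. The following is an added illustration, not code from the bug report, from PHP or from the reproduction repository, and it makes no claim about the root cause of this report or of bug #72530. It models a bin allocator that, like Zend MM's free_slot lists, stores the "next free" link inside the freed chunk itself, so a write through a dangling pointer clobbers the link and only surfaces on a later allocation. All toy_* names and the arena layout are hypothetical.

```c
/* Added example, not code from the bug report or from PHP: a toy bin allocator that keeps
 * its free list inside the freed chunks, the way Zend MM's small-bin free_slot lists do,
 * to show why a write through a dangling pointer surfaces later as a fault inside the
 * allocator's allocation path rather than at the offending line. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHUNK_SIZE 32   /* one fixed-size bin, like a single zend_mm small bin */
#define NCHUNKS    8

/* A free chunk's first word is reused as the "next free" link. */
struct toy_free_slot { struct toy_free_slot *next; };

static unsigned char arena[CHUNK_SIZE * NCHUNKS];
static struct toy_free_slot *free_head;

/* True if p is a chunk boundary inside the arena. */
static int in_arena(const void *p) {
    const unsigned char *c = p;
    return c >= arena && c < arena + sizeof arena && ((c - arena) % CHUNK_SIZE) == 0;
}

void toy_init(void) {
    free_head = NULL;
    /* Thread every chunk onto the free list, lowest address ending up at the head. */
    for (int i = NCHUNKS - 1; i >= 0; i--) {
        struct toy_free_slot *s = (struct toy_free_slot *)(arena + i * CHUNK_SIZE);
        s->next = free_head;
        free_head = s;
    }
}

/* Pop: reads the link stored inside the free chunk itself, with no validation. If a stale
 * pointer wrote into that chunk after it was freed, this read yields garbage, and the
 * *next* pop dereferences it. That is the shape of the fault in zend_mm_alloc_small above. */
void *toy_alloc(void) {
    struct toy_free_slot *s = free_head;
    if (!s) return NULL;
    free_head = s->next;
    return s;
}

void toy_free(void *p) {
    struct toy_free_slot *s = p;
    s->next = free_head;
    free_head = s;
}

/* A consistency check in the spirit of glibc's unlink check (whose failure is the
 * "corrupted double-linked list" abort above), which the Zend MM fast path does not do:
 * walk the list and reject any link that is not a chunk boundary inside the arena.
 * Returns 1 if the list is sane, 0 if it is corrupted. */
int toy_free_list_is_sane(void) {
    size_t seen = 0;
    for (struct toy_free_slot *s = free_head; s; s = s->next) {
        if (!in_arena(s) || ++seen > NCHUNKS) return 0;  /* bad link or cycle */
    }
    return 1;
}

/* Scenario: allocate, free, then keep using the stale pointer. Returns 1 if the list
 * was sane before the stale write and corrupted afterwards. */
int toy_demo(void) {
    toy_init();
    char *obj = toy_alloc();
    memset(obj, 0, CHUNK_SIZE);
    toy_free(obj);                                /* obj is now the head of the free list */
    int sane_before = toy_free_list_is_sane();    /* 1 */
    strcpy(obj, "stale write after free");        /* use-after-free: clobbers the link */
    int sane_after = toy_free_list_is_sane();     /* 0: the link is now ASCII bytes */
    return sane_before && !sane_after;
}

int main(void) {
    printf("use-after-free corrupted the free list: %s\n",
           toy_demo() ? "detected" : "not detected");
    return 0;
}
```

The point for triage is that the crashing frame identifies where the corrupted link was consumed, not where it was written; running with USE_ZEND_ALLOC=0 (optionally with MALLOC_CHECK_ or a sanitizer build) moves the report closer to the offending write, which is why that second trace names zend_objects_store_del rather than the allocator.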

History
 [2017-07-03 09:29 UTC] bwoebi@php.net
-Status: Open +Status: Duplicate
 [2017-07-03 09:29 UTC] bwoebi@php.net
Duplicate of bug #72530.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon May 27 03:01:26 2019 UTC