Bug #76427 Segfault in zend_objects_store_put
Submitted: 2018-06-08 00:50 UTC Modified: 2018-06-12 20:10 UTC
From: thekid@php.net Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0alpha1 OS: Linux
Private report: No CVE-ID: None

 [2018-06-08 00:50 UTC] thekid@php.net
Description:
------------
Running the test suite for the project https://github.com/xp-framework/compiler causes a segmentation fault, see https://github.com/xp-framework/compiler/issues/35


Test script:
---------------
Haven't been able to reproduce this with a short script, sorry!

Expected result:
----------------
Test suite runs fine, as it does with the most recent PHP 7.2

Actual result:
--------------
Crash

 [2018-06-08 01:23 UTC] thekid@php.net
Here's the stack trace from GDB:

Program received signal SIGSEGV, Segmentation fault.
0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
141                     EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
(gdb) bt
#0  0x000000000078f6d2 in zend_objects_store_put (object=object@entry=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_objects_API.c:141
#1  0x000000000078a2ca in zend_object_std_init (object=0x7ffffadc2310, ce=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:36
#2  0x000000000078a6e6 in zend_objects_new (ce=ce@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_objects.c:161
#3  0x0000000000759481 in _object_and_properties_init (arg=arg@entry=0x7ffffb6236f0,
    class_type=class_type@entry=0x7ffffaef34d0, properties=properties@entry=0x0)
    at .../devel/php-src/Zend/zend_API.c:1359
#4  0x0000000000759567 in _object_init_ex (arg=arg@entry=0x7ffffb6236f0, class_type=class_type@entry=0x7ffffaef34d0)
    at .../devel/php-src/Zend/zend_API.c:1374
#5  0x00000000007d7ea4 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:8720
#6  0x00000000007dfc2a in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:55311
#7  0x0000000000749188 in zend_call_function (fci=0x7ffffb6234d0, fci@entry=0x7ffffffda4d0, fci_cache=<optimized out>,
    fci_cache@entry=0x0) at .../devel/php-src/Zend/zend_execute_API.c:786
#8  0x0000000000749505 in _call_user_function_ex (object=object@entry=0x0, function_name=<optimized out>,
    retval_ptr=retval_ptr@entry=0x7ffffb621820, param_count=<optimized out>, params=<optimized out>,
    no_separation=no_separation@entry=1) at .../devel/php-src/Zend/zend_execute_API.c:628
#9  0x000000000077fee5 in zim_Closure___invoke (execute_data=<optimized out>, return_value=0x7ffffb621820)
    at .../devel/php-src/Zend/zend_closures.c:54
#10 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#11 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#12 0x0000000000784006 in zend_generator_resume (orig_generator=orig_generator@entry=0x7ffffaa15080)
    at .../devel/php-src/Zend/zend_generators.c:772
#13 0x0000000000784f30 in zend_generator_ensure_initialized (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:817
---Type <return> to continue, or q <return> to quit---
#14 zend_generator_rewind (generator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:826
#15 zend_generator_iterator_rewind (iterator=<optimized out>)
    at .../devel/php-src/Zend/zend_generators.c:1124
#16 0x000000000079f3d2 in zend_fe_reset_iterator (array_ptr=array_ptr@entry=0x7ffffb6215d0, by_ref=by_ref@entry=0)
    at .../devel/php-src/Zend/zend_execute.c:3215
#17 0x00000000007ab52b in ZEND_FE_RESET_R_SPEC_CV_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:37145
#18 0x00000000007e113d in execute_ex (ex=0x7ffffadc2310)
    at .../devel/php-src/Zend/zend_vm_execute.h:58397
#19 0x0000000000749188 in zend_call_function (fci=0x7ffffb621570, fci@entry=0x7ffffffda820, fci_cache=<optimized out>,
    fci_cache@entry=0x7ffffffda800) at .../devel/php-src/Zend/zend_execute_API.c:786
#20 0x0000000000628571 in reflection_method_invoke (execute_data=<optimized out>, return_value=0x7ffffb621400,
    variadic=<optimized out>) at .../devel/php-src/ext/reflection/php_reflection.c:3208
#21 0x00000000007e6d40 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../devel/php-src/Zend/zend_vm_execute.h:1102
#22 execute_ex (ex=0x7ffffadc2310) at .../devel/php-src/Zend/zend_vm_execute.h:54505
#23 0x00000000007e799a in zend_execute (op_array=0x7ffffb67e2a0, op_array@entry=0x7ffffb7b9060,
    return_value=return_value@entry=0x7ffffb620f10)
    at .../devel/php-src/Zend/zend_vm_execute.h:59905
#24 0x00000000007578f3 in zend_execute_scripts (type=type@entry=8, retval=0x7ffffb620f10, retval@entry=0x0,
    file_count=file_count@entry=3) at .../devel/php-src/Zend/zend.c:1564
#25 0x00000000006f6d70 in php_execute_script (primary_file=primary_file@entry=0x7ffffffdced0)
    at .../devel/php-src/main/main.c:2467
#26 0x00000000007e9db9 in do_cli (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1011
#27 0x000000000043b58c in main (argc=8, argv=0x1185820)
    at .../devel/php-src/sapi/cli/php_cli.c:1404
 [2018-06-11 13:03 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ffaee27478a9cb338e40edeb5acf233f9cb67111
Log: Fixed bug #76427 (Segfault in zend_objects_store_put)
 [2018-06-11 13:03 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2018-06-12 01:36 UTC] thekid@php.net
-Status: Closed +Status: Re-Opened
 [2018-06-12 01:36 UTC] thekid@php.net
Thanks!

The test case now works:

$ ../../php-src/sapi/cli/php bug76427.php
int(4)

Unfortunately, the original code still doesn't, failing for the same reason:

(gdb) run -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin
Starting program: .../php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 30751) exited normally]
(gdb) run -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin/class-main.php xp.unittest.Runner src/test/php
Starting program: .../php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=Europe/Berlin /usr/bin/class-main.php xp.unittest.Runner src/test/php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[........................................................................
.........................................................................
.........................................................................
.........................................................................
....................
Program received signal SIGSEGV, Segmentation fault.
0x0000000008499972 in zend_objects_store_put (object=object@entry=0x7ffffa3a0380)
    at .../php-src/Zend/zend_objects_API.c:141
141                     EG(objects_store).free_list_head = GET_OBJ_BUCKET_NUMBER(EG(objects_store).object_buckets[handle]);
(gdb) bt
#0  0x0000000008499972 in zend_objects_store_put (object=object@entry=0x7ffffa3a0380)
    at .../php-src/Zend/zend_objects_API.c:141
#1  0x00000000084944ca in zend_object_std_init (object=0x7ffffa3a0380, ce=0x7ffffa4e1290)
    at .../php-src/Zend/zend_objects.c:36
#2  0x0000000008494906 in zend_objects_new (ce=ce@entry=0x7ffffa4e1290)
    at .../php-src/Zend/zend_objects.c:161
#3  0x0000000008463931 in _object_and_properties_init (arg=arg@entry=0x7ffffaa22330,
    class_type=class_type@entry=0x7ffffa4e1290, properties=properties@entry=0x0)
    at .../php-src/Zend/zend_API.c:1359
#4  0x0000000008463987 in _object_init_ex (arg=arg@entry=0x7ffffaa22330,
    class_type=class_type@entry=0x7ffffa4e1290)
    at .../php-src/Zend/zend_API.c:1374
#5  0x00000000084e12b4 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
    at .../php-src/Zend/zend_vm_execute.h:8720
#6  0x00000000084ea1cd in execute_ex (ex=0x7ffffa3a0380)
    at .../php-src/Zend/zend_vm_execute.h:55301
#7  0x000000000845398b in zend_call_function (fci=fci@entry=0x7ffffffea7a0, fci_cache=<optimized out>,
    fci_cache@entry=0x7ffffffea780) at .../php-src/Zend/zend_execute_API.c:786
#8  0x0000000008322786 in reflection_method_invoke (execute_data=<optimized out>,
    return_value=0x7ffffaa21490, variadic=0)
    at .../php-src/ext/reflection/php_reflection.c:3208
#9  0x00000000084ee5be in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
    at .../php-src/Zend/zend_vm_execute.h:1102
#10 execute_ex (ex=0x7ffffa3a0380) at .../php-src/Zend/zend_vm_execute.h:54495
#11 0x00000000084f09ee in zend_execute (op_array=op_array@entry=0x7ffffaa7e2a0, return_value=0x0,
    return_value@entry=0x7ffffabe0060)
    at .../php-src/Zend/zend_vm_execute.h:59895
#12 0x0000000008461e02 in zend_execute_scripts (type=type@entry=8, retval=0x7ffffabe0060, retval@entry=0x0,
    file_count=-90042464, file_count@entry=3) at .../php-src/Zend/zend.c:1564
#13 0x0000000008402830 in php_execute_script (primary_file=0x7ffffffece60)
    at .../php-src/main/main.c:2467
#14 0x00000000084f2e4c in do_cli (argc=8, argv=0x909fb50)
    at .../php-src/sapi/cli/php_cli.c:1011
#15 0x0000000008117a5b in main (argc=8, argv=0x909fb50)
    at .../php-src/sapi/cli/php_cli.c:1404
(gdb) p handle
$1 = -49631200
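The crashing line in both traces pops a handle off the object store's free list and indexes object_buckets[] with it, which is why a garbage free_list_head (the -49631200 printed above) faults. The following is an added example, not PHP's own code: a minimal model of that free list with a range check on the popped handle, where the names store_t, store_put and store_del and the (n << 1) | 1 link encoding are simplifying assumptions standing in for the Zend macros.

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct { int handle; } obj_t;

/* Model of EG(objects_store): a bucket array indexed by object handle. */
typedef struct {
    obj_t **buckets;
    int top;             /* first never-used slot */
    int size;            /* capacity (the model does not grow) */
    int free_list_head;  /* -1 when no freed slot is available */
} store_t;

/* A freed bucket stores the next free handle as (n << 1) | 1, so a live
 * (even-aligned) pointer and a free-list link can be told apart by bit 0. */
#define BUCKET_INVALID 1u
#define GET_BUCKET_NUMBER(p)    ((int)(((intptr_t)(p)) >> 1))
#define SET_BUCKET_NUMBER(p, n) ((p) = (obj_t *)((((uintptr_t)(n)) << 1) | BUCKET_INVALID))

void store_init(store_t *s, int size) {
    s->buckets = calloc((size_t)size, sizeof *s->buckets);
    s->top = 0;
    s->size = size;
    s->free_list_head = -1;
}

/* Returns the handle assigned, or -1 on failure.  The range check on the
 * popped handle is the defensive addition: the line shown in the trace
 * indexes object_buckets[handle] without one, so a garbage free_list_head
 * such as -49631200 reads far outside the array and faults. */
int store_put(store_t *s, obj_t *o) {
    int handle;
    if (s->free_list_head != -1) {
        handle = s->free_list_head;
        if (handle < 0 || handle >= s->top) return -1;  /* corrupt free list */
        s->free_list_head = GET_BUCKET_NUMBER(s->buckets[handle]);
    } else {
        if (s->top == s->size) return -1;
        handle = s->top++;
    }
    o->handle = handle;
    s->buckets[handle] = o;
    return handle;
}

/* Release a slot: link it onto the head of the free list. */
void store_del(store_t *s, int handle) {
    SET_BUCKET_NUMBER(s->buckets[handle], s->free_list_head);
    s->free_list_head = handle;
}
```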
 [2018-06-12 01:53 UTC] thekid@php.net
I'm sorry I still can't come up with a short reproducible script. Here's the setup procedure:

# Clone, fetch dependencies
$ git clone git@github.com:xp-framework/compiler.git
$ composer install
$ curl -sSL https://dl.bintray.com/xp-runners/generic/xp-run-master.sh | sed '0,/^EOF;$/d' > class-main.php

# Run
$ /path/to/php-src/sapi/cli/php -d include_path=".::.:vendor/autoload.php" -d date.timezone=UTC class-main.php xp.unittest.Runner src/test/php/
 [2018-06-12 03:25 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: laruence
 [2018-06-12 04:00 UTC] laruence@php.net
I committed another supplemental fix just now, it should work now.
 [2018-06-12 20:10 UTC] thekid@php.net
Indeed! Thanks a lot :-)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 08:01:28 2024 UTC