Bug #76713 Segmentation fault caused by property corruption
Submitted: 2018-08-06 21:20 UTC Modified: 2018-08-07 04:27 UTC
From: shiranai7 at hotmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.3.0beta1 OS: Linux, Windows
Private report: No CVE-ID: None
 [2018-08-06 21:20 UTC] shiranai7 at hotmail dot com
Description:
------------
I'm getting a segmentation fault while running PHPUnit tests of one of my libraries, both on Linux and Windows.

I've traced it to an array_column() call in ./tests/EventEmitterTest.php@642

Dumping $actualListeners reveals that some of the object properties are corrupted just before the crash occurs. This seems to change randomly depending on which code is added or commented-out.

Test script:
---------------
Unfortunately, I haven't been able to reproduce this crash in isolation. I've prepared a ZIP archive with all the necessary PHP files:

(1.75 MB) https://github.com/kuria/event/raw/segfault-repr/segfault-repr.zip

The following command can be used to run the test:

php ./vendor/phpunit/phpunit/phpunit

Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=<optimized out>, size=140737287172912, heap=0x7ffff4000040)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1283
1283			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (bin_num=<optimized out>, size=140737287172912, heap=0x7ffff4000040)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1283
#1  zend_mm_realloc_heap (copy_size=140737287172912, use_copy_size=0 '\000', size=<optimized out>, 
    ptr=0x7ffff3416100, heap=0x7ffff4000040) at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:1598
#2  _erealloc (ptr=ptr@entry=0x7ffff3416100, size=size@entry=72)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_alloc.c:2523
#3  0x00005555559e1c5f in zend_string_extend (persistent=0, len=<optimized out>, s=0x7ffff3416100)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_string.h:205
#4  ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER ()
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:16985
#5  0x00005555559f99e5 in execute_ex (ex=0x7ffff3416100)
    at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:57284
#6  0x0000555555a007de in zend_execute (op_array=op_array@entry=0x7ffff407d2a0, return_value=0x0, 
    return_value@entry=0x7ffff41810e0) at /home/user/Downloads/php-7.3.0beta1/Zend/zend_vm_execute.h:60882
#7  0x0000555555973092 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff41810e0, retval@entry=0x0, 
    file_count=-201182608, file_count@entry=3) at /home/user/Downloads/php-7.3.0beta1/Zend/zend.c:1562
#8  0x0000555555913c40 in php_execute_script (primary_file=0x7fffffffcdc0)
    at /home/user/Downloads/php-7.3.0beta1/main/main.c:2630
#9  0x0000555555a02c7c in do_cli (argc=2, argv=0x555556396fa0)
    at /home/user/Downloads/php-7.3.0beta1/sapi/cli/php_cli.c:997
#10 0x000055555565ce9b in main (argc=2, argv=0x555556396fa0)
    at /home/user/Downloads/php-7.3.0beta1/sapi/cli/php_cli.c:1390


History

 [2018-08-07 04:27 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2018-08-07 04:37 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b1d79ce6661efdfae881884ca40b4ca7fc991e7
Log: Fixed bug #76713 (Segmentation fault caused by property corruption)
 [2018-08-07 04:37 UTC] laruence@php.net
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Dec 13 22:01:26 2018 UTC