Bug #79931 Segmentation fault
Submitted: 2020-08-05 10:12 UTC Modified: 2020-08-12 07:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: contact dot obukhov at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.4.8 OS: Debian Buster
Private report: No CVE-ID: None
 [2020-08-05 10:12 UTC] contact dot obukhov at gmail dot com
Description:
------------
I am using Symfony 5 and Doctrine and face a segmentation fault on some requests, when about 30-40 records are loaded from the database (MySQL 5.7).

Because this is a segmentation fault and the Doctrine code looks OK, it seems to be a bug in PHP.

We used 7.4.6 and upgraded to 7.4.8, but the problem still occurs. We cannot test it in 7.3 because of the typed properties we use almost everywhere.

The environment is a Docker container from the official image php:7.4.8-fpm-buster.

php -i
https://pastebin.com/D8z7kSbV

valgrind --tool=memcheck --num-callers=30 --log-file=php.log --suppressions=php.supp php bin/console s:t:g:
https://pastebin.com/GAtZ5fLD

What is weird: with USE_ZEND_ALLOC=0 it does not crash.
USE_ZEND_ALLOC=0 valgrind --tool=memcheck --num-callers=30 --log-file=php_no_zend_alloc.log --suppressions=php.supp php bin/console s:t:g
https://pastebin.com/4zsCyv9p

gdb backtrace:
https://pastebin.com/kDBN8CWa

Core dump: https://drive.google.com/file/d/1ya7ohpKsIXnjFpCYJk9vqu7ICDhAGixL/view?usp=sharing

Valgrind dump:
https://drive.google.com/file/d/1pHZ7ONOMk3HDmRsJcz_kfRFzMBWckw62/view?usp=sharing


 [2020-08-11 09:17 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2020-08-11 09:17 UTC] nikic@php.net
The valgrind log contains this:
==2253== Invalid read of size 4
==2253==    at 0x5805F1: zend_string_addref (zend_string.h:117)
==2253==    by 0x5853A6: reflection_type_factory (php_reflection.c:1165)
==2253==    by 0x594E2C: zim_reflection_property_getType (php_reflection.c:5623)
==2253==    by 0x886186: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1730)
==2253==    by 0x8EADDD: execute_ex (zend_vm_execute.h:53828)
==2253==    by 0x7F8A4E: zend_call_function (zend_execute_API.c:813)
==2253==    by 0x83E08E: zend_call_method (zend_interfaces.c:103)
==2253==    by 0x83E1D6: zend_user_it_new_iterator (zend_interfaces.c:127)
==2253==    by 0x83E78D: zend_user_it_get_new_iterator (zend_interfaces.c:268)
==2253==    by 0x881EAB: zend_fe_reset_iterator (zend_execute.c:4298)
==2253==    by 0x8D0071: ZEND_FE_RESET_R_SPEC_CV_HANDLER (zend_vm_execute.h:37821)
==2253==    by 0x8EDF99: execute_ex (zend_vm_execute.h:56972)
==2253==    by 0x8EEEB0: zend_execute (zend_vm_execute.h:57920)
==2253==    by 0x811F04: zend_execute_scripts (zend.c:1678)
==2253==    by 0x77166C: php_execute_script (main.c:2621)
==2253==    by 0x8F1ABE: do_cli (php_cli.c:964)
==2253==    by 0x8F2CCB: main (php_cli.c:1359)
==2253==  Address 0xd3cb8a4 is 4 bytes inside a block of size 80 free'd
==2253==    at 0x48369AB: free (vg_replace_malloc.c:530)
==2253==    by 0x7D69A3: _efree_custom (zend_alloc.c:2426)
==2253==    by 0x7D6AE4: _efree (zend_alloc.c:2546)
==2253==    by 0x8746AB: zend_string_release (zend_string.h:277)
==2253==    by 0x877E38: zend_resolve_class_type (zend_execute.c:947)
==2253==    by 0x877F42: i_zend_check_property_type (zend_execute.c:961)
==2253==    by 0x8780D8: i_zend_verify_property_type (zend_execute.c:984)
==2253==    by 0x878129: zend_verify_property_type (zend_execute.c:993)
==2253==    by 0x865D7C: zend_std_write_property (zend_object_handlers.c:897)
==2253==    by 0x82228D: zend_update_property_ex (zend_API.c:4115)
==2253==    by 0x59470C: zim_reflection_property_setValue (php_reflection.c:5485)
==2253==    by 0x885CCB: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==2253==    by 0x8EADCD: execute_ex (zend_vm_execute.h:53824)
==2253==    by 0x7F8A4E: zend_call_function (zend_execute_API.c:813)
==2253==    by 0x83E08E: zend_call_method (zend_interfaces.c:103)
==2253==    by 0x83E1D6: zend_user_it_new_iterator (zend_interfaces.c:127)
==2253==    by 0x83E78D: zend_user_it_get_new_iterator (zend_interfaces.c:268)
==2253==    by 0x881EAB: zend_fe_reset_iterator (zend_execute.c:4298)
==2253==    by 0x8D0071: ZEND_FE_RESET_R_SPEC_CV_HANDLER (zend_vm_execute.h:37821)
==2253==    by 0x8EDF99: execute_ex (zend_vm_execute.h:56972)
==2253==    by 0x8EEEB0: zend_execute (zend_vm_execute.h:57920)
==2253==    by 0x811F04: zend_execute_scripts (zend.c:1678)
==2253==    by 0x77166C: php_execute_script (main.c:2621)
==2253==    by 0x8F1ABE: do_cli (php_cli.c:964)
==2253==    by 0x8F2CCB: main (php_cli.c:1359)
==2253==  Block was alloc'd at
==2253==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2253==    by 0x7D79E4: __zend_malloc (zend_alloc.c:2976)
==2253==    by 0x7D693C: _malloc_custom (zend_alloc.c:2417)
==2253==    by 0x7D6A6A: _emalloc (zend_alloc.c:2536)
==2253==    by 0x7D7CF1: zend_string_alloc (zend_string.h:133)
==2253==    by 0x7DAE51: zend_concat3 (zend_compile.c:791)
==2253==    by 0x7DAF16: zend_concat_names (zend_compile.c:802)
==2253==    by 0x7DAF77: zend_prefix_with_ns (zend_compile.c:808)
==2253==    by 0x7DB522: zend_resolve_class_name (zend_compile.c:944)
==2253==    by 0x7DB582: zend_resolve_class_name_ast (zend_compile.c:954)
==2253==    by 0x7E7952: zend_compile_typename (zend_compile.c:5318)
==2253==    by 0x7EA253: zend_compile_prop_decl (zend_compile.c:6100)
==2253==    by 0x7EA62E: zend_compile_prop_group (zend_compile.c:6178)
==2253==    by 0x7F1A7C: zend_compile_stmt (zend_compile.c:8538)
==2253==    by 0x7E76CC: zend_compile_stmt_list (zend_compile.c:5262)
==2253==    by 0x7F192F: zend_compile_stmt (zend_compile.c:8479)
==2253==    by 0x7EB44C: zend_compile_class_decl (zend_compile.c:6467)
==2253==    by 0x7F16DE: zend_compile_top_stmt (zend_compile.c:8454)
==2253==    by 0x7F164D: zend_compile_top_stmt (zend_compile.c:8443)
==2253==    by 0x7AE245: zend_compile (zend_language_scanner.l:614)
==2253==    by 0x7AE3E4: compile_file (zend_language_scanner.l:650)
==2253==    by 0x562A12: phar_compile_file (phar.c:3299)
==2253==    by 0x7AE4F6: compile_filename (zend_language_scanner.l:671)
==2253==    by 0x881C49: zend_include_or_eval (zend_execute.c:4240)
==2253==    by 0x8CFB5E: ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (zend_vm_execute.h:37728)
==2253==    by 0x8EDF89: execute_ex (zend_vm_execute.h:56968)
==2253==    by 0x7F8A4E: zend_call_function (zend_execute_API.c:813)
==2253==    by 0x5B04D2: zif_spl_autoload_call (php_spl.c:452)
==2253==    by 0x7F8B2C: zend_call_function (zend_execute_API.c:826)
==2253==    by 0x7F93B6: zend_lookup_class_ex (zend_execute_API.c:995)

This looks like bug #79820 to me, which has been fixed in PHP 7.4.9. Could you please check whether 7.4.9 resolved this issue?
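How a report like the one above is read, as an added example (not code from the PHP project or from the reporter): a small parser that splits a memcheck use-after-free report into its three stacks and picks the first frame of each that is not allocator plumbing. The sample is constructed by abridging the log above; on it the three owner frames give the chain the stacks show: the class-name string allocated while compiling the typed property's declaration, released in zend_resolve_class_type, then read again from ReflectionProperty::getType().

```python
import re
# Constructed sample: frames abridged from the memcheck report in the comment above.
SAMPLE = """\
==2253== Invalid read of size 4
==2253==    at 0x5805F1: zend_string_addref (zend_string.h:117)
==2253==    by 0x5853A6: reflection_type_factory (php_reflection.c:1165)
==2253==  Address 0xd3cb8a4 is 4 bytes inside a block of size 80 free'd
==2253==    at 0x48369AB: free (vg_replace_malloc.c:530)
==2253==    by 0x8746AB: zend_string_release (zend_string.h:277)
==2253==    by 0x877E38: zend_resolve_class_type (zend_execute.c:947)
==2253==  Block was alloc'd at
==2253==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2253==    by 0x7D7CF1: zend_string_alloc (zend_string.h:133)
==2253==    by 0x7DAE51: zend_concat3 (zend_compile.c:791)
==2253==    by 0x7E7952: zend_compile_typename (zend_compile.c:5318)
"""

HEADER = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
ALLOC = re.compile(r"^==\d+==\s+Block was alloc'd at")
ALLOCATOR_FILES = ("vg_replace_malloc.c", "zend_alloc.c", "zend_string.h")

def parse_memcheck(text):
    """Split one memcheck use-after-free report into its access, free and alloc stacks."""
    report, current = None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            report = {"kind": m.group(1), "offset": 0, "size": 0,
                      "access": [], "freed": [], "alloc": []}
            current = report["access"]
        elif report and (m := FREED.match(line)):
            report["offset"], report["size"] = int(m.group(1)), int(m.group(2))
            current = report["freed"]
        elif report and ALLOC.match(line):
            current = report["alloc"]
        elif current is not None and (m := FRAME.match(line)):
            current.append((m.group(1), m.group(2)))  # (function, file:line)
    return report

def owner_frame(frames):
    """First frame outside allocator plumbing (ALLOCATOR_FILES): the code that owns the object."""
    return next(((fn, loc) for fn, loc in frames if loc.split(":")[0] not in ALLOCATOR_FILES), None)

def summarize(report):
    """One-line triage summary: what was touched, who freed it, who allocated it."""
    read, freed, alloc = (owner_frame(report[k]) for k in ("access", "freed", "alloc"))
    return (f"{report['kind']} at offset {report['offset']} of a freed {report['size']}-byte block: "
            f"accessed in {read[0]}, freed by {freed[0]}, allocated by {alloc[0]}")
```

The same three-stack split applies to any memcheck "free'd" report; the file filter is the only PHP-specific part and is what to adjust for another project.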
 [2020-08-12 07:46 UTC] contact dot obukhov at gmail dot com
Yes, in 7.4.9 everything works fine!
 [2020-08-12 07:46 UTC] contact dot obukhov at gmail dot com
-Status: Feedback +Status: Closed
 [2020-08-12 07:46 UTC] contact dot obukhov at gmail dot com
Upgrading to 7.4.9 solved the problem