Bug #79938 Segmentation fault in ds_vector_from_buffer
Submitted: 2020-08-06 11:53 UTC Modified: 2020-08-28 08:33 UTC
From: enumag at gmail dot com Assigned: rtheunissen (profile)
Status: Assigned Package: Unknown/Other Function
PHP Version: 7.4.9 OS: Ubuntu
Private report: No CVE-ID: None

 [2020-08-06 11:53 UTC] enumag at gmail dot com
Description:
------------
While testing our application we got an unexpected Segmentation fault error. So far we're unable to reproduce it but we do have a crash report from Ubuntu which you can look into:
https://www.svjonline.cz/files/_usr_bin_php7.4.1000.crash

 [2020-08-06 11:59 UTC] sjon@php.net
-Status: Open +Status: Feedback
 [2020-08-06 11:59 UTC] sjon@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Additionally, please try without xdebug. If it still crashes, consider reporting this to https://github.com/php-ds/ext-ds as it crashes in ds_vector_from_buffer
 [2020-08-06 15:07 UTC] danack@php.net
Putting core dumps online is a _bold choice_.

Hope there aren't any passwords or ssl secrets in there.
 [2020-08-06 15:40 UTC] enumag at gmail dot com
-Status: Feedback +Status: Open
 [2020-08-06 15:40 UTC] enumag at gmail dot com
I have no idea how it happened so there is *obviously* no way I can give you a short script reproducing the segfault.
 [2020-08-10 11:13 UTC] nikic@php.net
For the record, the start of the stack trace looks like this:

 #0  0x000055799417898d in _emalloc ()
 No symbol table info available.
 #1  0x000055799417980b in _ecalloc ()
 No symbol table info available.
 #2  0x00007f263ec59ac2 in ds_vector_from_buffer (buffer=buffer@entry=0x7f263bef5380, capacity=8, size=2) at /tmp/pear/temp/ds/src/ds/ds_vector.c:59
         vector = <optimized out>
 #3  0x00007f263ec5aaaa in ds_vector_map (vector=0x7f2639f28a38, fci=..., fci_cache=...) at /tmp/pear/temp/ds/src/ds/ds_vector.c:579
         retval = {value = {lval = 139802148938816, dval = 6.9071439005450267e-310, counted = 0x7f26396d2440, str = 0x7f26396d2440, arr = 0x7f26396d2440, obj = 0x7f26396d2440, res = 0x7f26396d2440, ref = 0x7f26396d2440, ast = 0x7f26396d2440, zv = 0x7f26396d2440, ptr = 0x7f26396d2440, ce = 0x7f26396d2440, func = 0x7f26396d2440, ww = {w1 = 963454016, w2 = 32550}}, u1 = {v = {type = 6 '\006', type_flags = 1 '\001', u = {extra = 0}}, type_info = 262}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}
         value = <optimized out>
         buffer = 0x7f263bef5380
         target = <optimized out>
 #4  0x00007f263ec65a4d in zim_Vector_map (execute_data=0x7f264f215150, return_value=0x7f264f2150b0) at /tmp/pear/temp/ds/src/php/classes/php_vector_ce.c:134
         _v = <optimized out>
         fci = {size = 56, function_name = {value = {lval = 139802149083328, dval = 6.9071439076848682e-310, counted = 0x7f26396f58c0, str = 0x7f26396f58c0, arr = 0x7f26396f58c0, obj = 0x7f26396f58c0, res = 0x7f26396f58c0, ref = 0x7f26396f58c0, ast = 0x7f26396f58c0, zv = 0x7f26396f58c0, ptr = 0x7f26396f58c0, ce = 0x7f26396f58c0, func = 0x7f26396f58c0, ww = {w1 = 963598528, w2 = 32550}}, u1 = {v = {type = 8 '\b', type_flags = 3 '\003', u = {extra = 0}}, type_info = 776}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}, retval = 0x0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
         fci_cache = {function_handler = 0x7f26396f58f8, calling_scope = 0x7f263ad97b28, called_scope = 0x7f263ad97b28, object = 0x0}
 #5  0x00007f264e92d4f5 in xdebug_execute_internal (current_execute_data=0x7f264f215150, return_value=0x7f264f2150b0) at ./build-7.4/src/base/base.c:466
         edata = <optimized out>
         fse = 0x557995aa5d30
         function_nr = 115239821
         function_call_traced = 0
         restore_error_handler_situation = 0
         tmp_error_cb = 0x0
 #6  0x0000557993feffe3 in ?? ()
 No symbol table info available.
 #7  0x000055799422438b in execute_ex ()
 No symbol table info available.
 #8  0x00007f264e92cb6c in xdebug_execute_ex (execute_data=0x7f264f215020) at ./build-7.4/src/base/base.c:380
         op_array = 0x7f263ad851c0
         edata = <optimized out>
         fse = 0x557995a51600
         xfse = <optimized out>
         function_nr = 115239820
         le = <optimized out>
         code_coverage_function_name = 0x0
         code_coverage_file_name = 0x0
         code_coverage_init = 0

As @sjon suggests, it is quite likely that this issue comes from ext/ds.
 [2020-08-11 09:12 UTC] nikic@php.net
-Summary: Segmentation fault +Summary: Segmentation fault in ds_vector_from_buffer
 [2020-08-28 08:33 UTC] cmb@php.net
-Package: *General Issues +Package: Unknown/Other Function -Assigned To: +Assigned To: rtheunissen
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Sep 22 04:01:23 2020 UTC