Hi Dmitry,

Thanks a lot. That was very helpful. I was not able to run the script without the database, but I was able to create a small test script without the autoloading and narrow it down to one of two functions in the database extension that causes the problem. I'll do some more debugging and fix the problem in the extension.

- Frank

On 11/11/15 13:29, Dmitry Stogov wrote:
On Wed, Nov 11, 2015 at 11:24 PM, Frank M. Kromann <f...@webbypixel.com> wrote:

Hi Dmitry,

Here is the output.

==28336== Conditional jump or move depends on uninitialised value(s)
==28336==    at 0x64EF568: tzload (FSTimeZones.c:794)
==28336==    by 0x64EFBC0: fstzZoneFromData (FSTimeZones.c:1765)
==28336==    by 0x64EA5ED: fbctzTimeZone (FBCTimeZones.c:51)
==28336==    by 0x64EA19A: fbcrhInitWithOptions (FBCRowHandler.c:94)
==28336==    by 0x587D8C: phpfbFetchRow (php_fbsql.c:986)
==28336==    by 0x58A1BB: php_fbsql_fetch_hash.isra.10 (php_fbsql.c:3089)
==28336==    by 0x85B72D: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
==28336==    by 0x89F789: do_cli (php_cli.c:974)
==28336==
==28336==
==28336== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- n
==28336== Invalid read of size 4
==28336==    at 0x89BE3B: i_free_compiled_variables (zend_execute.c:2052)
==28336==    by 0x89BE3B: zend_leave_helper_SPEC (zend_vm_execute.h:470)
==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
==28336==    by 0x89F789: do_cli (php_cli.c:974)
==28336==    by 0x443466: main (php_cli.c:1345)
==28336==  Address 0x1329d150 is 0 bytes inside a block of size 24 free'd
==28336==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28336==    by 0x81E095: _zend_hash_del_el_ex (zend_hash.c:958)
==28336==    by 0x81E095: zend_hash_index_del (zend_hash.c:1170)
==28336==    by 0x89BE52: i_free_compiled_variables (zend_execute.c:2055)
==28336==    by 0x89BE52: zend_leave_helper_SPEC (zend_vm_execute.h:470)
==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
==28336==    by 0x89F789: do_cli (php_cli.c:974)
==28336==    by 0x443466: main (php_cli.c:1345)

The first issue is a leak inside the C API for the FrontBase database.
It's a known issue that is fixed by the vendor but not yet released and it
does not cause any segfaults on scripts that don't use autoload of classes.

This is a use-after-free, most probably because of wrong reference counting.
This may be caused by a bug in a third-party extension.
Can you reproduce the failure without them?

Thanks. Dmitry.


- Frank


On 11/11/15 12:16, Dmitry Stogov wrote:

I added zend_add_live_range() into master a day ago and replaced it with
zend_start_live_range/zend_end_live_range today.

Thanks. Dmitry.

On Wed, Nov 11, 2015 at 11:02 PM, Anatol Belski <anatol....@belski.net> wrote:


-----Original Message-----
From: Frank M. Kromann [mailto:f...@webbypixel.com]
Sent: Wednesday, November 11, 2015 8:51 PM
To: Anatol Belski <anatol....@belski.net>; 'Dmitry Stogov' <dmi...@zend.com>
Cc: 'PHP Internals' <internals@lists.php.net>
Subject: Re: [PHP-DEV] PHP 7 Segmentation fault

Just switched to PHP-7.0 and there are no longer any references to _live_range, but the problem with the segfault is still there. Here is a new backtrace.

#0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>,
heap=<optimized out>) at /home/frank/Source/php-src-
7/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<optimized out>, heap=<optimized out>) at
/home/frank/Source/php-src-7/Zend/zend_alloc.c:1358
#2  _emalloc (size=2) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:2442
#3  0x00000000007e724d in _safe_emalloc (nmemb=nmemb@entry=24,
size=<optimized out>, offset=offset@entry=0) at
/home/frank/Source/php-src-7/Zend/zend_alloc.c:2510
#4  0x00000000007f0b93 in zend_compile_params
(ast=ast@entry=0x7ffff0ab7250,
return_type_ast=return_type_ast@entry=0x0) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:4429
#5  0x00000000007fa240 in zend_compile_func_decl (result=result@entry=0x0,
ast=ast@entry=0x7ffff0ab7668) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4879
#6  0x00000000007f799a in zend_compile_stmt (ast=0x7ffff0ab7668) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:7048
#7  0x00000000007f8487 in zend_compile_stmt_list
(ast=ast@entry=0x7ffff0ab8388) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:4347
#8  0x00000000007f781e in zend_compile_stmt
(ast=ast@entry=0x7ffff0ab8388) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:6992
#9  0x00000000007f88bf in zend_compile_class_decl
(ast=ast@entry=0x7ffff0ab8720) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:5289
#10 0x00000000007f7938 in zend_compile_stmt
(ast=ast@entry=0x7ffff0ab8720) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:7060
#11 0x00000000007fa67a in zend_compile_top_stmt (ast=0x7ffff0ab8720) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:6966
#12 0x00000000007fa6bf in zend_compile_top_stmt (ast=0x7ffff0ab4018) at
/home/frank/Source/php-src-7/Zend/zend_compile.c:6961
#13 0x00000000007cde07 in compile_file (file_handle=<optimized out>,
type=<optimized out>) at Zend/zend_language_scanner.l:607
#14 0x000000000065434e in phar_compile_file (file_handle=<optimized
out>, type=<optimized out>) at
/home/frank/Source/php-src-7/ext/phar/phar.c:3311
#15 0x00000000007cdf35 in compile_filename (type=2,
filename=filename@entry=0x7ffff0a14550) at
Zend/zend_language_scanner.l:647
#16 0x0000000000899a2f in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
at
/home/frank/Source/php-src-7/Zend/zend_vm_execute.h:29114
#17 0x000000000084cecb in execute_ex (ex=<optimized out>) at
/home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
#18 0x00000000007fe607 in zend_call_function (fci=0x7ffff0a89aa0,
fci@entry=0x7fffffffa8f0, fci_cache=fci_cache@entry=0x7fffffffa8c0)
      at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:854
#19 0x000000000082b244 in zend_call_method (object=0x7ffff0aa38d8,
obj_ce=<optimized out>, fn_proxy=<optimized out>,
      function_name=0x7ffff0aaf108
"composer\\autoload\\classloader::loadclass\001",
function_name_len=<optimized out>, retval_ptr=retval_ptr@entry=0x0,
      param_count=param_count@entry=1, arg1=0x7ffff0a14430,
arg2=arg2@entry=0x0) at
/home/frank/Source/php-src-7/Zend/zend_interfaces.c:104
#20 0x00000000006c1324 in zif_spl_autoload_call (execute_data=<optimized
out>, return_value=<optimized out>) at
/home/frank/Source/php-src-7/ext/spl/php_spl.c:425
#21 0x00000000007fe6a0 in zend_call_function (fci=fci@entry=0x7fffffffab40,
fci_cache=fci_cache@entry=0x7fffffffab10) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:873
#22 0x00000000007feec9 in zend_lookup_class_ex
(name=name@entry=0x7ffff0a55e80, key=0x7ffff0a70420,
use_autoload=use_autoload@entry=1)
      at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1036
#23 0x00000000007ffa18 in zend_fetch_class_by_name
(class_name=0x7ffff0a55e80, key=<optimized out>,
fetch_type=fetch_type@entry=512)
      at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1383
#24 0x000000000089af51 in ZEND_NEW_SPEC_CONST_HANDLER () at
/home/frank/Source/php-src-7/Zend/zend_vm_execute.h:3354
#25 0x000000000084cecb in execute_ex (ex=<optimized out>) at
/home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
#26 0x000000000089d969 in zend_execute (op_array=<optimized out>,
return_value=<optimized out>) at
/home/frank/Source/php-src-7/Zend/zend_vm_execute.h:458
#27 0x000000000080db37 in zend_execute_scripts (type=type@entry=8,
retval=retval@entry=0x0, file_count=file_count@entry=3) at
/home/frank/Source/php-src-7/Zend/zend.c:1428
#28 0x00000000007a2ae0 in php_execute_script
(primary_file=primary_file@entry=0x7fffffffd070) at
/home/frank/Source/php-src-7/main/main.c:2471
#29 0x000000000089f78a in do_cli (argc=4, argv=0x1167c60) at
/home/frank/Source/php-src-7/sapi/cli/php_cli.c:974
#30 0x0000000000443467 in main (argc=4, argv=0x1167c60) at
/home/frank/Source/php-src-7/sapi/cli/php_cli.c:1345


Ok, but in master there's no zend_add_live_range() as well, so that is
what was strange. Could you please set USE_ZEND_ALLOC=0 to collect the BT?

Thanks

Anatol




--
Frank M. Kromann, M.Sc.E.E.
Web by Pixel, Inc.

Phone: +1 949 742 7533
Fax: +1 949 742 7534
Cell: +1 949 702 1794
Denmark: +45 78 79 11 48

Web: http://webbypixel.com

