Newsgroups: php.internals
Message-ID: <54BECE9E.5050502@lerdorf.com>
Date: Tue, 20 Jan 2015 13:54:38 -0800
To: PHP internals
Subject: Help - gcc mystery in ext/imap
From: rasmus@lerdorf.com (Rasmus Lerdorf)

In testing PHP7 beyond just the default extensions, I am noticing that
ext/imap is segfaulting on almost every test. I tracked it down to this
code in ext/imap/php_imap.c:

    /* {{{ imap_do_open */
    static void php_imap_do_open(INTERNAL_FUNCTION_PARAMETERS, int persistent)
    {
        char *mailbox, *user, *passwd;
        int mailbox_len, user_len, passwd_len;
        long retries = 0, flags = NIL, cl_flags = NIL;
        MAILSTREAM *imap_stream;
        pils *imap_le_struct;
        zval *params = NULL;
        int argc = ZEND_NUM_ARGS();

        if (zend_parse_parameters(argc, "pss|lla", &mailbox, &mailbox_len,
            &user, &user_len, &passwd, &passwd_len, &flags, &retries, &params) == FAILURE) {
            return;
        }
        ...
        /* local filename, need to perform open_basedir check */
        if (mailbox[0] != '{' && php_check_open_basedir(mailbox)) {
            RETURN_FALSE;
        }

The actual segfault is on the access to mailbox[0] because mailbox is a
bogus pointer at this point and from userspace it is reproducible from
cli with just:

    sapi/cli/php -r 'imap_open("host", "user", "password");'

And here is where it gets mysterious. Looking at it with gdb,
zend_parse_parameters is setting that mailbox char* to 0x7fff00000000
while both the user and passwd ptrs are fine.
BUT, if I recompile ext/imap/php_imap.c using gcc -O3 the ptr is
magically fine and no more segfaults.

I suspected my gcc-4.8 on my Ubuntu laptop, so I built a completely clean
Debian 7.8.0 box which defaults to gcc-4.7.2 and I see the exact same
behaviour. Segfaults under -O1/O2 but it is fine under -O0/O3. It is also
fine from the PHP 5.6 tree even though the changes are mostly just
removing TSRM and moving from zval** to zval* in a couple of places.

Things I have tried: changed it from "p" to "s" and also from "p" to "S"
and using a zend_string * instead. In both cases I got the same bogus
address back from zpp.

Right now I am trying to make sense of the generated assembly
differences, but it is slow going. Since almost the same code works for
PHP 5.6 and this is limited to just the imap extension, it seems more
logical that something in the 5-6 to 7 changes is causing this and
somehow -O3 optimizes its way around the problem.

So, does anyone see a mistake in these changes?

https://gist.github.com/anonymous/b92dbb17172e9bff5247

-Rasmus
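
One mechanism that would produce exactly this pointer value, as an added example (not code from the original message or from PHP): PHP 7's zend_parse_parameters stores the length for "s" and "p" through a size_t *, so passing the address of a 4-byte int lets the 8-byte store spill into whatever sits next to it. The frame layout, offsets, sample address and helper names below are constructed assumptions; the real layout depends on the compiler and the optimization level, which is why -O0/-O3 can mask the problem.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an x86-64 (little-endian) stack frame: a 4-byte
 * int length slot directly below an 8-byte char* slot. These offsets are
 * assumptions for illustration, not taken from a real php_imap.c build. */
enum { LEN_OFF = 4, PTR_OFF = 8, FRAME_SIZE = 16 };

/* Store/load little-endian values byte by byte so the model behaves the
 * same on any host and never performs an out-of-bounds access itself. */
static void store_le(unsigned char *p, uint64_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

static uint64_t load_le(const unsigned char *p, int nbytes)
{
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Models a callee that writes the string pointer first and the length
 * second, with the length stored as len_width bytes (4 = int, 8 = size_t).
 * Returns the pointer value the caller reads back from its frame. */
static uint64_t parse_into_frame(uint64_t str_addr, uint64_t str_len, int len_width)
{
    unsigned char frame[FRAME_SIZE] = {0};
    store_le(frame + PTR_OFF, str_addr, 8);
    store_le(frame + LEN_OFF, str_len, len_width);
    return load_le(frame + PTR_OFF, 8);
}

int main(void)
{
    uint64_t addr = 0x7fffd2a41c30ULL; /* constructed stack-like address */
    /* "host" has length 4, as in the reproducer from the message. */
    printf("4-byte length store: %#llx\n",
           (unsigned long long)parse_into_frame(addr, 4, 4));
    printf("8-byte length store: %#llx\n",
           (unsigned long long)parse_into_frame(addr, 4, 8));
    return 0;
}
```

In this model the fix is to declare the length variables with the width the callee writes (size_t), so the store stays inside its own slot.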