Newsgroups: php.internals
Xref: news.php.net php.internals:89192
Subject: Re: [PHP-DEV] PHP 7 Segmentation fault
From: Dmitry Stogov <dmitry@zend.com>
To: "Frank M. Kromann"
Cc: Anatol Belski, PHP Internals <internals@lists.php.net>
Date: Thu, 12 Nov 2015 00:29:55 +0300
In-Reply-To: <5643A418.9030905@webbypixel.com>
References: <56428A30.4060803@php.net> <56439392.2020608@php.net> <01ab01d11cb7$f9605d10$ec211730$@belski.net> <5643993C.3020908@php.net> <5643999D.2070207@webbypixel.com> <56439C2D.70600@webbypixel.com> <01b701d11cbb$f1fd33a0$d5f79ae0$@belski.net> <5643A418.9030905@webbypixel.com>

On Wed, Nov 11, 2015 at 11:24 PM, Frank M. Kromann wrote:
> Hi Dmitry,
>
> Here is the output.
>
> ==28336== Conditional jump or move depends on uninitialised value(s)
> ==28336==    at 0x64EF568: tzload (FSTimeZones.c:794)
> ==28336==    by 0x64EFBC0: fstzZoneFromData (FSTimeZones.c:1765)
> ==28336==    by 0x64EA5ED: fbctzTimeZone (FBCTimeZones.c:51)
> ==28336==    by 0x64EA19A: fbcrhInitWithOptions (FBCRowHandler.c:94)
> ==28336==    by 0x587D8C: phpfbFetchRow (php_fbsql.c:986)
> ==28336==    by 0x58A1BB: php_fbsql_fetch_hash.isra.10 (php_fbsql.c:3089)
> ==28336==    by 0x85B72D: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
> ==28336==
> ==28336==
> ==28336== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- n
> ==28336== Invalid read of size 4
> ==28336==    at 0x89BE3B: i_free_compiled_variables (zend_execute.c:2052)
> ==28336==    by 0x89BE3B: zend_leave_helper_SPEC (zend_vm_execute.h:470)
> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
> ==28336==    by 0x443466: main (php_cli.c:1345)
> ==28336==  Address 0x1329d150 is 0 bytes inside a block of size 24 free'd
> ==28336==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==28336==    by 0x81E095: _zend_hash_del_el_ex (zend_hash.c:958)
> ==28336==    by 0x81E095: zend_hash_index_del (zend_hash.c:1170)
> ==28336==    by 0x89BE52: i_free_compiled_variables (zend_execute.c:2055)
> ==28336==    by 0x89BE52: zend_leave_helper_SPEC (zend_vm_execute.h:470)
> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
> ==28336==    by 0x443466: main (php_cli.c:1345)
>
> The first issue is a leak inside the C API for the FrontBase database.
> It's a known issue that is fixed by the vendor but not yet released, and it
> does not cause any segfaults on scripts that don't use autoload of classes.

This is a use-after-free, most probably because of wrong reference counting.
This may be caused by a bug in a third-party extension.
Can you reproduce the failure without them?

Thanks. Dmitry.

> - Frank
>
> On 11/11/15 12:16, Dmitry Stogov wrote:
>> I added zend_add_live_range() into master a day ago and replaced it with
>> zend_start_live_range/zend_end_live_range today.
>>
>> Thanks. Dmitry.
>>
>> On Wed, Nov 11, 2015 at 11:02 PM, Anatol Belski wrote:
>>> -----Original Message-----
>>> From: Frank M. Kromann [mailto:fmk@webbypixel.com]
>>> Sent: Wednesday, November 11, 2015 8:51 PM
>>> To: Anatol Belski; 'Dmitry Stogov' <dmitry@zend.com>
>>> Cc: 'PHP Internals'
>>> Subject: Re: [PHP-DEV] PHP 7 Segmentation fault
>>>
>>>> Just switched to PHP-7.0 and there is no longer any references to
>>>> _live_range, but the problem with the segfault is still there. Here is a new
>>>> backtrace.
>>>>
>>>> #0  zend_mm_alloc_small (size=<optimized out>, bin_num=<optimized out>, heap=<optimized out>) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:1291
>>>> #1  zend_mm_alloc_heap (size=<optimized out>, heap=<optimized out>) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:1358
>>>> #2  _emalloc (size=2) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:2442
>>>> #3  0x00000000007e724d in _safe_emalloc (nmemb=nmemb@entry=24, size=<optimized out>, offset=offset@entry=0) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:2510
>>>> #4  0x00000000007f0b93 in zend_compile_params (ast=ast@entry=0x7ffff0ab7250, return_type_ast=return_type_ast@entry=0x0) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4429
>>>> #5  0x00000000007fa240 in zend_compile_func_decl (result=result@entry=0x0, ast=ast@entry=0x7ffff0ab7668) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4879
>>>> #6  0x00000000007f799a in zend_compile_stmt (ast=0x7ffff0ab7668) at /home/frank/Source/php-src-7/Zend/zend_compile.c:7048
>>>> #7  0x00000000007f8487 in zend_compile_stmt_list (ast=ast@entry=0x7ffff0ab8388) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4347
>>>> #8  0x00000000007f781e in zend_compile_stmt (ast=ast@entry=0x7ffff0ab8388) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6992
>>>> #9  0x00000000007f88bf in zend_compile_class_decl (ast=ast@entry=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:5289
>>>> #10 0x00000000007f7938 in zend_compile_stmt (ast=ast@entry=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:7060
>>>> #11 0x00000000007fa67a in zend_compile_top_stmt (ast=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6966
>>>> #12 0x00000000007fa6bf in zend_compile_top_stmt (ast=0x7ffff0ab4018) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6961
>>>> #13 0x00000000007cde07 in compile_file (file_handle=<optimized out>, type=<optimized out>) at Zend/zend_language_scanner.l:607
>>>> #14 0x000000000065434e in phar_compile_file (file_handle=<optimized out>, type=<optimized out>) at /home/frank/Source/php-src-7/ext/phar/phar.c:3311
>>>> #15 0x00000000007cdf35 in compile_filename (type=2, filename=filename@entry=0x7ffff0a14550) at Zend/zend_language_scanner.l:647
>>>> #16 0x0000000000899a2f in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:29114
>>>> #17 0x000000000084cecb in execute_ex (ex=<optimized out>) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
>>>> #18 0x00000000007fe607 in zend_call_function (fci=0x7ffff0a89aa0, fci@entry=0x7fffffffa8f0, fci_cache=fci_cache@entry=0x7fffffffa8c0) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:854
>>>> #19 0x000000000082b244 in zend_call_method (object=0x7ffff0aa38d8, obj_ce=<optimized out>, fn_proxy=<optimized out>, function_name=0x7ffff0aaf108 "composer\\autoload\\classloader::loadclass\001", function_name_len=<optimized out>, retval_ptr=retval_ptr@entry=0x0, param_count=param_count@entry=1, arg1=0x7ffff0a14430, arg2=arg2@entry=0x0) at /home/frank/Source/php-src-7/Zend/zend_interfaces.c:104
>>>> #20 0x00000000006c1324 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=<optimized out>) at /home/frank/Source/php-src-7/ext/spl/php_spl.c:425
>>>> #21 0x00000000007fe6a0 in zend_call_function (fci=fci@entry=0x7fffffffab40, fci_cache=fci_cache@entry=0x7fffffffab10) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:873
>>>> #22 0x00000000007feec9 in zend_lookup_class_ex (name=name@entry=0x7ffff0a55e80, key=0x7ffff0a70420, use_autoload=use_autoload@entry=1) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1036
>>>> #23 0x00000000007ffa18 in zend_fetch_class_by_name (class_name=0x7ffff0a55e80, key=<optimized out>, fetch_type=fetch_type@entry=512) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1383
>>>> #24 0x000000000089af51 in ZEND_NEW_SPEC_CONST_HANDLER () at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:3354
>>>> #25 0x000000000084cecb in execute_ex (ex=<optimized out>) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
>>>> #26 0x000000000089d969 in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:458
>>>> #27 0x000000000080db37 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/frank/Source/php-src-7/Zend/zend.c:1428
>>>> #28 0x00000000007a2ae0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd070) at /home/frank/Source/php-src-7/main/main.c:2471
>>>> #29 0x000000000089f78a in do_cli (argc=4, argv=0x1167c60) at /home/frank/Source/php-src-7/sapi/cli/php_cli.c:974
>>>> #30 0x0000000000443467 in main (argc=4, argv=0x1167c60) at /home/frank/Source/php-src-7/sapi/cli/php_cli.c:1345
>>>
>>> Ok, but in master there's no zend_add_live_range() as well, so that is
>>> what was strange. Could you please use USE_ZEND_ALLOC=0 to collect the BT?
>>>
>>> Thanks
>>>
>>> Anatol
>
> --
> Frank M. Kromann, M.Sc.E.E.
> Web by Pixel, Inc.
>
> Phone: +1 949 742 7533
> Fax: +1 949 742 7534
> Cell: +1 949 702 1794
> Denmark: +45 78 79 11 48
>
> Web: http://webbypixel.com
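The triage step Dmitry performs above by eye (is the "Invalid read" a use-after-free, and does any frame in the access or free stack point outside the engine, i.e. at a third-party extension?) can be automated when a memcheck run produces many reports. The following parser is an added example, not code from the thread or from php-src: it splits valgrind memcheck output into reports, classifies each one, and names the first frame whose source file is not in an assumed engine/SAPI file list. The sample report is constructed (abridged from the one Frank quoted, with the same pid, addresses and frame names), and `ENGINE_FILE_PREFIXES` is a heuristic of this example, not anything valgrind or PHP define.

```python
import re
from collections import namedtuple

# Constructed sample: an abridged memcheck report in the shape of the one quoted
# in the thread (pid, addresses and frame names are copied from that quote).
SAMPLE = """\
==28336== Conditional jump or move depends on uninitialised value(s)
==28336==    at 0x64EF568: tzload (FSTimeZones.c:794)
==28336==    by 0x587D8C: phpfbFetchRow (php_fbsql.c:986)
==28336==    by 0x85B72D: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
==28336==
==28336== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- n
==28336== Invalid read of size 4
==28336==    at 0x89BE3B: i_free_compiled_variables (zend_execute.c:2052)
==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
==28336==    by 0x443466: main (php_cli.c:1345)
==28336==  Address 0x1329d150 is 0 bytes inside a block of size 24 free'd
==28336==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28336==    by 0x81E095: _zend_hash_del_el_ex (zend_hash.c:958)
==28336==    by 0x89BE52: i_free_compiled_variables (zend_execute.c:2055)
==28336==
"""

PREFIX_RE = re.compile(r"^==\d+==\s?")                       # "==<pid>== " prefix
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
LOC_RE = re.compile(r"^(.+):(\d+)$")                          # "file.c:123"

# Assumed heuristic (not from the thread): frames in these files belong to the
# Zend engine or the CLI SAPI; the first frame outside them is the likely suspect.
ENGINE_FILE_PREFIXES = ("zend", "php_cli.c", "main.c")

Frame = namedtuple("Frame", "func file line")
Report = namedtuple("Report", "headline kind access_stack free_stack suspect")


def parse_frame(line):
    """Turn an 'at 0x...: func (file:line)' line into a Frame, else None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    func, loc = m.groups()
    lm = LOC_RE.match(loc)
    if lm:
        return Frame(func, lm.group(1), int(lm.group(2)))
    return Frame(func, None, None)   # e.g. "(in .../vgpreload_memcheck-amd64-linux.so)"


def first_non_engine(frames):
    """First frame whose source file is outside the engine/SAPI list, else None."""
    for f in frames:
        if f.file is not None and not f.file.startswith(ENGINE_FILE_PREFIXES):
            return f
    return None


def classify(headline, freed):
    """Map a memcheck headline (plus 'was this block free'd?') to a coarse kind."""
    if headline.startswith(("Invalid read", "Invalid write")):
        return "use-after-free" if freed else "invalid-access"
    if "uninitialised value" in headline:
        return "uninitialised-value"
    return "other"


def build_report(lines):
    """Build one Report from the non-blank lines of a single memcheck block."""
    headline = lines[0].strip()
    access, freed = [], []
    target = access                      # frames go to the access stack first...
    for line in lines[1:]:
        frame = parse_frame(line)
        if frame is not None:
            target.append(frame)
        elif "free'd" in line:           # ...and to the free stack after "Address ... free'd"
            target = freed
    kind = classify(headline, bool(freed))
    suspect = first_non_engine(access) or first_non_engine(freed)
    return Report(headline, kind, access, freed, suspect)


def parse_memcheck(text):
    """Split memcheck output into blocks (separated by empty '==pid==' lines)."""
    reports, block = [], []
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        if line.lstrip().startswith("----"):   # interactive --db-attach prompt, not a report
            continue
        if line.strip():
            block.append(line)
        elif block:
            reports.append(build_report(block))
            block = []
    if block:
        reports.append(build_report(block))
    return reports


def triage(text):
    """(kind, suspect file, suspect line) per report; file/line are None if all frames are engine."""
    out = []
    for r in parse_memcheck(text):
        loc = (r.suspect.file, r.suspect.line) if r.suspect else (None, None)
        out.append((r.kind,) + loc)
    return out


if __name__ == "__main__":
    for kind, file, line in triage(SAMPLE):
        where = f"{file}:{line}" if file else "engine/SAPI frames only"
        print(f"{kind:20s} first non-engine frame: {where}")
```

On the constructed sample the first report is attributed to `FSTimeZones.c:794` (the FrontBase client library, matching Frank's own reading), while the use-after-free has engine frames only in both stacks, which is exactly why Dmitry asks whether it reproduces without third-party extensions: a refcount error in an extension can leave the engine holding a stale pointer and crashing far from the faulty code. Collect the output with `USE_ZEND_ALLOC=0`, as Anatol suggests, so that PHP uses the system allocator and memcheck can track every block individually; under the Zend memory manager most of these accesses land inside large pre-allocated chunks and go unreported.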