Subject: Re: [PHP-DEV] PHP 7 Segmentation fault
From: "Frank M. Kromann" <fmk@webbypixel.com>
To: Dmitry Stogov
Cc: Anatol Belski, PHP Internals <internals@lists.php.net>
Date: Wed, 11 Nov 2015 15:12:13 -0800
Message-ID: <5643CB4D.7010108@webbypixel.com>

Hi Dmitry,

Thanks a lot. That was very helpful. I was not able to run the script
without the database, but I was able to create a small test script
without the autoloading and narrow it down to one of two functions in
the database extension that causes the problem. I'll do some more
debugging and fix the problem in the extension.

- Frank

On 11/11/15 13:29, Dmitry Stogov wrote:
> On Wed, Nov 11, 2015 at 11:24 PM, Frank M. Kromann wrote:
>
>> Hi Dmitry,
>>
>> Here is the output.
>>
>> ==28336== Conditional jump or move depends on uninitialised value(s)
>> ==28336==    at 0x64EF568: tzload (FSTimeZones.c:794)
>> ==28336==    by 0x64EFBC0: fstzZoneFromData (FSTimeZones.c:1765)
>> ==28336==    by 0x64EA5ED: fbctzTimeZone (FBCTimeZones.c:51)
>> ==28336==    by 0x64EA19A: fbcrhInitWithOptions (FBCRowHandler.c:94)
>> ==28336==    by 0x587D8C: phpfbFetchRow (php_fbsql.c:986)
>> ==28336==    by 0x58A1BB: php_fbsql_fetch_hash.isra.10 (php_fbsql.c:3089)
>> ==28336==    by 0x85B72D: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
>> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
>> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
>> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
>> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
>> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
>> ==28336==
>> ==28336==
>> ==28336== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- n
>> ==28336== Invalid read of size 4
>> ==28336==    at 0x89BE3B: i_free_compiled_variables (zend_execute.c:2052)
>> ==28336==    by 0x89BE3B: zend_leave_helper_SPEC (zend_vm_execute.h:470)
>> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
>> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
>> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
>> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
>> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
>> ==28336==    by 0x443466: main (php_cli.c:1345)
>> ==28336==  Address 0x1329d150 is 0 bytes inside a block of size 24 free'd
>> ==28336==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
>> ==28336==    by 0x81E095: _zend_hash_del_el_ex (zend_hash.c:958)
>> ==28336==    by 0x81E095: zend_hash_index_del (zend_hash.c:1170)
>> ==28336==    by 0x89BE52: i_free_compiled_variables (zend_execute.c:2055)
>> ==28336==    by 0x89BE52: zend_leave_helper_SPEC (zend_vm_execute.h:470)
>> ==28336==    by 0x84CECA: execute_ex (zend_vm_execute.h:414)
>> ==28336==    by 0x89D968: zend_execute (zend_vm_execute.h:458)
>> ==28336==    by 0x80DB36: zend_execute_scripts (zend.c:1428)
>> ==28336==    by 0x7A2ADF: php_execute_script (main.c:2471)
>> ==28336==    by 0x89F789: do_cli (php_cli.c:974)
>> ==28336==    by 0x443466: main (php_cli.c:1345)
>>
>> The first issue is a leak inside the C API for the FrontBase database.
>> It's a known issue that is fixed by the vendor but not yet released, and it
>> does not cause any segfaults on scripts that don't use autoload of classes.
>>
> This is a use-after-free, most probably because of wrong reference counting.
> This may be caused by a bug in a third party extension.
> Can you reproduce the failure without them?
>
> Thanks. Dmitry.
>
>
>> - Frank
>>
>>
>> On 11/11/15 12:16, Dmitry Stogov wrote:
>>
>>> I added zend_add_live_range() into master a day ago and replaced it with
>>> zend_start_live_range/zend_end_live_range today.
>>>
>>> Thanks. Dmitry.
>>>
>>> On Wed, Nov 11, 2015 at 11:02 PM, Anatol Belski wrote:
>>>
>>>> -----Original Message-----
>>>> From: Frank M. Kromann [mailto:fmk@webbypixel.com]
>>>> Sent: Wednesday, November 11, 2015 8:51 PM
>>>> To: Anatol Belski; 'Dmitry Stogov' <dmitry@zend.com>
>>>> Cc: 'PHP Internals'
>>>> Subject: Re: [PHP-DEV] PHP 7 Segmentation fault
>>>>
>>>> Just switched to PHP-7.0 and there are no longer any references to
>>>> _live_range, but the problem with the segfault is still there. Here is a
>>>> new backtrace.
>>>>
>>>> #0  zend_mm_alloc_small (size=, bin_num=, heap=) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:1291
>>>> #1  zend_mm_alloc_heap (size=, heap=) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:1358
>>>> #2  _emalloc (size=2) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:2442
>>>> #3  0x00000000007e724d in _safe_emalloc (nmemb=nmemb@entry=24, size=, offset=offset@entry=0) at /home/frank/Source/php-src-7/Zend/zend_alloc.c:2510
>>>> #4  0x00000000007f0b93 in zend_compile_params (ast=ast@entry=0x7ffff0ab7250, return_type_ast=return_type_ast@entry=0x0) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4429
>>>> #5  0x00000000007fa240 in zend_compile_func_decl (result=result@entry=0x0, ast=ast@entry=0x7ffff0ab7668) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4879
>>>> #6  0x00000000007f799a in zend_compile_stmt (ast=0x7ffff0ab7668) at /home/frank/Source/php-src-7/Zend/zend_compile.c:7048
>>>> #7  0x00000000007f8487 in zend_compile_stmt_list (ast=ast@entry=0x7ffff0ab8388) at /home/frank/Source/php-src-7/Zend/zend_compile.c:4347
>>>> #8  0x00000000007f781e in zend_compile_stmt (ast=ast@entry=0x7ffff0ab8388) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6992
>>>> #9  0x00000000007f88bf in zend_compile_class_decl (ast=ast@entry=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:5289
>>>> #10 0x00000000007f7938 in zend_compile_stmt (ast=ast@entry=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:7060
>>>> #11 0x00000000007fa67a in zend_compile_top_stmt (ast=0x7ffff0ab8720) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6966
>>>> #12 0x00000000007fa6bf in zend_compile_top_stmt (ast=0x7ffff0ab4018) at /home/frank/Source/php-src-7/Zend/zend_compile.c:6961
>>>> #13 0x00000000007cde07 in compile_file (file_handle=, type=) at Zend/zend_language_scanner.l:607
>>>> #14 0x000000000065434e in phar_compile_file (file_handle=<optimized out>, type=) at /home/frank/Source/php-src-7/ext/phar/phar.c:3311
>>>> #15 0x00000000007cdf35 in compile_filename (type=2, filename=filename@entry=0x7ffff0a14550) at Zend/zend_language_scanner.l:647
>>>> #16 0x0000000000899a2f in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:29114
>>>> #17 0x000000000084cecb in execute_ex (ex=) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
>>>> #18 0x00000000007fe607 in zend_call_function (fci=0x7ffff0a89aa0, fci@entry=0x7fffffffa8f0, fci_cache=fci_cache@entry=0x7fffffffa8c0) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:854
>>>> #19 0x000000000082b244 in zend_call_method (object=0x7ffff0aa38d8, obj_ce=, fn_proxy=, function_name=0x7ffff0aaf108 "composer\\autoload\\classloader::loadclass\001", function_name_len=, retval_ptr=retval_ptr@entry=0x0, param_count=param_count@entry=1, arg1=0x7ffff0a14430, arg2=arg2@entry=0x0) at /home/frank/Source/php-src-7/Zend/zend_interfaces.c:104
>>>> #20 0x00000000006c1324 in zif_spl_autoload_call (execute_data=<optimized out>, return_value=) at /home/frank/Source/php-src-7/ext/spl/php_spl.c:425
>>>> #21 0x00000000007fe6a0 in zend_call_function (fci=fci@entry=0x7fffffffab40, fci_cache=fci_cache@entry=0x7fffffffab10) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:873
>>>> #22 0x00000000007feec9 in zend_lookup_class_ex (name=name@entry=0x7ffff0a55e80, key=0x7ffff0a70420, use_autoload=use_autoload@entry=1) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1036
>>>> #23 0x00000000007ffa18 in zend_fetch_class_by_name (class_name=0x7ffff0a55e80, key=, fetch_type=fetch_type@entry=512) at /home/frank/Source/php-src-7/Zend/zend_execute_API.c:1383
>>>> #24 0x000000000089af51 in ZEND_NEW_SPEC_CONST_HANDLER () at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:3354
>>>> #25 0x000000000084cecb in execute_ex (ex=) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:414
>>>> #26 0x000000000089d969 in zend_execute (op_array=, return_value=) at /home/frank/Source/php-src-7/Zend/zend_vm_execute.h:458
>>>> #27 0x000000000080db37 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/frank/Source/php-src-7/Zend/zend.c:1428
>>>> #28 0x00000000007a2ae0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd070) at /home/frank/Source/php-src-7/main/main.c:2471
>>>> #29 0x000000000089f78a in do_cli (argc=4, argv=0x1167c60) at /home/frank/Source/php-src-7/sapi/cli/php_cli.c:974
>>>> #30 0x0000000000443467 in main (argc=4, argv=0x1167c60) at /home/frank/Source/php-src-7/sapi/cli/php_cli.c:1345
>>>>
>>>> Ok, but in master there's no zend_add_live_range() either, so that is
>>>> what was strange. Could you please set USE_ZEND_ALLOC=0 to collect the BT?
>>>>
>>>> Thanks
>>>>
>>>> Anatol
>>>>
>>>>
>>>> --
>>>> Frank M. Kromann, M.Sc.E.E.
>>>> Web by Pixel, Inc.
>>>>
>>>> Phone: +1 949 742 7533
>>>> Fax: +1 949 742 7534
>>>> Cell: +1 949 702 1794
>>>> Denmark: +45 78 79 11 48
>>>>
>>>> Web: http://webbypixel.com

--
Frank M. Kromann, M.Sc.E.E.
Web by Pixel, Inc.

Phone: +1 949 742 7533
Fax: +1 949 742 7534
Cell: +1 949 702 1794
Denmark: +45 78 79 11 48

Web: http://webbypixel.com
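Anatol's USE_ZEND_ALLOC=0 request and Dmitry's reading of the memcheck report, as an added example that is not part of this thread: a POSIX shell helper that runs a PHP script under valgrind with the Zend memory manager disabled, and a triage function that counts the error kinds memcheck reported. The triage runs offline on a constructed excerpt modelled on the output above; `php` and `valgrind` on PATH are assumed only for run_memcheck.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `php` and `valgrind` on PATH
# for run_memcheck; triage_memcheck and sample_log work offline.

# With the Zend memory manager enabled, emalloc/efree recycle memory inside
# chunks the engine owns, so memcheck sees neither the real free nor a later
# use of a recycled block. USE_ZEND_ALLOC=0 routes every allocation through
# malloc/free, which is why Anatol asks for it. ZEND_DONT_UNLOAD_MODULES keeps
# extension .so files mapped at shutdown so their frames still symbolise.
run_memcheck() {
    script="$1"; log="$2"
    USE_ZEND_ALLOC=0 ZEND_DONT_UNLOAD_MODULES=1 valgrind --tool=memcheck \
        --track-origins=yes --num-callers=30 --log-file="$log" \
        php "$script"
}

# Count the error kinds in a memcheck log: invalid reads/writes, how many of
# those land in a free'd block (a use-after-free, as Dmitry diagnosed),
# uninitialised-value uses (the FrontBase leak above), and definite leaks.
triage_memcheck() {
    sed 's/^==[0-9]*== *//' "$1" | awk '
        BEGIN { ia = 0; uaf = 0; un = 0; lk = 0; in_access = 0 }
        /^Invalid (read|write) of size/ { ia++; in_access = 1; next }
        /^$/ { in_access = 0 }
        in_access && /inside a block of size [0-9]+ free.d/ { uaf++ }
        /Conditional jump or move depends on uninitialised/ { un++ }
        /definitely lost in loss record/ { lk++ }
        END { printf "invalid-access=%d use-after-free=%d uninit=%d leak=%d\n", ia, uaf, un, lk }'
}

# Constructed excerpt modelled on the report in this thread (not the real log).
sample_log() {
cat <<'EOF'
==28336== Conditional jump or move depends on uninitialised value(s)
==28336==    at 0x64EF568: tzload (FSTimeZones.c:794)
==28336==
==28336== Invalid read of size 4
==28336==    at 0x89BE3B: i_free_compiled_variables (zend_execute.c:2052)
==28336==  Address 0x1329d150 is 0 bytes inside a block of size 24 free'd
==28336==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28336==
==28336== 24 bytes in 1 blocks are definitely lost in loss record 1 of 1
EOF
}

tmp=$(mktemp); sample_log > "$tmp"
triage_memcheck "$tmp"   # prints: invalid-access=1 use-after-free=1 uninit=1 leak=1
rm -f "$tmp"
```

A non-zero use-after-free count is the signal to go back to the extension's refcount handling; a crash that only shows up deep inside zend_mm_alloc_small, as in the gdb backtrace above, is typically the heap noticing the damage long after it happened.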