ID:               47596
Updated by:       sh...@php.net
Reported By:      pahan at hubbitus dot info
Status:           Verified
Bug Type:         Reproducible crash
Operating System: Linux
PHP Version:      5.3.0beta1
Assigned To:      scottmac
New Comment:

This is being caused because of misuse of mmap(). We are currently relying on mmap to pad the end of our mmap'd file with zeros for detection of EOF in the scanner and scanning ahead.

We specifically add ZEND_MMAP_AHEAD to the len passed to mmap in zend_stream_fixup():

    /* *buf[size] is zeroed automatically by the kernel */
    *buf = mmap(0, size + ZEND_MMAP_AHEAD, PROT_READ, MAP_PRIVATE, fileno(file_handle->handle.fp), 0);

But AFAIK mmap does not support this usage of the len parameter, as it's a limit rather than able to extend the mmap region. This appears to work under most cases as mmap will pad zeroes up to PAGESIZE.

This error will occur anytime we use mmap in this way on a file that is not ZEND_MMAP_AHEAD bytes less than PAGESIZE and therefore attempt to access a byte over PAGESIZE.

It will be easy to fix the mmap calls; however, this will break the re2c scanner. Originally for the EOF checks I was going to re-implement YYFILL to malloc additional space for the scanner after EOF; this may be an option to correct this.

Previous Comments:
------------------------------------------------------------------------

[2009-03-10 18:23:04] scott...@php.net

Looks like something in the re2c stuff that's causing it to overread.

------------------------------------------------------------------------

[2009-03-10 18:13:53] pahan at hubbitus dot info

No, as I also mentioned above, this does not require any external stuff (include_path=::::: does not even contain the "." dir!, so it can't be include files).

------------------------------------------------------------------------

[2009-03-10 16:59:28] j...@php.net

That script requires some external crap that is NOT included. At least provide ALL the files necessary to run the script. Otherwise the next status this report gets is Bogus.

------------------------------------------------------------------------

[2009-03-10 11:12:19] pahan at hubbitus dot info

This script is a completely self-contained reproducing script. But as I mentioned before, I can't make it smaller because that breaks reproducibility.

------------------------------------------------------------------------

[2009-03-08 09:37:43] pahan at hubbitus dot info

Description:
------------
On a particular file php always crashes with Bus Error. I tried to split the file to get only the sensible data, but I can't. ANY changes in it give predictable behavior and all works as expected. Even adding/deleting a comment, any letter, a space in any place...

$ php test.bus.error.php
Bus error

It contains many external dependencies, but they are absolutely unneeded for reproducibility:

$ php -d"include_path=:::::" test.bus.error.php
Bus error

[pa...@x-www _SHARED_]$ ulimit -c unlimited
[pa...@x-www _SHARED_]$ php -d"include_path=/" test.bus.error.php
Bus error (core dumped)

This file is my working mess for tests and sandboxing :), so it is really not intended for any use outside, or even any use except probes and examples. But as I can't even change 1 letter in it, I place it as is:
http://ru.bir.ru/_temp/php-bugs/2/test.bus.error.php.gz

Coredump file is also available for download:
http://ru.bir.ru/_temp/php-bugs/2/core.19581

Reproduce code:
---------------
http://ru.bir.ru/_temp/php-bugs/2/test.bus.error.php.gz

Sorry, I can't make that smaller.

------------------------------------------------------------------------
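The mmap read-ahead condition discussed in the newest comment, worked through as an added example (not code from PHP or from this report): `lookahead_is_backed` generalizes the check to any file size and page size, and `read_padded` shows one heap-based way to get explicit zero padding. Assumptions: `AHEAD = 32` is a stand-in value for ZEND_MMAP_AHEAD, all function names are hypothetical, and the input file is constructed by the example itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define AHEAD 32 /* assumed read-ahead length standing in for ZEND_MMAP_AHEAD */
/* 1 if [size, size+ahead) stays inside the zero-filled remainder of the last
 * mapped page; 0 if it reaches a page with no file behind it (SIGBUS). */
int lookahead_is_backed(size_t size, size_t ahead, size_t page)
{
    size_t used = size % page;  /* 0 for an empty file or an exact multiple */
    return used == 0 ? ahead == 0 : ahead <= page - used;
}

/* Page-layout-independent alternative: copy the file to the heap and append
 * `ahead` zero bytes explicitly. Caller frees the result. */
char *read_padded(FILE *fp, size_t ahead, size_t *size_out)
{
    long size;
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) return NULL;
    rewind(fp);
    char *buf = calloc((size_t)size + ahead + 1, 1);  /* calloc zeroes the tail */
    if (!buf) return NULL;
    if (fread(buf, 1, (size_t)size, fp) != (size_t)size) { free(buf); return NULL; }
    *size_out = (size_t)size;
    return buf;
}

/* Constructed input: a temp file of exactly one page, the worst case for the
 * mmap approach. Returns 1 if the AHEAD bytes past EOF all read back as zero. */
int padded_read_survives_page_multiple(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), size = 0, i;
    FILE *fp = tmpfile();
    if (!fp) return 0;
    for (i = 0; i < page; i++) fputc('x', fp);
    char *buf = read_padded(fp, AHEAD, &size);
    fclose(fp);
    int ok = buf != NULL && size == page;
    for (i = 0; ok && i < AHEAD; i++) ok = (buf[size + i] == 0);
    free(buf);
    return ok;
}

int main(void)
{
    printf("one-page file, mmap read-ahead backed: %d\n", lookahead_is_backed(4096, AHEAD, 4096));
    printf("heap copy zero-padded past EOF: %d\n", padded_read_survives_page_multiple());
    return 0;
}
```

With 4096-byte pages, a file whose length leaves fewer than `AHEAD` bytes free in its last page (or none, as with an exact multiple) is the case where a scanner reading past EOF on the mapping would fault.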