From: ikickdogsforfun at hotmail dot com
Operating system: Debian 5
PHP version: 5.3.1
PHP Bug Type: Scripting Engine problem
Bug description: segfault when using SAPI

Description:
------------
When using the PHP SAPI and values have been added to the global $_SERVER variable, shutdown segfaults in zend_gc. If I remove the setting of the global variables it doesn't segfault. This is possibly not a fault in the SAPI, but I've been unable to resolve it; removing the destroy and free commands in the shutdown function doesn't stop it from segfaulting.

Reproduce code:
---------------
The entire source code file is available at https://crispycrisp.org/php.txt

This is the function that causes a segfault in shutdown if it has been called:

    void php_set_superglobal_server(char *name, char *val)
    {
        zval **SERVER;   /* assumed: the full source file declares this elsewhere */
        zval *type;

        zend_first_try {
            HashTable *locals = &EG(symbol_table);

            /* Fetch $_SERVER from the global scope; the lookup can fail,
             * so only touch the array when it is actually there */
            if (zend_hash_find(locals, "_SERVER", sizeof("_SERVER"), (void **)&SERVER) == SUCCESS
                && Z_TYPE_PP(SERVER) == IS_ARRAY) {
                ALLOC_INIT_ZVAL(type);
                ZVAL_STRING(type, val, 1);   /* copies val; the array takes ownership of the zval */
                ZEND_SET_SYMBOL(Z_ARRVAL_PP(SERVER), name, type);
            }
        } zend_end_try();
    }

Expected result:
----------------
No segfault

Actual result:
--------------
==17605== Thread 2:
==17605== Invalid read of size 4
==17605==    at 0x43B4BB9: gc_remove_zval_from_buffer (zend_gc.h:189)
==17605==    by 0x438E18F: _zval_ptr_dtor (zend_execute_API.c:434)
==17605==    by 0x43A4C7D: zend_hash_destroy (zend_hash.c:526)
==17605==    by 0x804A88A: php_shutdown (php.c:143)
==17605==    by 0x804A955: php (php.c:168)
==17605==    by 0x8049D94: parsing_request (handler.c:180)
==17605==    by 0x80496FE: handle (handler.c:25)
==17605==    by 0x4032F3A: start_thread (in /lib/libpthread-2.7.so)
==17605==    by 0x4793BED: clone (in /lib/libc-2.7.so)
==17605==  Address 0x1c is not stack'd, malloc'd or (recently) free'd
==17605==
==17605== Process terminating with default action of signal 11 (SIGSEGV)
==17605==  Access not within mapped region at address 0x1C
==17605==    at 0x43B4BB9: gc_remove_zval_from_buffer (zend_gc.h:189)
==17605==    by 0x438E18F: _zval_ptr_dtor (zend_execute_API.c:434)
==17605==    by 0x43A4C7D: zend_hash_destroy (zend_hash.c:526)
==17605==    by 0x804A88A: php_shutdown (php.c:143)
==17605==    by 0x804A955: php (php.c:168)
==17605==    by 0x8049D94: parsing_request (handler.c:180)
==17605==    by 0x80496FE: handle (handler.c:25)
==17605==    by 0x4032F3A: start_thread (in /lib/libpthread-2.7.so)
==17605==    by 0x4793BED: clone (in /lib/libc-2.7.so)

-- 
Edit bug report at http://bugs.php.net/?id=50399&edit=1