Bug #65451 [Com]: Segmentation fault on compiling the script

Wed, 18 Sep 2013 05:28:57 -0700 

Edit report at https://bugs.php.net/bug.php?id=65451&edit=1

 ID:                 65451
 Comment by:         tim at bortnik dot org
 Reported by:        chupaka at gmail dot com
 Summary:            Segmentation fault on compiling the script
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Fedora 19
 PHP Version:        5.5.1
 Block user comment: N
 Private report:     N

 New Comment:

Similar problem was caused by apc for me.
Increased apc.shm_size up to 512M (that may vary in different setups) and it is 
gone.


Previous Comments:
------------------------------------------------------------------------
[2013-08-15 17:15:50] a...@php.net

About the reproduce script - any chance to get rid of GET parameters and 
external file dependency? Whereby it might be not that important as it crashes 
just compiling.

I've just tried on windows and (ubuntu with and without dtrace), no crash. 
Maybe 
that's dtrace version, dunno. Is it reproduceable if you compile without dtrace 
support, could you please try?

------------------------------------------------------------------------
[2013-08-14 17:09:21] chupaka at gmail dot com

Description:
------------
I faced the problem after upgrading from php-5.3 to php-5.4, and now it 
continues 
in php-5.5 on Apache 2.4.6.

The script (thumb.php) works correctly almost all the time (clients open 
webpage 
normally), but in Apache logs, there are messages:
[Wed Aug 14 19:33:31.106671 2013] [core:notice] [pid 9968] AH00052: child pid 
21804 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106736 2013] [core:notice] [pid 9968] AH00052: child pid 
23371 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106762 2013] [core:notice] [pid 9968] AH00052: child pid 
23373 exit signal Segmentation fault (11)


Test script:
---------------
thumb.php (it's the only file I saw so far that provokes segfaults):

<?
  if (!isset($_GET['m'], $_GET['n'])) {
    echo "No parameters in thumb.php, _GET is ".var_export($_GET, true)."!";
    die();
  }
  $m = (integer)$_GET['m'];
  $n = (integer)$_GET['n'];
  
  $dn = (floor($m / 100))."/";
  $fn = $dn."$m-$n.jpg";
  if (!file_exists($fn)) die("No frame found!");
  if (!file_exists("thumbs/".$fn) or (filemtime($fn) > 
filemtime("thumbs/".$fn)) or (filesize("thumbs/".$fn) == 0)) {
    if (!file_exists("thumbs/".$dn)) mkdir("thumbs/".$dn);
    
    $img = imagecreatefromjpeg($fn);
    $size = getimagesize($fn);
    $nimg = imagecreatetruecolor(80, 40);
    imagecopyresampled($nimg, $img, 0, 0, 0, 0, 80, 40, $size[0], $size[1]);
    imagejpeg($nimg, "thumbs/".$fn, 85);
  }
  
  readfile("thumbs/".$fn);
?>

Expected result:
----------------
No Segmentation faults

Actual result:
--------------
gdb attached to a child shows this after failure:

Program received signal SIGSEGV, Segmentation fault.
0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
42              stack->elements[stack->top] = (void *) emalloc(size);
(gdb) backtrace
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, 
type=type@entry=2)
    at Zend/zend_language_scanner.l:586
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, 
retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
(gdb) backtrace full
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 
<compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
No locals.
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, 
type=type@entry=2)
    at Zend/zend_language_scanner.l:586
        original_lex_state = {yy_leng = 0, yy_start = 0x0, yy_text = 0x0, 
yy_cursor = 0x0, yy_marker = 0x0,
          yy_limit = 0x0, yy_state = 0, state_stack = {top = 0, max = 0, 
elements = 0x0},
          heredoc_label_stack = {top = 0, max = 0, elements = 0x0, top_element 
= 
0x0, persistent = 0 '\000'},
          in = 0x0, lineno = 0, filename = 0x0, script_org = 0x0, 
script_org_size = 0, script_filtered = 0x0,
          script_filtered_size = 0, input_filter = 0x0, output_filter = 0x0, 
script_encoding = 0x0}
        op_array = 0xb662112c
        original_active_op_array = 0x0
        retval = 0xb662112c
        compiler_result = <optimized out>
        compilation_successful = 0 '\000'
        retval_znode = {op_type = 1, u = {op = {constant = 1, var = 1, num = 1, 
hash = 1, opline_num = 1,
              jmp_addr = 0x1, zv = 0x1, literal = 0x1, ptr = 0x1}, constant = 
{value = {lval = 1,
                dval = -1.4312713536766795e+179, str = {val = 0x1 <Address 0x1 
out of bounds>,
                  len = -450778880}, ht = 0x1, obj = {handle = 1, handlers = 
0xe521a900}}, refcount__gc = 1,
              type = 1 '\001', is_ref__gc = 0 '\000'}, op_array = 0x1}, EA = 
3073921433}
        original_in_compilation = 0 '\000'
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
        res = 0xb6621b88
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, 
retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
        files = 0xbfa206d0 "\031P-·QQ-·"
        i = 0
        file_handle = 0xbfa206f8
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_MAPPED,
          filename = 0xb9939f30 
"/var/www/system/video.infolan.by/frames/thumb.php",
          opened_path = 0xb6621204 
"/var/www/system/video.infolan.by/frames/thumb.php", handle = {
            fd = -1235086660, fp = 0xb66212bc, stream = {handle = 0xb66212bc, 
isatty = 0, mmap = {len = 745,
                pos = 0, map = 0x0,
                buf = 0xb70a6000 "<?\n  if (!isset($_GET['m'], $_GET['n'])) {\n 
   
echo \"No parameters in thumb.php, _GET is \".var_export($_GET, true).\"!\";\n  
  
die();\n  }\n  $m = (integer)$_GET['m'];\n  $n = (integer)$_GET['n'];\n  \n  
$dn 
"..., old_handle = 0x0, old_closer = 0x0}, reader = 0xb69f5690 
<_php_stream_read>,
              fsizer = 0xb69da0a0 <php_zend_stream_fsizer>,
              closer = 0xb69da060 <php_zend_stream_mmap_closer>}}, 
free_filename 
= 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1228988416, -1183831224, -1229662672, 
-1181512632, -1770762997,
              -1917897447}, __mask_was_saved = 0, __saved_mask = {__val = 
{3111136096, 3113461616,
                3071472077, 3071483740, 3111264800, 3113454664, 3071483904, 
3071473021, 3109372568, 1,
                3073921433, 3070734156, 3113454664, 3111265368, 3109399248, 
3070717099, 3113454600,
                4294967295, 3073885849, 3070496172, 3113454664, 4294967295, 
3113454664, 3070442654,
                3113457088, 3070480937, 3109424016, 3844188416, 3113454664, 
3109424016, 3070279966,
                3064982056}}}}
        ctx = 0xb9950f08
        conf = <optimized out>
        brigade = 0xb9969368
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0xb994f3f8



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=65451&edit=1

Reply via email to