From:
Operating system: Mac OS X and Solaris
PHP version: trunk-SVN-2010-11-13 (snap)
Package: Reproducible crash
Bug Type: Bug
Bug description: php crashes with segfault when DTrace "exception-thrown" probe fires
Description:
------------
When DTrace is present, and a DTrace consumer has enabled the "php*:::exception-thrown" probe, php will crash when the probe fires, due to a null reference passed to zend_get_object_classname() from within the probe context.

The code within the DTrace probe context (inside zend_throw_exception_internal()) doesn't check that the 'exception' argument is non-NULL. The test described here obviously creates an instance where 'exception' is NULL, and when the enabled probe fires, the enabled code calls zend_get_object_classname() with a null argument, resulting in the segfault.

Test script:
---------------
In order to reproduce this, you must be running on a system that supports DTrace (OS X, Solaris, FreeBSD?), and php must have been built with --enable-dtrace.

The following script will trigger the exception codepath we're interested in:

    <html><head><title>Test for PHP Exceptions</title></head><body>
    <?php
    function my_func($my_arg) {
        if ($my_arg == 0)
            throw new Exception('You cannot do that.');
    }

    try {
        echo '<p>attempting to call my_func with my_arg == 0';
        my_func(0);
        echo 'this will not be executed';
    } catch (Exception $e) {
        echo "<p>caught exception: " . $e->getMessage();
    }
    ?>
    </body></html>

This will run fine when DTrace hasn't enabled the exception-thrown probe, but if we run the following command (as root) at the time that the above script is requested, php will crash.

    # dtrace -n 'php*:::exception-thrown {}'

The attached patch shows how the problem could be avoided, though I'd like to hear from someone familiar with the Zend framework, to see if there may be an upstream bug that's causing the NULL value to come into zend_throw_exception_internal() in the first place. If this is expected behavior, we should anticipate it and provide appropriate handling within the DTrace probe.

Expected result:
----------------
PHP shouldn't crash.
Actual result:
--------------
PHP crashes as shown:

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
    0x000000010156818b in zend_get_object_classname (object=0x0, class_name=0x7fff5fbfeb60, class_name_len=0x7fff5fbfeb6c) at /Users/michaelharsch/Desktop/php-trunk-201011131530/Zend/zend_API.c:253
    253       if (Z_OBJ_HT_P(object)->get_class_name == NULL ||
    (gdb) bt
    #0  0x000000010156818b in zend_get_object_classname (object=0x0, class_name=0x7fff5fbfeb60, class_name_len=0x7fff5fbfeb6c) at /Users/michaelharsch/Desktop/php-trunk-201011131530/Zend/zend_API.c:253
    #1  0x0000000101589e2e in zend_throw_exception_internal (exception=0x0) at /Users/michaelharsch/Desktop/php-trunk-201011131530/Zend/zend_exceptions.c:90
    #2  0x00000001015a6543 in zend_do_fcall_common_helper_SPEC (execute_data=0x10051a0d8) at zend_vm_execute.h:735
    #3  0x00000001015acc98 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x10051a0d8) at zend_vm_execute.h:2015
    #4  0x00000001015a4075 in execute (op_array=0x10054f030) at zend_vm_execute.h:410
    #5  0x000000010154e6e5 in dtrace_execute (op_array=0x10054f030) at /Users/michaelharsch/Desktop/php-trunk-201011131530/Zend/zend_dtrace.c:75
    #6  0x00000001015674c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/michaelharsch/Desktop/php-trunk-201011131530/Zend/zend.c:1195
    #7  0x00000001014d28e3 in php_execute_script (primary_file=0x7fff5fbff810) at /Users/michaelharsch/Desktop/php-trunk-201011131530/main/main.c:2340
    #8  0x00000001016a39c5 in php_handler (r=0x10098a2a8) at /Users/michaelharsch/Desktop/php-trunk-201011131530/sapi/apache2handler/sapi_apache2.c:667
    #9  0x00000001000021db in ap_run_handler ()
    #10 0x0000000100002aba in ap_invoke_handler ()
    #11 0x000000010002f738 in ap_process_request ()
    #12 0x000000010002bfa9 in ap_process_http_connection ()
    #13 0x0000000100013737 in ap_run_process_connection ()
    #14 0x0000000100013bd1 in ap_process_connection ()
    #15 0x00000001000363f2 in child_main ()
    #16 0x00000001000364dc in make_child ()
    #17 0x0000000100036aaf in ap_mpm_run ()
    #18 0x000000010000a821 in main ()

--
Edit bug report at http://bugs.php.net/bug.php?id=53306&edit=1
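As an added illustration of the failure mode described in this report (this is not PHP's code and not the attached patch), the following C program models a probe-argument helper that reads a class name through an object's handler table, first in the unguarded shape the backtrace shows and then with the NULL check that probe-context code needs before handing the exception pointer to a helper that dereferences it. The struct and function names (object, object_handlers, classname_for_probe, fire_exception_probe) are hypothetical stand-ins for Zend's zval and handler machinery, and the sample objects are constructed for the demonstration. Reading a handler table through a NULL object pointer faults at a small offset from address zero, which is consistent with the KERN_INVALID_ADDRESS at 0x8 in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins (not Zend's real types): an object carries a pointer
 * to a handler table whose get_class_name callback yields the class name,
 * mirroring the Z_OBJ_HT_P(object)->get_class_name read at the crash site. */
struct object;

typedef struct object_handlers {
    const char *(*get_class_name)(const struct object *obj);
} object_handlers;

typedef struct object {
    const object_handlers *handlers;   /* like Z_OBJ_HT_P(object) */
    const char *class_name;            /* constructed sample payload */
} object;

static const char *default_get_class_name(const object *obj) {
    return obj->class_name;
}

static const object_handlers default_handlers = { default_get_class_name };
static const object_handlers bare_handlers = { NULL };   /* no callback installed */

/* Unguarded lookup: the pattern behind the reported crash. With obj == NULL the
 * read of obj->handlers dereferences address 0 plus a small offset and faults.
 * Kept here only to show the shape; never call it with NULL. */
static const char *classname_unguarded(const object *obj) {
    if (obj->handlers->get_class_name == NULL)
        return "(unknown)";
    return obj->handlers->get_class_name(obj);
}

/* Guarded lookup: what probe-context code should do before passing the
 * exception pointer on. A NULL object, a missing handler table or a missing
 * callback all yield a stable placeholder instead of a dereference. */
static const char *classname_for_probe(const object *obj) {
    if (obj == NULL || obj->handlers == NULL || obj->handlers->get_class_name == NULL)
        return "(no exception object)";
    return obj->handlers->get_class_name(obj);
}

/* Simulates the throw path building the probe's class-name argument.
 * Returns 1 when a real class name was available, 0 when the placeholder
 * was used, so callers can see that the probe still fired safely. */
static int fire_exception_probe(const object *exception, char *buf, size_t buflen) {
    const char *name = classname_for_probe(exception);
    snprintf(buf, buflen, "exception-thrown class=%s", name);
    return strcmp(name, "(no exception object)") != 0;
}

/* Constructed sample: a throwable whose class name is "Exception".
 * The returned pointer refers to a string literal, so it outlives the local. */
static const char *sample_class_name(void) {
    object ex = { &default_handlers, "Exception" };
    return classname_for_probe(&ex);
}

/* Constructed sample: an object whose handler table has no get_class_name. */
static const char *sample_class_name_no_callback(void) {
    object ex = { &bare_handlers, "Exception" };
    return classname_for_probe(&ex);
}

/* Probe simulation with a NULL exception, the case the report hits. */
static int sample_probe_with_null(void) {
    char buf[64];
    return fire_exception_probe(NULL, buf, sizeof buf);
}

int main(void) {
    object ex = { &default_handlers, "Exception" };
    char buf[64];

    printf("unguarded, valid object: %s\n", classname_unguarded(&ex));
    fire_exception_probe(&ex, buf, sizeof buf);
    puts(buf);
    fire_exception_probe(NULL, buf, sizeof buf);   /* unguarded path would crash here */
    puts(buf);
    return 0;
}
```

The guarded helper checks the object pointer, the handler table pointer and the callback pointer in that order, so short-circuit evaluation never dereferences a NULL on the way to the placeholder; the simulated probe reports whether it used a real name, which is the kind of signal a consumer script can key on instead of a crashed worker.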