Edit report at https://bugs.php.net/bug.php?id=64836&edit=1

 ID:                 64836
 Updated by:         a...@php.net
 Reported by:        r dot biegel at gmx dot at
 Summary:            segfault in softmagic.c
-Status:             Assigned
+Status:             Suspended
 Type:               Bug
 Package:            Unknown/Other Function
 Operating System:   Gentoo Linux
 PHP Version:        5.4.15
 Assigned To:        ab
 Block user comment: N
 Private report:     N

 New Comment:

Hi,

thanks for investing so much time in this ticket. After looking at the Gentoo tickets:

- #470828 seems to report an SVN issue in Apache; PHP is only mentioned aside.
- #467756 looks related to PHP, but to 5.4.14. As I've mentioned, libmagic was upgraded in 5.4.15, though one small regression was present. The crash in that ticket is therefore most likely not relevant for 5.4.15 and later.
- The BT in this ticket isn't reproducible by you anymore, nor could I get it to crash.

Conclusion - I would suspend this bug and check again when the new PHP version is out.
Maybe some more info will be present in the Gentoo tickets by that time.

Have a nice weekend :)


Previous Comments:
------------------------------------------------------------------------
[2013-05-23 11:04:18] r dot biegel at gmx dot at

OK, in short: I can't reproduce the segfault behaviour anymore.

Longer version:
- updated kernel from gentoo-hardened 3.8.12 to 3.9.2
- updated gcc to 4.7.3
- compiled php 5.4.13 and 5.4.14 and both work fine
- compiled php 5.4.15 again which now works fine too
- downgraded kernel and gcc to previous versions
- compiled php 5.4.15, still works

I just don't get it... I had already re-compiled PHP and Apache before reporting this as a bug.

With "-D SVN" I meant the startup arguments for Apache on the command line. I don't know if this is Gentoo specific, but it controls the loading of the SVN DAV module.

Lastly, I'd like to link these two bugs on the Gentoo bugzilla, which might be related:
https://bugs.gentoo.org/show_bug.cgi?id=467756
https://bugs.gentoo.org/show_bug.cgi?id=470828

Thanks for your help!

------------------------------------------------------------------------
[2013-05-21 08:00:47] a...@php.net

I've just compiled Apache 2.4 with the Subversion 1.7.x module plus PHP 5.5, TS build. But it still doesn't crash for me. Note that libmagic is the same in 5.4 and 5.5 and was upgraded in 5.4.15 and 5.5.0 beta4.

To diagnose it further, is it possible for you to check whether the behavior is the same with earlier PHP versions? Maybe 5.4.14 or 5.5.0 beta3. Also I think this behaviour is TS specific; SVN might even not be the cause.

BTW, what do you mean by "not using -D SVN"? As I've experienced, mod_dav_svn.so has to be built from the Subversion sources and is not contained in the Apache source tree.

Thanks.

------------------------------------------------------------------------
[2013-05-19 15:31:46] r dot biegel at gmx dot at

I used this little script to test the finfo_file function on its own. It crashes in Apache (if the file $fn exists, the file type doesn't matter), but it works on the CLI:

<?php
// Open a default finfo resource (no flags) and classify a single file.
$finfo = finfo_open();
$fn = "index.html";

// finfo_file() is the call that segfaults under Apache; it works on the CLI.
echo "File ".$fn." is of type ".finfo_file($finfo,$fn);

finfo_close($finfo);
?>


So I thought it has something to do with Apache, and it turned out that disabling SVN DAV in Apache (not using -D SVN) fixes the problem. How can I investigate further? BTW, I had already upgraded from Apache 2.2 to 2.4 before my first report.


Here is another (more detailed) bt:

Thread 28 (Thread 0x7fffd9feb700 (LWP 24821)):
#0  0x00007fffeeec2e6b in mget (ms=0x7fffd411c5f0, s=0x7fffd8896030 "GIF89a", 
m=0x7fffd8a69268, nbytes=1218, o=0, cont_level=0, mode=32, text=0, flip=0, 
    recursion_level=1, printed_something=0x7fffd9fe7dd4, 
need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24)
    at ext/fileinfo/libmagic/softmagic.c:1610
        off = 0
        soffset = 410814606
        offset = 0
        count = 0
        rv = -207172457
        oneed_separator = 994741513
        sbuf = 0x5cb76acd3615aac9 <Address 0x5cb76acd3615aac9 out of bounds>
        rbuf = 0x8efc10f4e7cb6d6d <Address 0x8efc10f4e7cb6d6d out of bounds>
        p = 0x7fffd411c660
        ml = {magic = 0x180ffedff931d7c7, nmagic = 1473718312, map = 
0xd8c865c8, next = 0x7fffd411c5f0, prev = 0x1a09a2a9d9c97089}
#1  0x00007fffeeebede8 in match (ms=0x7fffd411c5f0, magic=0x7fffd89170e8, 
nmagic=9629, s=0x7fffd8896030 "GIF89a", nbytes=1218, offset=0, mode=32, text=0, 
    flip=0, recursion_level=0, printed_something=0x7fffd9fe7dd4, 
need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24)
    at ext/fileinfo/libmagic/softmagic.c:157
        flush = 0
        m = 0x7fffd8a69268
        magindex = 5584
        cont_level = 0
        returnvalv = 0
        e = -647236122
        firstline = 1
        print = 0
#2  0x00007fffeeebeb19 in file_softmagic (ms=0x7fffd411c5f0, buf=0x7fffd8896030 
"GIF89a", nbytes=1218, mode=32, text=0)
    at ext/fileinfo/libmagic/softmagic.c:82
        ml = 0x7fffd40efb50
        rv = 32767
        printed_something = 0
        need_separator = 0
#3  0x00007fffeeebc3a5 in file_buffer (ms=0x7fffd411c5f0, 
stream=0x7fffd8d70388, inname=0x0, buf=0x7fffd8896030, nb=1218)
    at ext/fileinfo/libmagic/funcs.c:238
        m = 0
        rv = 0
        looks_text = 0
        mime = 16
        ubuf = 0x7fffd8896030 "GIF89a"
        u8buf = 0x7fffd4255aa0
        ulen = 3
        code = 0x0
        code_mime = 0x7fffef6f618f "binary"
        type = 0x7fffef6f5f84 "binary"
#4  0x00007fffeeebd698 in file_or_stream (ms=0x7fffd411c5f0, inname=0x0, 
stream=0x7fffd8d70388)
    at ext/fileinfo/libmagic/magic.c:413
        rv = -1
        buf = 0x7fffd8896030 "GIF89a"
        sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 33188, 
st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, 
          st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, 
tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, st_ctim = {
            tv_sec = 1368462842, tv_nsec = 483233520}, __unused = {0, 0, 0}}
        nbytes = 1218
        no_in_stream = 0
        tsrm_ls = 0x7fffd40068f0
#5  0x00007fffeeebd441 in magic_stream (ms=0x7fffd411c5f0, 
stream=0x7fffd8d70388)
    at ext/fileinfo/libmagic/magic.c:345
No locals.
#6  0x00007fffeeeae9b8 in _php_finfo_get_type (ht=2, 
return_value=0x7fffd49f1e50, return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, 
return_value_used=1, 
    tsrm_ls=0x7fffd40068f0, mode=2, mimetype_emu=0) at 
ext/fileinfo/fileinfo.c:540
        stream = 0x7fffd8d70388
        context = 0x7fffd8b84610
        tmp2 = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        wrap = 0x7fffefb6c700 <php_plain_files_wrapper>
        ssb = {sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 
33188, st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, 
            st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, 
tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, 
            st_ctim = {tv_sec = 1368462842, tv_nsec = 483233520}, __unused = 
{0, 0, 0}}}
        options = 16
        ret_val = 0x0
        buffer = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        buffer_len = 53
        finfo = 0x7fffd49e7e08
        zfinfo = 0x7fffef8234f1
        zcontext = 0x0
        what = 0x7fffef8234fc
        mime_directory = "directory"
        magic = 0x7fffd411c5f0
        object = 0x7fffd49f3d58
#7  0x00007fffeeeaec40 in zif_finfo_file (ht=2, return_value=0x7fffd49f1e50, 
return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, return_value_used=1, 
    tsrm_ls=0x7fffd40068f0) at ext/fileinfo/fileinfo.c:578
No locals.
#8  0x00007fffef2f0da2 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0)
    at Zend/zend_vm_execute.h:643
        ret = 0x7ffff7e61e28
        opline = 0x7fffd4903300
        should_change_scope = 1 '\001'
        fbc = 0x555555b0ef20
#9  0x00007fffef2f220e in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER 
(execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0)
    at Zend/zend_vm_execute.h:754
No locals.
(More stack frames follow...)

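The backtrace above enters libmagic through finfo_file(), i.e. file_or_stream() -> file_buffer() -> file_softmagic(), on a buffer starting with "GIF89a". The following script is an added diagnostic example (not the reporter's script and not part of the bug report): it writes a constructed 1x1 GIF to a temp file, then runs both finfo_file() (stream path) and finfo_buffer() (no stream layer) under each finfo mode, flushing before every call so that if the process dies the last printed label shows which call and mode crashed. It assumes the fileinfo extension is loaded and a writable temp directory; run it once via the CLI and once via Apache to compare the SAPI/ZTS line.

```php
<?php
// Added diagnostic example, not code from the bug report.
// Constructed 1x1 GIF; its "GIF89a" header matches the buffer in frame #0.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$fn  = tempnam(sys_get_temp_dir(), 'finfo_');
file_put_contents($fn, $gif);

// Report the runtime so CLI and Apache runs can be compared (TS vs non-TS).
printf("SAPI=%s ZTS=%d PHP=%s\n", PHP_SAPI, PHP_ZTS, PHP_VERSION);
flush();

$modes = [
    'FILEINFO_NONE'      => FILEINFO_NONE,
    'FILEINFO_MIME_TYPE' => FILEINFO_MIME_TYPE,
    'FILEINFO_MIME'      => FILEINFO_MIME,
];

foreach ($modes as $name => $mode) {
    $finfo = finfo_open($mode);
    if ($finfo === false) {
        printf("%-18s finfo_open() failed\n", $name);
        flush();
        continue;
    }
    // Print the label before each call: if the worker segfaults here,
    // the partial line tells you which entry point and mode died.
    printf("%-18s file  : ", $name); flush();
    printf("%s\n", finfo_file($finfo, $fn)); flush();
    printf("%-18s buffer: ", $name); flush();
    printf("%s\n", finfo_buffer($finfo, $gif)); flush();
    finfo_close($finfo);
}

unlink($fn);
```

If finfo_buffer() survives where finfo_file() does not, the fault is in the stream layer rather than in softmagic matching itself; if both die only under the TS Apache build, that supports the TS-specific suspicion raised in the thread.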
------------------------------------------------------------------------
[2013-05-17 15:57:47] a...@php.net

@r dot biegel at gmx dot at

Exactly, and the same way you could see with which options finfo_open() was invoked. That would be very helpful.

Thanks

------------------------------------------------------------------------
[2013-05-17 15:56:07] a...@php.net

@r dot biegel at gmx dot at

Could you at least share the file it crashes on please? You can do that walking 
back in the stack when using gdb. Let me know if you need help with that.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=64836

