From: chupaka at gmail dot com
Operating system: Fedora 19
PHP version: 5.5.1
Package: Reproducible crash
Bug Type: Bug
Bug description: Segmentation fault on compiling the script
Description:
------------
I faced the problem after upgrading from php-5.3 to php-5.4, and now it continues
in php-5.5 on Apache 2.4.6.
The script (thumb.php) works correctly almost all the time (clients open the webpage
normally), but in Apache logs, there are messages:
[Wed Aug 14 19:33:31.106671 2013] [core:notice] [pid 9968] AH00052: child pid 21804 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106736 2013] [core:notice] [pid 9968] AH00052: child pid 23371 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106762 2013] [core:notice] [pid 9968] AH00052: child pid 23373 exit signal Segmentation fault (11)
Test script:
---------------
thumb.php (it's the only file I saw so far that provokes segfaults):
<?
    if (!isset($_GET['m'], $_GET['n'])) {
        echo "No parameters in thumb.php, _GET is ".var_export($_GET, true)."!";
        die();
    }
    $m = (integer)$_GET['m'];
    $n = (integer)$_GET['n'];

    $dn = (floor($m / 100))."/";
    $fn = $dn."$m-$n.jpg";
    if (!file_exists($fn)) die("No frame found!");
    if (!file_exists("thumbs/".$fn) or (filemtime($fn) > filemtime("thumbs/".$fn)) or (filesize("thumbs/".$fn) == 0)) {
        if (!file_exists("thumbs/".$dn)) mkdir("thumbs/".$dn);
        $img = imagecreatefromjpeg($fn);
        $size = getimagesize($fn);
        $nimg = imagecreatetruecolor(80, 40);
        imagecopyresampled($nimg, $img, 0, 0, 0, 0, 80, 40, $size[0], $size[1]);
        imagejpeg($nimg, "thumbs/".$fn, 85);
    }
    readfile("thumbs/".$fn);
?>
Expected result:
----------------
No Segmentation faults
Actual result:
--------------
gdb attached to a child shows this after failure:
Program received signal SIGSEGV, Segmentation fault.
0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 <compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
42      stack->elements[stack->top] = (void *) emalloc(size);
(gdb) backtrace
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 <compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, type=type@entry=2)
    at Zend/zend_language_scanner.l:586
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
(gdb) backtrace full
#0  0xb6a40af2 in zend_stack_push (stack=stack@entry=0xb6c0d3d0 <compiler_globals+368>,
    element=element@entry=0xb6c0d3ac <compiler_globals+332>, size=size@entry=36)
    at /usr/src/debug/php-5.5.1/Zend/zend_stack.c:42
No locals.
#1  0xb6a09eca in compile_file (file_handle=file_handle@entry=0xbfa206f8, type=type@entry=2)
    at Zend/zend_language_scanner.l:586
        original_lex_state = {yy_leng = 0, yy_start = 0x0, yy_text = 0x0, yy_cursor = 0x0, yy_marker = 0x0,
          yy_limit = 0x0, yy_state = 0, state_stack = {top = 0, max = 0, elements = 0x0},
          heredoc_label_stack = {top = 0, max = 0, elements = 0x0, top_element = 0x0, persistent = 0 '\000'},
          in = 0x0, lineno = 0, filename = 0x0, script_org = 0x0, script_org_size = 0, script_filtered = 0x0,
          script_filtered_size = 0, input_filter = 0x0, output_filter = 0x0,
          script_encoding = 0x0}
        op_array = 0xb662112c
        original_active_op_array = 0x0
        retval = 0xb662112c
        compiler_result = <optimized out>
        compilation_successful = 0 '\000'
        retval_znode = {op_type = 1, u = {op = {constant = 1, var = 1, num = 1, hash = 1, opline_num = 1,
              jmp_addr = 0x1, zv = 0x1, literal = 0x1, ptr = 0x1}, constant = {value = {lval = 1,
                dval = -1.4312713536766795e+179, str = {val = 0x1 <Address 0x1 out of bounds>,
                  len = -450778880}, ht = 0x1, obj = {handle = 1, handlers = 0xe521a900}}, refcount__gc = 1,
              type = 1 '\001', is_ref__gc = 0 '\000'}, op_array = 0x1}, EA = 3073921433}
        original_in_compilation = 0 '\000'
#2  0xb6a30f56 in dtrace_compile_file (file_handle=0xbfa206f8, type=2)
    at /usr/src/debug/php-5.5.1/Zend/zend_dtrace.c:40
        res = 0xb6621b88
#3  0xb6a4390a in zend_execute_scripts (type=type@entry=2, retval=retval@entry=0x0,
    file_count=file_count@entry=1) at /usr/src/debug/php-5.5.1/Zend/zend.c:1308
        files = 0xbfa206d0 "\031P-·QQ-·"
        i = 0
        file_handle = 0xbfa206f8
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        orig_interactive = 0
#4  0xb6afeccf in php_handler (r=0xb9938c48)
    at /usr/src/debug/php-5.5.1/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_MAPPED,
          filename = 0xb9939f30 "/var/www/system/video.infolan.by/frames/thumb.php",
          opened_path = 0xb6621204 "/var/www/system/video.infolan.by/frames/thumb.php", handle = {
            fd = -1235086660, fp = 0xb66212bc, stream = {handle = 0xb66212bc, isatty = 0, mmap = {len = 745,
                pos = 0, map = 0x0,
                buf = 0xb70a6000 "<?\n if (!isset($_GET['m'], $_GET['n'])) {\n echo \"No parameters in thumb.php, _GET is \".var_export($_GET, true).\"!\";\n die();\n }\n $m = (integer)$_GET['m'];\n $n = (integer)$_GET['n'];\n \n $dn "..., old_handle = 0x0, old_closer = 0x0}, reader = 0xb69f5690 <_php_stream_read>,
              fsizer = 0xb69da0a0 <php_zend_stream_fsizer>,
              closer = 0xb69da060 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1228988416, -1183831224, -1229662672, -1181512632, -1770762997,
              -1917897447}, __mask_was_saved = 0, __saved_mask = {__val = {3111136096, 3113461616,
                3071472077, 3071483740, 3111264800, 3113454664, 3071483904, 3071473021, 3109372568, 1,
                3073921433, 3070734156, 3113454664, 3111265368, 3109399248, 3070717099, 3113454600,
                4294967295, 3073885849, 3070496172, 3113454664, 4294967295, 3113454664, 3070442654,
                3113457088, 3070480937, 3109424016, 3844188416, 3113454664, 3109424016, 3070279966,
                3064982056}}}}
        ctx = 0xb9950f08
        conf = <optimized out>
        brigade = 0xb9969368
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0xb994f3f8
--
Edit bug report at https://bugs.php.net/bug.php?id=65451&edit=1
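A triage sketch for the AH00052 notices quoted in the report, added here as an example and not part of the original report or of PHP/Apache code: it parses the child-crash lines and groups crashes of the same parent process that fall close together in time. The function names and the one-second default window are assumptions; the sample log is constructed from the three lines in the report plus one unrelated line.

```python
import re
from datetime import datetime

# Constructed sample: the three notices from the report plus one unrelated line.
SAMPLE_LOG = """\
[Wed Aug 14 19:33:31.106671 2013] [core:notice] [pid 9968] AH00052: child pid 21804 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106736 2013] [core:notice] [pid 9968] AH00052: child pid 23371 exit signal Segmentation fault (11)
[Wed Aug 14 19:33:31.106762 2013] [core:notice] [pid 9968] AH00052: child pid 23373 exit signal Segmentation fault (11)
[Wed Aug 14 19:35:02.000100 2013] [core:notice] [pid 9968] constructed unrelated notice
"""

AH00052 = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] "
    r"AH00052: child pid (?P<child>\d+) exit signal (?P<signal>.+?) \((?P<signo>\d+)\)"
)

def parse_crashes(text):
    """Return one dict per AH00052 child-crash notice, in log order."""
    crashes = []
    for line in text.splitlines():
        m = AH00052.match(line)
        if m:
            crashes.append({
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
                "parent": int(m["parent"]),
                "child": int(m["child"]),
                "signal": m["signal"],
                "signo": int(m["signo"]),
            })
    return crashes

def bursts(crashes, window_s=1.0):
    """Group crashes per parent; a gap longer than window_s starts a new group."""
    groups, open_group = [], {}  # open_group: parent pid -> its latest group
    for c in sorted(crashes, key=lambda c: c["time"]):
        g = open_group.get(c["parent"])
        if g and (c["time"] - g[-1]["time"]).total_seconds() <= window_s:
            g.append(c)
        else:
            g = [c]
            groups.append(g)
            open_group[c["parent"]] = g
    return groups

if __name__ == "__main__":
    for g in bursts(parse_crashes(SAMPLE_LOG)):
        span = g[-1]["time"] - g[0]["time"]
        pids = [c["child"] for c in g]
        print(f"parent {g[0]['parent']}: {len(g)} children, span {span}, pids {pids}")
```

On the sample, all three children of parent 9968 land in one group, which separates a simultaneous multi-child failure from isolated per-request crashes when reading a longer log.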