Edit report at https://bugs.php.net/bug.php?id=63191&edit=1
ID:                 63191
Updated by:         [email protected]
Reported by:        sh at isecure dot cz
Summary:            SIGSEGV (phpunit)
Status:             Open
Type:               Bug
Package:            Unknown/Other Function
Operating System:   Freebsd 9 & Ubuntu 12.04
PHP Version:        Irrelevant
Block user comment: N
Private report:     N

New Comment:

Can you give us a reproduce script?

Previous Comments:
------------------------------------------------------------------------
[2012-10-18 15:56:17] dispyfree at googlemail dot com

I just tested PHP 5.4.7 I compiled from source - same behavior.
Obviously, this issue has not been fixed yet.

Regards

------------------------------------------------------------------------
[2012-10-18 14:31:49] dispyfree at googlemail dot com

I can confirm this issue.
The interesting part is that this issue only comes up if you use a newer version than PHPUnit 3.7.1 - I guess they used a new feature starting from that version.

I'm running PHP 5.3.10-1ubuntu3.4 with Suhosin-Patch (cli) on Linux version 3.2.0-32-generic-pae (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #51-Ubuntu SMP Wed Sep 26 21:54:23 UTC 2012.

And another one: the newest Debian PHP binary does _not_ crash.

Regards,

------------------------------------------------------------------------
[2012-10-03 20:34:58] sh at isecure dot cz

By Xdebug I stepped on this line

    if(!$this->formatter)
    {
        // irrelevant
    }

The expression itself throws SIGSEGV, but only after several iterations with almost the same variables (this->formatter is always a simple object - https://github.com/Seldaek/monolog/blob/master/src/Monolog/Formatter/LineFormatter.php)

If I change the row to if(empty($this->formatter)), the code miraculously works.

I am unable to simulate it nor simplify the current conditions to write an example script. Please can you tell me how to investigate this bug more?

------------------------------------------------------------------------
[2012-10-01 15:30:49] [email protected]

could you give us a reproduce script?
thanks

------------------------------------------------------------------------
[2012-09-30 19:55:40] sh at isecure dot cz

Description:
------------
Crash with Symfony 2 & phpunit use. Can't localize the root cause of the problem; the same error shows on FreeBSD 9 with PHP 5.4.6 and also in Ubuntu's PHP 5.3.10-1

Actual result:
--------------
(gdb) r
Starting program: /usr/local/bin/php /usr/local/bin/phpunit -c app src/Foo/ShopBundle/Demo/DemoCreationTest
[New LWP 108705]
[New Thread 80217a400 (LWP 108705/php)]
PHPUnit 3.6.10 by Sebastian Bergmann.

Configuration read from /home/sh/public_html/eshop/app/phpunit.xml.dist

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80217a400 (LWP 108705/php)]
0x000000000069b7d2 in zend_std_object_get_class (object=0x80fabc6f8) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_object_handlers.c:1454
1454            return zobj->ce;
(gdb)
(gdb) bt full
#0  0x000000000069b7d2 in zend_std_object_get_class (object=0x80fabc6f8) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_object_handlers.c:1454
        zobj = (zend_object *) 0x800000763
#1  0x0000000000663745 in zend_get_class_entry (zobject=0x80fabc6f8) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_API.c:238
No locals.
#2  0x00000000006f7998 in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0x80203fff0) at zend_vm_execute.h:13450
        opline = (zend_op *) 0x80dea2a10
        function_name = (zval *) 0x80dea3a08
        function_name_strval = 0x802092578 "format"
        function_name_strlen = 6
        free_op1 = {var = 0x0}
#3  0x00000000006a1071 in execute (op_array=0x80ded34f0) at zend_vm_execute.h:410
        ret = 3
        execute_data = (zend_execute_data *) 0x80203fff0
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#4  0x000000000064d3ff in zend_call_function (fci=0x7fffffffa550, fci_cache=0x7fffffffa4e0) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_execute_API.c:958
        i = 0
        original_return_value = (zval **) 0x0
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x80ea99b58
        original_opline_ptr = (zend_op **) 0x80203dcd8
        current_scope = (zend_class_entry *) 0x0
        current_called_scope = (zend_class_entry *) 0x80226d200
        calling_scope = (zend_class_entry *) 0x80e1d3e60
        called_scope = (zend_class_entry *) 0x80e1d3e60
        current_this = (zval *) 0x8109ec370
        execute_data = {opline = 0x0, function_state = {function = 0x80e1deb80, arguments = 0x80203efb8}, fbc = 0x0, called_scope = 0x3, op_array = 0x0, object = 0x810a89d28, Ts = 0x80203de88, CVs = 0x80203dd68, symbol_table = 0x0, prev_execute_data = 0x80203dcd8, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x8109ec370, current_scope = 0x80ea7edc0, current_called_scope = 0x80ea7edc0, current_this = 0x8109ef510, current_object = 0x0}
        fci_cache_local = {initialized = 208 '�', function_handler = 0x68e437, calling_scope = 0x1ffffa1e0, called_scope = 0x80f513510, object_ptr = 0x80f3c0c70}
#5  0x0000000000683141 in zend_call_method (object_pp=0x7fffffffa650, obj_ce=0x80e1d3e60, fn_proxy=0x7fffffffa658, function_name=0x84e866 "__destruct", function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_interfaces.c:97
        fcic = {initialized = 1 '\001', function_handler = 0x80e1deb80, calling_scope = 0x80e1d3e60, called_scope = 0x80e1d3e60, object_ptr = 0x810a89d28}
        result = 0
        fci = {size = 72, function_table = 0x3b10064a618, function_name = 0x7fffffffa530, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffa528, param_count = 0, params = 0x7fffffffa510, object_ptr = 0x810a89d28, no_separation = 1 '\001'}
        z_fname = {value = {lval = 8691136, dval = 4.2939917209341081e-317, str = {val = 0x849dc0 "/usr/ports/lang/php5/work/php-5.4.6/Zend/zend_execute_API.c", len = 279485768}, ht = 0x849dc0, obj = {handle = 8691136, handlers = 0x810a89d48}}, refcount__gc = 8710008, type = 0 '\0', is_ref__gc = 0 '\0'}
        retval = (zval *) 0x0
        function_table = (HashTable *) 0x80e1d3e88
        params = {0x7fffffffa5d8, 0x7fffffffa5e0}
#6  0x000000000069187a in zend_objects_destroy_object (object=0x80fa8e540, handle=945) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_objects.c:123
        old_exception = (zval *) 0x0
        obj = (zval *) 0x810a89d28
        obj_bucket = (zend_object_store_bucket *) 0x810095ca0
        destructor = (zend_function *) 0x80e1deb80
#7  0x000000000068e9dc in gc_collect_cycles () at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_gc.c:814
        p = (zval_gc_info *) 0x80fa8e048
        q = (zval_gc_info *) 0x84f478
        orig_free_list = (zval_gc_info *) 0x0
        orig_next_to_free = (zval_gc_info *) 0x0
        count = 10689
#8  0x000000000068ceda in gc_zobj_possible_root (zv=0x8109ec370) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_gc.c:221
        newRoot = (gc_root_buffer *) 0x0
        obj = (struct _store_object *) 0x8100a47a8
#9  0x000000000068cbac in gc_zval_possible_root (zv=0x8109ec370) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_gc.c:143
No locals.
#10 0x00000000006a35b6 in zend_do_fcall_common_helper_SPEC (execute_data=0x80203dcd8) at zend_gc.h:183
        opline = (zend_op *) 0x80eaa29e0
        should_change_scope = 1 '\001'
        fbc = (zend_function *) 0x80228a800
#11 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x80203dcd8) at zend_vm_execute.h:752
No locals.
#12 0x00000000006a1071 in execute (op_array=0x80ea99b58) at zend_vm_execute.h:410
        ret = 0
        execute_data = (zend_execute_data *) 0x80203dcd8
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#13 0x000000000064d3ff in zend_call_function (fci=0x7fffffffaed0, fci_cache=0x7fffffffaea0) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_execute_API.c:958
        i = 0
        original_return_value = (zval **) 0x80203a788
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x80d437d68
        original_opline_ptr = (zend_op **) 0x80203a838
        current_scope = (zend_class_entry *) 0x80d434170
        current_called_scope = (zend_class_entry *) 0x80d43e7c0
        calling_scope = (zend_class_entry *) 0x810505f78
        called_scope = (zend_class_entry *) 0x810505f78
        current_this = (zval *) 0x8108fdeb0
        execute_data = {opline = 0x0, function_state = {function = 0x8104cf500, arguments = 0x80203b300}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x810a30770, Ts = 0x80203a948, CVs = 0x80203a8c8, symbol_table = 0x0, prev_execute_data = 0x80203a838, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x80203a788, current_scope = 0x80d434170, current_called_scope = 0x80d43e7c0, current_this = 0x8108fdeb0, current_object = 0x0}
        fci_cache_local = {initialized = 0 '\0', function_handler = 0xc7500000048, calling_scope = 0x84b258, called_scope = 0x0, object_ptr = 0x80200d600}
#14 0x00000000004d4bbc in zif_call_user_func_array (ht=2, return_value=0x810a5e478, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /usr/ports/lang/php5/work/php-5.4.6/ext/standard/basic_functions.c:4749
        params = (zval *) 0x810a5c858
        retval_ptr = (zval *) 0x0
        fci = {size = 72, function_table = 0x810505fa0, function_name = 0x810a70150, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffaf20, param_count = 0, params = 0x810a53400, object_ptr = 0x810a30770, no_separation = 1 '\001'}
        fci_cache = {initialized = 1 '\001', function_handler = 0x8104cf500, calling_scope = 0x810505f78, called_scope = 0x810505f78, object_ptr = 0x810a30770}
#15 0x00000000006a2a90 in zend_do_fcall_common_helper_SPEC (execute_data=0x80203a838) at zend_vm_execute.h:642
        ret = (temp_variable *) 0x80203aea8
        opline = (zend_op *) 0x80d43ca08
        should_change_scope = 0 '\0'
        fbc = (zend_function *) 0x8021f3a00
#16 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x80203a838) at zend_vm_execute.h:752
No locals.
#17 0x00000000006a1071 in execute (op_array=0x80df5cd00) at zend_vm_execute.h:410
        ret = 0
        execute_data = (zend_execute_data *) 0x80203a838
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#18 0x000000000064d3ff in zend_call_function (fci=0x7fffffffb710, fci_cache=0x7fffffffb6e0) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend_execute_API.c:958
        i = 0
        original_return_value = (zval **) 0x802037248
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x80d9f5380
        original_opline_ptr = (zend_op **) 0x802037ec8
        current_scope = (zend_class_entry *) 0x0
        current_called_scope = (zend_class_entry *) 0x80226cf00
        calling_scope = (zend_class_entry *) 0x80d915018
        called_scope = (zend_class_entry *) 0x80d915018
        current_this = (zval *) 0x80da58b40
        execute_data = {opline = 0x0, function_state = {function = 0x80d9152a8, arguments = 0x802038800}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x80da628b8, Ts = 0x802037fa8, CVs = 0x802037f58, symbol_table = 0x0, prev_execute_data = 0x802037ec8, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x0, current_scope = 0x80d9163d0, current_called_scope = 0x80d915018, current_this = 0x80da628b8, current_object = 0x0}
        fci_cache_local = {initialized = 240 '�', function_handler = 0x9e100000000, calling_scope = 0x847268, called_scope = 0x200000002, object_ptr = 0x0}
#19 0x0000000000479632 in zim_reflection_method_invokeArgs (ht=2, return_value=0x80da58890, return_value_ptr=0x0, this_ptr=0x80da58b40, return_value_used=1) at /usr/ports/lang/php5/work/php-5.4.6/ext/reflection/php_reflection.c:3024
        retval_ptr = (zval *) 0x0
        params = (zval ***) 0x802067758
        object = (zval *) 0x80da628b8
        intern = (reflection_object *) 0x80da0a778
        mptr = (zend_function *) 0x80d9152a8
        argc = 0
        result = 8
        fci = {size = 72, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffb768, param_count = 0, params = 0x802067758, object_ptr = 0x80da628b8, no_separation = 1 '\001'}
        fcc = {initialized = 1 '\001', function_handler = 0x80d9152a8, calling_scope = 0x80d915018, called_scope = 0x80d915018, object_ptr = 0x80da628b8}
        obj_ce = (zend_class_entry *) 0x80d915018
        param_array = (zval *) 0x80da585d8
#20 0x00000000006a2a90 in zend_do_fcall_common_helper_SPEC (execute_data=0x802037ec8) at zend_vm_execute.h:642
        ret = (temp_variable *) 0x802038288
        opline = (zend_op *) 0x80d92af50
        should_change_scope = 1 '\001'
        fbc = (zend_function *) 0x802288c00
#21 0x00000000006a3e15 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x802037ec8) at zend_vm_execute.h:752
No locals.
#22 0x00000000006a1071 in execute (op_array=0x80d9f5380) at zend_vm_execute.h:410
        ret = 0
        execute_data = (zend_execute_data *) 0x802037ec8
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#23 0x0000000000662a79 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php5/work/php-5.4.6/Zend/zend.c:1289
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffbd10, reg_save_area = 0x7fffffffbc50}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffd840
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        orig_interactive = 0
#24 0x00000000005cad46 in php_execute_script (primary_file=0x7fffffffd840) at /usr/ports/lang/php5/work/php-5.4.6/main/main.c:2473
        realfile = "/usr/local/bin/phpunit\000\000\002\000\000\000\001\000\000\0008W\006\002\b\000\000\000�E�\000\003\000\000\000����� \177\000\000�~g\000\000\000\000\000@V\006\002\b\000\000\000\020\000\000\000\002 \000\000\000@V\006\002\b", '\0' <repeats 11 times>, "h\233\203\000\000\000\000\000�\000\000\000\003\000\000\000\200���� \177\000\000;\\^\000\000\000\000\000��@\000\000\000\000\000\026", '\0' <repeats 15 times>, "@\223\000\000\000\000\000\000@V\006\002\b\000\000\000@V\006\002\b\000\000\000� \214\202\000\000\000\000\000�U\006\002r\001\000\000@V\006\002\b\000\000\000� \211\000\000\002\000"...
        __orig_bailout = (sigjmp_buf *) 0x7fffffffd790
        __bailout = {{_sjb = {6072965, 5, 140737488338184, 140737488343808, 140737488345912, 140737488345864, 0, 0, 140737488290431, 6453169, 34584016184, 0}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffbd30 ""
        use_heap = 0 '\0'
        retval = 0
#25 0x00000000007ba584 in do_cli (argc=5, argv=0x7fffffffdb08) at /usr/ports/lang/php5/work/php-5.4.6/sapi/cli/php_cli.c:988
        __orig_bailout = (sigjmp_buf *) 0x7fffffffd9e0
        __bailout = {{_sjb = {8100629, 5, 140737488343816, 140737488345504, 140737488345912, 140737488345864, 0, 0, 895, 8605600, 8605648, 0}}}
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffdd73 "/usr/local/bin/phpunit", opened_path = 0x0, handle = {fd = 33971248, fp = 0x802065c30, stream = {handle = 0x802065c30, isatty = 0, mmap = {len = 2031, pos = 0, map = 0x800b17000, buf = 0x800b17015 <Error reading address 0x800b17015: Bad address>, old_handle = 0x801f12d40, old_closer = 0x681d00 <zend_stream_stdio_closer>}, reader = 0x681cd0 <zend_stream_stdio_reader>, fsizer = 0x681d40 <zend_stream_stdio_fsizer>, closer = 0x681ea0 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        request_started = 1
        exit_status = 0
        php_optarg = 0x0
        orig_optarg = 0x0
        php_optind = 2
        orig_optind = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = 0x7fffffffdd73 "/usr/local/bin/phpunit"
        arg_excp = (char **) 0x7fffffffdb10
        script_file = 0x7fffffffdd73 "/usr/local/bin/phpunit"
        translated_path = 0x80d5d6260 "/usr/local/bin/phpunit"
        interactive = 0
        lineno = 2
        param_error = 0x0
        hide_argv = 0
#26 0x00000000007bb569 in main (argc=5, argv=0x7fffffffdb08) at /usr/ports/lang/php5/work/php-5.4.6/sapi/cli/php_cli.c:1364
        __orig_bailout = (sigjmp_buf *) 0x0
        __bailout = {{_sjb = {8107334, 5, 140737488345512, 140737488345776, 140737488345912, 140737488345864, 0, 0, 895, 5, 140737488345824, 140733193388032}}}
        c = -1
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x8020080f0 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
        ini_entries_len = 110
        ini_ignore = 0
        sapi_module = (sapi_module_struct *) 0xb16940

------------------------------------------------------------------------
