Ticket #55 (closed defect: fixed)

Opened 20 months ago

Last modified 13 months ago

xcache crashes php tokenizer on certain special situation

Reported by: judas_iscariote Owned by: moo
Priority: major Milestone: 1.2.2
Component: cacher Version: 1.2-dev
Keywords: Cc:
Blocked By: PHP Version:
Application: Need User Feedback: no
Other Exts: SAPI: Irrelevant
Probability: Always Blocking:

Description

xcache crashes php tokenizer, on a special situation, only with xcache_readonly_protection=On in both zts and non-zts mode.

Im yet to isolate shortly,currenlty I have only the backtrace. 

#0  0x00000000006df60f in lex_scan (zendlval=0x7fffaf90dd00, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_language_scanner.l:1310
1310            zendlval->value.str.len = strlen(func_name);
(gdb) bt full
#0  0x00000000006df60f in lex_scan (zendlval=0x7fffaf90dd00, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_language_scanner.l:1310
        func_name = 0x5a5a5a5a0000007b <Address 0x5a5a5a5a0000007b out of bounds>
        yy_current_state = 614
        yy_cp = 0x2b42fc5e3938 ""
        yy_bp = 0x2b42fc5e392c "__FUNCTION__"
        yy_act = 108
#1  0x000000000068c80b in tokenize (return_value=0x2b42fd0cb018, tsrm_ls=0x9f5030) at /home/cristian/php5/ext/tokenizer/tokenizer.c:314
        token = {value = {lval = 47566701869343, dval = 2.3501073279614979e-310, str = {
      val = 0x2b42fc5e391f "\n", ' ' <repeats 12 times>, "__FUNCTION__", len = 13}, ht = 0x2b42fc5e391f, obj = {handle = 4234033439,
      handlers = 0xd}}, refcount = 0, type = 0 '\0', is_ref = 127 '\177'}
        keyword = (zval *) 0x2b42fcace9f0
        token_type = 370
        destroy = 0 '\0'
#2  0x000000000068cfac in zif_token_get_all (ht=1, return_value=0x2b42fd0cb018, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x9f5030) at /home/cristian/php5/ext/tokenizer/tokenizer.c:498
        source = 0x2b42fc5de2e0 "<?php\n/**\n * ezcConsoleToolsOutputTest \n * \n * @package ConsoleTools\n * @subpackage Tests\n * @version 1.1.3\n * @copyright Copyright (C) 2005, 2006 eZ systems as. All rights reserved.\n * @license http:"...
        argc = 1
        source_len = 16622
        source_z = {value = {lval = 47566701866400, dval = 2.3501073278160943e-310, str = {
      val = 0x2b42fc5e2da0 "<?php\n/**\n * ezcConsoleToolsOutputTest \n * \n * @package ConsoleTools\n * @subpackage Tests\n * @version 1.1.3\n * @copyright Copyright (C) 2005, 2006 eZ systems as. All rights reserved.\n * @license http:"..., len = 16622}, ht = 0x2b42fc5e2da0, obj = {
      handle = 4234030496, handlers = 0x40ee}}, refcount = 0, type = 6 '\006', is_ref = 0 '\0'}
        original_lex_state = {buffer_state = 0x0, state = 0, in = 0x0, lineno = 0, filename = 0x0}
#3  0x000000000074506a in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffaf90e0d0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b42fb28dfd0
        original_return_value = (zval **) 0x9f5030
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0x2b42fb28df58
---Type <return> to continue, or q <return> to quit---
#4  0x00000000007462b5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffaf90e0d0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#5  0x00000000007449fd in execute (op_array=0x2b42fb28cf90, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b42fb28dfd0, function_state = {function_symbol_table = 0x0, function = 0xb41600, reserved = {
      0x2b42fb27dae8, 0x7fffaf90e110, 0x726fb09c0ebad7ed, 0x2b42fb208ea0}}, fbc = 0xb41600, op_array = 0x2b42fb28cf90, object = 0x0,
  Ts = 0x7fffaf90df10, CVs = 0x7fffaf90def0, original_in_execution = 1 '\001', symbol_table = 0x2b42fc54eea8,
  prev_execute_data = 0x7fffaf90f860, old_error_reporting = 0x0}
#6  0x0000000000745317 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffaf90f860, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b42fb1e0630
        original_return_value = (zval **) 0x7fffaf90fa50
        current_scope = (zend_class_entry *) 0x2b42fb27dab8
        current_this = (zval *) 0x2b42fb279cb0
        return_value_used = 1
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x2b42fb1e05b8
#7  0x00000000007462b5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffaf90f860, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#8  0x00000000007449fd in execute (op_array=0x2b42fb278878, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b42fb1e0630, function_state = {function_symbol_table = 0x2b42fc54eea8, function = 0x2b42fb28cf90,
    reserved = {0x8, 0x7fffaf90f8a0, 0x2b42fc554960, 0x7fffaf90f8f0}}, fbc = 0x2b42fb28cf90, op_array = 0x2b42fb278878,
  object = 0x2b42fb279cb0, Ts = 0x7fffaf90e310, CVs = 0x7fffaf90e270, original_in_execution = 1 '\001', symbol_table = 0x2b42fc5548c8,
  prev_execute_data = 0x7fffaf90faa0, old_error_reporting = 0x0}
#9  0x0000000000745317 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffaf90faa0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b42fb295510
        original_return_value = (zval **) 0x7fffaf90fe08
        current_scope = (zend_class_entry *) 0x2b42fb27dab8
        current_this = (zval *) 0x2b42fb279cb0
        return_value_used = 1
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x2b42fb295498
---Type <return> to continue, or q <return> to quit---
#10 0x00000000007462b5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffaf90faa0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#11 0x00000000007449fd in execute (op_array=0x2b42fb294eb0, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b42fb295510, function_state = {function_symbol_table = 0x2b42fc5548c8, function = 0x2b42fb278878,
    reserved = {0x8, 0x7fffaf90fae0, 0x2b42fc5546f8, 0x7fffaf90fb30}}, fbc = 0x2b42fb278878, op_array = 0x2b42fb294eb0,
  object = 0x2b42fb279cb0, Ts = 0x7fffaf90fa20, CVs = 0x7fffaf90fa00, original_in_execution = 1 '\001', symbol_table = 0x2b42fc554660,
  prev_execute_data = 0x7fffaf90feb0, old_error_reporting = 0x0}
#12 0x0000000000745317 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffaf90feb0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b42fb276aa8
        original_return_value = (zval **) 0x7fffaf90ffe8
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x2b42fb276a30
#13 0x00000000007462b5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffaf90feb0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#14 0x00000000007449fd in execute (op_array=0x2b42fb275c68, tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b42fb276aa8, function_state = {function_symbol_table = 0x2b42fc554660, function = 0x2b42fb294eb0,
    reserved = {0x2b42fb275da0, 0x7fffaf912570, 0x9f5030, 0x7fffaf90ff20}}, fbc = 0x2b42fb294eb0, op_array = 0x2b42fb275c68,
  object = 0x2b42fb279cb0, Ts = 0x7fffaf90fc70, CVs = 0x7fffaf90fc40, original_in_execution = 0 '\0', symbol_table = 0x9f9488,
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#15 0x0000000000718215 in zend_execute_scripts (type=8, tsrm_ls=0x9f5030, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1100
        files = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffaf910180, reg_save_area = 0x7fffaf9100b0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffaf912570
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#16 0x00000000006a2d35 in php_execute_script (primary_file=0x7fffaf912570, tsrm_ls=0x9f5030) at /home/cristian/php5/main/main.c:1781
        realfile = "/srv/www/htdocs/flyspray/compat.php\000lar_text\000\000\000\000\006\000\000\177\000\000�q\000\000\000\000\000strip_tags\---Type <return> to continue, or q <return> to quit---
000\000\000\000\000\000\006\000\000\177\000\000�q\000\000\000\000\000ltrim\000\000\000m\206\000\000\000\000\000�\001B+\000\000�\001B+\000\000\000\000\000\000\000\000\000\000�\000\000\000\000\000\020\001\000\000\000\000\000\000\200I\001B+\000\000�\001B+\000\000@\000\000\000\000\000\000\000\020\002\000\000\000\000\000\000\235i\000\000\000\000\000�024\221\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fffaf912420
        __bailout = {{__jmpbuf = {13, -69681406510797953, 0, 140736138913744, 0, 0, -69681406510806673, -69789443644300871},
    __mask_was_saved = 0, __saved_mask = {__val = {8809896, 47566693528520, 13, 140736138908336, 47566680651074, 8024600, 0, 11698912,
        11725152, 47566695774080, 32768, 47566695774080, 47566693883056, 13, 8024624, 0}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffaf9101a0 ""
        retval = 0
#17 0x00000000007a8c0d in main (argc=4, argv=0x7fffaf9127d8) at /home/cristian/php5/sapi/cli/php_cli.c:1108
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {13, -69681406510797281, 0, 140736138913744, 0, 0, -69681406510798001, -69789443643226079},
    __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 0, 140736138913072, 0, 0, 0, 0, 3941092235, 47566681744960,
        47566681746784, 281474976710656}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fffaf91329d "/home/cristian/public_html/flyspray/compat.php", opened_path = 0x0,
  handle = {fd = 12283136, fp = 0xbb6d00, stream = {handle = 0xbb6d00, reader = 0x733e88 <zend_stream_stdio_reader>,
      closer = 0x733eb8 <zend_stream_stdio_closer>, fteller = 0x733ee3 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffaf91329d "/home/cristian/public_html/flyspray/compat.php"
        arg_excp = (char **) 0x7fffaf9127f0
        script_file = 0x7fffaf91329d "/home/cristian/public_html/flyspray/compat.php"
        interactive = 0
        module_started = 1
---Type <return> to continue, or q <return> to quit---
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        compiler_globals = (zend_compiler_globals *) 0x9f5030
        executor_globals = (zend_executor_globals *) 0x9f5030
        core_globals = (php_core_globals *) 0x9f5030
        sapi_globals = (sapi_globals_struct *) 0x9f51d0
        tsrm_ls = (void ***) 0x9f5030
        ini_entries_len = 143

Im using 1.2 SVN branch with php 5.2.1-dev but reproduced in released 5.2.0 too .

I'll try to isolate a short script later today.

Change History

Changed 20 months ago by moo

  • status changed from new to assigned

Changed 14 months ago by moo

  • pending set

still reproducable?

Changed 14 months ago by judas_iscariote

  • pending unset

sorry for the lack of feedback, I 'll try again and post results-reproduce code within this weekend.

Changed 14 months ago by moo

thanks, as it's rare for a production server to use tokenizer, i think it ok to release before this issue is address, in case when time's up

Changed 13 months ago by moo

  • milestone changed from 1.2.1 to 1.2.2

Changed 13 months ago by judas_iscariote

  • status changed from assigned to closed
  • resolution set to fixed
  • sapi set to Irrelevant
  • probability set to Always

this is fixed in changeset:444 and changeset:446 after some IRC debugging session ;-)

Note: See TracTickets for help on using tickets.