Crash in _get_zval_ptr_ptr_var

Bug #1236733 reported by Paul Gauret
This bug affects 3 people
Affects          Status        Importance  Assigned to  Milestone
php              Unknown       Unknown
php5 (Ubuntu)    Fix Released  High        Unassigned

Bug Description

Hello,

I'm getting a systematic php segmentation fault when accessing my Zenphoto http://www.zenphoto.org/ album (fresh install).

The following php packages are installed on the system (Saucy).

ii libapache2-mod-php5 5.5.3+dfsg-1ubuntu1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii php5 5.5.3+dfsg-1ubuntu1 all server-side, HTML-embedded scripting language (metapackage)
ii php5-common 5.5.3+dfsg-1ubuntu1 amd64 Common files for packages built from the php5 source
ii php5-gd 5.5.3+dfsg-1ubuntu1 amd64 GD module for php5
ii php5-mysql 5.5.3+dfsg-1ubuntu1 amd64 MySQL module for php5

The same code/config combo runs fine with php 5.3.10 on another server. It also runs fine with PHP 5.5.4 from ppa:chris-lea/php5.5.

In apache's log I only get:

[Tue Oct 08 09:48:36.746162 2013] [core:notice] [pid 8891] AH00052: child pid 8896 exit signal Segmentation fault (11)

After enabling core dumps, I could get a backtrace:

(gdb) bt
#0 zval_delref_p (pz=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/Zend/zend.h:409
#1 zend_pzval_unlock_func (unref=1, should_free=<synthetic pointer>, z=0x0) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_execute.c:72
#2 _get_zval_ptr_ptr_var (should_free=<synthetic pointer>, execute_data=0x7fddc2d28b28, var=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_execute.c:384
#3 ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x7fddc2d28b28) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_vm_execute.h:14783
#4 0x00007fddbb473928 in execute_ex (execute_data=0x7fddc2d28b28) at /build/buildd/php5-5.5.3+dfsg/Zend/zend_vm_execute.h:356
#5 0x00007fddbb44b760 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /build/buildd/php5-5.5.3+dfsg/Zend/zend.c:1316
#6 0x00007fddbb3eba95 in php_execute_script (primary_file=primary_file@entry=0x7fff77a9be20) at /build/buildd/php5-5.5.3+dfsg/main/main.c:2484
#7 0x00007fddbb4fb8ca in php_handler (r=<optimized out>) at /build/buildd/php5-5.5.3+dfsg/sapi/apache2handler/sapi_apache2.c:667
#8 0x00007fddc2f1f320 in ap_run_handler ()
#9 0x00007fddc2f1f6f9 in ap_invoke_handler ()
#10 0x00007fddc2f3458a in ap_process_async_request ()
#11 0x00007fddc2f34874 in ap_process_request ()
#12 0x00007fddc2f31302 in ?? ()
#13 0x00007fddc2f28210 in ap_run_process_connection ()
#14 0x00007fddbbe1a767 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#15 0x00007fddbbe1a9a6 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#16 0x00007fddbbe1aa06 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#17 0x00007fddbbe1b6f0 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#18 0x00007fddc2f064ae in ap_run_mpm ()
#19 0x00007fddc2effc66 in main ()

I also get the same segfault when running php in CGI mode.

Robie Basak (racb) wrote:

Thank you for reporting this bug and helping to make Ubuntu better.

This could be upstream bug https://bugs.php.net/bug.php?id=65510 fixed in http://git.php.net/?p=php-src.git;a=commitdiff;h=5015c4af6c1d2af992e0525f10e93b01043730e1 but it isn't clear without a test case. Do you have a minimal test case we can use to test proposed fixes, please?

Robie Basak (racb) wrote:

In fact, there's a test case in the commit. What I want to understand is if this patch fixes your problem.

Paul Gauret (pgauret) wrote:

Thank you so much for your help.

I've rebuilt the package with the patch you mentioned applied. This appears to have solved the issue, and Zenphoto is now running fine.

Robie Basak (racb)
Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → High
summary: - php 5.5.3 segfault
+ Crash in _get_zval_ptr_ptr_var
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.5.3+dfsg-1ubuntu2

---------------
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low

  * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
    segfault (LP: #1236733).
 -- Robie Basak <email address hidden> Wed, 09 Oct 2013 11:29:29 +0000

Changed in php5 (Ubuntu):
status: Triaged → Fix Released