LinuxQuestions.org


eantoranz 08-06-2012 10:43 AM

php (interpreter): sigsegv with empty backtrace
 
Hi!

I'm hacking php (the interpreter). I've got it to almost do what I need (getting some php files from memory instead of FS).

Now, the problem is that I'm getting a sigsegv and the backtrace is basically empty:

Code:

Program received signal SIGSEGV, Segmentation fault.
0x0000004d in ?? ()
(gdb) backtrace
#0  0x0000004d in ?? ()

That's when running php from cli. In apache I get the same kind of sigsegv stuff in the error log:

Code:

[Mon Aug 06 10:32:06 2012] [notice] child pid 10088 exit signal Segmentation fault (11)

Could anybody tell me what's going on? Thanks in advance.

NevemTeve 08-06-2012 11:14 AM

You managed to overwrite the stack:(

eantoranz 08-06-2012 11:17 AM

No kidding!

eantoranz 08-06-2012 02:18 PM

This has been a great crash course for using gdb. I'm "stepping" and I think I got very close to the moment when the sigsegv is thrown.

I think the signal is thrown within the next two or three next's.

Code:

(gdb) bt full
#0  ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcbdc) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2143
        opline = <optimized out>
        new_op_array = <optimized out>
        original_return_value = 0xbfffcce4
        return_value_used = 0
        inc_filename = <optimized out>
        tmp_inc_filename = {value = {lval = 7, dval = 5.0055584978380607e-270, str = {val = 0x7 <Address 0x7 out of bounds>, len = 134555584}, ht = 0x7, obj = {handle = 7,
              handlers = 0x80527c0}}, refcount = 3221211496, type = 116 't', is_ref = 250 '\372'}
        failure_retval = <optimized out>
#1  0x0830eeb8 in execute (op_array=0x8537454) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:95
        execute_data = {opline = 0x85377f8, function_state = {function_symbol_table = 0x0, function = 0x8537454, reserved = {0x82759d0, 0x8262010, 0x8262000, 0x0}}, fbc = 0x0,
          op_array = 0x8537454, object = 0x0, Ts = 0xbfffc940, CVs = 0xbfffc930, original_in_execution = 1 '\001', symbol_table = 0x846fe50, prev_execute_data = 0xbfffcd1c,
          old_error_reporting = 0x0}
#2  0x082d03e4 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcd1c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2107
        saved_object = 0x0
        saved_function = <optimized out>
        opline = 0x8537368
        new_op_array = 0x8537454
        original_return_value = 0xbfffcda0
        return_value_used = 0
        inc_filename = <optimized out>
        tmp_inc_filename = {value = {lval = 7, dval = 6.3659873732416629e-313, str = {val = 0x7 <Address 0x7 out of bounds>, len = 30}, ht = 0x7, obj = {handle = 7,
              handlers = 0x1e}}, refcount = 138296164, type = 211 '\323', is_ref = 65 'A'}
        failure_retval = <optimized out>
#3  0x0830eeb8 in execute (op_array=0x85371fc) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:95
        execute_data = {opline = 0x8537368, function_state = {function_symbol_table = 0xb7d7b980, function = 0x8537454, reserved = {0x1e, 0xb7c3e758, 0xb7d7b980, 0x83e3b64}},
          fbc = 0x0, op_array = 0x85371fc, object = 0x0, Ts = 0xbfffcce0, CVs = 0xbfffccd0, original_in_execution = 0 '\000', symbol_table = 0x846fe50, prev_execute_data = 0x0,
          old_error_reporting = 0x0}
#4  0x082a780a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend.c:1140
        files = 0xbfffcde4 ""
        i = <optimized out>
        file_handle = <optimized out>
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        local_retval = 0x0
#5  0x082648db in php_execute_script (primary_file=0xbffff0d4) at /home/antoranz/Descargas/php/php-5.2.17/main/main.c:2039
        realfile = "/home/antoranz/proyectos/sanos/repo/local/prueba.php", '\000' <repeats 2004 times>, "Mv\376\267\257˾\267\304\344ܷ", '\000' <repeats 20 times>, "\002\000\000\000F\342ܷ\020\245۷\000\000\000\000\364\357\377\267\024̽\267\n\000\000\000L\251۷\234|\376\267", '\000' <repeats 12 times>, "Mv\376\267-̾\267\033\345ܷ\000\000\000\000L\251۷", '\000' <repeats 12 times>, "\f\000\000\000\220u\202\r\363\003\000\000\000\000\000\000\310(\276\267\310\327\275\267<\235\377\267\070\336\275\267\234|\376\267\000\000\000\000\021\360ķ\000\000\000\000\000\000\000\000\001\000\000\000\021\360ķP\223\275\267X\245۷\341ZܷXq\276\267\270\345۷\001\000\000\000S\325r~I\345ķ\001\000\000\000\020'\000\000H\000\000\000I\345ķx\264"...
        __orig_bailout = 0xbfffef78
        __bailout = {{__jmpbuf = {1, 1, -1073750280, -1073746168, -111239871, 1246479918}, __mask_was_saved = 0, __saved_mask = {__val = {0, 10000, 48, 0, 134633872, 138699680,
                40, 3083112830, 0, 3082675240, 0, 0, 134888, 3084365812, 3084368416, 3083065202, 3084368416, 3086952096, 138910112, 3083065088, 3084365812, 139639320, 138869736,
                137425312, 3084368416, 0, 40, 3083148604, 3084365812, 139639320, 138869736, 136752535}}}}
        prepend_file_p = 0x0
        append_file_p = <optimized out>
        prepend_file = {type = 0 '\000', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0,
              interactive = 0}}, free_filename = 0 '\000'}
        append_file = {type = 0 '\000', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0,
              interactive = 0}}, free_filename = 0 '\000'}
        old_cwd = 0xbfffcdf0 ""
        retval = 0
#6  0x0808bc89 in main (argc=2, argv=0xbffff1f4) at /home/antoranz/Descargas/php/php-5.2.17/sapi/cli/php_cli.c:1170
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1210601484, 110, 2, -1073745576, -115663551, 396177966}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 3086906957, 3082734511,
                134740059, 0, 0, 0, 3086906511, 3086757888, 2, 134639817, 3084625168, 3087003636, 3087003636, 3082673200, 10, 3084626252, 3086908572, 0, 0, 0, 0, 0, 0, 0,
                3084626252, 0, 0, 0}}}}
        exit_status = 0
        c = <optimized out>
        file_handle = {type = 2 '\002', filename = 0xbffff3c3 "/var/www/sanoslocal/prueba.php", opened_path = 0x0, handle = {fd = 139901480, fp = 0x856ba28, stream = {
              handle = 0x856ba28, reader = 0x82b9500 <zend_stream_stdio_reader>, closer = 0x82b94e0 <zend_stream_stdio_closer>, fteller = 0x82b94d0 <zend_stream_stdio_fteller>,
              interactive = 0}}, free_filename = 0 '\000'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        interactive = <optimized out>
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <optimized out>
        hide_argv = 0
        ini_entries_len = <optimized out>

Is frame 0's tmp_inc_filename->value->str->val the problem?

NevemTeve 08-06-2012 04:32 PM

Perhaps. You are the only one who could decide -- but first turn off optimization: -O0
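As an added example (not code from the thread), a small C triage of the zval fields gdb printed in frames 0 and 2 above: PHP 5.2's type codes are a fixed small set, is_ref is a boolean and refcount is a small count, so values such as type=116 or refcount=3221211496 (0xbfffc968, an address inside the stack window shown by the other frames) cannot belong to a live zval. The stack window and the sample values are assumptions taken from the dump; an uninitialized local looks just as garbled, so a flagged field is a lead to confirm with a watchpoint at -O0, not proof of an overwrite.

```c
/* Added example, not from the thread: sanity-checks the fields of a PHP 5.2
 * zval as gdb printed them in "bt full", to tell which fields cannot hold a
 * legitimate value. Type codes are those of PHP 5.2's Zend/zend.h; the stack
 * window is an assumption based on the 0xbfffxxxx pointers in the dump. */
#include <stdint.h>
#include <stdio.h>

enum { IS_NULL, IS_LONG, IS_DOUBLE, IS_BOOL, IS_ARRAY, IS_OBJECT,
       IS_STRING, IS_RESOURCE, IS_CONSTANT, IS_CONSTANT_ARRAY };

/* The zval fields in the order gdb printed them (32-bit build). */
struct zval_dump {
    uint32_t str_val;   /* value.str.val as a 32-bit pointer */
    uint32_t refcount;
    unsigned type;
    unsigned is_ref;
};

/* Assumed 32-bit Linux stack window, taken from the frames in the dump. */
#define STACK_LO 0xbff00000u
#define STACK_HI 0xc0000000u

enum { BAD_TYPE = 1, BAD_IS_REF = 2, BAD_REFCOUNT = 4,
       REFCOUNT_IS_STACK_PTR = 8, BAD_STR_PTR = 16 };

static int looks_like_stack_address(uint32_t v) {
    return v >= STACK_LO && v < STACK_HI;
}

/* Returns a bitmask of fields that no live zval could legitimately hold. */
int triage_zval(const struct zval_dump *z) {
    int flags = 0;
    if (z->type > IS_CONSTANT_ARRAY) flags |= BAD_TYPE;
    if (z->is_ref > 1) flags |= BAD_IS_REF;
    /* A refcount in the tens of millions or more is a pointer, not a count. */
    if (z->refcount == 0 || z->refcount > 0x00ffffffu) flags |= BAD_REFCOUNT;
    if (looks_like_stack_address(z->refcount)) flags |= REFCOUNT_IS_STACK_PTR;
    /* Only meaningful for strings: a pointer below the first page is unmapped. */
    if (z->type == IS_STRING && z->str_val < 0x1000u) flags |= BAD_STR_PTR;
    return flags;
}

int main(void) {
    /* Constructed from the thread's bt full output (frames 0 and 2). */
    const struct zval_dump frame0 = { 0x7, 3221211496u, 116, 250 };
    const struct zval_dump frame2 = { 0x7, 138296164u, 211, 65 };
    printf("frame0 flags=0x%x refcount=0x%08x\n", triage_zval(&frame0), frame0.refcount);
    printf("frame2 flags=0x%x refcount=0x%08x\n", triage_zval(&frame2), frame2.refcount);
    return 0;
}
```

Frame 2's refcount decodes to 0x083e3b64, the same value that sits in frame 3's reserved[] array, so both zvals hold copies of neighbouring stack slots rather than counts.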

eantoranz 08-06-2012 04:41 PM

Well... I'll keep that trick in mind next time I face something like this. It took me some hours but thanks to gdb I was able to get to the place where the brown thing was hitting the fan and I hacked it to support our own PHP hacks (that I think are causing the whole problem).

Thanks for your kind help, anyway.

