php (interpreter): SIGSEV on ZEND_MM_IS_FREE_BLOCK(next_block)

eantoranz · 08-03-2012, 11:05 AM

Hi!

I'm hacking the PHP interpreter. I want it to be able to get files that I have loaded into memory.

I create the php_streams by hand for them inside PHPAPI php_stream *_php_stream_fopen_with_path (in plain_wrapper.c).

The problem I'm facing is that I get a SIGSEV here:

Code:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x84241d8, p=0x85197c0) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_alloc.c:1978
1978            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) backtrace
#0  _zend_mm_free_int (heap=0x84241d8, p=0x85197c0) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_alloc.c:1978
#1  0x082adcd0 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcbdc) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2111
#2  0x082ec658 in execute (op_array=0x84e4e5c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:92
#3  0x082adc34 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcd1c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2104
#4  0x082ec658 in execute (op_array=0x84e4bf4) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:92
#5  0x08285089 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend.c:1134
#6  0x082421ff in php_execute_script (primary_file=0xbffff0d4) at /home/antoranz/Descargas/php/php-5.2.17/main/main.c:2036
#7  0x080884c7 in main (argc=2, argv=0xbffff1f4) at /home/antoranz/Descargas/php/php-5.2.17/sapi/cli/php_cli.c:1165

By the way, this is php 5.2.17 (I will move my hacks to later versions when we move our php code base to those later versions).

Keep in mind I'm probably been not the most neat guy in order to create the php_stream I use to read the file from memory so perhaps I'm skipping a needed step in that regard.

Thanks in advance.

eantoranz · 08-03-2012, 11:18 AM

Following this guide from php [a]https://bugs.php.net/bugs-generating-backtrace.php[/a] I have found that in the last execute(), the value they print in debug is 0x0:

Code:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x84241d8, p=0x85197c0) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_alloc.c:1978
1978            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) backtrace
#0  _zend_mm_free_int (heap=0x84241d8, p=0x85197c0) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_alloc.c:1978
#1  0x082adcd0 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcbdc) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2111
#2  0x082ec658 in execute (op_array=0x84e4e5c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:92
#3  0x082adc34 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcd1c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2104
#4  0x082ec658 in execute (op_array=0x84e4bf4) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:92
#5  0x08285089 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend.c:1134
#6  0x082421ff in php_execute_script (primary_file=0xbffff0d4) at /home/antoranz/Descargas/php/php-5.2.17/main/main.c:2036
#7  0x080884c7 in main (argc=2, argv=0xbffff1f4) at /home/antoranz/Descargas/php/php-5.2.17/sapi/cli/php_cli.c:1165
(gdb) frame 2
#2  0x082ec658 in execute (op_array=0x84e4e5c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x0

What does that mean?

eantoranz · 08-03-2012, 03:53 PM

What does mm_block represent?

Code:

(gdb) print size
$21 = 1936877892
(gdb) print mm_block
$22 = (zend_mm_block *) 0x85197b8
(gdb) print *mm_block
$23 = {info = {_size = 1936877894, _prev = 2036473972}}

Is it important that there is a difference between size and mm_block->info._size?

eantoranz · 08-03-2012, 04:06 PM

I'm wondering.... in order to create my dynamic structures I'm using malloc. Do I have to use a different function to allocate memory in php?

Thanks in advance.

eantoranz · 08-03-2012, 04:23 PM

_malloc/_efree? Now I get a sigsegv but in a different spot:

Code:

(gdb) backtrace
#0  0xb7d4b2c0 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1  0x08253408 in _php_stream_read (stream=0x84e5078, buf=0x8b004e8 "", size=8192) at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  0x08296ff1 in zend_stream_read (file_handle=0xbfffcbd8, buf=0x8b004e8 "", len=8192) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_stream.c:121
#3  0x08266f99 in yy_get_next_buffer () at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_language_scanner.c:5850
#4  lex_scan (zendlval=0xbfffc97c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_language_scanner.c:5685
#5  0x08274f3f in zendlex (zendlval=0xbfffc978) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_compile.c:4196
#6  0x08260d4f in zendparse () at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_language_parser.c:2946
#7  0x082652cf in compile_file (file_handle=0xbfffcbd8, type=8) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_language_scanner.c:3420
#8  0x08264d0e in compile_filename (type=8, filename=0x84e4d8c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_language_scanner.c:3465
#9  0x082ade58 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbfffcd1c) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:2074
#10 0x082ec728 in execute (op_array=0x84e4bf4) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend_vm_execute.h:91
#11 0x08285159 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/antoranz/Descargas/php/php-5.2.17/Zend/zend.c:1134
#12 0x08242296 in php_execute_script (primary_file=0xbffff0d4) at /home/antoranz/Descargas/php/php-5.2.17/main/main.c:2052
#13 0x080884b7 in main (argc=2, argv=0xbffff1f4) at /home/antoranz/Descargas/php/php-5.2.17/sapi/cli/php_cli.c:1165