From:             joffrey at ne2000 dot nl
Operating system: Linux
PHP version:      5.3.0RC1
PHP Bug Type:     SNMP related
Bug description:  SNMP functions cause segfault

Description:
------------
Using SNMP will cause a segfault.
Tested with 5.2.9, 5.3.0RC1 and 5.3CVS(2009-05-02).

PHP 5.2.9: works correctly
5.3.0RC1 and 5.3CVS: broken

This issue could be related to #45405.

Tested using cli using -n on a clean install of CentOS5.2 x86_64 with all
updates and required development libs and removed all non-x86_64
arch-specific packages.

Compiled with: --enable-debug --enable-snmp=/usr

Reproduce code:
---------------
echo snmpget('localhost', 'public', 'sysDescr.0');

Expected result:
----------------
STRING: Linux phptest 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:10:25 EDT 2009 x86_64

Actual result:
--------------
[r...@phptest cli]# gdb ./php
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) run -n -r "echo snmpget('localhost', 'public', 'sysDescr.0');"
Starting program: /root/php-5.3.0RC1/sapi/cli/php -n -r "echo snmpget('localhost', 'public', 'sysDescr.0');"
[Thread debugging using libthread_db enabled]
[New Thread 0x2b88b101a7c0 (LWP 20328)]
*** glibc detected *** /root/php-5.3.0RC1/sapi/cli/php: double free or corruption (!prev): 0x000000000ee53200 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c94e71ce2]
/lib64/libc.so.6(cfree+0x8c)[0x3c94e7590c]
/root/php-5.3.0RC1/sapi/cli/php[0x5f433f]
/root/php-5.3.0RC1/sapi/cli/php[0x5f5146]
/root/php-5.3.0RC1/sapi/cli/php[0x5f5194]
/root/php-5.3.0RC1/sapi/cli/php[0x7cc762]
/root/php-5.3.0RC1/sapi/cli/php[0x7d21c5]
/root/php-5.3.0RC1/sapi/cli/php(execute+0x333)[0x7cb9ae]
/root/php-5.3.0RC1/sapi/cli/php(zend_eval_string+0x1b5)[0x78d204]
/root/php-5.3.0RC1/sapi/cli/php(zend_eval_string_ex+0x28)[0x78d3af]
/root/php-5.3.0RC1/sapi/cli/php[0x885f4f]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3c94e1d974]
/root/php-5.3.0RC1/sapi/cli/php(realloc+0x481)[0x41e279]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0x0000003c94e30215 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003c94e30215 in raise () from /lib64/libc.so.6
#1  0x0000003c94e31cc0 in abort () from /lib64/libc.so.6
#2  0x0000003c94e6a7fb in __libc_message () from /lib64/libc.so.6
#3  0x0000003c94e71ce2 in _int_free () from /lib64/libc.so.6
#4  0x0000003c94e7590c in free () from /lib64/libc.so.6
#5  0x00000000005f433f in php_snmp_internal (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, session=0x7ffff9ec0e00, objid=0xee300e8 "sysDescr.0", type=0 '\0', value=0x0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:658
#6  0x00000000005f5146 in php_snmp (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, version=0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:854
#7  0x00000000005f5194 in zif_snmpget (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:862
#8  0x00000000007cc762 in zend_do_fcall_common_helper_SPEC (execute_data=0x2b88b4899090)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:313
#9  0x00000000007d21c5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b88b4899090)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:1616
#10 0x00000000007cb9ae in execute (op_array=0xee2f700)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:104
#11 0x000000000078d204 in zend_eval_string (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code")
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1157
#12 0x000000000078d3af in zend_eval_string_ex (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code", handle_exceptions=1)
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1192
#13 0x0000000000885f4f in main (argc=4, argv=0x7ffff9ec1878)
    at /root/php-5.3.0RC1/sapi/cli/php_cli.c:1198
(gdb) frame 0
#0  0x0000003c94e30215 in raise () from /lib64/libc.so.6
(gdb) frame 1
#1  0x0000003c94e31cc0 in abort () from /lib64/libc.so.6
(gdb) frame 2
#2  0x0000003c94e6a7fb in __libc_message () from /lib64/libc.so.6
(gdb) frame 3
#3  0x0000003c94e71ce2 in _int_free () from /lib64/libc.so.6
(gdb) frame 4
#4  0x0000003c94e7590c in free () from /lib64/libc.so.6
(gdb) frame 5
#5  0x00000000005f433f in php_snmp_internal (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, session=0x7ffff9ec0e00, objid=0xee300e8 "sysDescr.0", type=0 '\0', value=0x0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:658
658     snmp_free_pdu(pdu);
(gdb) frame 6
#6  0x00000000005f5146 in php_snmp (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, version=0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:854
854     php_snmp_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, st, &session, a3, type, value);
(gdb) frame 7
#7  0x00000000005f5194 in zif_snmpget (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:862
862     php_snmp(INTERNAL_FUNCTION_PARAM_PASSTHRU,SNMP_CMD_GET, SNMP_VERSION_1);
(gdb) frame 8
#8  0x00000000007cc762 in zend_do_fcall_common_helper_SPEC (execute_data=0x2b88b4899090)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:313
313     ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
(gdb) frame 9
#9  0x00000000007d21c5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b88b4899090)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:1616
1616    return zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 10
#10 0x00000000007cb9ae in execute (op_array=0xee2f700)
    at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:104
104     if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) frame 11
#11 0x000000000078d204 in zend_eval_string (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code")
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1157
1157    zend_execute(new_op_array TSRMLS_CC);
(gdb) frame 12
#12 0x000000000078d3af in zend_eval_string_ex (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code", handle_exceptions=1)
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1192
1192    result = zend_eval_string(str, retval_ptr, string_name TSRMLS_CC);
(gdb) frame 13
#13 0x0000000000885f4f in main (argc=4, argv=0x7ffff9ec1878)
    at /root/php-5.3.0RC1/sapi/cli/php_cli.c:1198
1198    if (zend_eval_string_ex(exec_direct, NULL, "Command line code", 1 TSRMLS_CC) == FAILURE) {
(gdb)

--
Edit bug report at http://bugs.php.net/?id=48133&edit=1