Search code examples
phpc++csegmentation-faultphp-extension

PHP Extension - Segfault With PHP Release Compile

I've written a PHP extension and I have really really weird segfault now.

It's ok if I run the test script by php test.php or php < test.php, but if I input exactly the same commands in the interactive mode (php -a), there will be a segfault.

46              char *_class_name = (char *)emalloc(_class_name_len);
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x000055555578f664 in _emalloc ()

I firstly thought that there may be some issues with the copy of PHP binaries from Launchpad and I compiled my own one. The configure command was './configure' '--prefix=/opt/php7-dbg' '--with-gd' '--with-mysqli' '--with-readline' '--with-curl'. (The optimizer argument was -O2.)

I got exactly the same issue again, but this time I could go further.

46              char *_class_name = (char *)emalloc(_class_name_len);
(gdb) s
_emalloc (size=4) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:2439
2439    {
(gdb) n
2442            if (UNEXPECTED(AG(mm_heap)->use_custom_heap)) {
(gdb) n
2450            return zend_mm_alloc_heap(AG(mm_heap), size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
(gdb) s
zend_mm_alloc_heap (size=4, heap=0x7fffef000040) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:1365
1365            if (size <= ZEND_MM_MAX_SMALL_SIZE) {
(gdb) n
1366                    ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
(gdb) s
zend_mm_small_size_to_bin (size=4) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:1211
1211            if (size <= 64) {
(gdb) n
1213                    return (size - !!size) >> 3;
(gdb) s
zend_mm_alloc_heap (size=<optimised out>, heap=0x7fffef000040) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:1366
1366                    ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
(gdb) s
zend_mm_alloc_small (bin_num=<optimised out>, size=<optimised out>, heap=0x7fffef000040) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:1286
1286                    size_t size = heap->size + bin_data_size[bin_num];
(gdb) n
1287                    size_t peak = MAX(heap->peak, size);
(gdb) n
1288                    heap->size = size;
(gdb) n
1289                    heap->peak = peak;
(gdb) n
1293            if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
(gdb) n
1295                    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) p bin_num
$1 = <optimised out>
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=<optimised out>, size=<optimised out>, heap=0x7fffef000040) at /home/frederick/Programming/C/php-7.0.6/Zend/zend_alloc.c:1295
1295                    heap->free_slot[bin_num] = p->next_free_slot;

The corresponding function in my code is:

static std::string bnode_object_get_class_name(zval *object) {
    char *ini_ns_key = estrdup("bencode.namespace");
    zend_bool ini_ns = zend_ini_long(ini_ns_key, strlen(ini_ns_key), 0);
    efree(ini_ns_key);
    size_t _class_name_len = ZSTR_LEN(Z_OBJ_P(object)->ce->name);

    // segfault line!
    char *_class_name = (char *)emalloc(_class_name_len);

    strcpy(_class_name, ZSTR_VAL(Z_OBJ_P(object)->ce->name));
    std::string class_name(_class_name);
    efree(_class_name);
    if (ini_ns) {
        return class_name.substr(8);
    } else {
        return class_name;
    }
}

I then knew which line produced the segfault and I'd like to solve the problem. So I immediately compiled a debug build of PHP (configure command: './configure' '--prefix=/opt/php7-dbg' '--with-gd' '--with-mysqli' '--with-readline' '--with-curl' '--enable-debug', optimizer: -O0).

But with the debug build, based on the same codes, the segfault's simply gone!

I'm not a quite experienced C/C++ developer and this is the first time that I've bumped into an issue like this. Please help, thanks a lot.

UPDATE

It seems that the problem was caused by a stupid mistake. The line, which caused segfault, should be 

char *_class_name = (char *)emalloc(_class_name_len + 1);

as C strings should be ended with '\0'

But why it's ok with the debug build?

Solution

  • My guess is that your program is crashing at strcpy, emalloc line is just the last one before crash. And there you really have an error and need to add +1 to emalloc because of 0 byte at the end of string.

    But you have complicated it too much. Since you are using C++, you can replace all the lines from size_t to efree (including them) with one line:

    std::string class_name(ZSTR_VAL(Z_OBJ_P(object)->ce->name), ZSTR_LEN(Z_OBJ_P(object)->ce->name));

    This is also crash-proof.

    Also, you complicated the beginning of function:

    char *ini_ns_key = estrdup("bencode.namespace"); zend_bool ini_ns = zend_ini_long(ini_ns_key, strlen(ini_ns_key), 0); efree(ini_ns_key);

    This should be written this way:

    zend_long ini_ns_long = zend_ini_long("bencode.namespace", strlen("bencode.namespace"), 0); bool ini_ns=(ini_ns_long!=0);