Bug 1152738

Summary: [abrt] php-fpm: zend_std_object_get_class_name(): php-fpm killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: php-xcacheAssignee: Remi Collet <fedora>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: fedora, jorton
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/9dd8c7f9ae9389add79fbce90045f03241de642d
Whiteboard: abrt_hash:b4f06cdffb67ab94e280b615a6b278d975a2c781
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-04 14:27:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages
none
xcache.patch
none
xcache.patch none

Description Mikhail 2014-10-14 20:13:56 UTC 
Description of problem:
Running this script twice:

<?php
	if(xcache_isset('boroda')) $a = xcache_get('boroda'); else $a = array();
	print_r($a);
	$db = new PDO('mysql:dbname=BPLnew;unix_socket=/var/lib/mysql/mysql.sock','root','');
	$a[] = $db->query("SELECT 1");
	xcache_set('boroda', $a, 3000);
?>

leads to crash

Version-Release number of selected component:
php-fpm-5.6.1-1.fc21

Additional info:
reporter:       libreport-2.2.3
backtrace_rating: 4
cmdline:        'php-fpm: pool mikhail' '' '' '' '' '' '' '' '' '' ''
crash_function: zend_std_object_get_class_name
executable:     /usr/sbin/php-fpm
kernel:         3.17.0-301.fc21.x86_64+debug
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 zend_std_object_get_class_name at /usr/src/debug/php-5.6.1/Zend/zend_object_handlers.c:1536
 #1 zend_print_zval_r_ex at /usr/src/debug/php-5.6.1/Zend/zend.c:420
 #2 print_hash at /usr/src/debug/php-5.6.1/Zend/zend.c:184
 #3 zend_print_zval_r_ex at /usr/src/debug/php-5.6.1/Zend/zend.c:409
 #4 zend_print_zval_r at /usr/src/debug/php-5.6.1/Zend/zend.c:395
 #5 zif_print_r at /usr/src/debug/php-5.6.1/ext/standard/basic_functions.c:5527
 #6 dtrace_execute_internal at /usr/src/debug/php-5.6.1/Zend/zend_dtrace.c:97
 #7 zend_do_fcall_common_helper_SPEC at /usr/src/debug/php-5.6.1/Zend/zend_vm_execute.h:560
 #8 execute_ex at /usr/src/debug/php-5.6.1/Zend/zend_vm_execute.h:363
 #9 dtrace_execute_ex at /usr/src/debug/php-5.6.1/Zend/zend_dtrace.c:73
Comment 1 Mikhail 2014-10-14 20:14:02 UTC 
Created attachment 947022 [details]
File: backtrace
Comment 2 Mikhail 2014-10-14 20:14:04 UTC 
Created attachment 947023 [details]
File: cgroup
Comment 3 Mikhail 2014-10-14 20:14:05 UTC 
Created attachment 947024 [details]
File: core_backtrace
Comment 4 Mikhail 2014-10-14 20:14:07 UTC 
Created attachment 947025 [details]
File: dso_list
Comment 5 Mikhail 2014-10-14 20:14:08 UTC 
Created attachment 947026 [details]
File: environ
Comment 6 Mikhail 2014-10-14 20:14:09 UTC 
Created attachment 947027 [details]
File: exploitable
Comment 7 Mikhail 2014-10-14 20:14:11 UTC 
Created attachment 947028 [details]
File: limits
Comment 8 Mikhail 2014-10-14 20:14:13 UTC 
Created attachment 947029 [details]
File: maps
Comment 9 Mikhail 2014-10-14 20:14:15 UTC 
Created attachment 947030 [details]
File: open_fds
Comment 10 Mikhail 2014-10-14 20:14:16 UTC 
Created attachment 947031 [details]
File: proc_pid_status
Comment 11 Mikhail 2014-10-14 20:14:18 UTC 
Created attachment 947032 [details]
File: var_log_messages
Comment 12 Remi Collet 2014-10-15 06:24:59 UTC 
First, this is not a PHP bug, so re-affecting to XCache.

Sorry but your code doesn't have any sense. You should not cache the query (PDOStatement) but the result of the Query.


Despite, XCache should not crash, and properly detect the error.

If you try 
   $a = $db->query("SELECT 1");
It will raise a fatal error
   Fatal error: xcache_set(): Objects cannot be stored in the variable cache.
   Use serialize before xcache_set in

But with 
  $a[] = $db->query("SELECT 1");
Xcache is unable to detect that the value cannot be cached.
Comment 13 Remi Collet 2014-10-15 06:26:10 UTC 
Created attachment 947099 [details]
xcache.patch

This patch seems to solve this issue anc correctly raise a fatal error with an array of objects.

Need to get upstream feedback.
Comment 14 Remi Collet 2014-10-15 06:31:36 UTC 
Upstream report: https://groups.google.com/forum/#!topic/xcache/vwlzkQBkeHI
Comment 15 Remi Collet 2014-10-15 07:42:03 UTC 
Created attachment 947116 [details]
xcache.patch

Improve previous, protect against recursion
Comment 16 Remi Collet 2014-11-04 14:27:28 UTC 
Closing as workaround (good code) exists, and this but have be reported upstream with a patch proposal. 

Even if it seems, upstream don't care of segfault on bad code.
Comment 17 Remi Collet 2015-07-04 07:53:35 UTC 
*** Bug 1238879 has been marked as a duplicate of this bug. ***