php-ds / ext-ds

An extension providing efficient data structures for PHP 7
https://medium.com/p/9dda7af674cd
MIT License

Segmentation fault in ds_vector_from_buffer #153

Closed enumag closed 3 years ago

enumag commented 4 years ago

Originally reported at https://bugs.php.net/bug.php?id=79938

Note that the segfault does happen without xdebug as well (I just don't get the stacktrace that way).

Unfortunately it's not something I can easily reproduce. It just happens occasionally in our long-running process. Therefore I'm unable to give you a simple reproducing script unfortunately.

Stack trace:

 #0  0x000055799417898d in _emalloc ()
 No symbol table info available.
 #1  0x000055799417980b in _ecalloc ()
 No symbol table info available.
 #2  0x00007f263ec59ac2 in ds_vector_from_buffer (buffer=buffer@entry=0x7f263bef5380, capacity=8, size=2) at /tmp/pear/temp/ds/src/ds/ds_vector.c:59
         vector = <optimized out>
 #3  0x00007f263ec5aaaa in ds_vector_map (vector=0x7f2639f28a38, fci=..., fci_cache=...) at /tmp/pear/temp/ds/src/ds/ds_vector.c:579
         retval = {value = {lval = 139802148938816, dval = 6.9071439005450267e-310, counted = 0x7f26396d2440, str = 0x7f26396d2440, arr = 0x7f26396d2440, obj = 0x7f26396d2440, res = 0x7f26396d2440, ref = 0x7f26396d2440, ast = 0x7f26396d2440, zv = 0x7f26396d2440, ptr = 0x7f26396d2440, ce = 0x7f26396d2440, func = 0x7f26396d2440, ww = {w1 = 963454016, w2 = 32550}}, u1 = {v = {type = 6 '\006', type_flags = 1 '\001', u = {extra = 0}}, type_info = 262}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}
         value = <optimized out>
         buffer = 0x7f263bef5380
         target = <optimized out>
 #4  0x00007f263ec65a4d in zim_Vector_map (execute_data=0x7f264f215150, return_value=0x7f264f2150b0) at /tmp/pear/temp/ds/src/php/classes/php_vector_ce.c:134
         _v = <optimized out>
         fci = {size = 56, function_name = {value = {lval = 139802149083328, dval = 6.9071439076848682e-310, counted = 0x7f26396f58c0, str = 0x7f26396f58c0, arr = 0x7f26396f58c0, obj = 0x7f26396f58c0, res = 0x7f26396f58c0, ref = 0x7f26396f58c0, ast = 0x7f26396f58c0, zv = 0x7f26396f58c0, ptr = 0x7f26396f58c0, ce = 0x7f26396f58c0, func = 0x7f26396f58c0, ww = {w1 = 963598528, w2 = 32550}}, u1 = {v = {type = 8 '\b', type_flags = 3 '\003', u = {extra = 0}}, type_info = 776}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}, retval = 0x0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
         fci_cache = {function_handler = 0x7f26396f58f8, calling_scope = 0x7f263ad97b28, called_scope = 0x7f263ad97b28, object = 0x0}
 #5  0x00007f264e92d4f5 in xdebug_execute_internal (current_execute_data=0x7f264f215150, return_value=0x7f264f2150b0) at ./build-7.4/src/base/base.c:466
         edata = <optimized out>
         fse = 0x557995aa5d30
         function_nr = 115239821
         function_call_traced = 0
         restore_error_handler_situation = 0
         tmp_error_cb = 0x0
 #6  0x0000557993feffe3 in ?? ()
 No symbol table info available.
 #7  0x000055799422438b in execute_ex ()
 No symbol table info available.
 #8  0x00007f264e92cb6c in xdebug_execute_ex (execute_data=0x7f264f215020) at ./build-7.4/src/base/base.c:380
         op_array = 0x7f263ad851c0
         edata = <optimized out>
         fse = 0x557995a51600
         xfse = <optimized out>
         function_nr = 115239820
         le = <optimized out>
         code_coverage_function_name = 0x0
         code_coverage_file_name = 0x0
         code_coverage_init = 0

rtheunissen commented 4 years ago

I will look into this asap, thank you for the stack trace.

rtheunissen commented 3 years ago

@enumag this should be fixed and released now.