php / php-src

The PHP Interpreter
https://www.php.net

There is a core dump when running "php-cgi -i" on mips device #14567

Open VerifyL opened 5 months ago

VerifyL commented 5 months ago

Description

The following code:

Running "php-cgi -i" on mips device

Resulted in this output:

<tr><td class="e">TERM </td><td class="v">vt100 </td></tr>
<tr><td class="e">SHELL </td><td class="v">/bin/bash </td></tr>
<tr><td class="e">OLDPWD </td><td class="v">/ </td></tr>
<tr><td class="e">USER </td><td class="v">admin </td></tr>
<tr><td class="e">PROMPTLENGTH </td><td class="v">11 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_SESS_IDX </td><td class="v">0 </td></tr>
<tr><td class="e">ALIASES </td><td class="v">sh=&quot;show&quot; </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD0 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">PATH </td><td class="v">/flash:/bin:/sbin:/usr/bin:/usr/sbin </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD1 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD2 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD3 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">PWD </td><td class="v">/flash </td></tr>
<tr><td class="e">PS1 </td><td class="v">TAURUS #-&gt;  </td></tr>
<tr><td class="e">HISTIGNORE </td><td class="v">&amp;:*password* </td></tr>
<tr><td class="e">PS2 </td><td class="v">(Continue command from previous line or Ctrl/C) -&gt;  </td></tr>
<tr><td class="e">HOME </td><td class="v">/flash </td></tr>
<tr><td class="e">SHLVL </td><td class="v">2 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AAA_OPTS </td><td class="v">0 </td></tr>
<tr><td class="e">LOGNAME </td><td class="v">admin </td></tr>
<tr><td class="e">PROMPT_COMMAND </td><td class="v">stty echo icrnl &amp;&amp; setPrompt </td></tr>
<tr><td class="e">_ </td><td class="v">./php-cgi </td></tr>
</table>
<h2>PHP Variables</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>

Fri Jun 14 02:47:57 : COREDUMPER  ALRM message:
Segmentation fault (core dumped)

_emalloc_48 will cause the panic, and is there any solution for it?

But I expected this output instead:

Normal running 

PHP Version

PHP 8.3.4

Operating System

linux 4.4 and arch is mips

devnexen commented 5 months ago

Thanks for your report, would you be able to give a backtrace eventually ?

VerifyL commented 5 months ago

> Thanks for your report, would you be able to give a backtrace eventually ?

GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)...done.
[New LWP 4670]
Failed to read a valid object file image from memory.
Core was generated by `php-cgi -i'.
Program terminated with signal 11, Segmentation fault.
#0  0x55972c6c in _emalloc_48 ()
(gdb) bt
#0  0x55972c6c in _emalloc_48 ()
#1  0x559c7bd0 in _zend_new_array_0 ()
#2  0x559294c0 in ?? ()
warning: GDB can't find the start of the function at 0x559294be.

devnexen commented 5 months ago

Is your php instance compiled from source ? if yes, it would be helpful to compile with debug symbols enabled (--enable-debug configure option).

VerifyL commented 5 months ago

> Is your php instance compiled from source ? if yes, it would be helpful to compile with debug symbols enabled (--enable-debug configure option).

When adding the debug symbol, the backtrace is as below:

GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)...done.
[New LWP 4622]
Failed to read a valid object file image from memory.
Core was generated by `php-cgi -i'.
Program terminated with signal 11, Segmentation fault.
#0  0x55ce5014 in zend_hash_find ()
(gdb) bt
#0  0x55ce5014 in zend_hash_find ()
#1  0x55c91c9c in zend_is_auto_global ()
#2  0x55e31000 in ?? ()
warning: GDB can't find the start of the function at 0x55e30ffe.

devnexen commented 5 months ago

does not seem to be the case because

...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)
...

Note that you do not need to replace the installed binary in /flash/pmd/bin, just running the instance sapi/cgi/php-cgi -i from your source directory should do.

VerifyL commented 5 months ago

> does not seem to be the case because
>
>     ...
>     Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)
>     ...
>
> Note that you do not need to replace the installed binary in /flash/pmd/bin, just running the instance sapi/cgi/php-cgi -i from your source directory should do.

Hi, There is a failure that "Zend/zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed" when running the instance "php-cgi -i" from the source directory and enable the debug option.

devnexen commented 5 months ago

Thanks, what would be helpful for us

VerifyL commented 5 months ago

> Thanks, what would be helpful for us
>
>   • running gdb from your source directory as follow
>
>         gdb -ex run --args sapi/cgi/php-cgi -i
>         <once gdb stops execution upon crash>
>         > bt all
>
>   • giving your ./configure command with options passed eventually e.g. ./configure --enable-debug --with-gmp ...

Hi, there is no symbol table loaded, and it's a cross-compilation environment.

php-cgi: /home/liuxiaoshuai/switch/OpenSSL-Based-Master/HOS-AOS86R2/sw/tps/objs/48/10/mips_common/php/Zend/zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed.

Program received signal SIGABRT, Aborted.
0x772865f8 in ?? ()
(gdb) bt all
No symbol table is loaded.  Use the "file" command.

My configuration is configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --with-openssl=$(BUILT_BASE) --with-kerberos=yes --with-zlib=$(BUILT_BASE) --with-libxml-dir=$(BUILT_BASE) --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug

devnexen commented 5 months ago

What is the last release you successfully built w/o crash ?

VerifyL commented 5 months ago

> What is the last release you successfully built w/o crash ?

I tried to build it on 8.3.4, 8.1.29, 8.0.30, and all of them crashed. The 5.6.40 didn't crash.

devnexen commented 5 months ago

I see. What about the 7.x series ? Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clue.

VerifyL commented 5 months ago

> I see. What about the 7.x series ? Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clue.

Isn't php supporting openssl 3.0 since 8.x? My device adopted the openssl 3.

devnexen commented 5 months ago

Would it then be possible to try the following (on top of my head) ?

make clean
./configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --without-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug

idea here is to test a more stripped down binary version.

VerifyL commented 5 months ago

> Would it then be possible to try the following (on top of my head) ?
>
>     make clean
>     ./configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --without-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug
>
> idea here is to test a more stripped down binary version.

Hi, I tried it by following the steps above, but the error was same as before.

zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed

Thanks

devnexen commented 5 months ago

Few questions:

VerifyL commented 5 months ago

>   • I assume it is really mips arch (as opposed to mipsel) ?

Hi,

  1. It's really mips arch.
    Linux VerifyL 4.4.153 #2 SMP Wed Jun 19 16:34:50 CST 2024 mips GNU/Linux
  2. My cross compiling toolchain is "mips-linux-gnu-", and the version is 4.8.5

Thanks

devnexen commented 5 months ago

Ok. sapi/cli/php -i might crash all the same.

@kocsismate @bukka any idea what would cause it ?

VerifyL commented 5 months ago

Hi, @devnexen Any idea for it? Is the mips architecture incompatible, or are there other reasons? In addition, when cross compiling with the option "--enable-debug", new errors occur.

-> php-cgi -v
PHP 8.3.4 (cgi-fcgi) (built: Jun 19 2024 16:51:56) (DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.3.4, Copyright (c) Zend Technologies
[Thu Jun 20 08:31:11 2024]  Script:  '-'
php/Zend/zend_hash.c(291) :  Freeing 0x77056050 (44 bytes), script=-
=== Total 1 memory leaks detected ===
*** Error in `php-cgi': free(): invalid pointer: 0x560f4050 ***

-> php-cgi -m
[PHP Modules]

[Zend Modules]

php-cgi: php/Zend/zend_opcode.c:152: zend_function_dtor: Assertion `function->type == 1' failed.
Aborted (core dumped)

Thanks

devnexen commented 5 months ago

Let's say the debug build "reveals it". The underlying issue could be an architecture thing

Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clue.

It would be helpful if you could provide a real backtrace though.

VerifyL commented 5 months ago

> Let's say the debug build "reveals it". The underlying issue could be an architecture thing
>
> > Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clue.
>
> It would be helpful if you could provide a real backtrace though.

Yes, but how can I generate the symbol table and import it to my device? There is no symbol table even when compiling it with the option "--enable-debug".

Thanks

devnexen commented 5 months ago

You might be able to use objcopy to separate debug symbols from the binary as follow :

objcopy --only-keep-debug sapi/cgi/php-cgi sapi/cgi/php-cgi.dbg
objcopy --strip-debug sapi/cgi/php-cgi
objcopy --add-gnu-debuglink=sapi/cgi/php-cgi.dbg sapi/cgi/php-cgi

then this sapi/cgi/php-cgi.dbg needs to be transferred as well into your device. you can then launch gdb like this

gdb --args sapi/cgi/php-cgi -i
> symbol-file sapi/cgi/php-cgi.dbg
> r
...

Hope it helps and works :)

After that, won't be able to help for few hours unless someone chimes in ;)

VerifyL commented 5 months ago

> You might be able to use objcopy to separate debug symbols from the binary as follow :
>
>     objcopy --only-keep-debug sapi/cgi/php-cgi sapi/cgi/php-cgi.dbg
>     objcopy --strip-debug sapi/cgi/php-cgi
>     objcopy --add-gnu-debuglink=sapi/cgi/php-cgi.dbg sapi/cgi/php-cgi
>
> then this sapi/cgi/php-cgi.dbg needs to be transferred as well into your device. you can then launch gdb like this
>
>     gdb --args sapi/cgi/php-cgi -i
>     > symbol-file sapi/cgi/php-cgi.dbg
>     > r
>     ...
>
> Hope it helps and works :) After that, won't be able to help for few hours unless someone chimes in ;)

Hi, @devnexen

There is the completed backtrace.

<tr class="h"><th>Variable</th><th>Value</th></tr>

Program received signal SIGSEGV, Segmentation fault.
0x558d191c in zend_hash_find ()
(gdb) bt
#0  0x558d191c in zend_hash_find ()
#1  0x5587e5bc in zend_is_auto_global ()
#2  0x55a1d920 in cgi_php_import_environment_variables ()
#3  0x55827e50 in php_auto_globals_create_env ()
#4  0x5587e5e8 in zend_is_auto_global ()
#5  0x55a1d920 in cgi_php_import_environment_variables ()
#6  0x55827e50 in php_auto_globals_create_env ()
#7  0x5587e5e8 in zend_is_auto_global ()
#8  0x55a1d920 in cgi_php_import_environment_variables ()
#9  0x55827e50 in php_auto_globals_create_env ()
#10 0x5587e5e8 in zend_is_auto_global ()
#11 0x55a1d920 in cgi_php_import_environment_variables ()
#12 0x55827e50 in php_auto_globals_create_env ()
#13 0x5587e5e8 in zend_is_auto_global ()
#14 0x55a1d920 in cgi_php_import_environment_variables ()
#15 0x55827e50 in php_auto_globals_create_env ()
#16 0x5587e5e8 in zend_is_auto_global ()
#17 0x55a1d920 in cgi_php_import_environment_variables ()
#18 0x55827e50 in php_auto_globals_create_env ()
#19 0x5587e5e8 in zend_is_auto_global ()
#20 0x55a1d920 in cgi_php_import_environment_variables ()
#21 0x55827e50 in php_auto_globals_create_env ()
#22 0x5587e5e8 in zend_is_auto_global ()
---Type <return> to continue, or q <return> to quit---
#23 0x55a1d920 in cgi_php_import_environment_variables ()
#24 0x55827e50 in php_auto_globals_create_env ()
#25 0x5587e5e8 in zend_is_auto_global ()
#26 0x55a1d920 in cgi_php_import_environment_variables ()
#27 0x55827e50 in php_auto_globals_create_env ()
#28 0x5587e5e8 in zend_is_auto_global ()
#29 0x55a1d920 in cgi_php_import_environment_variables ()
#30 0x55827e50 in php_auto_globals_create_env ()
#31 0x5587e5e8 in zend_is_auto_global ()
#32 0x55a1d920 in cgi_php_import_environment_variables ()
#33 0x55827e50 in php_auto_globals_create_env ()
#34 0x5587e5e8 in zend_is_auto_global ()
#35 0x55a1d920 in cgi_php_import_environment_variables ()
#36 0x55827e50 in php_auto_globals_create_env ()
#37 0x5587e5e8 in zend_is_auto_global ()
#38 0x55a1d920 in cgi_php_import_environment_variables ()
#39 0x55827e50 in php_auto_globals_create_env ()
#40 0x5587e5e8 in zend_is_auto_global ()
#41 0x55a1d920 in cgi_php_import_environment_variables ()
#42 0x55827e50 in php_auto_globals_create_env ()
#43 0x5587e5e8 in zend_is_auto_global ()
#44 0x55a1d920 in cgi_php_import_environment_variables ()
#45 0x55827e50 in php_auto_globals_create_env ()
---Type <return> to continue, or q <return> to quit---

Thanks
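A triage aid for the backtrace in the comment above, added here as an example; it is not code from php-src or from either participant. It parses gdb `bt` output, skips pager prompts, and reports the shortest group of frames that repeats back-to-back. The names `parse_frames`, `find_cycle` and `report` are hypothetical, and the sample input is the first 13 frames of the trace posted in the thread with one pager line placed inside it.

```python
import re

# Matches "#3  0x55827e50 in php_auto_globals_create_env ()" as well as
# frames printed without an address ("#0  main () at x.c:1").
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\(")

# First 13 frames of the backtrace from the thread; the pager prompt is kept
# (position chosen for the example) to show that it is ignored.
SAMPLE_BT = """\
#0  0x558d191c in zend_hash_find ()
#1  0x5587e5bc in zend_is_auto_global ()
#2  0x55a1d920 in cgi_php_import_environment_variables ()
#3  0x55827e50 in php_auto_globals_create_env ()
#4  0x5587e5e8 in zend_is_auto_global ()
#5  0x55a1d920 in cgi_php_import_environment_variables ()
---Type <return> to continue, or q <return> to quit---
#6  0x55827e50 in php_auto_globals_create_env ()
#7  0x5587e5e8 in zend_is_auto_global ()
#8  0x55a1d920 in cgi_php_import_environment_variables ()
#9  0x55827e50 in php_auto_globals_create_env ()
#10 0x5587e5e8 in zend_is_auto_global ()
#11 0x55a1d920 in cgi_php_import_environment_variables ()
#12 0x55827e50 in php_auto_globals_create_env ()
"""

# The PHP 7.4/7.3 trace from later in the thread: a plain call chain.
SAMPLE_FLAT_BT = """\
#0  0x557e57cc in php_autoglobal_merge ()
#1  0x557e5ac8 in php_auto_globals_create_request ()
#2  0x55830dbc in zend_is_auto_global ()
#3  0x55767478 in php_print_gpcse_array ()
#4  0x557695e8 in php_print_info ()
#5  0x55948fac in main ()
"""


def parse_frames(bt_text):
    """Return the function name of every frame, innermost first."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # pager prompts, warnings and blank lines do not match
            frames.append(m.group(2))
    return frames


def find_cycle(frames, min_repeats=3):
    """Find the shortest frame group repeated back-to-back >= min_repeats times.

    Returns (start_index, cycle, repeats), or None when nothing repeats.
    Among equally short cycles the one with the most repeats wins.
    """
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        best = None
        for start in range(n - period * min_repeats + 1):
            cycle = frames[start:start + period]
            repeats, pos = 1, start + period
            while frames[pos:pos + period] == cycle:
                repeats += 1
                pos += period
            if repeats >= min_repeats and (best is None or repeats > best[2]):
                best = (start, cycle, repeats)
        if best:
            return best
    return None


def report(bt_text):
    """One-line summary suitable for pasting into a bug report."""
    frames = parse_frames(bt_text)
    hit = find_cycle(frames)
    if hit is None:
        return "no repeating frame group in %d frames" % len(frames)
    start, cycle, repeats = hit
    return "frames #%d onward repeat %dx: %s" % (start, repeats, " <- ".join(cycle))


if __name__ == "__main__":
    print(report(SAMPLE_BT))
    print(report(SAMPLE_FLAT_BT))
```

A repeating group means either real unbounded recursion or an unwinder that lost track of the stack on a binary without usable symbols, so the frames before the first repeat are the ones to inspect first.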

devnexen commented 5 months ago

That's a tad better and gives a better idea where this happens, it confirms some little suspicions but I wish we could inspect the frames though. Maybe because we need to use architecture related objcopy rather than the host one e.g. mips-linux-gnu-objcopy.

VerifyL commented 5 months ago

> That's a tad better and gives a better idea where this happens, it confirms some little suspicions but I wish we could inspect the frames though. Maybe because we need to use architecture related objcopy rather than the host one e.g. mips-linux-gnu-objcopy.

Hi, I didn't use objcopy to generate the symbol table. I used "mips-linux-gnu-strip" to strip it before, so there was no symbol in the php-cgi binary. I don't strip it any more now. In addition, php-cgi is compiled with the "mips-linux-gnu-" tools rather than the host's. Thanks.

devnexen commented 5 months ago

Ok we might need to keep trying to narrow down cases. What would be great is to try a php 7.3 and a php 7.4 (w/o openssl support). If the latter crashes, that would confirm one thing.

VerifyL commented 5 months ago

> Ok we might need to keep trying to narrow down cases. What would be great is to try a php 7.3 and a php 7.4 (w/o openssl support). If the latter crashes, that would confirm one thing.

Hi, @devnexen I tried php 7.4 and php 7.3, and they still crash.

php 7.4/php7.3:

<tr class="h"><th>Variable</th><th>Value</th></tr>

Program received signal SIGSEGV, Segmentation fault.
0x557e57cc in php_autoglobal_merge ()
(gdb) bt
#0  0x557e57cc in php_autoglobal_merge ()
#1  0x557e5ac8 in php_auto_globals_create_request ()
#2  0x55830dbc in zend_is_auto_global ()
#3  0x55767478 in php_print_gpcse_array ()
#4  0x557695e8 in php_print_info ()
#5  0x55948fac in main ()
(gdb)

Thanks

devnexen commented 5 months ago

Question, did you compile yourself 5.6.40 or does it comes from your package manager ? If yes, would you try php 7.0 pls ?

VerifyL commented 5 months ago

> Question, did you compile yourself 5.6.40 or does it comes from your package manager ? If yes, would you try php 7.0 pls ?

Hi, @devnexen

There is an error when I tried php 7.0.33

-> php-cgi -i
zend_mm_heap corrupted

And my configuration is following:

./configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX)  --disable-xmlwriter --disable-xml --disable-libxml --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --without-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no

With php 5.6.40, there is no problem with the same configuration. Thanks.

devnexen commented 5 months ago

it seems to have a hard time building $_ENV but no idea yet why.

VerifyL commented 5 months ago

> it seems to have a hard time building $_ENV but no idea yet why.

Is the building of $_ENV related with my environment? Or is it just about the php itself?

Thanks

devnexen commented 5 months ago

An associative [array](https://www.php.net/manual/en/language.types.array.php) of variables passed to the current script via the environment method.

These variables are imported into PHP's global namespace from the environment under which the PHP parser is running.

VerifyL commented 5 months ago

> An associative [array](https://www.php.net/manual/en/language.types.array.php) of variables passed to the current script via the environment method.
>
> These variables are imported into PHP's global namespace from the environment under which the PHP parser is running.

Hi, So any idea for it? Did the update of php cause it?

Thanks

devnexen commented 5 months ago

well, how is your ENV env var looks like ?

VerifyL commented 5 months ago

> well, how is your ENV env var looks like

Sorry, could you pls be more specific? Thanks

devnexen commented 5 months ago

I meant env output.

VerifyL commented 5 months ago

> I meant env output.

Hi, @devnexen $ENV is NULL in my env. In addition, do you need other information? Thanks

devnexen commented 5 months ago

I'm short of ideas for now, I'll try to have a look later this week and trying different scenarios, if I need I'll ask you few things. Cheers.

VerifyL commented 5 months ago

Hi, @devnexen It seems that Zend has another issue besides the above problem. When I try to access a web page, php will crash.

Core was generated by `/bin/php-cgi -c /lib/wv_php.ini'.
Program terminated with signal 11, Segmentation fault.
#0  0x55f58b3c in zend_resource_dtor ()
(gdb) bt
#0  0x55f58b3c in zend_resource_dtor ()
#1  0x55f58f28 in zend_list_close ()
#2  0x55ebd710 in _php_stream_free ()
#3  0x55e979d0 in php_zend_stream_closer ()
#4  0x55ff9380 in zend_file_handle_dtor ()
#5  0x55f21e58 in zend_llist_del_element ()
#6  0x55ff9af4 in zend_destroy_file_handle ()
#7  0x560a6d9c in main ()

Thanks.

devnexen commented 5 months ago

Yes sorry I did not forget you, I'll get back at it in the following days.

VerifyL commented 4 months ago

> Yes sorry I did not forget you, I'll get back at it in the following days.

Hi, @devnexen Is there any feedback? Thanks

devnexen commented 4 months ago

no did not find anything yet, sorry.

VerifyL commented 4 months ago

> no did not find anything yet, sorry.

Hi, @devnexen

So what are the points of doubt on this issue?

And the following is the register information and compile information.

(gdb) disassemble 
Dump of assembler code for function zend_hash_find:
   0x55f11fec <+0>:     lui     gp,0x2a
   0x55f11ff0 <+4>:     addiu   gp,gp,5044
   0x55f11ff4 <+8>:     addu    gp,gp,t9
   0x55f11ff8 <+12>:    addiu   sp,sp,-56
   0x55f11ffc <+16>:    sw      ra,52(sp)
   0x55f12000 <+20>:    sw      s8,48(sp)
   0x55f12004 <+24>:    sw      s5,44(sp)
   0x55f12008 <+28>:    sw      s4,40(sp)
   0x55f1200c <+32>:    sw      s3,36(sp)
   0x55f12010 <+36>:    sw      s2,32(sp)
   0x55f12014 <+40>:    sw      s1,28(sp)
   0x55f12018 <+44>:    sw      s0,24(sp)
   0x55f1201c <+48>:    move    s8,sp
=> 0x55f12020 <+52>:    sw      gp,16(sp)
   0x55f12024 <+56>:    move    s1,a0
   0x55f12028 <+60>:    lw      t8,8(a1)
   0x55f1202c <+64>:    bnez    t8,0x55f12048 <zend_hash_find+92>
   0x55f12030 <+68>:    move    s0,a1
   0x55f12034 <+72>:    move    a0,a1
   0x55f12038 <+76>:    lw      t9,-27596(gp)
   0x55f1203c <+80>:    jalr    t9
   0x55f12040 <+84>:    nop
---Type <return> to continue, or q <return> to quit---
   0x55f12044 <+88>:    lw      gp,16(s8)
   0x55f12048 <+92>:    lw      s3,8(s0)
   0x55f1204c <+96>:    lw      s2,16(s1)
   0x55f12050 <+100>:   lw      t8,12(s1)
   0x55f12054 <+104>:   or      t8,s3,t8
   0x55f12058 <+108>:   sll     t8,t8,0x2
   0x55f1205c <+112>:   addu    t8,s2,t8
   0x55f12060 <+116>:   lw      s1,0(t8)
   0x55f12064 <+120>:   li      t8,-1
   0x55f12068 <+124>:   beq     s1,t8,0x55f120e8 <zend_hash_find+252>
   0x55f1206c <+128>:   addu    s1,s2,s1
   0x55f12070 <+132>:   lw      t8,20(s1)
   0x55f12074 <+136>:   beq     s0,t8,0x55f120f4 <zend_hash_find+264>
   0x55f12078 <+140>:   move    v0,s1
   0x55f1207c <+144>:   addiu   s5,s0,16
   0x55f12080 <+148>:   li      s4,-1
   0x55f12084 <+152>:   lw      t8,16(s1)
   0x55f12088 <+156>:   bne     s3,t8,0x55f120c8 <zend_hash_find+220>
   0x55f1208c <+160>:   nop
   0x55f12090 <+164>:   lw      a0,20(s1)
   0x55f12094 <+168>:   beqz    a0,0x55f120c8 <zend_hash_find+220>
   0x55f12098 <+172>:   nop
   0x55f1209c <+176>:   lw      a2,12(a0)
---Type <return> to continue, or q <return> to quit---
   0x55f120a0 <+180>:   lw      t8,12(s0)
   0x55f120a4 <+184>:   bne     a2,t8,0x55f120c8 <zend_hash_find+220>
   0x55f120a8 <+188>:   addiu   a0,a0,16
   0x55f120ac <+192>:   move    a1,s5
   0x55f120b0 <+196>:   lw      t9,-20640(gp)
   0x55f120b4 <+200>:   jalr    t9
   0x55f120b8 <+204>:   nop
   0x55f120bc <+208>:   lw      gp,16(s8)
   0x55f120c0 <+212>:   beqz    v0,0x55f120f4 <zend_hash_find+264>
   0x55f120c4 <+216>:   move    v0,s1
   0x55f120c8 <+220>:   lw      s1,12(s1)
   0x55f120cc <+224>:   beq     s1,s4,0x55f120f0 <zend_hash_find+260>
   0x55f120d0 <+228>:   addu    s1,s2,s1
   0x55f120d4 <+232>:   lw      t8,20(s1)
   0x55f120d8 <+236>:   bne     s0,t8,0x55f12084 <zend_hash_find+152>
   0x55f120dc <+240>:   nop
   0x55f120e0 <+244>:   b       0x55f120f4 <zend_hash_find+264>
   0x55f120e4 <+248>:   move    v0,s1
   0x55f120e8 <+252>:   b       0x55f120f4 <zend_hash_find+264>
   0x55f120ec <+256>:   move    v0,zero
   0x55f120f0 <+260>:   move    v0,zero
   0x55f120f4 <+264>:   move    sp,s8
   0x55f120f8 <+268>:   lw      ra,52(sp)
---Type <return> to continue, or q <return> to quit---
   0x55f120fc <+272>:   lw      s8,48(sp)
   0x55f12100 <+276>:   lw      s5,44(sp)
   0x55f12104 <+280>:   lw      s4,40(sp)
   0x55f12108 <+284>:   lw      s3,36(sp)
   0x55f1210c <+288>:   lw      s2,32(sp)
   0x55f12110 <+292>:   lw      s1,28(sp)
   0x55f12114 <+296>:   lw      s0,24(sp)
   0x55f12118 <+300>:   jr      ra
   0x55f1211c <+304>:   addiu   sp,sp,56
End of assembler dump

[Image: WeCom screenshot_1d30a137-7c88-487a-ad9b-fdb7526d5acc]

Thanks

devnexen commented 4 months ago

The root issue occurs likely before that but I have not found the time yet to go into this.

VerifyL commented 4 months ago

> The root issue occurs likely before that but I have not found the time yet to go into this.

Ok, And from the compilation above, it seems that the stack is broken.

VerifyL commented 4 months ago

Hi, @devnexen

There is an earlier error when executing the "php-cgi -i". It indicates that error is "php_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_GET]));", the second parameter is NULL.

Thanks

devnexen commented 4 months ago

oh I think it's not normal it's NULL. empty (hashtable) yes but not NULL.

VerifyL commented 4 months ago

> oh I think it's not normal it's NULL. empty (hashtable) yes but not NULL.

Hi, The following is the gdb information, and the second parameter of php_autoglobal_merge "src" is 0x0. It seems that the "http_globals" wasn't initialized.

(gdb) bt
#0  0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)
    at php/main/php_variables.c:752
#1  0x55a26264 in php_auto_globals_create_request (name=0x55f15e58)
    at php/main/php_variables.c:936
#2  0x55aaeefc in zend_is_auto_global (name=0x77258038)
    at php/Zend/zend_compile.c:1913
#3  0x55934400 in php_print_gpcse_array (name=0x55e14a14 "_REQUEST",
    name_length=8)
    at php/ext/standard/info.c:175
#4  0x559363ec in php_print_info (flag=-1)
    at php/ext/standard/info.c:1023
#5  0x55d4ab78 in main (argc=2, argv=0x7ffffbd4)
    at php/sapi/cgi/cgi_main.c:2319

(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 55e14f46 772560a0 77200040 772560a0 00000000 55b01304 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   00000000 00000001 00000000 55455354 7ffff648 55ef7820 00000000 00000005
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 004fe008 00000000 004fe008 00000000 00000000 00000000
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 55a25038 7ffff6c4 00000000 55ef7820 7ffff600 7ffff600 55a26264
        status       lo       hi badvaddr    cause       pc
      00000413 00000000 00000000 00000008 08800008 55a25090
          fcsr      fir  restart
      00000000 00730000 00000000
(gdb) disassemble
Dump of assembler code for function php_autoglobal_merge:
   0x55a25038 <+0>:     lui     gp,0x4d
   0x55a2503c <+4>:     addiu   gp,gp,10216
   0x55a25040 <+8>:     addu    gp,gp,t9
   0x55a25044 <+12>:    addiu   sp,sp,-104
   0x55a25048 <+16>:    sw      ra,100(sp)
   0x55a2504c <+20>:    sw      s8,96(sp)
   0x55a25050 <+24>:    move    s8,sp
   0x55a25054 <+28>:    sw      gp,16(sp)
   0x55a25058 <+32>:    sw      a0,104(s8)
   0x55a2505c <+36>:    sw      a1,108(s8)
   0x55a25060 <+40>:    lw      v0,104(s8)
   0x55a25064 <+44>:    lw      t8,-32308(gp)
   0x55a25068 <+48>:    addiu   t8,t8,168
   0x55a2506c <+52>:    subu    t8,v0,t8
   0x55a25070 <+56>:    sltiu   t8,t8,1
   0x55a25074 <+60>:    andi    t8,t8,0xff
   0x55a25078 <+64>:    sw      t8,48(s8)
   0x55a2507c <+68>:    lw      t8,108(s8)
   0x55a25080 <+72>:    sw      t8,52(s8)
   0x55a25084 <+76>:    sw      zero,32(s8)
   0x55a25088 <+80>:    sw      zero,36(s8)
   0x55a2508c <+84>:    lw      t8,52(s8)
---Type <return> to continue, or q <return> to quit---
=> 0x55a25090 <+88>:    lw      t8,8(t8)
   0x55a25094 <+92>:    nor     t8,zero,t8
   0x55a25098 <+96>:    andi    t8,t8,0x4
   0x55a2509c <+100>:   addiu   t8,t8,8
   0x55a250a0 <+104>:   sll     t8,t8,0x1
   0x55a250a4 <+108>:   sw      t8,56(s8)
   0x55a250a8 <+112>:   lw      t8,52(s8)
   0x55a250ac <+116>:   lw      t8,16(t8)
   0x55a250b0 <+120>:   lw      v1,36(s8)
   0x55a250b4 <+124>:   lw      v0,56(s8)
   0x55a250b8 <+128>:   mult    v1,v0
   0x55a250bc <+132>:   mflo    v0
   0x55a250c0 <+136>:   addu    t8,t8,v0
   0x55a250c4 <+140>:   sw      t8,40(s8)
   0x55a250c8 <+144>:   lw      t8,52(s8)
   0x55a250cc <+148>:   lw      v0,20(t8)
   0x55a250d0 <+152>:   lw      t8,36(s8)
   0x55a250d4 <+156>:   subu    t8,v0,t8
   0x55a250d8 <+160>:   sw      t8,44(s8)
   0x55a250dc <+164>:   b       0x55a25464 <php_autoglobal_merge+1068>
   0x55a250e0 <+168>:   nop
   0x55a250e4 <+172>:   lw      t8,40(s8)
   0x55a250e8 <+176>:   sw      t8,60(s8)
---Type <return> to continue, or q <return> to quit---
   0x55a250ec <+180>:   lw      t8,52(s8)
   0x55a250f0 <+184>:   lw      t8,8(t8)
   0x55a250f4 <+188>:   andi    t8,t8,0x4
   0x55a250f8 <+192>:   beqz    t8,0x55a25128 <php_autoglobal_merge+240>
   0x55a250fc <+196>:   nop
   0x55a25100 <+200>:   lw      t8,40(s8)
   0x55a25104 <+204>:   addiu   t8,t8,16
   0x55a25108 <+208>:   sw      t8,40(s8)
   0x55a2510c <+212>:   lw      t8,36(s8)
   0x55a25110 <+216>:   sw      t8,28(s8)
   0x55a25114 <+220>:   lw      t8,36(s8)
   0x55a25118 <+224>:   addiu   t8,t8,1
   0x55a2511c <+228>:   sw      t8,36(s8)
   0x55a25120 <+232>:   b       0x55a25154 <php_autoglobal_merge+284>
   0x55a25124 <+236>:   nop
   0x55a25128 <+240>:   lw      t8,40(s8)
   0x55a2512c <+244>:   sw      t8,64(s8)
   0x55a25130 <+248>:   lw      t8,64(s8)
   0x55a25134 <+252>:   addiu   t8,t8,24
   0x55a25138 <+256>:   sw      t8,40(s8)
   0x55a2513c <+260>:   lw      t8,64(s8)
   0x55a25140 <+264>:   lw      t8,16(t8)
   0x55a25144 <+268>:   sw      t8,28(s8)
---Type <return> to continue, or q <return> to quit---
   0x55a25148 <+272>:   lw      t8,64(s8)
   0x55a2514c <+276>:   lw      t8,20(t8)
   0x55a25150 <+280>:   sw      t8,32(s8)
   0x55a25154 <+284>:   lw      a0,60(s8)
   0x55a25158 <+288>:   lw      t8,-26196(gp)
   0x55a2515c <+292>:   addiu   t8,t8,-18016
   0x55a25160 <+296>:   move    t9,t8
   0x55a25164 <+300>:   jalr    t9
   0x55a25168 <+304>:   nop
   0x55a2516c <+308>:   lw      gp,16(s8)
   0x55a25170 <+312>:   move    t8,v0
   0x55a25174 <+316>:   sltiu   t8,t8,1
   0x55a25178 <+320>:   andi    t8,t8,0xff
   0x55a2517c <+324>:   beqz    t8,0x55a2518c <php_autoglobal_merge+340>
   0x55a25180 <+328>:   nop
   0x55a25184 <+332>:   b       0x55a25458 <php_autoglobal_merge+1056>
   0x55a25188 <+336>:   nop
   0x55a2518c <+340>:   lw      t8,28(s8)
   0x55a25190 <+344>:   sw      t8,68(s8)
   0x55a25194 <+348>:   lw      t8,32(s8)
   0x55a25198 <+352>:   sw      t8,72(s8)
   0x55a2519c <+356>:   lw      t8,60(s8)
   0x55a251a0 <+360>:   sw      t8,76(s8)
---Type <return> to continue, or q <return> to quit---
   0x55a251a4 <+364>:   lw      a0,76(s8)
   0x55a251a8 <+368>:   lw      t8,-26196(gp)
   0x55a251ac <+372>:   addiu   t8,t8,-18016
   0x55a251b0 <+376>:   move    t9,t8
   0x55a251b4 <+380>:   jalr    t9
   0x55a251b8 <+384>:   nop
   0x55a251bc <+388>:   lw      gp,16(s8)
   0x55a251c0 <+392>:   move    t8,v0
   0x55a251c4 <+396>:   move    v0,t8
   0x55a251c8 <+400>:   li      t8,7
   0x55a251cc <+404>:   bne     v0,t8,0x55a25274 <php_autoglobal_merge+572>
   0x55a251d0 <+408>:   nop
   0x55a251d4 <+412>:   lw      t8,72(s8)
   0x55a251d8 <+416>:   beqz    t8,0x55a2520c <php_autoglobal_merge+468>
   0x55a251dc <+420>:   nop
   0x55a251e0 <+424>:   lw      a0,104(s8)
   0x55a251e4 <+428>:   lw      a1,72(s8)
   0x55a251e8 <+432>:   lw      t8,-31532(gp)
   0x55a251ec <+436>:   move    t9,t8
   0x55a251f0 <+440>:   jalr    t9
   0x55a251f4 <+444>:   nop
   0x55a251f8 <+448>:   lw      gp,16(s8)
   0x55a251fc <+452>:   sw      v0,24(s8)
   0x55a25200 <+456>:   lw      t8,24(s8)
   0x55a25204 <+460>:   beqz    t8,0x55a25274 <php_autoglobal_merge+572>
   0x55a25208 <+464>:   nop
   0x55a2520c <+468>:   lw      t8,72(s8)
   0x55a25210 <+472>:   bnez    t8,0x55a25244 <php_autoglobal_merge+524>
   0x55a25214 <+476>:   nop
   0x55a25218 <+480>:   lw      a0,104(s8)
   0x55a2521c <+484>:   lw      a1,68(s8)
   0x55a25220 <+488>:   lw      t8,-31152(gp)
   0x55a25224 <+492>:   move    t9,t8
   0x55a25228 <+496>:   jalr    t9
   0x55a2522c <+500>:   nop
   0x55a25230 <+504>:   lw      gp,16(s8)
   0x55a25234 <+508>:   sw      v0,24(s8)
   0x55a25238 <+512>:   lw      t8,24(s8)
   0x55a2523c <+516>:   beqz    t8,0x55a25274 <php_autoglobal_merge+572>
   0x55a25240 <+520>:   nop
   0x55a25244 <+524>:   lw      a0,24(s8)
   0x55a25248 <+528>:   lw      t8,-26196(gp)
   0x55a2524c <+532>:   addiu   t8,t8,-18016
   0x55a25250 <+536>:   move    t9,t8
   0x55a25254 <+540>:   jalr    t9
   0x55a25258 <+544>:   nop
   0x55a2525c <+548>:   lw      gp,16(s8)
   0x55a25260 <+552>:   move    t8,v0
   0x55a25264 <+556>:   move    v0,t8
   0x55a25268 <+560>:   li      t8,7
   0x55a2526c <+564>:   beq     v0,t8,0x55a25380 <php_autoglobal_merge+840>
   0x55a25270 <+568>:   nop
   0x55a25274 <+572>:   lw      t8,76(s8)
   0x55a25278 <+576>:   lbu     t8,9(t8)
   0x55a2527c <+580>:   beqz    t8,0x55a252a0 <php_autoglobal_merge+616>
   0x55a25280 <+584>:   nop
   0x55a25284 <+588>:   lw      a0,76(s8)
   0x55a25288 <+592>:   lw      t8,-26196(gp)
   0x55a2528c <+596>:   addiu   t8,t8,-17512
   0x55a25290 <+600>:   move    t9,t8
   0x55a25294 <+604>:   jalr    t9
   0x55a25298 <+608>:   nop
   0x55a2529c <+612>:   lw      gp,16(s8)
   0x55a252a0 <+616>:   lw      t8,72(s8)
   0x55a252a4 <+620>:   beqz    t8,0x55a25350 <php_autoglobal_merge+792>
   0x55a252a8 <+624>:   nop
   0x55a252ac <+628>:   lw      t8,48(s8)
   0x55a252b0 <+632>:   beqz    t8,0x55a252f4 <php_autoglobal_merge+700>
   0x55a252b4 <+636>:   nop
   0x55a252b8 <+640>:   lw      a0,72(s8)
   0x55a252bc <+644>:   lw      t8,-26272(gp)
   0x55a252c0 <+648>:   addiu   a1,t8,-28684
   0x55a252c4 <+652>:   li      a2,7
   0x55a252c8 <+656>:   lw      t8,-26196(gp)
   0x55a252cc <+660>:   addiu   t8,t8,-15688
   0x55a252d0 <+664>:   move    t9,t8
   0x55a252d4 <+668>:   jalr    t9
   0x55a252d8 <+672>:   nop
   0x55a252dc <+676>:   lw      gp,16(s8)
   0x55a252e0 <+680>:   move    t8,v0
   0x55a252e4 <+684>:   xori    t8,t8,0x1
   0x55a252e8 <+688>:   andi    t8,t8,0xff
   0x55a252ec <+692>:   beqz    t8,0x55a2531c <php_autoglobal_merge+740>
   0x55a252f0 <+696>:   nop
   0x55a252f4 <+700>:   lw      a0,104(s8)
   0x55a252f8 <+704>:   lw      a1,72(s8)
   0x55a252fc <+708>:   lw      a2,76(s8)
   0x55a25300 <+712>:   lw      t8,-31384(gp)
   0x55a25304 <+716>:   move    t9,t8
   0x55a25308 <+720>:   jalr    t9
   0x55a2530c <+724>:   nop
   0x55a25310 <+728>:   lw      gp,16(s8)
   0x55a25314 <+732>:   b       0x55a25378 <php_autoglobal_merge+832>
   0x55a25318 <+736>:   nop
   0x55a2531c <+740>:   lw      t8,76(s8)
   0x55a25320 <+744>:   lbu     t8,9(t8)
   0x55a25324 <+748>:   beqz    t8,0x55a25378 <php_autoglobal_merge+832>
   0x55a25328 <+752>:   nop
   0x55a2532c <+756>:   lw      a0,76(s8)
   0x55a25330 <+760>:   lw      t8,-26196(gp)
   0x55a25334 <+764>:   addiu   t8,t8,-17348
   0x55a25338 <+768>:   move    t9,t8
   0x55a2533c <+772>:   jalr    t9
   0x55a25340 <+776>:   nop
   0x55a25344 <+780>:   lw      gp,16(s8)
   0x55a25348 <+784>:   b       0x55a25378 <php_autoglobal_merge+832>
   0x55a2534c <+788>:   nop
   0x55a25350 <+792>:   lw      a0,104(s8)
   0x55a25354 <+796>:   lw      a1,68(s8)
   0x55a25358 <+800>:   lw      a2,76(s8)
   0x55a2535c <+804>:   lw      t8,-31328(gp)
   0x55a25360 <+808>:   move    t9,t8
   0x55a25364 <+812>:   jalr    t9
   0x55a25368 <+816>:   nop
   0x55a2536c <+820>:   lw      gp,16(s8)
   0x55a25370 <+824>:   b       0x55a25458 <php_autoglobal_merge+1056>
   0x55a25374 <+828>:   nop
   0x55a25378 <+832>:   b       0x55a25458 <php_autoglobal_merge+1056>
   0x55a2537c <+836>:   nop
   0x55a25380 <+840>:   lw      t8,24(s8)
   0x55a25384 <+844>:   sw      t8,80(s8)
   0x55a25388 <+848>:   lw      t8,80(s8)
   0x55a2538c <+852>:   lw      t8,0(t8)
   0x55a25390 <+856>:   sw      t8,84(s8)
   0x55a25394 <+860>:   lw      t8,84(s8)
   0x55a25398 <+864>:   move    a0,t8
   0x55a2539c <+868>:   lw      t8,-26196(gp)
   0x55a253a0 <+872>:   addiu   t8,t8,-17920
   0x55a253a4 <+876>:   move    t9,t8
   0x55a253a8 <+880>:   jalr    t9
   0x55a253ac <+884>:   nop
   0x55a253b0 <+888>:   lw      gp,16(s8)
   0x55a253b4 <+892>:   move    t8,v0
   0x55a253b8 <+896>:   sltiu   t8,t8,2
   0x55a253bc <+900>:   xori    t8,t8,0x1
   0x55a253c0 <+904>:   andi    t8,t8,0xff
   0x55a253c4 <+908>:   beqz    t8,0x55a25428 <php_autoglobal_merge+1008>
   0x55a253c8 <+912>:   nop
   0x55a253cc <+916>:   lw      a0,84(s8)
   0x55a253d0 <+920>:   lw      t8,-32164(gp)
   0x55a253d4 <+924>:   move    t9,t8
   0x55a253d8 <+928>:   jalr    t9
   0x55a253dc <+932>:   nop
   0x55a253e0 <+936>:   lw      gp,16(s8)
   0x55a253e4 <+940>:   sw      v0,88(s8)
   0x55a253e8 <+944>:   lw      t8,80(s8)
   0x55a253ec <+948>:   sw      t8,92(s8)
   0x55a253f0 <+952>:   lw      t8,92(s8)
   0x55a253f4 <+956>:   lw      v0,88(s8)
   0x55a253f8 <+960>:   sw      v0,0(t8)
   0x55a253fc <+964>:   lw      t8,92(s8)
   0x55a25400 <+968>:   li      v0,775
   0x55a25404 <+972>:   sw      v0,8(t8)
   0x55a25408 <+976>:   lw      t8,84(s8)
   0x55a2540c <+980>:   move    a0,t8
   0x55a25410 <+984>:   lw      t8,-26196(gp)
   0x55a25414 <+988>:   addiu   t8,t8,-17740
   0x55a25418 <+992>:   move    t9,t8
   0x55a2541c <+996>:   jalr    t9
   0x55a25420 <+1000>:  nop
   0x55a25424 <+1004>:  lw      gp,16(s8)
   0x55a25428 <+1008>:  lw      t8,24(s8)
   0x55a2542c <+1012>:  lw      v0,0(t8)
   0x55a25430 <+1016>:  lw      t8,76(s8)
   0x55a25434 <+1020>:  lw      t8,0(t8)
   0x55a25438 <+1024>:  move    a0,v0
   0x55a2543c <+1028>:  move    a1,t8
   0x55a25440 <+1032>:  lw      t8,-26196(gp)
   0x55a25444 <+1036>:  addiu   t8,t8,56
   0x55a25448 <+1040>:  move    t9,t8
   0x55a2544c <+1044>:  jalr    t9
   0x55a25450 <+1048>:  nop
   0x55a25454 <+1052>:  lw      gp,16(s8)
   0x55a25458 <+1056>:  lw      t8,44(s8)
   0x55a2545c <+1060>:  addiu   t8,t8,-1
   0x55a25460 <+1064>:  sw      t8,44(s8)
   0x55a25464 <+1068>:  lw      t8,44(s8)
   0x55a25468 <+1072>:  bnez    t8,0x55a250e4 <php_autoglobal_merge+172>
   0x55a2546c <+1076>:  nop
   0x55a25470 <+1080>:  move    sp,s8
   0x55a25474 <+1084>:  lw      ra,100(sp)
   0x55a25478 <+1088>:  lw      s8,96(sp)
   0x55a2547c <+1092>:  addiu   sp,sp,104
   0x55a25480 <+1096>:  jr      ra
   0x55a25484 <+1100>:  nop
End of assembler dump.

Thanks

devnexen commented 4 months ago

Thanks, but what I'm saying

0 0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)

src should not be NULL. We need to figure out the root cause, which occurs somewhere else. I do not know the engine well enough, but I'll get back to it in a few days.

VerifyL commented 4 months ago

> Thanks, but what I'm saying
>
> 0 0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)
>
> src should not be NULL. We need to figure out the root cause, which occurs somewhere else. I do not know the engine well enough, but I'll get back to it in a few days.

Ok, look forward to your reply.

devnexen commented 4 months ago

@VerifyL, let's try to move to the previous step. Would it be possible for you to put a breakpoint on php_auto_globals_create_get and go step by step within it?
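The stepping session requested above can be set up from a gdb command file, so each stop prints its context without pager prompts. This is an added example, not part of the thread: the file name and invocation line are assumptions, while the function names, the `src` argument and `php-cgi -i` come from the report and backtrace on this page.

```gdb
# Constructed gdb command file (hypothetical name: trace-merge.gdb).
# Assumed invocation: gdb -x trace-merge.gdb --args ./php-cgi -i

# Disable the "---Type <return> to continue---" pager so output stays contiguous.
set pagination off

# Stop at the function named in the thread and show how it was reached.
break php_auto_globals_create_get
commands
  bt
  info args
end

# Stop in the crashing function only when it is entered with src == NULL,
# the state shown in frame 0 of the reported backtrace.
break php_autoglobal_merge if src == 0
commands
  bt
  # Move to the caller to see which value was passed as src.
  up
  info locals
end

# Start the program with the arguments given after --args.
# gdb returns to the prompt at the first breakpoint hit; use
# "next" / "step" to walk through it, or "continue" for the next stop.
run
```

The conditional breakpoint relies on the binary carrying debug info for `php_autoglobal_merge`, which the named `dest` and `src` arguments in the posted frame indicate it does.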