
There is a core dump when running "php-cgi -i" on mips device #14567


Closed
VerifyL opened this issue Jun 14, 2024 · 54 comments

Comments

@VerifyL

VerifyL commented Jun 14, 2024

Description

The following code:

Running "php-cgi -i" on mips device

Resulted in this output:

<tr><td class="e">TERM </td><td class="v">vt100 </td></tr>
<tr><td class="e">SHELL </td><td class="v">/bin/bash </td></tr>
<tr><td class="e">OLDPWD </td><td class="v">/ </td></tr>
<tr><td class="e">USER </td><td class="v">admin </td></tr>
<tr><td class="e">PROMPTLENGTH </td><td class="v">11 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_SESS_IDX </td><td class="v">0 </td></tr>
<tr><td class="e">ALIASES </td><td class="v">sh=&quot;show&quot; </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD0 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">PATH </td><td class="v">/flash:/bin:/sbin:/usr/bin:/usr/sbin </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD1 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD2 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AUTH_RD3 </td><td class="v">0x00000000 </td></tr>
<tr><td class="e">PWD </td><td class="v">/flash </td></tr>
<tr><td class="e">PS1 </td><td class="v">TAURUS #-&gt;  </td></tr>
<tr><td class="e">HISTIGNORE </td><td class="v">&amp;:*password* </td></tr>
<tr><td class="e">PS2 </td><td class="v">(Continue command from previous line or Ctrl/C) -&gt;  </td></tr>
<tr><td class="e">HOME </td><td class="v">/flash </td></tr>
<tr><td class="e">SHLVL </td><td class="v">2 </td></tr>
<tr><td class="e">ALU_SESMGR_RSP_AAA_OPTS </td><td class="v">0 </td></tr>
<tr><td class="e">LOGNAME </td><td class="v">admin </td></tr>
<tr><td class="e">PROMPT_COMMAND </td><td class="v">stty echo icrnl &amp;&amp; setPrompt </td></tr>
<tr><td class="e">_ </td><td class="v">./php-cgi </td></tr>
</table>
<h2>PHP Variables</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>

Fri Jun 14 02:47:57 : COREDUMPER  ALRM message:
Segmentation fault (core dumped)

_emalloc_48 will cause the panic, and is there any solution for it?

But I expected this output instead:

Normal running 

PHP Version

PHP 8.3.4

Operating System

linux 4.4 and arch is mips

@devnexen
Member

Thanks for your report, would you be able to give a backtrace eventually?

@VerifyL
Author

VerifyL commented Jun 18, 2024

Thanks for your report, would you be able to give a backtrace eventually?

GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)...done.
[New LWP 4670]
Failed to read a valid object file image from memory.
Core was generated by `php-cgi -i'.
Program terminated with signal 11, Segmentation fault.
#0 0x55972c6c in _emalloc_48 ()
(gdb) bt
#0 0x55972c6c in _emalloc_48 ()
#1 0x559c7bd0 in _zend_new_array_0 ()
#2 0x559294c0 in ?? ()
warning: GDB can't find the start of the function at 0x559294be.

@devnexen
Member

Is your php instance compiled from source? If yes, it would be helpful to compile with debug symbols enabled (--enable-debug configure option).

@VerifyL
Author

VerifyL commented Jun 18, 2024

Is your php instance compiled from source? If yes, it would be helpful to compile with debug symbols enabled (--enable-debug configure option).

When adding the debug symbols, the backtrace is as below:
GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)...done.
[New LWP 4622]
Failed to read a valid object file image from memory.
Core was generated by `php-cgi -i'.
Program terminated with signal 11, Segmentation fault.
#0 0x55ce5014 in zend_hash_find ()
(gdb) bt
#0 0x55ce5014 in zend_hash_find ()
#1 0x55c91c9c in zend_is_auto_global ()
#2 0x55e31000 in ?? ()
warning: GDB can't find the start of the function at 0x55e30ffe.

@devnexen
Member

devnexen commented Jun 18, 2024

does not seem to be the case because

...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)
...

Note that you do not need to replace the installed binary in /flash/pmd/bin, just running the instance sapi/cgi/php-cgi -i from your source directory should do.

@VerifyL
Author

VerifyL commented Jun 18, 2024

does not seem to be the case because

...
Reading symbols from /flash/pmd/bin/php-cgi...(no debugging symbols found)
...

Note that you do not need to replace the installed binary in /flash/pmd/bin, just running the instance sapi/cgi/php-cgi -i from your source directory should do.

Hi,
There is a failure "Zend/zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed" when running the instance "php-cgi -i" from the source directory with the debug option enabled.

@devnexen
Member

devnexen commented Jun 18, 2024

Thanks, what would be helpful for us

  • running gdb from your source directory as follows
gdb -ex run --args sapi/cgi/php-cgi -i
<once gdb stops execution upon crash>
> bt all
  • giving your ./configure command with options passed eventually, e.g. ./configure --enable-debug --with-gmp ...

@VerifyL
Author

VerifyL commented Jun 18, 2024

Thanks, what would be helpful for us

  • running gdb from your source directory as follows
gdb -ex run --args sapi/cgi/php-cgi -i
<once gdb stops execution upon crash>
> bt all
  • giving your ./configure command with options passed eventually, e.g. ./configure --enable-debug --with-gmp ...

Hi,
No symbol table is loaded, and it's a cross-compilation environment.

php-cgi: /home/liuxiaoshuai/switch/OpenSSL-Based-Master/HOS-AOS86R2/sw/tps/objs/48/10/mips_common/php/Zend/zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed.

Program received signal SIGABRT, Aborted.
0x772865f8 in ?? ()
(gdb) bt all
No symbol table is loaded.  Use the "file" command.

My configuration is
configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --with-openssl=$(BUILT_BASE) --with-kerberos=yes --with-zlib=$(BUILT_BASE) --with-libxml-dir=$(BUILT_BASE) --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug

@devnexen
Member

What is the last release you successfully built w/o crash?

@VerifyL
Author

VerifyL commented Jun 19, 2024

What is the last release you successfully built w/o crash?

I tried to build it on 8.3.4, 8.1.29, 8.0.30, and all of them crashed. 5.6.40 didn't crash.

@devnexen
Member

I see. What about the 7.x series? Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clues.

@VerifyL
Author

VerifyL commented Jun 19, 2024

I see. What about the 7.x series? Maybe something needs to be done in the engine to cater with mips being BE since php took the high optimisation route, but hard to know for now w/o more clues.

Isn't php supporting openssl 3.0 since 8.x? My device adopted the openssl 3.

@devnexen
Member

Would it then be possible to try the following (off the top of my head)?

make clean
./configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --without-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug

The idea here is to test a more stripped-down binary version.

@VerifyL
Author

VerifyL commented Jun 19, 2024

Would it then be possible to try the following (off the top of my head)?

make clean
./configure --prefix=$(BUILT_BASE) --host=$(CCPREFIX) --with-config-file-path="/lib" --disable-filter --enable-ctype --without-iconv --without-pear --without-libxml --disable-xml --disable-xmlreader --disable-xmlwriter --disable-simplexml --disable-dom --disable-phar --disable-rpath --disable-fileinfo --enable-opcache=no --enable-debug

The idea here is to test a more stripped-down binary version.

Hi,
I tried it by following the steps above, but the error was the same as before.

zend_types.h:1372: zval_addref_p: Assertion `((*(pz)).u1.v.type_flags != 0)' failed

Thanks

@devnexen
Member

Well, what does your ENV env var look like?

@VerifyL
Author

VerifyL commented Jun 22, 2024

Well, what does your ENV env var look like?

Sorry, could you pls be more specific?
Thanks

@devnexen
Member

I meant env output.

@VerifyL
Author

VerifyL commented Jun 24, 2024

I meant env output.

Hi, @devnexen
$ENV is NULL in my env.
In addition, do you need other information?
Thanks

@devnexen
Member

I'm short of ideas for now; I'll try to have a look later this week and try different scenarios. If I need to, I'll ask you a few things. Cheers.

@VerifyL
Author

VerifyL commented Jun 27, 2024

Hi, @devnexen
It seems that Zend has another issue besides the above problem.
When I try to access a web page, php crashes.

Core was generated by `/bin/php-cgi -c /lib/wv_php.ini'.
Program terminated with signal 11, Segmentation fault.
#0  0x55f58b3c in zend_resource_dtor ()
(gdb) bt
#0  0x55f58b3c in zend_resource_dtor ()
#1  0x55f58f28 in zend_list_close ()
#2  0x55ebd710 in _php_stream_free ()
#3  0x55e979d0 in php_zend_stream_closer ()
#4  0x55ff9380 in zend_file_handle_dtor ()
#5  0x55f21e58 in zend_llist_del_element ()
#6  0x55ff9af4 in zend_destroy_file_handle ()
#7  0x560a6d9c in main ()

Thanks.

@devnexen
Member

Yes, sorry, I did not forget you; I'll get back to it in the following days.

@VerifyL
Author

VerifyL commented Jul 8, 2024

Yes, sorry, I did not forget you; I'll get back to it in the following days.

Hi, @devnexen
Is there any feedback?
Thanks

@devnexen
Member

devnexen commented Jul 8, 2024

No, did not find anything yet, sorry.

@VerifyL
Author

VerifyL commented Jul 15, 2024

No, did not find anything yet, sorry.

Hi, @devnexen

So what are the points of doubt on this issue?

And the following is the register information and compile information.

(gdb) disassemble 
Dump of assembler code for function zend_hash_find:
   0x55f11fec <+0>:     lui     gp,0x2a
   0x55f11ff0 <+4>:     addiu   gp,gp,5044
   0x55f11ff4 <+8>:     addu    gp,gp,t9
   0x55f11ff8 <+12>:    addiu   sp,sp,-56
   0x55f11ffc <+16>:    sw      ra,52(sp)
   0x55f12000 <+20>:    sw      s8,48(sp)
   0x55f12004 <+24>:    sw      s5,44(sp)
   0x55f12008 <+28>:    sw      s4,40(sp)
   0x55f1200c <+32>:    sw      s3,36(sp)
   0x55f12010 <+36>:    sw      s2,32(sp)
   0x55f12014 <+40>:    sw      s1,28(sp)
   0x55f12018 <+44>:    sw      s0,24(sp)
   0x55f1201c <+48>:    move    s8,sp
=> 0x55f12020 <+52>:    sw      gp,16(sp)
   0x55f12024 <+56>:    move    s1,a0
   0x55f12028 <+60>:    lw      t8,8(a1)
   0x55f1202c <+64>:    bnez    t8,0x55f12048 <zend_hash_find+92>
   0x55f12030 <+68>:    move    s0,a1
   0x55f12034 <+72>:    move    a0,a1
   0x55f12038 <+76>:    lw      t9,-27596(gp)
   0x55f1203c <+80>:    jalr    t9
   0x55f12040 <+84>:    nop
   0x55f12044 <+88>:    lw      gp,16(s8)
   0x55f12048 <+92>:    lw      s3,8(s0)
   0x55f1204c <+96>:    lw      s2,16(s1)
   0x55f12050 <+100>:   lw      t8,12(s1)
   0x55f12054 <+104>:   or      t8,s3,t8
   0x55f12058 <+108>:   sll     t8,t8,0x2
   0x55f1205c <+112>:   addu    t8,s2,t8
   0x55f12060 <+116>:   lw      s1,0(t8)
   0x55f12064 <+120>:   li      t8,-1
   0x55f12068 <+124>:   beq     s1,t8,0x55f120e8 <zend_hash_find+252>
   0x55f1206c <+128>:   addu    s1,s2,s1
   0x55f12070 <+132>:   lw      t8,20(s1)
   0x55f12074 <+136>:   beq     s0,t8,0x55f120f4 <zend_hash_find+264>
   0x55f12078 <+140>:   move    v0,s1
   0x55f1207c <+144>:   addiu   s5,s0,16
   0x55f12080 <+148>:   li      s4,-1
   0x55f12084 <+152>:   lw      t8,16(s1)
   0x55f12088 <+156>:   bne     s3,t8,0x55f120c8 <zend_hash_find+220>
   0x55f1208c <+160>:   nop
   0x55f12090 <+164>:   lw      a0,20(s1)
   0x55f12094 <+168>:   beqz    a0,0x55f120c8 <zend_hash_find+220>
   0x55f12098 <+172>:   nop
   0x55f1209c <+176>:   lw      a2,12(a0)
   0x55f120a0 <+180>:   lw      t8,12(s0)
   0x55f120a4 <+184>:   bne     a2,t8,0x55f120c8 <zend_hash_find+220>
   0x55f120a8 <+188>:   addiu   a0,a0,16
   0x55f120ac <+192>:   move    a1,s5
   0x55f120b0 <+196>:   lw      t9,-20640(gp)
   0x55f120b4 <+200>:   jalr    t9
   0x55f120b8 <+204>:   nop
   0x55f120bc <+208>:   lw      gp,16(s8)
   0x55f120c0 <+212>:   beqz    v0,0x55f120f4 <zend_hash_find+264>
   0x55f120c4 <+216>:   move    v0,s1
   0x55f120c8 <+220>:   lw      s1,12(s1)
   0x55f120cc <+224>:   beq     s1,s4,0x55f120f0 <zend_hash_find+260>
   0x55f120d0 <+228>:   addu    s1,s2,s1
   0x55f120d4 <+232>:   lw      t8,20(s1)
   0x55f120d8 <+236>:   bne     s0,t8,0x55f12084 <zend_hash_find+152>
   0x55f120dc <+240>:   nop
   0x55f120e0 <+244>:   b       0x55f120f4 <zend_hash_find+264>
   0x55f120e4 <+248>:   move    v0,s1
   0x55f120e8 <+252>:   b       0x55f120f4 <zend_hash_find+264>
   0x55f120ec <+256>:   move    v0,zero
   0x55f120f0 <+260>:   move    v0,zero
   0x55f120f4 <+264>:   move    sp,s8
   0x55f120f8 <+268>:   lw      ra,52(sp)
   0x55f120fc <+272>:   lw      s8,48(sp)
   0x55f12100 <+276>:   lw      s5,44(sp)
   0x55f12104 <+280>:   lw      s4,40(sp)
   0x55f12108 <+284>:   lw      s3,36(sp)
   0x55f1210c <+288>:   lw      s2,32(sp)
   0x55f12110 <+292>:   lw      s1,28(sp)
   0x55f12114 <+296>:   lw      s0,24(sp)
   0x55f12118 <+300>:   jr      ra
   0x55f1211c <+304>:   addiu   sp,sp,56
End of assembler dump

[WeCom screenshot attached to the original comment]

Thanks

@devnexen
Member

The root issue occurs likely before that but I have not found the time yet to go into this.

@VerifyL
Author

VerifyL commented Jul 16, 2024

The root issue occurs likely before that but I have not found the time yet to go into this.

OK, and from the compilation above, it seems that the stack is broken.

@VerifyL
Author

VerifyL commented Jul 18, 2024

Hi, @devnexen

There is an earlier error when executing "php-cgi -i".
It indicates that the error is at "php_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_GET]));", where the second parameter is NULL.

Thanks

@devnexen
Member

devnexen commented Jul 18, 2024

Oh, I think it's not normal that it's NULL. Empty (hashtable) yes, but not NULL.

@VerifyL
Author

VerifyL commented Jul 18, 2024

Oh, I think it's not normal that it's NULL. Empty (hashtable) yes, but not NULL.

Hi,
The following is the gdb information; the second parameter of php_autoglobal_merge, "src", is 0x0. It seems that "http_globals" wasn't initialized.

(gdb) bt
#0  0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)
    at php/main/php_variables.c:752
#1  0x55a26264 in php_auto_globals_create_request (name=0x55f15e58)
    at php/main/php_variables.c:936
#2  0x55aaeefc in zend_is_auto_global (name=0x77258038)
    at php/Zend/zend_compile.c:1913
#3  0x55934400 in php_print_gpcse_array (name=0x55e14a14 "_REQUEST",
    name_length=8)
    at php/ext/standard/info.c:175
#4  0x559363ec in php_print_info (flag=-1)
    at php/ext/standard/info.c:1023
#5  0x55d4ab78 in main (argc=2, argv=0x7ffffbd4)
    at php/sapi/cgi/cgi_main.c:2319

(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 55e14f46 772560a0 77200040 772560a0 00000000 55b01304 00000000
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   00000000 00000001 00000000 55455354 7ffff648 55ef7820 00000000 00000005
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  00000000 00000000 004fe008 00000000 004fe008 00000000 00000000 00000000
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 55a25038 7ffff6c4 00000000 55ef7820 7ffff600 7ffff600 55a26264
        status       lo       hi badvaddr    cause       pc
      00000413 00000000 00000000 00000008 08800008 55a25090
          fcsr      fir  restart
      00000000 00730000 00000000

Thanks

@devnexen
Member

Thanks, but what I'm saying:

#0 0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)

src should not be NULL; we need to figure out the root cause, which occurs somewhere else. I do not know the engine well enough, but I'll go back to it in a few days.

@VerifyL
Author

VerifyL commented Jul 18, 2024

Thanks, but what I'm saying:

#0 0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)

src should not be NULL; we need to figure out the root cause, which occurs somewhere else. I do not know the engine well enough, but I'll go back to it in a few days.

Ok, look forward to your reply.

@devnexen
Member

@VerifyL, let's try to move to the previous step. Would it be possible for you to put a breakpoint on php_auto_globals_create_get and go step by step within?

@VerifyL
Author

VerifyL commented Jul 22, 2024

@devnexen
Yes, I can.
However, php_auto_globals_create_get wasn't executed. It means that php is corrupted before executing php_auto_globals_create_get.
And I found that it skips the loop in zend_activate_auto_globals():
ZEND_HASH_MAP_FOREACH_PTR(CG(auto_globals), auto_global) is false whereas autoglobals is not NULL.

ZEND_API void zend_activate_auto_globals(void) /* {{{ */
{
    zend_auto_global *auto_global;

    ZEND_HASH_MAP_FOREACH_PTR(CG(auto_globals), auto_global) {
        if (auto_global->jit) {
            auto_global->armed = 1;
        } else if (auto_global->auto_global_callback) {
            auto_global->armed = auto_global->auto_global_callback(auto_global->name);
        } else {
            auto_global->armed = 0;
        }
    } ZEND_HASH_FOREACH_END();
}



Program received signal SIGSEGV, Segmentation fault.
0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)
    at php/main/php_variables.c:752
752     in php/main/php_variables.c

(gdb) info b
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x55a2555c in php_auto_globals_create_get
                                           at php/main/php_variables.c:789
(gdb) bt
#0  0x55a25090 in php_autoglobal_merge (dest=0x772560a0, src=0x0)
    at php/main/php_variables.c:752
#1  0x55a26264 in php_auto_globals_create_request (name=0x55f15e58)
    at php/main/php_variables.c:936
#2  0x55aaeefc in zend_is_auto_global (name=0x77258038)
    at php/Zend/zend_compile.c:1913
#3  0x55934400 in php_print_gpcse_array (name=0x55e14a14 "_REQUEST",
    name_length=8)
    at php/ext/standard/info.c:175
#4  0x559363ec in php_print_info (flag=-1)
    at php/ext/standard/info.c:1023
#5  0x55d4ab78 in main (argc=2, argv=0x7ffffbd4)
    at php/sapi/cgi/cgi_main.c:2319



(gdb) p *compiler_globals.auto_globals
$2 = {gc = {refcount = 1, u = {type_info = 151}}, u = {v = {flags = 0 '\000',
      _unused = 0 '\000', nIteratorsCount = 0 '\000', _unused2 = 16 '\020'},
    flags = 16}, nTableMask = 4294967280, {arHash = 0x55f25e88,
    arData = 0x55f25e88, arPacked = 0x55f25e88}, nNumUsed = 8,
  nNumOfElements = 8, nTableSize = 8, nInternalPointer = 0,
  nNextFreeElement = -2147483648, pDestructor = 0x55b054e8 <auto_global_dtor>}

@devnexen
Member

However, php_auto_globals_create_get wasn't executed

Thanks for confirming my suspicion; this was the only way I could reproduce locally, by disabling this call. Now, need to figure out why.

@devnexen
Member

devnexen commented Aug 4, 2024

Hi, is zend_register_auto_global ever called by any chance?

@VerifyL
Author

VerifyL commented Jan 2, 2025

@devnexen Hello, the issue has been solved. Need to set as Big-endian. Thanks
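The resolution (configure the build as big-endian) fits the gdb dump of CG(auto_globals) earlier in the thread, where u.flags is 16 but v.flags reads 0 and _unused2 reads 16: php-src's Zend/zend_types.h declares the byte fields of zval.u1 and HashTable.u in the memory order chosen by ZEND_ENDIAN_LOHI_3/ZEND_ENDIAN_LOHI_4 from WORDS_BIGENDIAN, so a cross-build that was not told the target is big-endian reads the wrong byte. The C program below is an added example, not code from the issue or from php-src: it simulates decoding a big-endian MIPS word through both layouts; the helper and type names are mine, the constant values are php-src's.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the values used in php-src Zend/zend_types.h. */
#define IS_UNDEF              0
#define IS_ARRAY              7
#define IS_TYPE_REFCOUNTED    (1u << 0)
#define IS_TYPE_COLLECTABLE   (1u << 1)
#define Z_TYPE_FLAGS_SHIFT    8
#define IS_ARRAY_EX           (IS_ARRAY | ((IS_TYPE_REFCOUNTED | IS_TYPE_COLLECTABLE) << Z_TYPE_FLAGS_SHIFT)) /* 775 */
#define HASH_FLAG_STATIC_KEYS (1u << 4) /* 16: the u.flags value shown in the gdb dump */

/* The four bytes of a 32-bit word as they sit in the TARGET CPU's memory. */
typedef struct { uint8_t b[4]; } word_bytes;

static word_bytes store_u32(uint32_t v, int target_big_endian)
{
    word_bytes w;
    for (int i = 0; i < 4; i++) {
        int shift = target_big_endian ? (3 - i) * 8 : i * 8;
        w.b[i] = (uint8_t)(v >> shift);
    }
    return w;
}

static uint16_t load_u16(const uint8_t *p, int target_big_endian)
{
    return target_big_endian ? (uint16_t)((p[0] << 8) | p[1])
                             : (uint16_t)(p[0] | (p[1] << 8));
}

/* Field view of zval.u1, declared as ZEND_ENDIAN_LOHI_3(type, type_flags, extra). */
typedef struct { uint8_t type; uint8_t type_flags; uint16_t extra; } zval_u1_v;

/* Field view of HashTable.u, declared as ZEND_ENDIAN_LOHI_4(flags, _unused, nIteratorsCount, _unused2). */
typedef struct { uint8_t flags, _unused, nIteratorsCount, _unused2; } ht_u_v;

/* build_big_endian is what WORDS_BIGENDIAN claimed at compile time;
 * target_big_endian is the byte order of the CPU that actually runs the binary. */
static zval_u1_v decode_zval_u1(uint32_t type_info, int target_big_endian, int build_big_endian)
{
    word_bytes w = store_u32(type_info, target_big_endian);
    zval_u1_v v;
    if (build_big_endian) {
        /* LOHI_3 expands to "extra; type_flags; type;": type is the LAST byte */
        v.extra = load_u16(&w.b[0], target_big_endian);
        v.type_flags = w.b[2];
        v.type = w.b[3];
    } else {
        /* LOHI_3 expands to "type; type_flags; extra;": type is the FIRST byte */
        v.type = w.b[0];
        v.type_flags = w.b[1];
        v.extra = load_u16(&w.b[2], target_big_endian);
    }
    return v;
}

static ht_u_v decode_ht_u(uint32_t flags_word, int target_big_endian, int build_big_endian)
{
    word_bytes w = store_u32(flags_word, target_big_endian);
    ht_u_v v;
    if (build_big_endian) {
        /* LOHI_4 expands to "_unused2; nIteratorsCount; _unused; flags;" */
        v._unused2 = w.b[0]; v.nIteratorsCount = w.b[1]; v._unused = w.b[2]; v.flags = w.b[3];
    } else {
        /* LOHI_4 expands to "flags; _unused; nIteratorsCount; _unused2;" */
        v.flags = w.b[0]; v._unused = w.b[1]; v.nIteratorsCount = w.b[2]; v._unused2 = w.b[3];
    }
    return v;
}

/* What ZEND_HASH_MAP_FOREACH does per bucket: a slot whose Z_TYPE reads IS_UNDEF is skipped,
 * which is how a fully populated auto_globals table can look empty to zend_activate_auto_globals(). */
static int bucket_is_skipped(uint32_t type_info, int target_big_endian, int build_big_endian)
{
    return decode_zval_u1(type_info, target_big_endian, build_big_endian).type == IS_UNDEF;
}

static void show(const char *label, int build_big_endian)
{
    const int mips_be = 1;  /* the reporter's target: 32-bit MIPS, big-endian */
    zval_u1_v z = decode_zval_u1(IS_ARRAY_EX, mips_be, build_big_endian);
    ht_u_v h = decode_ht_u(HASH_FLAG_STATIC_KEYS, mips_be, build_big_endian);
    printf("%s: zval type=%u type_flags=%u | HashTable flags=%u _unused2=%u | foreach skips bucket: %s\n",
           label, (unsigned)z.type, (unsigned)z.type_flags, (unsigned)h.flags, (unsigned)h._unused2,
           bucket_is_skipped(IS_ARRAY_EX, mips_be, build_big_endian) ? "yes" : "no");
}

int main(void)
{
    /* The first line reproduces the dump's "v.flags = 0, _unused2 = 16" and the
     * "type_flags != 0" assertion failure; the second is what the fixed build sees. */
    show("WORDS_BIGENDIAN unset (the reported build)", 0);
    show("WORDS_BIGENDIAN set   (the fix)           ", 1);
    return 0;
}
```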

devnexen closed this as not planned on Jan 2, 2025