Re: [PHP-DEV] ZE2 broken by newer gcc

Mon, 12 Sep 2011 05:35:48 -0700 

On 09/12/2011 08:45 AM, Dmitry Stogov wrote:

Hi Flavius,

Unfortunately, the proposed fix is wrong.
It changes the operators precedence and it's definitely wrong.
I suppose the crash caused by side effect of some other bug.

Try to run the same script with valgrind.

Thanks. Dmitry.
Please test the following POC with gcc 4.6.1 on x64 first (perhaps slightly earlier versions behave the same, but this one is for sure), the dump_container() function simulates what the ZE does in zend_call_function() and many other places. You can also look at what valgrind says too and compare. I haven't dwelt on it at the ASM level, but certainly something has changed. My bet is that GCC has had wrong the operator precedence, and now they've fixed it.
I'm not speaking from my imagination, I'm speaking from what I've seen and what I've tested, in practice. No theory. In the "meta" extension I am calling zend_call_function(), which is how I've discovered this. The POC resembles what is happenning as close as possible. 


#include <stdio.h>
#include <stdlib.h>

#define NUMS 10

/* a "zval" */
typedef struct _foo {
    char *t;
    int i;
} foo;

/* a "zend_fcall_info" */
typedef struct _foo_container {
    foo ***foos;
} container;

foo** init_foos(void) {
    foo** f, *f2;
    int i;
    f = malloc(sizeof(foo*)*NUMS);
    for(i=0; i < NUMS; i++) {
        f2 = malloc(sizeof(foo));
        printf("allocated %p ", f2);
        f[i] = f2;
        f[i]->i = i*11+1;
        printf("with value %d\n", i*11+1);
    }
    return f;
}

void dump_container(container *c) {
    int i;
    for(i=0; i < NUMS; i++) {
        //working:
        printf("foo[%d]=%d at %p\n", i, (*c->foos)[i]->i, (*c->foos)[i]);
//similar to ZE, crashing (not at i=0, but on my machine at i=1 it already delivers garbage, at i=2 it finnaly crashes 
        //if you're lucky, increase NUMS at the top
        printf("foo[%d]=%d at %p\n", i, (*c->foos)[i]->i, *c->foos[i]);
    }
}

int main(void) {
    container c;
    foo **foos;

    foos = init_foos();

    c.foos = &foos;
    int i;
    for(i=0; i < NUMS; i++) {
        printf("%d %d at %p\n", i, foos[i]->i, foos[i]);
    }
    printf("------------------\n");
    dump_container(&c);
    free(foos);
    return EXIT_SUCCESS;
}



--
What I cannot create, I do not understand. -- Feynman

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to