From:             porwig at uci dot edu
Operating system: RHEL 4
PHP version:      5.2.6
PHP Bug Type:     Reproducible crash
Bug description:  Memory allocation errors on typecast of array to object

Description:
------------
Reproducible crashes occur in zend_assign_to_variable on typecast from
array to object.  Refer to bug #44323 for a code example of the issue.

Reproduce code:
---------------
See bug #44323 -- this occurs in a large Moodle installation, which is
hard to isolate.

Expected result:
----------------
PHP should not crash.

Actual result:
--------------
Backtrace of code:

GNU gdb Red Hat Linux (6.3.0.0-1.153.el4_6.2rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/tls/libthread_db.so.1".

Core was generated by `/local/www/bin/httpd'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib64/tls/libm.so.6...done.
Loaded symbols for /lib64/tls/libm.so.6
Reading symbols from /var/local/www/lib/libaprutil-1.so.0...done.
Loaded symbols for /var/local/www/lib/libaprutil-1.so.0
Reading symbols from /usr/lib64/libexpat.so.0...done.
Loaded symbols for /usr/lib64/libexpat.so.0
Reading symbols from /var/local/www/lib/libapr-1.so.0...done.
Loaded symbols for /var/local/www/lib/libapr-1.so.0
Reading symbols from /lib64/libuuid.so.1...done.
Loaded symbols for /lib64/libuuid.so.1
Reading symbols from /lib64/tls/librt.so.1...done.
Loaded symbols for /lib64/tls/librt.so.1
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/tls/libpthread.so.0...done.
Loaded symbols for /lib64/tls/libpthread.so.0
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/tls/libc.so.6...done.
Loaded symbols for /lib64/tls/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_nis.so.2...done.
Loaded symbols for /lib64/libnss_nis.so.2
Reading symbols from /var/local/www/modules/libphp5.so...done.
Loaded symbols for /var/local/www/modules/libphp5.so
Reading symbols from /usr/lib64/libmysqlclient.so.15...done.
Loaded symbols for /opt/lib/libmysqlclient.so.15
Reading symbols from /usr/lib64/libldap-2.2.so.7...done.
Loaded symbols for /opt/lib/libldap-2.2.so.7
Reading symbols from /usr/lib64/liblber-2.2.so.7...done.
Loaded symbols for /opt/lib/liblber-2.2.so.7
Reading symbols from /usr/lib64/libttf.so.2...done.
Loaded symbols for /opt/lib/libttf.so.2
Reading symbols from /usr/lib64/libpng12.so.0...done.
Loaded symbols for /opt/lib/libpng12.so.0
Reading symbols from /usr/lib64/libz.so.1...done.
Loaded symbols for /opt/lib/libz.so.1
Reading symbols from /usr/lib64/libjpeg.so.62...done.
Loaded symbols for /opt/lib/libjpeg.so.62
Reading symbols from /usr/lib64/libbz2.so.1...done.
Loaded symbols for /opt/lib/libbz2.so.1
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libssl.so.4...done.
Loaded symbols for /lib64/libssl.so.4
Reading symbols from /lib64/libcrypto.so.4...done.
Loaded symbols for /lib64/libcrypto.so.4
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...done.
Loaded symbols for /opt/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...done.
Loaded symbols for /opt/lib/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...done.
Loaded symbols for /opt/lib/libk5crypto.so.3
Reading symbols from /usr/lib64/libxml2.so.2...done.
Loaded symbols for /opt/lib/libxml2.so.2
Reading symbols from /usr/lib64/libsasl2.so.2...done.
Loaded symbols for /opt/lib/libsasl2.so.2
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/memcache.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/memcache.so
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/fileinfo.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/fileinfo.so
Reading symbols from /usr/lib64/libmagic.so.1...done.
Loaded symbols for /usr/lib64/libmagic.so.1
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/apc.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/apc.so
Reading symbols from /lib64/libnss_dns.so.2...done.
Loaded symbols for /lib64/libnss_dns.so.2
#0  0x00000034e322e25d in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00000034e322e25d in raise () from /lib64/tls/libc.so.6
#1  0x00000034e322fa5e in abort () from /lib64/tls/libc.so.6
#2  0x00000034e32635e1 in __libc_message () from /lib64/tls/libc.so.6
#3  0x00000034e32691ee in _int_free () from /lib64/tls/libc.so.6
#4  0x00000034e3269586 in free () from /lib64/tls/libc.so.6
#5  0x0000002a95c38e86 in zend_assign_to_variable (result=0x2a9beea568, op1=Variable "op1" is not available.
)
    at /local/src/php-5.2.5/Zend/zend_execute.c:767
#6  0x0000002a95c7666a in ZEND_ASSIGN_DIM_SPEC_VAR_CV_HANDLER (execute_data=0x7fbfff3e80)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:14215
#7  0x0000002a95c39f01 in execute (op_array=0x1aa80f0) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#8  0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffac50)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#9  0x0000002a95c39f01 in execute (op_array=0x1ad4700) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#10 0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffc390)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#11 0x0000002a95c39f01 in execute (op_array=0x1ac4d50) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#12 0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffcf60)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#13 0x0000002a95c39f01 in execute (op_array=0x11b0530) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#14 0x0000002a95c1b194 in zend_execute_scripts (type=8, retval=Variable "retval" is not available.
) at /local/src/php-5.2.5/Zend/zend.c:1134
#15 0x0000002a95bd897d in php_execute_script (primary_file=0x7fbffff430) at /local/src/php-5.2.5/main/main.c:2004
#16 0x0000002a95ca9ff6 in php_handler (r=0x893098) at /local/src/php-5.2.5/sapi/apache2handler/sapi_apache2.c:631
#17 0x0000000000434923 in ap_run_handler (r=0x893098) at config.c:157
#18 0x0000000000434dc1 in ap_invoke_handler (r=0x893098) at config.c:372
#19 0x0000000000462380 in ap_process_request (r=0x893098) at http_request.c:258
#20 0x000000000045fb6d in ap_process_http_connection (c=0x882f68) at http_core.c:190
#21 0x000000000043b2e3 in ap_run_process_connection (c=0x882f68) at connection.c:43
#22 0x000000000047c0e0 in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at prefork.c:640
#23 0x000000000047c434 in make_child (s=0x5c7938, slot=6) at prefork.c:736
#24 0x000000000047cfb9 in ap_mpm_run (_pconf=Variable "_pconf" is not available.
) at prefork.c:871
#25 0x00000000004225c5 in main (argc=Variable "argc" is not available.
) at main.c:730


Valgrind report (on snippet from other bug)
==3083== Memcheck, a memory error detector.
==3083== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==3083== Using LibVEX rev 1575, a library for dynamic binary translation.
==3083== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==3083== Using valgrind-3.1.1, a dynamic binary instrumentation framework.
==3083== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==3083== For more details, rerun with: -v
==3083== 
==3083== Conditional jump or move depends on uninitialised value(s)
==3083==    at 0x69BC61: _zval_ptr_dtor (zend_execute_API.c:413)
==3083==    by 0x6C9415: zend_assign_to_variable (zend_execute.c:767)
==3083==    by 0x71F0A7: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:21203)
==3083==    by 0x6CA490: execute (zend_vm_execute.h:92)
==3083==    by 0x6AB723: zend_execute_scripts (zend.c:1134)
==3083==    by 0x668F0C: php_execute_script (main.c:2004)
==3083==    by 0x73AF4E: main (php_cli.c:1140)
==3083== 
==3083== Conditional jump or move depends on uninitialised value(s)
==3083==    at 0x69BC82: _zval_ptr_dtor (zend_execute_API.c:416)
==3083==    by 0x6C9415: zend_assign_to_variable (zend_execute.c:767)
==3083==    by 0x71F0A7: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:21203)
==3083==    by 0x6CA490: execute (zend_vm_execute.h:92)
==3083==    by 0x6AB723: zend_execute_scripts (zend.c:1134)
==3083==    by 0x668F0C: php_execute_script (main.c:2004)
==3083==    by 0x73AF4E: main (php_cli.c:1140)

==3083== 
==3083== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 4 from 1)
==3083== malloc/free: in use at exit: 36,832 bytes in 1,174 blocks.
==3083== malloc/free: 14,183 allocs, 13,009 frees, 2,273,429 bytes allocated.
==3083== For counts of detected errors, rerun with: -v
==3083== searching for pointers to 1,174 not-freed blocks.
==3083== checked 2,430,768 bytes.
==3083== 
==3083== LEAK SUMMARY:
==3083==    definitely lost: 96 bytes in 2 blocks.
==3083==      possibly lost: 0 bytes in 0 blocks.
==3083==    still reachable: 36,736 bytes in 1,172 blocks.
==3083==         suppressed: 0 bytes in 0 blocks.
==3083== Use --leak-check=full to see details of leaked memory.


-- 
Edit bug report at http://bugs.php.net/?id=45255&edit=1