ID: 46074
Comment by: dgarciacampos at gmail dot com
Reported By: neko at nekochan dot net
Status: Assigned
Bug Type: Reproducible crash
Operating System: IRIX 6.5.30
PHP Version: 5.3.0alpha2
Assigned To: dmitry
New Comment:
I just finished compiling and "make test"ing php on a linux-sparc
machine.
bash-3.2$ uname -a
Linux gcars0kq 2.6.27.12-78.2.9.fc9.sparc64.smp #1 SMP Sat Jan 24
22:46:27 EST 2009 sparc64 sparc64 sparc64 GNU/Linux
I'd like to point out that the last patch from the e-mail thread below
is slightly wrong (thread heading: [12 Jul 5:20am UTC] pogma at
thewrittenword dot com).
The changes made to Zend/zend_vm_execute.h are somewhat misleading.
If anybody needs a copy of this file or the other two files
mentioned in the patch, I can gladly send them to you; just e-mail me at
dgarciacampos at gmail dot com.
Thanks,
David A. Garcia-Campos
Previous Comments:
------------------------------------------------------------------------
[2009-07-14 02:49:51] pogma at thewrittenword dot com
Well, even though it built and tested ok, the patch had an error.
+ sizeof(temp_variable) * op_array->T TSRMLS_CC));
should be
+ sizeof(temp_variable) * op_array->T) TSRMLS_CC);
Seems to be that building php with an apxs that was built with
mpm=worker requires this.
------------------------------------------------------------------------
[2009-07-12 17:56:14] neko at nekochan dot net
I've tested the new patch and it is also working well on IRIX. Thanks
much!
------------------------------------------------------------------------
[2009-07-12 05:20:52] pogma at thewrittenword dot com
Ok, so the problem is that, by changing the size of execute_data and
the alignment of the Ts member, when an exception occurs, zend no longer
knows when to stop unwinding the stack.
We added another member to execute_data that keeps a record of the
stack top at the time of creation. We can no longer get there via the Ts
member, because we may have moved it, and the variables used to
calculate it, though they are stored in the execute_data struct, are not
constant and may have different values at stack unwind time.
We see far fewer problems on ia64-hp-hpux with this patch.
Index: Zend/zend.c
===================================================================
--- Zend/zend.c.orig 2009-07-11 02:57:58.525910184 +0000
+++ Zend/zend.c 2009-07-11 02:59:39.702014580 +0000
@@ -271,12 +276,12 @@
}
break;
case IS_DOUBLE:
- *expr_copy = *expr;
+ memcpy(expr_copy,expr,sizeof(zval));
zval_copy_ctor(expr_copy);
zend_locale_sprintf_double(expr_copy
ZEND_FILE_LINE_CC);
break;
default:
- *expr_copy = *expr;
+ memcpy(expr_copy,expr,sizeof(zval));
zval_copy_ctor(expr_copy);
convert_to_string(expr_copy);
break;
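Review bot: both `memcpy(expr_copy,expr,sizeof(zval));` lines replace a plain struct assignment with a byte copy and give no reason, so a later cleanup will read them as a no-op and revert them; add a one-line comment at each site stating why the assignment form is being avoided, since the patch description above only talks about execute_data alignment and never explains these zval copies.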
Index: Zend/zend_vm_execute.h
===================================================================
--- Zend/zend_vm_execute.h.orig 2009-07-12 00:32:46.000000000 +0000
+++ Zend/zend_vm_execute.h 2009-07-12 01:38:46.131809202 +0000
@@ -35,6 +35,22 @@
#undef EX
#define EX(element) execute_data->element
+#ifndef ZEND_MM_ALIGNMENT
+# define ZEND_MM_ALIGNMENT 8
+# define ZEND_MM_ALIGNMENT_LOG2 3
+#elif ZEND_MM_ALIGNMENT < 4
+# undef ZEND_MM_ALIGNMENT
+# undef ZEND_MM_ALIGNMENT_LOG2
+# define ZEND_MM_ALIGNMENT 4
+# define ZEND_MM_ALIGNMENT_LOG2 2
+#endif
+#ifndef ZEND_MM_ALIGNMENT_MASK
+#define ZEND_MM_ALIGNMENT_MASK ~(ZEND_MM_ALIGNMENT-1)
+#endif
+/* Aligned header size */
+#ifndef ZEND_MM_ALIGNED_SIZE
+#define ZEND_MM_ALIGNED_SIZE(size) ((size + ZEND_MM_ALIGNMENT - 1) &
ZEND_MM_ALIGNMENT_MASK)
+#endif
ZEND_API void execute(zend_op_array *op_array TSRMLS_DC)
{
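Review bot: the `ZEND_MM_ALIGNED_SIZE(size)` macro does not parenthesise its argument, so it works for the `(size_t)(...)` call below only because that argument is already a cast expression; write it as `(((size) + ZEND_MM_ALIGNMENT - 1) & ZEND_MM_ALIGNMENT_MASK)`. The `ZEND_MM_` prefix also suggests these `#ifndef` blocks mirror the memory manager's own definitions; if so, include the header they live in rather than duplicating them here, otherwise the VM and the allocator can silently end up with different alignment values.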
@@ -52,13 +68,14 @@
zend_vm_enter:
/* Initialize execute_data */
execute_data = (zend_execute_data *)zend_vm_stack_alloc(
+ (ZEND_MM_ALIGNMENT -1) + (
sizeof(zend_execute_data) +
sizeof(zval**) * op_array->last_var *
(EG(active_symbol_table) ? 1 : 2) +
- sizeof(temp_variable) * op_array->T TSRMLS_CC);
-
+ sizeof(temp_variable) * op_array->T TSRMLS_CC));
EX(CVs) = (zval***)((char*)execute_data +
sizeof(zend_execute_data));
memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);
- EX(Ts) = (temp_variable *)(EX(CVs) + op_array->last_var *
(EG(active_symbol_table) ? 1 : 2));
+ EX(top) = zend_vm_stack_top(TSRMLS_C);
+ EX(Ts) = (temp_variable *)
ZEND_MM_ALIGNED_SIZE((size_t)(EX(CVs) + op_array->last_var *
(EG(active_symbol_table) ? 1 : 2)));
EX(fbc) = NULL;
EX(called_scope) = NULL;
EX(object) = NULL;
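Review bot: the closing parenthesis in the added `sizeof(temp_variable) * op_array->T TSRMLS_CC));` line is in the wrong place: the `(` opened on the `+ (ZEND_MM_ALIGNMENT -1) + (` line must close before the macro argument, i.e. `sizeof(temp_variable) * op_array->T) TSRMLS_CC);`, otherwise this only compiles when TSRMLS_CC expands to nothing (non-ZTS builds). Also worth a comment next to `EX(top) = zend_vm_stack_top(TSRMLS_C);` saying this is the value the exception unwind loop compares against, since that is the whole point of the new member.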
@@ -602,10 +619,7 @@
int catched = 0;
zval restored_error_reporting;
- void **stack_frame = (void**)EX(Ts) +
- (sizeof(temp_variable) * EX(op_array)->T) /
sizeof(void*);
-
- while (zend_vm_stack_top(TSRMLS_C) != stack_frame) {
+ while (zend_vm_stack_top(TSRMLS_C) != EX(top)) {
zval *stack_zval_p = zend_vm_stack_pop(TSRMLS_C);
zval_ptr_dtor(&stack_zval_p);
}
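Review bot: the loop now stops on `EX(top)`, which this patch initialises at exactly one place (the allocation in execute()); any other code path that builds a zend_execute_data and later reaches this handler would compare against an uninitialised pointer and keep popping past its frame, so every other initialiser of execute_data needs the same `EX(top) = zend_vm_stack_top(TSRMLS_C);` before this is merged.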
Index: Zend/zend_execute.c
===================================================================
--- Zend/zend_execute.c.orig 2009-07-11 02:57:58.486572714 +0000
+++ Zend/zend_execute.c 2009-07-11 02:59:40.324003151 +0000
@@ -135,7 +135,7 @@
#define IS_TMP_FREE(should_free) ((zend_uintptr_t)should_free.var &
1L)
#define INIT_PZVAL_COPY(z,v) \
- (z)->value = (v)->value; \
+ memcpy(&((z)->value),&((v)->value),sizeof(zvalue_value)); \
Z_TYPE_P(z) = Z_TYPE_P(v); \
Z_SET_REFCOUNT_P(z, 1); \
Z_UNSET_ISREF_P(z);
@@ -722,7 +722,7 @@
} else {
ALLOC_ZVAL(*variable_ptr_ptr);
Z_SET_REFCOUNT_P(value, 1);
- **variable_ptr_ptr = *value;
+
memcpy(*variable_ptr_ptr,value,sizeof(zval));
}
}
Z_UNSET_ISREF_PP(variable_ptr_ptr);
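Review bot: the replacement line is split by mail wrapping: `+` stands alone and `memcpy(*variable_ptr_ptr,value,sizeof(zval));` follows with no diff marker, so this hunk will not apply with patch(1) as posted; reattach the body to the `+` line. The same wrapping has detached the tails of other long lines in this mail (for example `ZEND_MM_ALIGNMENT_MASK)` and `sizeof(void*);`), so the patch should be re-sent as an attachment.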
Index: Zend/zend_compile.h
===================================================================
--- Zend/zend_compile.h.orig 2009-07-10 03:47:36.000000000 +0000
+++ Zend/zend_compile.h 2009-07-12 01:37:37.230504746 +0000
@@ -324,6 +324,7 @@
zval *current_this;
zval *current_object;
struct _zend_op *call_opline;
+ void **top;
};
#define EX(element) execute_data.element
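Review bot: the new `void **top;` member is undocumented; give it a trailing comment saying it records the VM stack top at frame creation for the exception unwind loop, and that it is only meaningful for frames allocated through execute().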
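As an added illustration of the stack-top problem described in this comment (my own constructed model, not code from the patch or from PHP): once Ts is rounded up and the allocation request is padded by ALIGNMENT-1 bytes, the frame end recomputed from Ts and op_array->T no longer coincides with the stack top the allocator actually returned, which is why the patch stores it in EX(top) instead. The type sizes and the byte-exact allocator are assumptions chosen to make the gap visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Zend types (assumed sizes, not the real
   layout): the header ends 4-byte but not 8-byte aligned on purpose. */
typedef struct { char bytes[20]; } frame_hdr;  /* plays zend_execute_data */
typedef void  *cv_slot;                        /* plays zval** (one CV)   */
typedef struct { char bytes[16]; } temp_var;   /* plays temp_variable     */

#define ALIGNMENT 8
#define ALIGNED_SIZE(size) (((size) + ALIGNMENT - 1) & ~(uintptr_t)(ALIGNMENT - 1))

typedef struct { uintptr_t cvs, ts, top; } frame;  /* EX(CVs), EX(Ts), EX(top) */

/* Lay out one frame at `base` as the patched execute() does; the allocator is
   assumed to return exactly the requested bytes, so the ALIGNMENT-1 slack
   added to the request ends up at the top of the frame. */
static frame lay_out(uintptr_t base, size_t last_var, size_t t_count)
{
    frame f;
    size_t request = (ALIGNMENT - 1) + sizeof(frame_hdr)
                   + sizeof(cv_slot) * last_var + sizeof(temp_var) * t_count;
    f.cvs = base + sizeof(frame_hdr);
    f.ts  = ALIGNED_SIZE(f.cvs + sizeof(cv_slot) * last_var);
    f.top = base + request;
    return f;
}

/* The pre-patch unwind loop's stop pointer: the frame end recomputed from
   Ts and op_array->T instead of a stored value. */
static uintptr_t derived_top(const frame *f, size_t t_count)
{
    return f->ts + sizeof(temp_var) * t_count;
}

/* Bytes by which the recomputed end misses the real stack top; anything but
   0 means the old `while (stack_top != stack_frame)` loop cannot stop. */
static long unwind_gap(uintptr_t base, size_t last_var, size_t t_count)
{
    frame f = lay_out(base, last_var, t_count);
    return (long)(f.top - derived_top(&f, t_count));
}

int main(void)
{
    printf("gap = %ld bytes\n", unwind_gap(0x1000, 1, 2)); /* gap = 3 bytes */
    return 0;
}
```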
------------------------------------------------------------------------
[2009-07-11 17:53:35] neko at nekochan dot net
It's still a huge leap in the right direction. I've been running phpBB3,
MediaWiki and Gallery2 under it since shortly after you posted the patch
and it's been nothing but fast and stable so far. Previously, I was
confined to using the 5.2.X branch under IRIX.
Many thanks for tracking this down.
------------------------------------------------------------------------
[2009-07-11 02:13:50] pogma at thewrittenword dot com
Failing a lot of tests. Patch must not be 100% correct. :(
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/46074