From:             
Operating system: Debian GNU/Linux 4.0
PHP version:      5.2SVN-2010-03-10 (SVN)
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Segfault because of wrong memory allocation

Description:
------------
Hello,

I have found a bug in the _emalloc logic where an allocation returns a pointer
to a cached block smaller than requested; when this block is used, some
memory after it gets corrupted and we get a segfault.

The problem is reproducible with our project code, which is a version of
papaya cms, but I am not able to reconstruct all the circumstances in an
example script to send you, sorry. I am debugging it myself, but may need
some help from you to understand exactly how memory allocation works here
and where such an error would be possible: the wrong pointer comes from the
case on lines 1778...1790 in zend_alloc.c:

if (EXPECTED(heap->cache[index] != NULL)) { ...

Also, that is a previously freed cached block, but I actually have no idea
where I should look further. Please give me some advice.



My configuration:



PHP Version from
http://svn.php.net/repository/php/php-src/branches/PHP_5_2

Revision: 296029

compiled with ./configure --disable-cli --disable-cgi --disable-fastcgi
--with-apxs2=/usr/bin/apxs2 --enable-debug --with-mysql --with-xsl

OS: Debian GNU/Linux 4.0



I have also tested this problem on a build from the current 5.3 branch, but
was not able to reproduce it, perhaps because of the many changes in other
logic there. But if this bug really comes from the _zend_mm_alloc_int
function, its code did not change in 5.3 and the problem may also occur
there.

The bug is not critical for our company; we have found a workaround with
which it is not triggered any more, but this is of course not a solution,
and I want to repair it at the source.





Thank you in advance,



Viktor Gotwig.

Actual result:
--------------
My debugging:



br /data/extern/php_svn/php-src-5.2/Zend/zend_alloc.c:1761

#0  _zend_mm_alloc_int (heap=0x81de2a0, size=41) at
/data/extern/php_svn/php-src-5.2/Zend/zend_alloc.c:1761

#1  0xb767fbb5 in zend_is_callable_ex (callable=0xb6c420cc, check_flags=0,
callable_name=0xbf87c2f4, callable_name_len=0xbf87c278, ce_ptr=0xbf87c274,

    fptr_ptr=0xbf87c26c, zobj_ptr_ptr=0xbf87c268) at
/data/extern/php_svn/php-src-5.2/Zend/zend_API.c:2287

#2  0xb767ff97 in zend_is_callable (callable=0xb6c420cc, check_flags=0,
callable_name=0xbf87c2f4) at
/data/extern/php_svn/php-src-5.2/Zend/zend_API.c:2363

#3  0xb74bd2a4 in preg_replace_impl (ht=3, return_value=0xb6c42290,
return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1,

    is_callable_replace=1 '\001') at
/data/extern/php_svn/php-src-5.2/ext/pcre/php_pcre.c:1319



(gdb) x/21wx 0x81de2a0

0x81de2a0:      0x00000001      0x00000002      0x00025000      0x00040000

0x81de2b0:      0x00200000      0xb6b89008      0x0818b4f0      0x00340000

0x81de2c0:      0x00340000      0x08000000      0x00306030      0x0030c124

0x81de2d0:      0x00002000      0xb6fcd018      0x00000000      0x00000000

0x81de2e0:      0x00001bfc      0xb6c2b22c      0xb6c41b10      0x00000000

0x81de2f0:      0xb6c41f50



until /data/extern/php_svn/php-src-5.2/Zend/zend_alloc.c:1934



(gdb) p/x $eax

$8 = 0xb6c4207c

(gdb) x/21wx 0x81de2a0

0x81de2a0:      0x00000001      0x00000002      0x00025000      0x00040000

0x81de2b0:      0x00200000      0xb6b89008      0x0818b4f0      0x00340000

0x81de2c0:      0x00340000      0x08000000      0x00306030      0x0030c124

0x81de2d0:      0x00002000      0xb6fcd018      0x00000000      0x00000000

0x81de2e0:      0x00001bc8      0xb6c2b22c      0xb6c41b10      0x00000000

0x81de2f0:      0xb6c41f50



(gdb) x/20wx $eax-8

0xb6c42074:     0x00000035      0x00000019      0x00000000      0x74556179

0xb6c42084:     0x74536c69      0x676e6972      0x38667455      0x6e653a3a

0xb6c42094:     0x65727573      0x72616843      0x6c6c6143      0x6b636162

0xb6c420a4:     0x5c2d3000      0x0000001d      0x00000035      0x00000000

0xb6c420b4:     0x68636572      0x61637261      0x61626c6c      0x20006b63

(gdb) x/s 0xb6c42080

0xb6c42080:      "yaUtilStringUtf8::ensureCharCallback"
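Added example, not part of the bug report or of PHP's source: a constructed C
model of a per-size-class free-list cache, in the spirit of the
heap->cache[index] branch the report cites, showing what happens when a
previously freed block sits in the wrong list and a larger request (41 bytes,
the size in the backtrace above) gets it back. The unchecked fast path returns
the block as-is and the caller's write runs into the next block's header; a
checked variant compares the cached block's header size against the request at
the cache hit and refuses the block. All names (heap_t, alloc_unchecked,
alloc_checked, poison_cache), the header layout and the way the block lands in
the wrong list are assumptions for illustration, not zend_alloc.c's real layout
and not the actual cause of this report.

```c
/* Constructed model of a size-class free-list cache. NOT zend_alloc.c: names,
 * header layout and the way a block ends up in the wrong list are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALIGN       8u
#define NUM_CLASSES 8                  /* size classes 8, 16, ..., 64 bytes */
#define USED_FLAG   ((size_t)1)

/* Header word: usable size, bit 0 = "in use". A cached (freed) block keeps
 * its free-list link in the first word of its data area. */
typedef struct block {
    size_t        size_and_flags;
    unsigned char data[];
} block_t;

typedef struct {
    block_t      *cache[NUM_CLASSES];  /* freed blocks, one list per size class */
    size_t        used;
    unsigned char arena[4096];
} heap_t;

static size_t   round_up(size_t n)           { return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1); }
static size_t   class_index(size_t rounded)  { return rounded / ALIGN - 1; }   /* 8 -> 0 ... 64 -> 7 */
static size_t   block_size(const block_t *b) { return b->size_and_flags & ~USED_FLAG; }
static block_t *header_of(void *p)           { return (block_t *)((unsigned char *)p - offsetof(block_t, data)); }

static block_t *carve(heap_t *h, size_t rounded) {         /* fresh block from the arena */
    size_t total = offsetof(block_t, data) + rounded;
    if (h->used + total > sizeof h->arena) return NULL;
    block_t *b = (block_t *)(h->arena + h->used);
    h->used += total;
    b->size_and_flags = rounded;
    return b;
}

static void cache_push(heap_t *h, size_t idx, block_t *b) {
    memcpy(b->data, &h->cache[idx], sizeof(block_t *));   /* link through the data area */
    b->size_and_flags &= ~USED_FLAG;
    h->cache[idx] = b;
}

static block_t *cache_pop(heap_t *h, size_t idx) {
    block_t *b = h->cache[idx];
    if (b) memcpy(&h->cache[idx], b->data, sizeof(block_t *));
    return b;
}

/* Fast path as the report describes it: whatever is cached for this size
 * class is handed out without comparing its header against the request. */
static void *alloc_unchecked(heap_t *h, size_t size) {
    size_t rounded = round_up(size);
    block_t *b = cache_pop(h, class_index(rounded));
    if (!b) b = carve(h, rounded);
    if (!b) return NULL;
    b->size_and_flags |= USED_FLAG;
    return b->data;
}

/* Same path with the check a debugging build wants at the cache hit: an
 * undersized block is flagged and dropped instead of being returned. */
static void *alloc_checked(heap_t *h, size_t size, int *undersized) {
    size_t rounded = round_up(size);
    block_t *b = cache_pop(h, class_index(rounded));
    if (b && block_size(b) < rounded) { *undersized = 1; b = NULL; }
    if (!b) b = carve(h, rounded);
    if (!b) return NULL;
    b->size_and_flags |= USED_FLAG;
    return b->data;
}

/* Constructed scenario: a 16-byte block is pushed into the list that a
 * 41-byte request maps to, with a second 16-byte block right behind it. */
static void poison_cache(heap_t *h, void **small, void **neighbour) {
    memset(h, 0, sizeof *h);
    *small     = alloc_unchecked(h, 16);
    *neighbour = alloc_unchecked(h, 16);                    /* adjacent in the arena */
    cache_push(h, class_index(round_up(41)), header_of(*small));   /* wrong list */
}

/* Bytes the unchecked path lets a 41-byte user write past the real block. */
size_t demo_unchecked_shortfall(void) {
    heap_t h; void *small, *neighbour;
    poison_cache(&h, &small, &neighbour); (void)neighbour;
    void *p = alloc_unchecked(&h, 41);
    return p == small ? round_up(41) - block_size(header_of(p)) : 0;
}

/* 1 if filling the returned block clobbers the neighbour's header. */
int demo_unchecked_corrupts_neighbour(void) {
    heap_t h; void *small, *neighbour;
    poison_cache(&h, &small, &neighbour);
    memset(alloc_unchecked(&h, 41), 'A', 41);
    return block_size(header_of(neighbour)) != 16;
}

/* 1 if the checked path flags the bad cached block and returns a sane one. */
int demo_checked_catches_it(void) {
    heap_t h; void *small, *neighbour; int undersized = 0;
    poison_cache(&h, &small, &neighbour); (void)neighbour;
    void *p = alloc_checked(&h, 41, &undersized);
    return undersized && p != small && block_size(header_of(p)) >= 41;
}

int main(void) {
    printf("unchecked: %zu bytes short, neighbour corrupted=%d; checked catches=%d\n",
           demo_unchecked_shortfall(), demo_unchecked_corrupts_neighbour(), demo_checked_catches_it());
    return 0;
}
```

Build with a C99 compiler (for example `gcc -std=c99 -Wall model.c`) and run it.
The point of the checked variant is where the check sits: comparing the popped
block's header against the rounded request at the cache-hit branch turns a
later, unrelated segfault into an immediate report at the first bad pop, which
is the place the report is trying to find.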
