Edit report at https://bugs.php.net/bug.php?id=61046&edit=1
ID: 61046
Comment by: arrtedone at gmail dot com
Reported by: ni...@php.net
Summary: Segfault when memory limit is hit while copying hash table
Status: Open
Type: Bug
Package: Reproducible crash
PHP Version: 5.4.0RC7
Block user comment: N
Private report: N

New Comment:

Description:
------------
Same here, reproducible, but with memory limit set to 128M (note that I am not using the provided test script; it crashed randomly).

Test script:
-------------
- System information:
  OS: Fedora 17 Linux nask0 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64
  PHP version 5.4.9:
    PHP API: 20100412
    PHP Extension: 20100525
    Zend Extension: 220100525
    Zend Extension Build: API220100525,NTS
    PHP Extension Build: API20100525,NTS
    Thread Safety: disabled
    Zend Signal Handling: disabled
    Zend Memory Manager: enabled
  Apache Version: Apache/2.2.22 (Fedora) DAV/2 PHP/5.4.9
  Apache API Version: 20051115

GDB backtrace:
---------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_remove_from_free_list (heap=0x7f75283c10d0, mm_block=0x7f752a24b3f8) at /usr/src/debug/php-5.4.9/Zend/zend_alloc.c:833
833         if (UNEXPECTED(prev->next_free_block != mm_block) || UNEXPECTED(next->prev_free_block != mm_block)) {
(gdb) continue
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.

Previous Comments:
------------------------------------------------------------------------
[2012-02-10 18:08:37] ras...@php.net

Same here. Reproducible on 64-bit Linux with memory_limit set to "512k".
The segfault is here:

zend_mm_remove_from_free_list (heap=0xf71730, mm_block=0x7ffff7fae1c8) at /home/rasmus/php-src/branches/PHP_5_4/Zend/zend_alloc.c:805
805         ZEND_MM_CHECK_TREE(mm_block);
(gdb) p *mm_block
$2 = {info = {_size = 16400, _prev = 57}, prev_free_block = 0x7ffff7fae1c8, next_free_block = 0x7ffff7fae1c8, parent = 0x0, child = {0x0, 0x0}}

Note that parent is NULL there and ZEND_MM_CHECK_TREE tries to dereference *parent.
------------------------------------------------------------------------
[2012-02-10 17:46:09] jpa...@php.net

Notice that I only reproduce with memory_limit set to exactly 512k, not 500k as in the bug text, nor even 511k.
------------------------------------------------------------------------
[2012-02-10 17:34:21] jpa...@php.net

What I can say:
- I don't reproduce on 5.3.10
- For 5.4, disabling ZendMM with USE_ZEND_ALLOC=0 makes the segfault disappear
- For 5.4, changing the ZendMM segment size with ZEND_MM_SEG_SIZE={val} makes the segfault disappear; I haven't tested all the possible values for SEG_SIZE.
As a reminder, the ZendMM default SEG_SIZE is set to 256k.
------------------------------------------------------------------------
[2012-02-10 17:31:28] ni...@php.net

GDB Stacktrace:
#0  zend_mm_remove_from_free_list (heap=0x88da8d8, mm_block=0xb7fc5308) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:805
#1  0x083ad608 in _zend_mm_free_int (heap=0x88da8d8, p=0xb7fc52f0) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:2101
#2  0x083cd657 in destroy_op_array (op_array=0x8a5d4c8, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:380
#3  0x083cd777 in zend_function_dtor (function=0x8a5d4c8) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:124
#4  0x083e49ae in zend_hash_apply_deleter (ht=0x88dae70, p=0x8a5d498) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:650
#5  0x083e63b1 in zend_hash_reverse_apply (ht=0x88dae70, apply_func=0x83c7310 <clean_non_persistent_function>, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:804
#6  0x083c7ecb in shutdown_executor (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_execute_API.c:304
#7  0x083d7c11 in zend_deactivate (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend.c:934
#8  0x0836be33 in php_request_shutdown (dummy=0x0) at /home/nikic/dev/php-src-git/main/main.c:1782
#9  0x0848d723 in do_cli (argc=4, argv=0xbffff3b4, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1169
#10 0x0806eaa3 in main (argc=4, argv=0xbffff3b4) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1356
------------------------------------------------------------------------
[2012-02-10 17:28:02] ni...@php.net

Description:
------------
The attached test script triggers a segfault. It happens during the shutdown after the memory limit is reached in the byRef($array) line.
Test script:
---------------
<?php
function byRef(&$ref) {}

ini_set('memory_limit', '500k');

$array = array_fill(0, 2000, '*');
$ref = $array;
byRef($array);
------------------------------------------------------------------------
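The block Rasmus dumped above (prev_free_block and next_free_block pointing at the block itself, parent NULL), modelled in C as an added example that is not part of this report or of ZendMM: a simplified free-block struct with the two consistency checks the backtraces stop at (zend_alloc.c lines 805 and 833), plus a NULL guard so such a block is reported as corrupted instead of crashing the check itself. The struct layout, the enum and the function names are assumptions.

```c
#include <stddef.h>
/* Simplified model of a ZendMM free block, using the field names from the gdb
 * dumps in this report. Assumption: the real zend_mm_free_block layout differs. */
typedef struct mm_free_block {
    size_t size;                           /* shown as info._size in the dump */
    struct mm_free_block *prev_free_block;
    struct mm_free_block *next_free_block;
    struct mm_free_block **parent;         /* tree slot that should point back at this block */
    struct mm_free_block *child[2];
} mm_free_block;

enum mm_check { MM_OK = 0, MM_LIST_CORRUPT, MM_TREE_CORRUPT, MM_TREE_PARENT_NULL };

/* Checks modelled on line 805 (ZEND_MM_CHECK_TREE) and line 833 (neighbour back-links),
 * with a NULL guard so a block like the one dumped is reported, not dereferenced. */
enum mm_check check_free_block(const mm_free_block *b)
{
    if (b->prev_free_block == b) {
        /* lone block: head of its size list, so it must be anchored in the tree */
        if (b->parent == NULL) return MM_TREE_PARENT_NULL; /* ZEND_MM_CHECK_TREE would segfault here */
        return (*b->parent == b) ? MM_OK : MM_TREE_CORRUPT;
    }
    /* otherwise it sits on a circular list; both neighbours must link back to it */
    if (b->prev_free_block == NULL || b->next_free_block == NULL ||
        b->prev_free_block->next_free_block != b ||
        b->next_free_block->prev_free_block != b) {
        return MM_LIST_CORRUPT;
    }
    return MM_OK;
}

/* The block state from the 18:08:37 gdb dump, constructed in memory (not a real heap). */
enum mm_check check_reported_block(void)
{
    mm_free_block blk = { .size = 16400 };          /* parent stays NULL, as in the dump */
    blk.prev_free_block = blk.next_free_block = &blk;
    return check_free_block(&blk);                  /* MM_TREE_PARENT_NULL */
}

/* A healthy lone tree block for contrast: its parent slot points back at it. */
enum mm_check check_healthy_block(void)
{
    mm_free_block blk = { .size = 16400 };
    mm_free_block *slot = &blk;
    blk.prev_free_block = blk.next_free_block = &blk;
    blk.parent = &slot;
    return check_free_block(&blk);                  /* MM_OK */
}
```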