ID:               25275
 Comment by:       moregan at flr dot follett dot com
 Reported By:      rehsack at liwing dot de
 Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: FreeBSD 5.1 i386
 PHP Version:      4.3.3
 New Comment:

Pardon me as I chime in.

With this config of php4-STABLE-200309020330 on Red Hat 8:

./configure \
        --disable-all \
        --enable-debug \
        --enable-cli \
        --disable-cgi \
        --disable-short-tags \
        --disable-xml \
        --without-mysql \
        --without-pear \
        --prefix=/usr/local

the test script runs without apparent difficulty:

[EMAIL PROTECTED]/php4-STABLE-200309020330]$ ./sapi/cli/php bug25275.php
before deaggregate
after deaggregate

but piping the program to PHP segfaults:

[EMAIL PROTECTED]/php4-STABLE-200309020330]$ cat bug25275.php | ./sapi/cli/php
Segmentation fault (core dumped)

[EMAIL PROTECTED]/php4-STABLE-200309020330]$ gdb ./php core.32304
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./sapi/cli/php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, siz=1024)
    at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58
58                if ((*d++ = *s++) == 0)
(gdb) bt full
#0  0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, siz=1024)
    at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58
 d = 0x8135ac0 "-"
 s = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
 n = 1023
#1  0x080bd020 in php_error_cb (type=8, error_filename=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, error_lineno=35,
    format=0x812ad40 "Use of undefined constant %s - assumed '%s'",
args=0xbfffba58 "Ü\037\027\bÜ\037\027\b¤\037\027\b\006")
    at /home/moregan/php4-STABLE-200309020330/main/main.c:615
 buffer = 0x816a4dc "Use of undefined constant STDERR - assumed
'STDERR'"
 buffer_len = 51
 display = 1
#2  0x080ee343 in zend_error (type=8, format=0x812ad40 "Use of
undefined constant %s - assumed '%s'")
    at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:751
 args = 0xbfffba58 "Ü\037\027\bÜ\037\027\b¤\037\027\b\006"
 params = (struct _zval_struct ***) 0x0
 retval = (struct _zval_struct *) 0xbfffba58
 z_error_type = (struct _zval_struct *) 0x81285c0
 z_error_message = (struct _zval_struct *) 0x81716bc
 z_error_filename = (struct _zval_struct *) 0xbfffba44
 z_error_lineno = (struct _zval_struct *) 0x7
 z_context = (struct _zval_struct *) 0x8007272
 error_filename = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
 error_lineno = 35
 orig_user_error_handler = (struct _zval_struct *) 0x7
#3  0x080ffa0c in execute (op_array=0x8171b1c) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1989
 execute_data = {opline = 0x8171250, function_state =
{function_symbol_table = 0x0, function = 0x8171b1c, reserved = {
      0x80fabde, 0x8171fac, 0x5a9b0765, 0x1c}}, fbc = 0x0, ce = 0x0,
object = {ptr = 0x0}, Ts = 0xbfffba60,
  original_in_execution = 1 '\001', op_array = 0x8171b1c,
prev_execute_data = 0xbfffbeb0}
#4  0x080fe633 in execute (op_array=0x816a454) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660
 calling_symbol_table = (struct _hashtable *) 0x813a14c
 original_return_value = (struct _zval_struct **) 0xbfffbf34
 return_value_used = 0
 execute_data = {opline = 0x816e840, function_state =
{function_symbol_table = 0x81715b4, function = 0x8171b1c, reserved = {
      0x10001, 0x4000000, 0x0, 0x0}}, fbc = 0x8171b1c, ce = 0x0, object
= {ptr = 0x81709f4}, Ts = 0xbfffbcb0,
  original_in_execution = 0 '\0', op_array = 0x816a454,
prev_execute_data = 0x0}
#5  0x080ee81c in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at
/home/moregan/php4-STABLE-200309020330/Zend/zend.c:885
 files = 0xbfffbf64 ""
 i = 1
 file_handle = (struct _zend_file_handle *) 0xbfffe200
 orig_op_array = (struct _zend_op_array *) 0x0
 local_retval = (struct _zval_struct *) 0x0
#6  0x080bf239 in php_execute_script (primary_file=0xbfffe200) at
/home/moregan/php4-STABLE-200309020330/main/main.c:1723
 orig_bailout = {{__jmpbuf = {1108517584, 1073815584, -1073749356,
-1073749432, -1073749840, 135281170},
    __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32
times>}}}}
 orig_bailout_set = 1 '\001'
 prepend_file_p = (struct _zend_file_handle *) 0x0
 append_file_p = (struct _zend_file_handle *) 0x0
 prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
 append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
---Type <return> to continue, or q <return> to quit---
 old_cwd = 0xbfffbf70 ""
 old_primary_file_path = 0x0
 retval = 0
#7  0x08104108 in main (argc=1, argv=0xbfffe294) at
/home/moregan/php4-STABLE-200309020330/sapi/cli/php_cli.c:819
 orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0,
__saved_mask = {__val = {0 <repeats 32 times>}}}}
 orig_bailout_set = 0 '\0'
 exit_status = 0
 c = -1
 file_handle = {type = 2 '\002', filename = 0x812bb4b "-", opened_path
= 0x0, handle = {fd = 1108505024, fp = 0x421271c0},
  free_filename = 0 '\0'}
 behavior = 1
 orig_optind = 1
 orig_optarg = 0x0
 arg_free = 0xbffffbbc "./sapi/cli/php"
 arg_excp = (char **) 0xbfffe294
 script_file = 0x0
 global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0,
persistent = 0 '\0', traverse_ptr = 0xbfffe294}
 interactive = 0
 module_started = 1
 lineno = 0
 exec_direct = 0x0
 param_error = 0x0
 hide_argv = 0
#8  0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
No symbol table info available.


When I remove --enable-debug from the config then the piped version no
longer segfaults but instead prints warnings:

[EMAIL PROTECTED]/php4-STABLE-200309020330]$ cat bug25275.php | ./sapi/cli/php

Notice: Use of undefined constant STDERR - assumed 'STDERR' in - on
line 33

Warning: fwrite(): supplied argument is not a valid stream resource in
- on line 33

Notice: Use of undefined constant STDERR - assumed 'STDERR' in - on
line 35

Warning: fwrite(): supplied argument is not a valid stream resource in
- on line 35

In all cases, valgrind has something like this to say:

[EMAIL PROTECTED]/php4-STABLE-200309020330]$ valgrind -v --skin=memcheck ./sapi/cli/php bug25275.php
==26379== Memcheck, a.k.a. Valgrind, a memory error detector for
x86-linux.
==26379== Copyright (C) 2002-2003, and GNU GPL'd, by Julian Seward.
==26379== Using valgrind-20030725, a program supervision framework for
x86-linux.
==26379== Copyright (C) 2000-2003, and GNU GPL'd, by Julian Seward.
==26379== Startup, with flags:
==26379==    --suppressions=/usr/local/lib/valgrind/default.supp
==26379==    -v
==26379== Reading syms from
/home/moregan/php4-STABLE-200309020330/sapi/cli/php
==26379== Reading syms from /lib/ld-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /usr/local/lib/valgrind/vgskin_memcheck.so
==26379== Reading syms from /usr/local/lib/valgrind/valgrind.so
==26379== Reading syms from /lib/libcrypt-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /lib/libresolv-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /lib/i686/libm-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /lib/libdl-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /lib/libnsl-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading syms from /lib/i686/libc-2.2.93.so
==26379==    object doesn't have any debug info
==26379== Reading suppressions file:
/usr/local/lib/valgrind/default.supp
==26379== Estimated CPU clock rate is 2401 MHz
==26379==
before deaggregate
after deaggregate
==26379== Invalid read of size 1
==26379==    at 0x80D14C4: execute
(/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1702)
==26379==    by 0x80D11C9: execute
(/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660)
==26379==    by 0x80C66D6: zend_execute_scripts
(/home/moregan/php4-STABLE-200309020330/Zend/zend.c:885)
==26379==    by 0x80A5706: php_execute_script
(/home/moregan/php4-STABLE-200309020330/main/main.c:1723)
==26379==    Address 0x41383B64 is 72 bytes inside a block of size 100
free'd
==26379==    at 0x40025722: free (vg_replace_malloc.c:220)
==26379==    by 0x80BA98C: _efree
(/home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:265)
==26379==    by 0x80C9C6C: zend_hash_destroy
(/home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:560)
==26379==    by 0x80C17E3: destroy_zend_class
(/home/moregan/php4-STABLE-200309020330/Zend/zend_opcode.c:124)
==26379==
==26379== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from
0)
[...]

(this valgrind not done on the same binary that produced the backtrace)
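
Added example, not part of the bug report or of PHP's source: a small C model of why a stale read can fault in a debug build yet appear to work without --enable-debug. It assumes the 0x5a5a5a5a values in the backtrace are a fill pattern that a debug allocator writes over freed blocks; struct unit, unit_new, unit_free and the one-slot static "heap" are hypothetical names constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a compiled unit that owns its source filename. */
struct unit { const char *filename; int lineno; };

/* One-slot "heap" in static storage: the bytes stay readable after release,
 * so the stale access below is well-defined here, unlike a real heap UAF. */
static struct unit slot;

static struct unit *unit_new(const char *name, int line) {
    slot.filename = name;
    slot.lineno = line;
    return &slot;
}

/* Release the slot; a debug-style allocator also overwrites it with 0x5A
 * (assumption: this mirrors what the --enable-debug build does). */
static void unit_free(struct unit *u, int debug_fill) {
    if (debug_fill)
        memset(u, 0x5A, sizeof *u);
}

/* Inspect a field byte by byte, without ever loading it as a pointer. */
static int field_is_poisoned(const void *field, size_t n) {
    const unsigned char *b = field;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0x5A)
            return 0;
    return 1;
}

/* The error path keeps using the unit after it was released.
 * Returns 1 when the stale filename field holds the fill pattern (a
 * dereference would fault, as in the backtrace), 0 when it still holds
 * the old pointer and the bug goes unnoticed. */
static int stale_filename_poisoned(int debug_fill) {
    struct unit *u = unit_new("-", 35);
    unit_free(u, debug_fill);
    return field_is_poisoned(&u->filename, sizeof u->filename);
}

int main(void) {
    printf("debug fill: poisoned=%d\n", stale_filename_poisoned(1));
    printf("no fill:    poisoned=%d\n", stale_filename_poisoned(0));
    return 0;
}
```

In both cases the read is of released memory; the fill only decides whether the defect shows up as a crash or as silently reused data.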


Previous Comments:
------------------------------------------------------------------------

[2003-08-30 08:52:58] [EMAIL PROTECTED]

Cool, let's keep the status set to feedback during this time then.

------------------------------------------------------------------------

[2003-08-30 08:39:35] rehsack at liwing dot de

This may take a while. I can't start before Monday, so I think Tuesday
you can reach results.

------------------------------------------------------------------------

[2003-08-30 07:21:47] [EMAIL PROTECTED]

Yes, that's the idea..


------------------------------------------------------------------------

[2003-08-30 06:10:26] rehsack at liwing dot de

Nope, it runs fine. Do you suggest enabling each extension I used until
it crashes?

------------------------------------------------------------------------

[2003-08-30 02:00:15] [EMAIL PROTECTED]

Try this:

# rm config.cache
# ./configure --disable-all --disable-cgi --enable-debug
# make clean && make
# sapi/cli/php yourscript.php

Does it crash now?


------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/25275

-- 
Edit this bug report at http://bugs.php.net/?id=25275&edit=1
