ID: 23333
Comment by: moregan at flr dot follett dot com
Reported By: smgallo at ccr dot buffalo dot edu
Status: Closed
Bug Type: Reproducible crash
Operating System: RedHat 7.3, glibc-2.2.5-39
PHP Version: 4.3.0
New Comment:
This config of php4-STABLE-200309020330 under Red Hat 8, glibc 2.2.93 segfaults with the sample code (CLI):
./configure \
--disable-all \
--enable-cli \
--disable-cgi \
--disable-short-tags \
--disable-xml \
--without-mysql \
--without-pear \
--prefix=/usr/local \
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ ./sapi/cli/php bug23333.php
Start
Middle
0..1..Segmentation fault (core dumped)
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ gdb ./php core.5679
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./sapi/cli/php bug23333.php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  _efree (ptr=0x0) at /home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:241
241             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt full
#0  _efree (ptr=0x0) at /home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:241
        p = (struct _zend_mem_header *) 0xfffffff4
        cache_index = 135497876
#1  0x080c5528 in _zval_dtor (zvalue=0x8138894) at /home/moregan/php4-STABLE-200309020330/Zend/zend_variables.c:51
No locals.
#2  0x080bfdb5 in _zval_ptr_dtor (zval_ptr=0x8c483d8) at /home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:291
No locals.
#3  0x080c9b4b in zend_hash_del_key_or_index (ht=0x8b2a294, arKey=0x0, nKeyLength=0, h=34464, flag=135003516) at /home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:524
        nIndex = 34464
        p = (struct bucket *) 0x8c483cc
#4  0x080d2811 in execute (op_array=0x8138dac) at /home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:2265
        execute_data = {opline = 0x813f7cc, function_state = {function_symbol_table = 0x8138e1c, function = 0x8138dac, reserved = {0x80c1262, 0x8138e1c, 0xbfffe1e0, 0x0}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0}, Ts = 0xbfffb730, original_in_execution = 0 '\0', op_array = 0x8138dac, prev_execute_data = 0x0}
#5  0x080c66d7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:885
        files = 0xbfffbf64 ""
        i = 1
        file_handle = (struct _zend_file_handle *) 0xbfffe1e0
        orig_op_array = (struct _zend_op_array *) 0x0
        local_retval = (struct _zval_struct *) 0x0
#6  0x080a5707 in php_execute_script (primary_file=0xbfffe1e0) at /home/moregan/php4-STABLE-200309020330/main/main.c:1723
        prepend_file_p = (struct _zend_file_handle *) 0x0
        append_file_p = (struct _zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
        old_cwd = 0xbfffbf70 ""
        old_primary_file_path = 0xbffffb27 "bug23333.php"
        retval = 0
#7  0x080d5168 in main (argc=2, argv=0xbfffe264) at /home/moregan/php4-STABLE-200309020330/sapi/cli/php_cli.c:819
        exit_status = 0
        c = 135497876
        file_handle = {type = 2 '\002', filename = 0xbfffcfa0 "/home/moregan/php4-STABLE-200309020330/bug23333.php", opened_path = 0x0, handle = {fd = 135433592, fp = 0x8128d78}, free_filename = 0 '\0'}
        behavior = 1
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0xbffffb27 "bug23333.php"
        arg_excp = (char **) 0x8b2a294
        script_file = 0xbffffb27 "bug23333.php"
        global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0, persistent = 0 '\0', traverse_ptr = 0x4001287c}
        interactive = 0
        module_started = 1
        lineno = 1
        exec_direct = 0x0
        param_error = 0x0
        hide_argv = 0
#8  0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
No symbol table info available.
Adding --enable-debug to the config gives us results without the segfault but with warnings from PHP:
Start
Middle
0..[Tue Sep 2 01:19:13 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
1..[Tue Sep 2 01:19:14 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
2..[Tue Sep 2 01:19:14 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
3..[Tue Sep 2 01:19:15 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
4..[Tue Sep 2 01:19:15 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
5..[Tue Sep 2 01:19:15 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
6..[Tue Sep 2 01:19:16 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
7..[Tue Sep 2 01:19:16 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
8..[Tue Sep 2 01:19:17 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
9..[Tue Sep 2 01:19:17 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
10..[Tue Sep 2 01:19:17 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
11..[Tue Sep 2 01:19:18 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
12..[Tue Sep 2 01:19:18 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
13..[Tue Sep 2 01:19:19 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
14..[Tue Sep 2 01:19:19 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
15..[Tue Sep 2 01:19:19 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
16..[Tue Sep 2 01:19:20 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
17..[Tue Sep 2 01:19:20 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
18..[Tue Sep 2 01:19:20 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
19..[Tue Sep 2 01:19:21 2003] Script: 'bug23333.php'
---------------------------------------
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h(44) : Block
0x0816C660 status:
Beginning: Overrun (magic=0x4212B214, expected=0x7312F8DC)
End: Unknown
---------------------------------------
End
valgrind on the --enable-debug version gives us:
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ valgrind --skin=memcheck -v ./php bug23333.php
==11446== Memcheck, a.k.a. Valgrind, a memory error detector for x86-linux.
==11446== Copyright (C) 2002-2003, and GNU GPL'd, by Julian Seward.
==11446== Using valgrind-20030725, a program supervision framework for x86-linux.
==11446== Copyright (C) 2000-2003, and GNU GPL'd, by Julian Seward.
==11446== Startup, with flags:
==11446==    --suppressions=/usr/local/lib/valgrind/default.supp
==11446==    -v
==11446== Reading syms from /home/moregan/php4-STABLE-200309020330/sapi/cli/php
==11446== Reading syms from /lib/ld-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /usr/local/lib/valgrind/vgskin_memcheck.so
==11446== Reading syms from /usr/local/lib/valgrind/valgrind.so
==11446== Reading syms from /lib/libcrypt-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /lib/libresolv-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /lib/i686/libm-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /lib/libdl-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /lib/libnsl-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading syms from /lib/i686/libc-2.2.93.so
==11446==    object doesn't have any debug info
==11446== Reading suppressions file: /usr/local/lib/valgrind/default.supp
==11446== Estimated CPU clock rate is 2388 MHz
==11446==
Start
Middle
0..==11446== Invalid read of size 2
==11446==    at 0x80E4DA7: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:289)
==11446==    by 0x80ED316: _zval_ptr_dtor_wrapper (/home/moregan/php4-STABLE-200309020330/Zend/zend_variables.c:167)
==11446==    by 0x80F3629: zend_hash_del_key_or_index (/home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:524)
==11446==    by 0x810085D: execute (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:2265)
==11446==    Address 0x413BCAE6 is 46 bytes inside a block of size 56 free'd
==11446==    at 0x40025722: free (vg_replace_malloc.c:220)
==11446==    by 0x80DDA05: _efree (/home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:265)
==11446==    by 0x80E6256: safe_free_zval_ptr (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h:44)
==11446==    by 0x80E4DDD: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:292)
==11446==
==11446== Invalid read of size 2
==11446==    at 0x80E4DB0: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:290)
==11446==    by 0x80ED316: _zval_ptr_dtor_wrapper (/home/moregan/php4-STABLE-200309020330/Zend/zend_variables.c:167)
==11446==    by 0x80F3629: zend_hash_del_key_or_index (/home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:524)
==11446==    by 0x810085D: execute (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:2265)
==11446==    Address 0x413BCAE6 is 46 bytes inside a block of size 56 free'd
==11446==    at 0x40025722: free (vg_replace_malloc.c:220)
==11446==    by 0x80DDA05: _efree (/home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:265)
==11446==    by 0x80E6256: safe_free_zval_ptr (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h:44)
==11446==    by 0x80E4DDD: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:292)
==11446==
==11446== Invalid read of size 2
==11446==    at 0x80E4DE8: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:293)
==11446==    by 0x80ED316: _zval_ptr_dtor_wrapper (/home/moregan/php4-STABLE-200309020330/Zend/zend_variables.c:167)
==11446==    by 0x80F3629: zend_hash_del_key_or_index (/home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:524)
==11446==    by 0x810085D: execute (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:2265)
==11446==    Address 0x413BCAE6 is 46 bytes inside a block of size 56 free'd
==11446==    at 0x40025722: free (vg_replace_malloc.c:220)
==11446==    by 0x80DDA05: _efree (/home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:265)
==11446==    by 0x80E6256: safe_free_zval_ptr (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.h:44)
==11446==    by 0x80E4DDD: _zval_ptr_dtor (/home/moregan/php4-STABLE-200309020330/Zend/zend_execute_API.c:292)
==11446==
==11446== More than 30000 total errors detected. I'm not reporting any more.
==11446== Final error counts will be inaccurate. Go fix your program!
==11446== Rerun with --error-limit=no to disable this cutoff. Note
==11446== that errors may occur in your program without prior warning from
==11446== Valgrind, because errors are no longer being displayed.
==11446==
1..2..3..4..5..6..7..8..9..10..11..12..13..14..15..16..17..18..19..
End
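Two mechanisms in the debug output above are worth seeing in isolation. The --enable-debug warnings come from the Zend debug allocator stamping a magic value at the start and end of every block and reporting "Overrun" when the stamp no longer matches, and the valgrind report shows _zval_ptr_dtor reading a 2-byte field (consistent with the 16-bit refcount of a PHP 4 zval) from a block that had already been freed by a previous _zval_ptr_dtor. The following is an added example, not PHP's own code: a miniature guard-magic allocator in C with a zval-like refcounted value released the way _zval_ptr_dtor does it, so that an underrun, an overrun and a second dtor on an already-released value are each reported rather than silently corrupting or reading freed memory. All names (dbg_malloc, dbg_check, dbg_free, zval_like, the demo_* functions) and layout are this example's own; MEM_MAGIC_HEAD reuses the "expected=" value from the report, the other two constants are assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Guard values. MEM_MAGIC_HEAD is the "expected=" value from the report's
 * debug output; the other two are assumed for this example. */
#define MEM_MAGIC_HEAD  0x7312F8DCu
#define MEM_MAGIC_TAIL  0x2A8FCC84u
#define MEM_MAGIC_FREED 0x99887766u

/* 8-byte header: size first, magic last, so the magic sits immediately
 * before the user data and an underrun by one int lands on it. */
typedef struct mem_header {
    uint32_t size;
    uint32_t magic;
} mem_header;

enum block_status {
    BLOCK_OK = 0,
    BLOCK_HEAD_OVERRUN = 1,   /* header magic clobbered ("Beginning: Overrun") */
    BLOCK_TAIL_OVERRUN = 2,   /* trailer magic clobbered ("End: Overrun") */
    BLOCK_FREED = 3           /* block already released: double free / use after free */
};

static mem_header *hdr_of(void *p) { return (mem_header *)p - 1; }
static char *tail_of(mem_header *h) { return (char *)(h + 1) + h->size; }

/* Allocate header + user bytes + trailer and stamp both guards. */
void *dbg_malloc(uint32_t size) {
    mem_header *h = malloc(sizeof *h + size + sizeof(uint32_t));
    if (!h) return NULL;
    h->size = size;
    h->magic = MEM_MAGIC_HEAD;
    uint32_t tail = MEM_MAGIC_TAIL;
    memcpy(tail_of(h), &tail, sizeof tail);   /* memcpy: trailer may be unaligned */
    return h + 1;
}

/* Classify a block's state from its guards without modifying it. */
int dbg_check(void *p) {
    mem_header *h = hdr_of(p);
    if (h->magic == MEM_MAGIC_FREED) return BLOCK_FREED;
    if (h->magic != MEM_MAGIC_HEAD)  return BLOCK_HEAD_OVERRUN;
    uint32_t tail;
    memcpy(&tail, tail_of(h), sizeof tail);
    if (tail != MEM_MAGIC_TAIL)      return BLOCK_TAIL_OVERRUN;
    return BLOCK_OK;
}

/* Release a block. Damaged or already-freed blocks are refused and reported.
 * Freed blocks are stamped and quarantined (never handed back to malloc), so
 * a later touch is detected instead of silently reusing the memory; the
 * example therefore leaks them on purpose. */
int dbg_free(void *p) {
    int st = dbg_check(p);
    if (st != BLOCK_OK) return st;
    hdr_of(p)->magic = MEM_MAGIC_FREED;
    return BLOCK_OK;
}

/* A refcounted value with the shape of a PHP 4 zval (16-bit refcount). */
typedef struct { int value; uint16_t refcount; uint8_t is_ref; } zval_like;

/* Mirrors what _zval_ptr_dtor does: drop one reference, free at zero. The
 * guard check runs first, so a second dtor on a released value is reported
 * instead of reading the refcount out of freed memory. */
int zval_like_ptr_dtor(zval_like *z) {
    int st = dbg_check(z);
    if (st != BLOCK_OK) return st;
    if (--z->refcount == 0) return dbg_free(z);
    return BLOCK_OK;
}

int demo_live_block(void) {
    int *a = dbg_malloc(3 * sizeof *a);
    a[0] = 1; a[2] = 3;                    /* in bounds: guards untouched */
    int st = dbg_check(a);
    return st == BLOCK_OK ? dbg_free(a) : st;
}

int demo_head_overrun(void) {
    int *a = dbg_malloc(3 * sizeof *a);
    a[-1] = 0x4212B214;                    /* underrun lands on the header magic;
                                              value is the "magic=" seen in the report */
    return dbg_check(a);
}

int demo_tail_overrun(void) {
    int *a = dbg_malloc(3 * sizeof *a);
    a[3] = 1;                              /* one past the end: lands on the trailer */
    return dbg_check(a);
}

int demo_double_dtor(void) {
    zval_like *z = dbg_malloc(sizeof *z);
    z->value = 7; z->refcount = 1; z->is_ref = 0;
    if (zval_like_ptr_dtor(z) != BLOCK_OK) return -1;   /* refcount hits 0: released */
    return zval_like_ptr_dtor(z);                       /* second dtor: BLOCK_FREED */
}

int main(void) {
    printf("live=%d head_overrun=%d tail_overrun=%d double_dtor=%d\n",
           demo_live_block(), demo_head_overrun(), demo_tail_overrun(), demo_double_dtor());
    return 0;
}
```

The status codes map onto the two tools used in the thread: a corrupted guard is what the --enable-debug allocator prints as "Overrun", and the refused second dtor is the event valgrind reports as an invalid read inside a freed block. A real debug allocator would also poison the user bytes on free and, in the double-dtor case, abort rather than return a code.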
Previous Comments:
------------------------------------------------------------------------
[2003-04-24 12:06:05] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
Seems to be fixed, I just get this:
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 35 bytes) in /home/jani/t2.php on line 19
When I set memory_limit=100M and max_execution_time=0, it works fine and doesn't segfault.
(huge memory usage is normal as this array of yours is huge)
------------------------------------------------------------------------
[2003-04-24 11:01:31] smgallo at ccr dot buffalo dot edu
<?php
// Build one array of 100000 integers that will be copied by reference
// count into every slot of $test below.
$big = array();
$test = array();
fwrite(STDOUT, "Start\n");
for ($i = 0; $i < 100000; $i++) {
    $big[$i] = $i;
}
fwrite(STDOUT, "Middle\n");
// Repeatedly fill $test with 100000 copies of $big, then unset every
// element one by one; each iteration prints "k.." as it goes.
for ($k = 0; $k < 20; $k++) {
    fwrite(STDOUT, "$k");
    $test = array();
    fwrite(STDOUT, ".");
    for ($i = 0; $i < 100000; $i++) {
        $test[$i] = $big;
    }
    fwrite(STDOUT, ".");
    for ($i = 0; $i < 100000; $i++) {
        unset($test[$i]);
    }
    // unset($test);
}
fwrite(STDOUT, "\nEnd\n");
?>
Running the above script produces the following output:
Start
Middle
0..1..2..
Segmentation fault
A trace in gdb produces:
Program received signal SIGSEGV, Segmentation fault.
0x4207ad8e in chunk_free () from /lib/i686/libc.so.6
(gdb) where
#0 0x4207ad8e in chunk_free () from /lib/i686/libc.so.6
#1 0x4207ad14 in free () from /lib/i686/libc.so.6
#2 0x08121bdc in zend_hash_destroy ()
#3 0x0811c5fa in _zval_dtor ()
#4 0x08114e01 in _zval_ptr_dtor ()
#5 0x08121aa6 in zend_hash_del_key_or_index ()
#6 0x0813587a in execute ()
#7 0x0811db3c in zend_execute_scripts ()
#8 0x080f75cd in php_execute_script ()
#9 0x081384a0 in main ()
#10 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
If I comment out the for loop containing the unset() and instead use:
unset($test);
Then the script hangs. strace shows the following output and seems to be in an infinite loop:
brk(0x8f73000) = 0x8f73000
brk(0x8f74000) = 0x8f74000
write(5, ".", 1) = 1
munmap(0x40256000, 528384) = 0
brk(0x8a21000) = 0x8a21000
munmap(0x402d7000, 528384) = 0
write(5, "1", 1) = 1
write(5, ".", 1) = 1
write(5, ".", 1) = 1
munmap(0xcac4, 136005040) = -1 EINVAL (Invalid argument)
munmap(0xff797a94, 144821032) = -1 EINVAL (Invalid argument)
munmap(0x8658cc, 136016488) = -1 EINVAL (Invalid argument)
munmap(0xc608927c, 1108533240) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136028904) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136028960) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029016) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029072) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029128) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029184) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029240) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029296) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029352) = -1 EINVAL (Invalid argument)
munmap(0xffffffcc, 136029408) = -1 EINVAL (Invalid argument)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=23333&edit=1