From: moregan at flr dot follett dot com
Operating system: RedHat8 + Windows 2000
PHP version: 4.3.3
PHP Bug Type: Reproducible crash
Bug description: building 64K arrays of 64K elements segfaults
Description:
------------
(This arose from working with the script from the now-closed bug 23333. I
accidentally put material intended for 23333 into 25275, but this now
seems to me to be a separate bug.)
A CLI script that builds an array of 65536 numbers and then makes 65536
copies segfaults. True for /php4-STABLE-200309020330 on RedHat 8 and for
the binary from php4-win32-STABLE-200309022030.zip on Windows 2000.
The example may seem contrived, but I'm hoping that this is one of the
causes of a thorny heap corruption problem we're seeing.
Reproduce code:
---------------
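<?php
$elements = 65536;
$big = array();
$test = array();
// Build one array holding $elements integers.
for($i=0; $i < $elements; $i++) {
    $big[$i] = $i;
}
// Store $elements copies of that array in a second array.
for($i=0; $i < $elements; $i++) {
    $test[$i] = $big;
}
?>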
If you change $elements to 65535 then there's no segfault.
Expected result:
----------------
nothing
Actual result:
--------------
(gdb) bt full
#0 0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a <Address
0x5a5a5a5a out of bounds>, siz=1024)
at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58
d = 0x8135ac0 "-"
s = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
n = 1023
#1 0x080bd020 in php_error_cb (type=8, error_filename=0x5a5a5a5a <Address
0x5a5a5a5a out of bounds>, error_lineno=35,
format=0x812ad40 "Use of undefined constant %s - assumed '%s'",
args=0xbfffb9c8 "�\037\027\b�\037\027\b�\037\027\b\006")
at /home/moregan/php4-STABLE-200309020330/main/main.c:615
buffer = 0x816a4ec "Use of undefined constant STDERR - assumed
'STDERR'"
buffer_len = 51
display = 1
#2 0x080ee343 in zend_error (type=8, format=0x812ad40 "Use of undefined
constant %s - assumed '%s'")
at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:751
args = 0xbfffb9c8 "�\037\027\b�\037\027\b�\037\027\b\006"
params = (struct _zval_struct ***) 0x0
retval = (struct _zval_struct *) 0xbfffb9c8
z_error_type = (struct _zval_struct *) 0x81285c0
z_error_message = (struct _zval_struct *) 0x81716cc
z_error_filename = (struct _zval_struct *) 0xbfffb9b4
z_error_lineno = (struct _zval_struct *) 0x7
z_context = (struct _zval_struct *) 0x8007272
error_filename = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
error_lineno = 35
orig_user_error_handler = (struct _zval_struct *) 0x7
#3 0x080ffa0c in execute (op_array=0x8171b2c) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1989
execute_data = {opline = 0x8171260, function_state =
{function_symbol_table = 0x0, function = 0x8171b2c, reserved = {
0x80fabde, 0x8171fbc, 0x5a9b0765, 0x1c}}, fbc = 0x0, ce = 0x0,
object = {ptr = 0x0}, Ts = 0xbfffb9d0,
original_in_execution = 1 '\001', op_array = 0x8171b2c,
prev_execute_data = 0xbfffbe20}
#4 0x080fe633 in execute (op_array=0x816a464) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660
calling_symbol_table = (struct _hashtable *) 0x813a14c
original_return_value = (struct _zval_struct **) 0xbfffbea4
return_value_used = 0
execute_data = {opline = 0x816e850, function_state =
{function_symbol_table = 0x81715c4, function = 0x8171b2c, reserved = {
0x10001, 0x4000000, 0x0, 0x0}}, fbc = 0x8171b2c, ce = 0x0, object =
{ptr = 0x8170a04}, Ts = 0xbfffbc20,
original_in_execution = 0 '\0', op_array = 0x816a464, prev_execute_data
= 0x0}
#5 0x080ee81c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:885
files = 0xbfffbed4 ""
i = 1
file_handle = (struct _zend_file_handle *) 0xbfffe170
orig_op_array = (struct _zend_op_array *) 0x0
local_retval = (struct _zval_struct *) 0x0
#6 0x080bf239 in php_execute_script (primary_file=0xbfffe170) at
/home/moregan/php4-STABLE-200309020330/main/main.c:1723
orig_bailout = {{__jmpbuf = {1108517584, 1073815584, -1073749500,
-1073749576, -1073749984, 135281170},
__mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32
times>}}}}
orig_bailout_set = 1 '\001'
prepend_file_p = (struct _zend_file_handle *) 0x0
append_file_p = (struct _zend_file_handle *) 0x0
prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
old_cwd = 0xbfffbee0 ""
old_primary_file_path = 0x0
retval = 0
#7 0x08104108 in main (argc=1, argv=0xbfffe204) at
/home/moregan/php4-STABLE-200309020330/sapi/cli/php_cli.c:819
orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved =
0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
orig_bailout_set = 0 '\0'
exit_status = 0
c = -1
file_handle = {type = 2 '\002', filename = 0x812bb4b "-",
opened_path = 0x0, handle = {fd = 1108505024, fp = 0x421271c0},
free_filename = 0 '\0'}
behavior = 1
orig_optind = 1
orig_optarg = 0x0
arg_free = 0xbffffbb1 "./sapi/cli/php"
arg_excp = (char **) 0xbfffe204
script_file = 0x0
global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor =
0, persistent = 0 '\0', traverse_ptr = 0xbfffe204}
interactive = 0
module_started = 1
lineno = 0
exec_direct = 0x0
param_error = 0x0
hide_argv = 0
#8 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
No symbol table info available.
--
Edit bug report at http://bugs.php.net/?id=25369&edit=1