ID: 38268
User updated by: marc dot dassonneville at gmail dot com
Reported By: marc dot dassonneville at gmail dot com
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: linux
PHP Version: 5.1.4
New Comment:

I tried http://snaps.php.net/php5.2-latest.tar.gz

I have compiled it on 2 different boxes using:
  gcc 4.0.3 (Ubuntu 4.0.3-1ubuntu5)
  gcc version 3.3.2 (old linux box)
and with configure options:
  ./configure --disable-libxml --disable-dom --disable-simplexml --disable-xml --disable-xmlwriter --disable-xmlreader --without-pear --enable-sockets

I was writing you that it worked when I saw an error :(

It used to segfault after 1 sec with php 5.1.4. Now, with the CVS snapshot, it segfaults after a random time (> 10 sec, sometimes > 1 min). It segfaults both on kubuntu with a recent gcc and on the old linux box with an old gcc.

On the ubuntu box, I launched it several times with Valgrind, and it ends up in different ways:

1/
==1202== Stack overflow in thread 1: can't grow stack to 0xBE47AFF4
==1202==
==1202== Process terminating with default action of signal 11 (SIGSEGV)
==1202==  Access not within mapped region at address 0xBE47AFF4
==1202==    at 0x81F765E: zend_objects_store_del_ref_by_handle (zend_objects_API.c:174)
==1202== Stack overflow in thread 1: can't grow stack to 0xBE47AFDC
==1202==
==1202== Process terminating with default action of signal 11 (SIGSEGV)
==1202==  Access not within mapped region at address 0xBE47AFDC
==1202==    at 0x4019308: _vgw_freeres (vg_preloaded.c:58)
==1202==
==1202== ERROR SUMMARY: 10 errors from 10 contexts (suppressed: 21 from 1)
==1202== malloc/free: in use at exit: 1,639,071 bytes in 9,876 blocks.
==1202== malloc/free: 16,722 allocs, 6,846 frees, 2,591,007 bytes allocated.
==1202== For counts of detected errors, rerun with: -v
==1202== searching for pointers to 9,876 not-freed blocks.
==1202== checked 5,609,488 bytes.

2/
==1231== Invalid write of size 4
==1231==    at 0x81C8F04: _zend_mm_alloc_int (zend_alloc.c:478)
==1231==    by 0x81C92A1: _estrndup (zend_alloc.c:1729)
==1231==    by 0x81F56CB: zend_std_object_get_class_name (zend_object_handlers.c:1062)
==1231==    by 0x81EAA38: zif_get_parent_class (zend_builtin_functions.c:607)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81D42FE: zend_eval_string (zend_execute_API.c:1130)
==1231==    by 0x8186AA3: zif_assert (assert.c:152)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81F963A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==  Address 0xD is not stack'd, malloc'd or (recently) free'd
==1231==
==1231== Process terminating with default action of signal 11 (SIGSEGV)
==1231==  Access not within mapped region at address 0xD
==1231==    at 0x81C8F04: _zend_mm_alloc_int (zend_alloc.c:478)
==1231==    by 0x81C92A1: _estrndup (zend_alloc.c:1729)
==1231==    by 0x81F56CB: zend_std_object_get_class_name (zend_object_handlers.c:1062)
==1231==    by 0x81EAA38: zif_get_parent_class (zend_builtin_functions.c:607)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81D42FE: zend_eval_string (zend_execute_API.c:1130)
==1231==    by 0x8186AA3: zif_assert (assert.c:152)
==1231==    by 0x81F9AA7: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)
==1231==    by 0x81F963A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==1231==    by 0x81F7C8A: execute (zend_vm_execute.h:92)

3/
==1236== Stack overflow in thread 1: can't grow stack to 0xBE3A9FF4
==1236==
==1236== Process terminating with default action of signal 11 (SIGSEGV)
==1236==  Access not within mapped region at address 0xBE3A9FF4
==1236==    at 0x81F765E: zend_objects_store_del_ref_by_handle (zend_objects_API.c:174)
==1236== Stack overflow in thread 1: can't grow stack to 0xBE3A9FDC
==1236==
==1236== Process terminating with default action of signal 11 (SIGSEGV)
==1236==  Access not within mapped region at address 0xBE3A9FDC
==1236==    at 0x4019308: _vgw_freeres (vg_preloaded.c:58)

With GDB on the old linux box:

1/
Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0x82fe190, p=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:477
477             prev->next_free_block = next;
(gdb) where
#0  _zend_mm_free_int (heap=0x82fe190, p=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:477
#1  0x081bfcca in _efree (ptr=0x0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_alloc.c:1621
#2  0x081f592d in ZEND_ECHO_SPEC_TMP_HANDLER (execute_data=0xbfffacd0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_variables.h:35
#3  0x081ee2c8 in execute (op_array=0xbfffacd0) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#4  0x081ee838 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb800) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:234
#5  0x081ee2c8 in execute (op_array=0x400a1254) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#6  0x081d585e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend.c:1095
#7  0x0819a2b6 in php_execute_script (primary_file=0xbfffdc10) at /home/marc/tmp/PHP/php5.2-200607311230/main/main.c:1759
#8  0x0823ae2d in main (argc=3, argv=0xbfffdcc4) at /home/marc/tmp/PHP/php5.2-200607311230/sapi/cli/php_cli.c:1097
#9  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

2/
Program received signal SIGSEGV, Segmentation fault.
0x401a2dff in ?? ()
(gdb) where
#0  0x401a2dff in ?? ()
#1  0x081ee2c8 in execute (op_array=0x401a2df8) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend_vm_execute.h:92
#2  0x081d585e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php5.2-200607311230/Zend/zend.c:1095
#3  0x0819a2b6 in php_execute_script (primary_file=0xbffff590) at /home/marc/tmp/PHP/php5.2-200607311230/main/main.c:1759
#4  0x0823ae2d in main (argc=3, argv=0xbffff644) at /home/marc/tmp/PHP/php5.2-200607311230/sapi/cli/php_cli.c:1097
#5  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6


Previous Comments:
------------------------------------------------------------------------

[2006-07-31 14:44:48] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5.2-win32-latest.zip

------------------------------------------------------------------------

[2006-07-31 14:40:16] marc dot dassonneville at gmail dot com

Description:
------------
zend_hash_find segfault when calling property of null object

I can reproduce the SEGFAULT, but can't reduce the code (code of 7KLines).

It seems that the bug occurs when an object A returns null instead of an object B, + try to access a property of B.

Example:
  $foo->give_me_A()->property_of_B = $bar; // crash when give_me_A() returns null.

If I test that $foo->give_me_A() doesn't return null before doing this call, it doesn't segfault.

BUT .. I can't manage to reproduce this bug in a smaller code :/

I gave below some GDB debug.

Segfault tested on:
  PHP 5.1.4 (cli) (built: Jul 19 2006 12:36:47) on an old linux box (2.4.20)
It also segfaults on:
  PHP 5.1.2 (cgi-fcgi) (built: Jul 19 2006 00:02:34) on the last KUbuntu (2.6.15)

Actual result:
--------------
GDB Result on the old linux box:

0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98, method_name=0x8374b64 "get_client", method_len=10) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
738             if (zend_hash_find(&zobj->ce->function_table, lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
(gdb) where
#0  0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98, method_name=0x8374b64 "get_client", method_len=10) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
#1  0x08218f6a in ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER (execute_data=0xbfffc9e0) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:20875
#2  0x081e28f8 in execute (op_array=0x83701b4) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:92
#3  0x081ca270 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/marc/tmp/PHP/php-5.1.4/Zend/zend.c:1109
#4  0x08190dc3 in php_execute_script (primary_file=0xbfffee10) at /home/marc/tmp/PHP/php-5.1.4/main/main.c:1732
#5  0x0822eea3 in main (argc=3, argv=0xbfffeec4) at /home/marc/tmp/PHP/php-5.1.4/sapi/cli/php_cli.c:1092
#6  0x400a45d9 in __libc_start_main () from /lib/libc.so.6

Some valgrind info on KUbuntu:

==32660==
==32660== Invalid read of size 4
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
==32660==  Address 0xA is not stack'd, malloc'd or (recently) free'd
==32660==
==32660== Process terminating with default action of signal 11 (SIGSEGV)
==32660==  Access not within mapped region at address 0xA
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38268&edit=1
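The guard the reporter says avoids the crash, written out as an added PHP example (not code from the bug report or from PHP itself): a chained property write on a method that may return null, beside two ways of keeping null out of that chain. Only give_me_A() and property_of_B come from the report; class B, Foo, require_A() and the function names are made up.

```php
<?php
// Added example, not from the bug report: models an object whose give_me_A()
// can return null, followed by the chained property write the reporter shows.
class B {
    public $property_of_B = null;
}

class Foo {
    private $a;
    public function __construct($haveA) {
        $this->a = $haveA ? new B() : null;
    }
    // May return null: the case that crashed the reporter's build.
    public function give_me_A() {
        return $this->a;
    }
    // Guarded variant: never returns null, fails loudly instead.
    public function require_A() {
        if ($this->a === null) {
            throw new RuntimeException('give_me_A() has nothing to return');
        }
        return $this->a;
    }
}

// The explicit null test the reporter says makes the segfault disappear.
function guarded_write(Foo $foo, $bar) {
    $a = $foo->give_me_A();
    if ($a === null) {
        return false;   // caller decides what a missing A means
    }
    $a->property_of_B = $bar;
    return true;
}

// Same write through require_A(): a missing A becomes a catchable exception
// with a message and stack trace instead of a warning or an engine crash.
function strict_write(Foo $foo, $bar) {
    $foo->require_A()->property_of_B = $bar;
}

var_dump(guarded_write(new Foo(true), 'x'));
var_dump(guarded_write(new Foo(false), 'x'));
try {
    strict_write(new Foo(false), 'x');
} catch (RuntimeException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}
```

On an engine that does not crash, the unguarded chain degrades to a warning in PHP 5 and to a thrown Error in PHP 8; either way, the require_A() form gives a stack trace that points at the caller rather than at the engine internals shown in the traces above.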