So, I reduced the script which throws the segmentation fault.

My environment :
   Debian Lenny, 64bits
   Latest PHP 5.2 from CVS (php5.2-200810151030) compiled with :
./configure --prefix=/home/dev-olivier/usr/ --disable-all --enable-debug


In "first.php" I have this code :
============================================================
<?php
class main
{
   public static $dummy        = NULL ;
   public static $dataAccessor = NULL ;
}

class dataAccessor
{
}

class relay
{
   public function __get( $name )
   {
       main::$dataAccessor = new dataAccessor;
   }
}

class dummy
{
}

main::$dummy        = new dummy();
main::$dataAccessor = new relay();
?>
============================================================

And in "second.php" I have this :
(if I regroup all code in one file, there is no segfault)

============================================================
<?php
error_reporting( E_ALL | E_NOTICE );

require 'first.php';

main::$dataAccessor->bar;
?>
============================================================


If I do :
export USE_ZEND_ALLOC=1 ; /home/dev-olivier/usr/bin/php second.php
==> no segfault
export USE_ZEND_ALLOC=0 ; /home/dev-olivier/usr/bin/php second.php
==> segfault

Sometimes I obtain this output :
*** glibc detected *** /home/dev-olivier/usr/bin/php: corrupted double-linked list: 0x0000000002603800 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f038ba39948]
/lib/libc.so.6[0x7f038ba39bda]
/lib/libc.so.6[0x7f038ba3b708]
/lib/libc.so.6(cfree+0x76)[0x7f038ba3ba56]
/home/dev-olivier/usr/bin/php[0x53ec31]
/home/dev-olivier/usr/bin/php[0x53ecb3]
/home/dev-olivier/usr/bin/php[0x541d2b]
/home/dev-olivier/usr/bin/php(zend_mm_shutdown+0x4c)[0x540a80]
/home/dev-olivier/usr/bin/php(shutdown_memory_manager+0x20)[0x5436ae]
/home/dev-olivier/usr/bin/php(php_request_shutdown+0x31c)[0x50add9]
/home/dev-olivier/usr/bin/php(main+0x17c1)[0x5e6c24]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f038b9e41a6]
/home/dev-olivier/usr/bin/php[0x425c39]
Abort


And valgrind outputs this :
==12485== Memcheck, a memory error detector.
==12485== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12485== Using LibVEX rev 1854, a library for dynamic binary translation.
==12485== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12485== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==12485== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12485== For more details, rerun with: -v
==12485==
==12485== Invalid write of size 1
==12485==    at 0x585F25: zend_std_read_property (zend_object_handlers.c:333)
==12485==    by 0x5A796E: zend_fetch_property_address_read_helper_SPEC_VAR_CONST (zend_vm_execute.h:9107)
==12485==    by 0x5A7AE6: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:9130)
==12485==    by 0x58AE3A: execute (zend_vm_execute.h:92)
==12485==    by 0x562D40: zend_execute_scripts (zend.c:1134)
==12485==    by 0x50B98C: php_execute_script (main.c:2011)
==12485==    by 0x5E635D: main (php_cli.c:1134)
==12485==  Address 0x5db37d8 is 0 bytes inside a block of size 5 free'd
==12485==    at 0x4C20B6E: free (vg_replace_malloc.c:323)
==12485==    by 0x5430AC: _efree (zend_alloc.c:2293)
==12485==    by 0x56FF50: zend_hash_destroy (zend_hash.c:529)
==12485==    by 0x584837: zend_object_std_dtor (zend_objects.c:41)
==12485==    by 0x584C71: zend_objects_free_object_storage (zend_objects.c:122)
==12485==    by 0x588E46: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==12485==    by 0x588C9E: zend_objects_store_del_ref (zend_objects_API.c:168)
==12485==    by 0x560748: _zval_dtor_func (zend_variables.c:52)
==12485==    by 0x551772: _zval_dtor (zend_variables.h:35)
==12485==    by 0x551986: _zval_ptr_dtor (zend_execute_API.c:414)
==12485==    by 0x554323: zend_call_function (zend_execute_API.c:1040)
==12485==    by 0x57C4A1: zend_call_method (zend_interfaces.c:88)
==12485==
==12485== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==12485== malloc/free: in use at exit: 0 bytes in 0 blocks.
==12485== malloc/free: 4,998 allocs, 4,998 frees, 1,397,127 bytes allocated.
==12485== For counts of detected errors, rerun with: -v
==12485== All heap blocks were freed -- no leaks are possible.


I hope this will help.

Olivier

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
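
Added example, not part of the message above and not Zend Engine code: a simplified C model of the lifetime problem the valgrind trace points to, where an object is destroyed while its own getter runs (the getter overwrites the only variable referencing it, as `relay::__get()` does with `main::$dataAccessor`) and the caller then writes to it. All names are hypothetical, the claim that the stale write is the clearing of a recursion guard is an assumption, and the `pin` path shows one common hardening (holding a reference across the call), not the fix PHP adopted.

```c
#include <stdio.h>
/* Simplified model, not Zend Engine code; all names are hypothetical. Objects live in
 * static slots, so "freeing" only marks a slot dead and a stale access can be counted. */
typedef struct object {
    int refcount;
    int alive;              /* 0 once the destructor has run */
    char in_get;            /* recursion guard around the getter */
    void (*getter)(void);
} object;

static object slots[2];
static object *holder;      /* plays the role of main::$dataAccessor */
static int stale_writes;    /* guard writes that hit a destroyed object */
static void release(object *o) { if (--o->refcount == 0) o->alive = 0; }

static void assign_holder(object *o) {
    object *old = holder;
    o->refcount++;
    holder = o;
    if (old) release(old);  /* may destroy the previous value */
}

/* Like relay::__get(): overwrites the holder while the getter is running. */
static void relay_getter(void) {
    slots[1] = (object){0, 1, 0, NULL};
    assign_holder(&slots[1]);
}

static void read_property(object *o, int pin) {
    if (pin) o->refcount++; /* hardened: keep the object alive across the call */
    o->in_get = 1;
    o->getter();
    if (o->alive) o->in_get = 0;
    else stale_writes++;    /* real code would write into freed memory here */
    if (pin) release(o);
}

/* Returns the number of stale guard writes for one property read. */
int run(int pin) {
    stale_writes = 0;
    holder = NULL;
    slots[0] = (object){0, 1, 0, relay_getter};
    assign_holder(&slots[0]);
    read_property(holder, pin);
    return stale_writes;
}
int main(void) {
    printf("unpinned: %d, pinned: %d\n", run(0), run(1));
    return 0;
}
```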
