ID: 50145
Updated by: srina...@php.net
Reported By: srina...@php.net
Status: Open
Bug Type: Reproducible crash
Operating System: solaris, linux
PHP Version: 5.3.1RC3
Assigned To: srinatar

New Comment:
As I expected, this is what valgrind reports..

==8398== Memcheck, a memory error detector.
==8398== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==8398== Using LibVEX rev 1658, a library for dynamic binary translation.
==8398== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==8398== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==8398== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==8398== For more details, rerun with: -v
==8398==
==8398== Invalid read of size 4
==8398==    at 0x82B0A73: _zend_mm_alloc_int (zend_alloc.c:1892)
==8398==    by 0x82A17A7: open_file_for_scanning (zend_language_scanner.l:272)
==8398==    by 0x82A1D2B: compile_file (zend_language_scanner.l:331)
==8398==    by 0x82A18AD: compile_filename (zend_language_scanner.l:386)
==8398==    by 0x830CE73: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (zend_vm_execute.h:1916)
==8398==    by 0x82EEA67: execute (zend_vm_execute.h:104)
==8398==    by 0x82C1F35: zend_call_function (zend_execute_API.c:942)
==8398==    by 0x82C29B7: call_user_function_ex (zend_execute_API.c:734)
==8398==    by 0x82CD76C: zend_error (zend.c:1101)
==8398==    by 0x82BC0D3: zend_do_begin_function_declaration (zend_compile.c:1289)
==8398==    by 0x829CD59: zendparse (zend_language_parser.y:517)
==8398==    by 0x82A1D5E: compile_file (zend_language_scanner.l:343)
==8398==  Address 0x66690A70 is not stack'd, malloc'd or (recently) free'd
==8398==
==8398== Process terminating with default action of signal 11 (SIGSEGV)
==8398==  Access not within mapped region at address 0x66690A70
==8398==    at 0x82B0A73: _zend_mm_alloc_int (zend_alloc.c:1892)
==8398==    by 0x82A17A7: open_file_for_scanning (zend_language_scanner.l:272)
==8398==    by 0x82A1D2B: compile_file (zend_language_scanner.l:331)
==8398==    by 0x82A18AD: compile_filename (zend_language_scanner.l:386)
==8398==    by 0x830CE73: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (zend_vm_execute.h:1916)
==8398==    by 0x82EEA67: execute (zend_vm_execute.h:104)
==8398==    by 0x82C1F35: zend_call_function (zend_execute_API.c:942)
==8398==    by 0x82C29B7: call_user_function_ex (zend_execute_API.c:734)
==8398==    by 0x82CD76C: zend_error (zend.c:1101)
==8398==    by 0x82BC0D3: zend_do_begin_function_declaration (zend_compile.c:1289)
==8398==    by 0x829CD59: zendparse (zend_language_parser.y:517)
==8398==    by 0x82A1D5E: compile_file (zend_language_scanner.l:343)
==8398==
==8398== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 25 from 1)
==8398== malloc/free: in use at exit: 1,475,924 bytes in 11,420 blocks.
==8398== malloc/free: 11,877 allocs, 457 frees, 1,767,115 bytes allocated.
==8398== For counts of detected errors, rerun with: -v
==8398== searching for pointers to 11,420 not-freed blocks.
==8398== checked 903,284 bytes.
==8398==
==8398== LEAK SUMMARY:
==8398==    definitely lost: 0 bytes in 0 blocks.
==8398==      possibly lost: 0 bytes in 0 blocks.
==8398==    still reachable: 1,475,924 bytes in 11,420 blocks.
==8398==         suppressed: 0 bytes in 0 blocks.
==8398== Reachable blocks (those to which a pointer was found) are not shown.

Previous Comments:
------------------------------------------------------------------------

[2009-11-16 02:08:53] srina...@php.net

Looking at the source of the crash, and the fact that it happens only when used with --enable-zend-multibyte, I think this issue has nothing to do with whether phar is enabled or not (yes, it happens even if it is disabled). I think, my gut feeling is that this issue has something to do with how memory is allocated / reallocated when the file is being parsed with zend-multibyte mode enabled. Just a theory at this point. I need to debug more though. Any useful pointers will be much appreciated..

With respect to the platform, if you look closely, you will notice that the bug report mentions both Solaris and Linux. Yes, I do love Linux and valgrind..
Unfortunately, I didn't get time to look into this last Thursday and Friday as I had to deal with some urgent family matters, but I hope to look into this more on Monday (it is still Sunday for me here .. :-) )

------------------------------------------------------------------------

[2009-11-15 21:54:52] ka...@php.net

Just wondering, does --disable-phar change anything here? How about on other systems than Solaris?

------------------------------------------------------------------------

[2009-11-11 08:33:23] srina...@php.net

Of course, this issue is not reproduced when used with USE_ZEND_ALLOC=0. This can be a temporary workaround until this issue is further investigated.

------------------------------------------------------------------------

[2009-11-11 08:26:55] srina...@php.net

Description:
------------
With the recent PHP 5.3.1 RC3, I noticed a crash when compiled with mbstring and zend-multibyte and running the bug35634.phpt script found under Zend/tests.

Reproduce code:
---------------
'./configure' \
'--enable-cli' \
'--enable-mbstring' \
'--enable-zend-multibyte'

while running the test script Zend/tests/bug35634.phpt:

<?php
if (defined("pass3")) {
    // Pass 3: entered from inside the error handler, i.e. while the
    // compiler is still in the middle of compiling pass 2.
    class ErrorClass {
    }
} else if (defined("pass2")) {
    // Pass 2: a class with both __construct() and an old-style
    // constructor triggers "Redefining already defined constructor"
    // at compile time, which invokes the user error handler.
    class TestClass {
        function __construct() {
        }
        function TestClass() {
            $this->__construct();
        }
    }
} else {
    // Pass 1: install the handler, then include this same file again.
    function errorHandler($errorNumber, $errorMessage, $fileName, $lineNumber) {
        define("pass3", 1);
        include(__FILE__);
        die("Error: $errorMessage ($fileName:$lineNumber)\n");
    }
    set_error_handler('errorHandler');
    define("pass2", 1);
    include(__FILE__);
}
?>

Expected result:
----------------
Error: Redefining already defined constructor for class TestClass (/tmp/c.php:12)

Actual result:
--------------
Here is the stack trace of this crash..
t@1 (l@1) program terminated by signal SEGV (no mapping at the fault address)
Current function is _zend_mm_alloc_int
 1892           ZEND_MM_CHECK_BLOCK_LINKAGE(best_fit);
(dbx 1) where
current thread: t@1
=>[1] _zend_mm_alloc_int(heap = 0x8b7f2f0, size = 496U), line 1892 in "zend_alloc.c"
  [2] _emalloc(size = 496U), line 2295 in "zend_alloc.c"
  [3] open_file_for_scanning(file_handle = 0x80454f8), line 272 in "zend_language_scanner.l"
  [4] compile_file(file_handle = 0x80454f8, type = 2), line 331 in "zend_language_scanner.l"
  [5] phar_compile_file(file_handle = 0x80454f8, type = 2), line 3390 in "phar.c"
  [6] compile_filename(type = 2, filename = 0x8b910b8), line 386 in "zend_language_scanner.l"
  [7] ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(execute_data = 0x8cd6560), line 1915 in "zend_vm_execute.h"
  [8] execute(op_array = 0x8cd4438), line 104 in "zend_vm_execute.h"
  [9] zend_call_function(fci = 0x80456a8, fci_cache = 0x8045608), line 942 in "zend_execute_API.c"
  [10] call_user_function_ex(function_table = 0x8bbf5a0, object_pp = (nil), function_name = 0x8b8db78, retval_ptr_ptr = 0x804572c, param_count = 5U, params = 0x8b906d0, no_separation = 1, symbol_table = (nil)), line 734 in "zend_execute_API.c"
  [11] zend_error(type = 2048, format = 0x8b145e8 "Redefining already defined constructor for class %s", ... = 0x8b8e730, ...), line 1101 in "zend.c"
  [12] zend_do_begin_function_declaration(function_token = 0x8045b00, function_name = 0x8045b28, is_method = 1, return_reference = 0, fn_flags_znode = 0x8045aec), line 1289 in "zend_compile.c"
  [13] zendparse(), line 4082 in "zend_language_parser.c"
  [14] compile_file(file_handle = 0x8046da8, type = 2), line 343 in "zend_language_scanner.l"
  [15] phar_compile_file(file_handle = 0x8046da8, type = 2), line 3390 in "phar.c"
  [16] compile_filename(type = 2, filename = 0x8b8e4b4), line 386 in "zend_language_scanner.l"
  [17] ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(execute_data = 0x8cd6440), line 1915 in "zend_vm_execute.h"
  [18] execute(op_array = 0x8b8d970), line 104 in "zend_vm_execute.h"
  [19] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = (nil), ...), line 1194 in "zend.c"
  [20] php_execute_script(primary_file = 0x8047850), line 2225 in "main.c"
  [21] main(argc = 2, argv = 0x80478c4), line 1190 in "php_cli.c"

And here it looks like best_fit has been corrupted..
(dbx 2) p *best_fit
dbx: cannot access address 0x66690a70
(dbx 3) p *heap
*heap = {
    use_zend_alloc     = 1
    _malloc            = (nil)
    _free              = (nil)
    _realloc           = (nil)
    free_bitmap        = 1073741824U
    large_free_bitmap  = 133376U
    block_size         = 262144U
    compact_size       = 2097152U
    segments_list      = 0x8cd6410
    storage            = 0x8b7eef0
    real_size          = 524288U
    real_peak          = 524288U
    limit              = 134217728U
    size               = 341616U
    peak               = 342120U
    reserve_size       = 8192U
    reserve            = 0x8b7f560
    overflow           = 0
    internal           = 0
    cached             = 456U
    cache              = (0x8b90590, 0x8b90700, 0x8b90718, 0x8b90558, 0x8b90918, (nil), (nil), (nil), (nil), (nil), 0x8b8faa0, (nil), (nil), (nil), (nil), 0x8b8c1e8, (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil))
    free_buckets       = (0x8b7f3b8, 0x8b7f3b8, 0x8b7f3c0, 0x8b7f3c0, 0x8b7f3c8, 0x8b7f3c8, 0x8b7f3d0, 0x8b7f3d0, 0x8b7f3d8, 0x8b7f3d8, 0x8b7f3e0, 0x8b7f3e0, 0x8b7f3e8, 0x8b7f3e8, 0x8b7f3f0, 0x8b7f3f0, 0x8b7f3f8, 0x8b7f3f8, 0x8b7f400, 0x8b7f400, 0x8b7f408, 0x8b7f408, 0x8b7f410, 0x8b7f410, 0x8b7f418, 0x8b7f418, 0x8b7f420, 0x8b7f420, 0x8b7f428, 0x8b7f428, 0x8b7f430, 0x8b7f430, 0x8b7f438, 0x8b7f438, 0x8b7f440, 0x8b7f440, 0x8b7f448, 0x8b7f448, 0x8b7f450, 0x8b7f450, 0x8b7f458, 0x8b7f458, 0x8b7f460, 0x8b7f460, 0x8b7f468, 0x8b7f468, 0x8b7f470, 0x8b7f470, 0x8b7f478, 0x8b7f478, 0x8b7f480, 0x8b7f480, 0x8b7f488, 0x8b7f488, 0x8b7f490, 0x8b7f490, 0x8b7f498, 0x8b7f498, 0x8b7f4a0, 0x8b7f4a0, 0x8b90b20, 0x8b90b20, 0x8b7f4b0, 0x8b7f4b0)
    large_free_buckets = ((nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), 0x8b8fef8, (nil), (nil), 0x8b8e7a8, (nil), (nil), (nil), (nil), (nil), 0x8b93a00, (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil))
    rest_buckets       = (0x8b7f538, 0x8b7f538)
}

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=50145&edit=1
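The dbx session above dies inside ZEND_MM_CHECK_BLOCK_LINKAGE(best_fit): the free-list pointer the allocator pulled out of its bucket is 0x66690a70, an address dbx itself cannot read, so the linkage check faults on its very first load of best_fit->prev/next instead of reporting the corruption. The following is an added illustration, not Zend MM's code and not part of this bug report, of a toy single-size free-list allocator whose linkage check first confirms, by integer comparison only, that the candidate block and its neighbours lie inside the arena before touching them. All names (toy_heap, linkage_ok, demo_corruption, the 64-byte block size) are hypothetical; the only value borrowed from the report is the unmapped address used to simulate a stomped link.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical toy free-list allocator: NOT Zend MM's layout, only a
 * model of "pop best_fit off a doubly-linked free list after checking
 * its linkage", the step that faults in the report. */

#define ARENA_SIZE 4096
#define BLOCK_SIZE 64
#define NBLOCKS    (ARENA_SIZE / BLOCK_SIZE)

typedef struct free_block {
    struct free_block *prev;
    struct free_block *next;
} free_block;

typedef struct {
    free_block head;                 /* sentinel; first so 'arena' is pointer-aligned */
    unsigned char arena[ARENA_SIZE];
    int corrupted;                   /* latched when any check fails */
} toy_heap;

/* Does p point at the start of a block in this arena? Pure integer
 * comparison, so a wild pointer is compared but never dereferenced. */
static int in_heap(const toy_heap *h, const void *p)
{
    uintptr_t a = (uintptr_t)h->arena, x = (uintptr_t)p;
    if (x < a || x >= a + ARENA_SIZE) return 0;
    return ((x - a) % BLOCK_SIZE) == 0;
}

/* Linkage check: b->prev->next == b && b->next->prev == b, but only
 * after b and both neighbours are known to be inside the arena. A check
 * that reads b->prev before validating b would itself SIGSEGV when b is
 * garbage, which is what the dbx session shows. */
static int linkage_ok(const toy_heap *h, const free_block *b)
{
    if (!in_heap(h, b)) return 0;
    if (b->prev != &h->head && !in_heap(h, b->prev)) return 0;
    if (b->next != &h->head && !in_heap(h, b->next)) return 0;
    return b->prev->next == b && b->next->prev == b;
}

static void push_front(toy_heap *h, free_block *b)
{
    b->next = h->head.next;
    b->prev = &h->head;
    h->head.next->prev = b;
    h->head.next = b;
}

void heap_init(toy_heap *h)
{
    memset(h, 0, sizeof *h);
    h->head.prev = h->head.next = &h->head;
    for (int i = NBLOCKS - 1; i >= 0; i--)      /* block 0 ends up first */
        push_front(h, (free_block *)(h->arena + (size_t)i * BLOCK_SIZE));
}

/* Pop the first free block. NULL when exhausted or when the list is
 * corrupt; in the latter case the heap is marked and refuses further
 * service rather than unlinking through a bogus pointer. */
void *heap_alloc(toy_heap *h)
{
    free_block *best_fit = h->head.next;
    if (best_fit == &h->head) return NULL;
    if (!linkage_ok(h, best_fit)) { h->corrupted = 1; return NULL; }
    best_fit->prev->next = best_fit->next;
    best_fit->next->prev = best_fit->prev;
    return best_fit;
}

void heap_free(toy_heap *h, void *p)
{
    if (!in_heap(h, p)) { h->corrupted = 1; return; }   /* bad free */
    push_front(h, (free_block *)p);
}

/* Normal use: hand out every block, recycle the last one. Returns NBLOCKS. */
int demo_normal(void)
{
    static toy_heap h;
    void *p, *last = NULL;
    int n = 0;
    heap_init(&h);
    while ((p = heap_alloc(&h)) != NULL) { last = p; n++; }
    if (h.corrupted) return -1;
    heap_free(&h, last);
    return heap_alloc(&h) == last ? n : -2;
}

/* Constructed corruption: the owner of block 0 writes past its 64 bytes
 * and overwrites the links of block 1 (currently head of the free list)
 * with the unmapped address from the report. Returns 1 if the next
 * allocation refused instead of dereferencing it. */
int demo_corruption(void)
{
    static toy_heap h;
    heap_init(&h);
    unsigned char *user = heap_alloc(&h);                   /* block 0 */
    free_block *victim = (free_block *)(user + BLOCK_SIZE); /* block 1, still free */
    victim->prev = (free_block *)(uintptr_t)0x66690a70u;    /* simulated overflow */
    victim->next = (free_block *)(uintptr_t)0x66690a70u;
    void *p = heap_alloc(&h);
    return (p == NULL && h.corrupted) ? 1 : 0;
}

int main(void)
{
    printf("normal: %d blocks served\n", demo_normal());
    printf("corruption detected: %s\n", demo_corruption() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -Wall toy_heap.c -o toy_heap` and run it. The point of the range check is diagnostic rather than protective: it turns a SIGSEGV deep in the allocator into a clean "corrupted" verdict at the first allocation after the damage, which is the moment a debugger or valgrind run should stop. Note that this does not identify who clobbered the link; for that the report's USE_ZEND_ALLOC=0 trick (handing allocations to the system malloc so valgrind sees every block) remains the right tool.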