From: sixd
Operating system: Ubuntu 32 bit
PHP version: trunk-SVN-2011-02-09 (SVN)
Package: *General Issues
Bug Type: Bug
Bug description: Crash in trunk zend_dtoa() with unmet loop condition
Description:
------------
A segfault occurs after a few reloads of a phpinfo() script with PHP trunk
on Ubuntu 10.04 and 10.10, both 32bit. It doesn't occur with PHP_5_3.
Test script:
---------------
Steps:
- Start Apache: httpd -x
- Repeatedly load a script <?php phpinfo(); ?>.
- Within 10 reloads, Apache segfaults.
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14,
decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
(gdb) bt
#0 0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14,
decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
#1 0x0086d374 in php_gcvt (value=197618504, ndigit=14, dec_point=46 '.',
exponent=69 'E', buf=0xbfffc9cd "5\217") at
/home/cjones/phpsrc/php/php-src/trunk/main/snprintf.c:142
#2 0x008703a5 in xbuf_format_converter (xbuf=0xbfffcbf4, fmt=0xcfb477 "G",
ap=0xbfffcc58 "_(\210") at
/home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:669
#3 0x00870db5 in vspprintf (pbuf=0xbfffcd04, max_len=0, format=0xcfb474
"%.*G", ap=0xbfffcc4c "\016") at
/home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:797
#4 0x00903c63 in zend_spprintf (message=0xbfffcd04, max_len=0,
format=0xcfb474 "%.*G") at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_exceptions.c:545
#5 0x008dc2ec in _convert_to_string (op=0xbfffcd04,
__zend_filename=0xccd72c
"/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c",
__zend_lineno=252) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_operators.c:578
#6 0x007b4fc3 in php_print_gpcse_array (name=0xcce134 "_SERVER",
name_length=7) at
/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:252
#7 0x007b5e46 in php_print_info (flag=-1) at
/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:885
#8 0x007b66d4 in zif_phpinfo (ht=0, return_value=0xb7fc1734,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at
/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:1141
#9 0x0091a7d0 in zend_do_fcall_common_helper_SPEC
(execute_data=0xb7fa6074) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:638
#10 0x0091fac5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xb7fa6074) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:1935
#11 0x00919632 in execute (op_array=0xb7fc0808) at
/home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:410
#12 0x008e629e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend.c:1212
#13 0x0086cc4f in php_execute_script (primary_file=0xbffff3ac) at
/home/cjones/phpsrc/php/php-src/trunk/main/main.c:2344
#14 0x009ed1f8 in php_handler (r=0x83299c8) at
/home/cjones/phpsrc/php/php-src/trunk/sapi/apache2handler/sapi_apache2.c:667
#15 0x0807c556 in ap_run_handler (r=0x83299c8) at config.c:158
#16 0x0807fc01 in ap_invoke_handler (r=0x83299c8) at config.c:372
#17 0x080974e0 in ap_process_request (r=0x83299c8) at http_request.c:282
#18 0x08094520 in ap_process_http_connection (c=0x8323b48) at
http_core.c:190
#19 0x08083fe6 in ap_run_process_connection (c=0x8323b48) at
connection.c:43
#20 0x080b472d in child_main (child_num_arg=<value optimized out>) at
prefork.c:662
#21 0x080b49df in make_child (s=0x80e5db8, slot=0) at prefork.c:702
#22 0x080b509c in ap_mpm_run (_pconf=0x80df0a8, plog=0x811d1a0,
s=0x80e5db8) at prefork.c:978
#23 0x08069134 in main (argc=2, argv=0xbffff8f4) at main.c:740
(gdb) p j1
$1 = -2147483648
(gdb) p j
$2 = -1
(gdb) p *decpt
$3 = 9154443
(gdb) p *sign
$4 = 0
(gdb) p i
$5 = 4678168
(gdb) p d
$6 = {
d = nan(0xfffffffffffff),
ul = {4294967295, 2147483647}
}
The crash is at the assignment of bigtens[i] in:
    else if ((j1 = -k)) {
        value(d) *= tens[j1 & 0xf];
        for (j = j1 >> 4; j; j >>= 1, i++)
            if (j & 1) {
                ieps++;
                value(d) *= bigtens[i];
            }
    }
Because j is -1, it can never satisfy the loop condition.
The relevant code in the file is unchanged from PHP 5.3 and dropping in PHP
5.3 zend_strtod.[ch] files into trunk and rebuilding doesn't fix it.
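The runaway loop described above, as an added example that is not part of the bug report or of PHP's source: a hypothetical helper that mirrors the bigtens[] scaling loop with the bounds check zend_dtoa() lacks, and a second function showing why a negative j never reaches 0. NBIGTENS = 5 is an assumption taken from the five-entry bigtens[] table (1e16 .. 1e256) in dtoa-derived code.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: bigtens[] in dtoa-derived code has five entries,
 * 1e16, 1e32, 1e64, 1e128, 1e256. */
#define NBIGTENS 5

/* Hypothetical mirror of the loop quoted from zend_dtoa(). Returns how
 * many bigtens[] entries the loop multiplies by for a given j1, or -1
 * if i would run past the end of bigtens[] (the crash in the report:
 * zend_dtoa() has no such check and keeps reading until it segfaults). */
int bigtens_steps(int j1)
{
    int i = 0;      /* index into bigtens[], starts at 0 as in dtoa */
    int used = 0;   /* entries actually multiplied in */
    int j;

    for (j = j1 >> 4; j; j >>= 1, i++) {
        if (i >= NBIGTENS)
            return -1;          /* out-of-bounds read in the real code */
        if (j & 1)
            used++;
    }
    return used;
}

/* Repeatedly shifts j right until it stops changing and returns the
 * fixed point: 0 for a non-negative j1, but -1 for a negative j1 because
 * gcc's arithmetic right shift sign-extends, so the loop condition `j`
 * in zend_dtoa() stays true forever once j goes negative. */
int shift_fixed_point(int j1)
{
    int j = j1 >> 4;
    int n;

    for (n = 0; n < 64 && j != (j >> 1); n++)
        j >>= 1;
    return j;
}

int main(void)
{
    /* Constructed inputs: a normal positive scale and the INT_MIN value
     * that gdb showed for j1 in the report. */
    printf("j1=496    steps=%d fixed=%d\n", bigtens_steps(496), shift_fixed_point(496));
    printf("j1=INT_MIN steps=%d fixed=%d\n", bigtens_steps(INT_MIN), shift_fixed_point(INT_MIN));
    return 0;
}
```

The j1 = -2147483648 seen in gdb can only come from -k when k was itself INT_MIN, so the loop starts with a negative j and, as the second function shows, never reaches 0.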
--
Edit bug report at http://bugs.php.net/bug.php?id=53974&edit=1