Edit report at https://bugs.php.net/bug.php?id=62525&edit=1
ID: 62525
User updated by: perryjp at gmail dot com
Reported by: perryjp at gmail dot com
Summary: sigabrt while converting floating point to string
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: Ubuntu 10.04.3 LTS
PHP Version: master-Git-2012-07-10 (Git)
Block user comment: N
Private report: N
New Comment:
I fixed it the master because the version that I'm using isn't open for bug
reports but looking at the code I can tell that the incorrect code still exists
in the tree.
I don't want to get too much in the weeds here, my compile issues caused
zend_dtoa() to mis-evaluate the value so it wouldn't think it could represent
the number and thus zend_dtoa() returns decopt=9999 (snprintf.c:91) and so
snprintf.c:97 returns a string from the data section of the program rather than
allocated memory as it does for snprintf:88 and snprintf:121
My environment doesn't have the necessary dependencies to build the newer
versions of PHP for my target which is why I'm still on the older one so
getting a bt on master could prove untenable.
Still, I decided to submit the crash report/bug because it should be clear that
doing a free on something from the data portion of the code (what I called a
statically declared string) is incorrect. You can't do free("NAN") or
free("INF") which is essentially what happens.
Previous Comments:
------------------------------------------------------------------------
[2012-07-10 18:55:15] a...@php.net
I'm not sure i get you right, the bt is from 5.2, but you fix it for master?
Could you produce a bt for the current master so one could evaluate that?
Also, which compilation do you mean? Dynamic memory operations usually don't
affect the compilation of C programs.
Despite like it looks like it could be a bug. a valid bt should be there to
ensure that. I'll try to make an erroneous prog too.
------------------------------------------------------------------------
[2012-07-10 17:44:04] perryjp at gmail dot com
Apologies, I should have mentioned that the core dump is from 5.2.6 but I
looked at the head in git and the issue still exists and the line numbers in my
description are based on the head as of today as is the patch file.
As I mentioned previously, the core of my issue was a compilation issue so I'm
not entirely sure how you would reproduce it with a good build but if you look
at php_conv_fp(snprintf:396) it blindly frees p_orig which was initialized by
the calls to php_fcvt()/php_ecvt() which both call __cvt. If __cvt detects
Infinity or Nan, it returns the static strings "INF" or "NAN"(snprintf.c:97)
which can't be freed and thus the sigabrt.
------------------------------------------------------------------------
[2012-07-10 17:32:06] a...@php.net
But your trace says snprintf.c:399. Could you give a piece of code causing this?
------------------------------------------------------------------------
[2012-07-10 17:06:00] perryjp at gmail dot com
Description:
------------
I traced the root of my problem to compilation issues but I while debugging my
issues I traced a sigabrt to a bug in snprintf.c freeing a static string.
php_conv_fp(snprintf.c:396) tries to free the static strings "NAN" or "INF"
returned from __cvt(snprintf.c:97)
Actual result:
--------------
#0 0x0f8fc0d0 in raise () from /lib/tls/libc.so.6
#1 0x0f8fd924 in abort () from /lib/tls/libc.so.6
#2 0x0f93f658 in __libc_message () from /lib/tls/libc.so.6
#3 0x0f945f70 in malloc_printerr () from /lib/tls/libc.so.6
#4 0x0f947330 in _int_free () from /lib/tls/libc.so.6
#5 0x0f9478c0 in free () from /lib/tls/libc.so.6
#6 0x102bb960 in php_conv_fp (format=70 'F', num=2.0824708938098908,
add_dp=NO, precision=8, dec_point=46 '.', is_negative=0xbfb8d040,
buf=0xbfb8ce3d "NAN", len=0xbfb8ce38)
at /php/main/snprintf.c:399
#7 0x102bffdc in xbuf_format_converter (xbuf=0xbfb8d138, fmt=0x104463b7 "F",
ap=0xbfb8d16c)
at /php/main/spprintf.c:588
#8 0x102c0d14 in vspprintf (pbuf=0xbfb8d29c, max_len=0,
format=0x104463a8 "%.15s%ld%ld%0.8F", ap=0xbfb8d16c)
at /php/main/spprintf.c:769
#9 0x102c0df0 in spprintf (pbuf=0xbfb8d29c, max_len=0,
format=0x104463a8 "%.15s%ld%ld%0.8F")
at /php/main/spprintf.c:788
#10 0x1017a59c in php_session_create_id (mod_data=0x104b3f08, newlen=0x0)
at /php/ext/session/session.c:736
#11 0x1017aa2c in php_session_initialize ()
at /php/ext/session/session.c:830
#12 0x1017d530 in php_session_start ()
at /php/ext/session/session.c:1325
#13 0x1017fe48 in zif_session_start (ht=0, return_value=0x105695c0,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at /php/ext/session/session.c:1815
#14 0x103539d4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8dff8)
at /php/Zend/zend_vm_execute.h:200
#15 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8dff8)
at /php/Zend/zend_vm_execute.h:1679
#16 0x1035334c in execute (op_array=0x10596f88)
at /php/Zend/zend_vm_execute.h:92
#17 0x10353ba4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8e148)
at /php/Zend/zend_vm_execute.h:234
#18 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8e148)
at /php/Zend/zend_vm_execute.h:1679
#19 0x1035334c in execute (op_array=0x10560418)
at /php/Zend/zend_vm_execute.h:92
#20 0x10365278 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
execute_data=0xbfb8f2e8)
at /php/Zend/zend_vm_execute.h:4612
#21 0x1035334c in execute (op_array=0x1055d000)
at /php/Zend/zend_vm_execute.h:92
#22 0x10322798 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /php/Zend/zend.c:1134
#23 0x102ba7c0 in php_execute_script (primary_file=0xbfb9175c)
at /php/main/main.c:2005
#24 0x103cb7dc in main (argc=3, argv=0xbfb93d24)
at /php/sapi/cgi/cgi_main.c:1919
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=62525&edit=1
