Edit report at https://bugs.php.net/bug.php?id=62525&edit=1

 ID:                 62525
 Updated by:         fel...@php.net
 Reported by:        perryjp at gmail dot com
 Summary:            sigabrt while converting floating point to string
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Ubuntu 10.04.3 LTS
 PHP Version:        master-Git-2012-07-10 (Git)
-Assigned To:        
+Assigned To:        felipe
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I've committed a slightly different patch.

Thanks.


Previous Comments:
------------------------------------------------------------------------
[2012-07-14 18:17:05] fel...@php.net

Automatic comment on behalf of felipe...@gmail.com
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=63f3962a9015cd119b028e4c6e3f5533fb9f38e0
Log: - Fixed bug #62525 (sigabrt while converting floating point to string)

------------------------------------------------------------------------
[2012-07-10 19:48:57] perryjp at gmail dot com

I fixed it in the master because the version that I'm using isn't open for bug 
reports, but looking at the code I can tell that the incorrect code still exists 
in the tree.

I don't want to get too much into the weeds here: my compile issues caused 
zend_dtoa() to mis-evaluate the value, so it wouldn't think it could represent 
the number and thus zend_dtoa() returns decpt=9999 (snprintf.c:91), and so 
snprintf.c:97 returns a string from the data section of the program rather than 
allocated memory as it does for snprintf:88 and snprintf:121.


My environment doesn't have the necessary dependencies to build the newer 
versions of PHP for my target which is why I'm still on the older one so 
getting a bt on master could prove untenable. 

Still, I decided to submit the crash report/bug because it should be clear that 
doing a free on something from the data portion of the code (what I called a 
statically declared string) is incorrect. You can't do free("NAN") or 
free("INF"), which is essentially what happens.

------------------------------------------------------------------------
[2012-07-10 18:55:15] a...@php.net

I'm not sure I get you right: the bt is from 5.2, but you fixed it for master? 
Could you produce a bt for the current master so one could evaluate that?

Also, which compilation do you mean? Dynamic memory operations usually don't 
affect the compilation of C programs.

Despite that, it looks like it could be a bug. A valid bt should be there to 
ensure that. I'll try to make an erroneous prog too.

------------------------------------------------------------------------
[2012-07-10 17:44:04] perryjp at gmail dot com

Apologies, I should have mentioned that the core dump is from 5.2.6, but I 
looked at the head in git and the issue still exists, and the line numbers in my 
description are based on the head as of today, as is the patch file.

As I mentioned previously, the core of my issue was a compilation issue, so I'm 
not entirely sure how you would reproduce it with a good build, but if you look 
at php_conv_fp (snprintf:396) it blindly frees p_orig, which was initialized by 
the calls to php_fcvt()/php_ecvt(), which both call __cvt. If __cvt detects 
Infinity or NaN, it returns the static strings "INF" or "NAN" (snprintf.c:97), 
which can't be freed, and thus the sigabrt.

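The ownership mismatch described in the comment above, as an added C example that is not from the PHP source tree or from the reporter: `cvt_mixed` models the pre-fix __cvt() contract (heap memory for finite values, a data-section literal for INF/NAN), and `cvt_uniform` shows one way to make the caller's unconditional free() safe by always returning heap memory. All function names, the buffer size and the `%.15g` formatting are constructed assumptions, and the patch actually committed for this bug may differ.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CVT_BUF 32

/* Constructed model of the pre-fix __cvt() contract described in the report:
 * finite values come back in heap memory, but Infinity/NaN (the decpt==9999
 * case from zend_dtoa()) come back as string literals from the data section. */
static char *cvt_mixed(double value)
{
    if (isnan(value)) return "NAN";       /* literal: free() would abort */
    if (isinf(value)) return "INF";       /* literal: free() would abort */
    char *buf = malloc(CVT_BUF);
    if (buf) snprintf(buf, CVT_BUF, "%.15g", value);
    return buf;                           /* heap: caller must free */
}

/* Hardened contract: every result is heap memory, so the unconditional free()
 * in the caller (p_orig in php_conv_fp) is always valid. INF sign is dropped. */
static char *cvt_uniform(double value)
{
    char *buf = malloc(CVT_BUF);
    if (buf == NULL) return NULL;
    if (isnan(value)) snprintf(buf, CVT_BUF, "NAN");
    else if (isinf(value)) snprintf(buf, CVT_BUF, "INF");
    else snprintf(buf, CVT_BUF, "%.15g", value);
    return buf;
}

/* Caller modelled on php_conv_fp(): convert, copy out, free unconditionally.
 * Returns 1 when the formatted text equals `expected`. */
static int format_fp_equals(double value, const char *expected)
{
    char out[CVT_BUF];
    char *p = cvt_uniform(value);
    if (p == NULL) return 0;
    snprintf(out, sizeof out, "%s", p);
    free(p);                              /* safe: never a literal */
    return strcmp(out, expected) == 0;
}

/* Ownership probe: two non-finite calls to cvt_mixed() return one shared
 * address (a literal, deliberately not freed); cvt_uniform() never does. */
static int mixed_returns_shared_literal(void)
{
    return cvt_mixed(INFINITY) == cvt_mixed(INFINITY);
}
```

Running the pre-fix pattern under AddressSanitizer or glibc's malloc checks reports the free() of a non-heap pointer directly, which is the same class of failure the reporter saw as a SIGABRT.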
------------------------------------------------------------------------
[2012-07-10 17:32:06] a...@php.net

But your trace says snprintf.c:399. Could you give a piece of code causing this?

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62525


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62525&edit=1
