Edit report at https://bugs.php.net/bug.php?id=61046&edit=1
ID: 61046
Updated by: larue...@php.net
Reported by: ni...@php.net
Summary: Segfault when memory limit is hit while copying hash table
Status: Feedback
Type: Bug
Package: Reproducible crash
PHP Version: 5.4.0RC7
Block user comment: N
Private report: N

New Comment:

Another way to fix this is to promote the ht pointer assignment in the ctor (listed below), but there is still a chance that alloc fails when trying to alloc memory for the ht. So I still think the fix I attached is the better one.

diff --git a/Zend/zend_variables.c b/Zend/zend_variables.c index 25a66a1..bb6927a 100644 --- a/Zend/zend_variables.c +++ b/Zend/zend_variables.c
@@ -134,9 +134,9 @@ ZEND_API void _zval_copy_ctor_func(zval *zvalue ZEND_FILE_LINE_DC) return; /* do nothing */ } ALLOC_HASHTABLE_REL(tmp_ht); + zvalue->value.ht = tmp_ht; zend_hash_init(tmp_ht, zend_hash_num_elements(original_ht), NULL, ZVAL_PTR_DTOR, 0); zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); - zvalue->value.ht = tmp_ht; } break; case IS_OBJECT:

Previous Comments:
------------------------------------------------------------------------
[2012-12-20 15:08:30] larue...@php.net

Quick fix attached, could you please verify it?
------------------------------------------------------------------------
[2012-12-20 15:07:27] larue...@php.net

The following patch has been added/updated:

Patch Name: bug61046.patch
Revision: 1356016047
URL: https://bugs.php.net/patch-display.php?bug=61046&patch=bug61046.patch&revision=1356016047
------------------------------------------------------------------------
[2012-12-20 11:18:02] arrtedone at gmail dot com

Description:
------------
Same here, reproducible, but with memory limit set to 128M (note that I am not using the provided test script; it crashed randomly).

Test script:
-------------
-

System information:
OS: Fedora 17 Linux nask0 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64
PHP version 5.4.9:
PHP API: 20100412
PHP Extension: 20100525
Zend Extension: 220100525
Zend Extension Build: API220100525,NTS
PHP Extension Build: API20100525,NTS
Thread Safety: disabled
Zend Signal Handling: disabled
Zend Memory Manager: enabled
Apache Version: Apache/2.2.22 (Fedora) DAV/2 PHP/5.4.9
Apache API Version: 20051115

GDB backtrace:
---------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_remove_from_free_list (heap=0x7f75283c10d0, mm_block=0x7f752a24b3f8) at /usr/src/debug/php-5.4.9/Zend/zend_alloc.c:833
833 if (UNEXPECTED(prev->next_free_block != mm_block) || UNEXPECTED(next->prev_free_block != mm_block)) {
(gdb) continue
Continuing.
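Review bot: the hoisted `zvalue->value.ht = tmp_ht;` now sits between `ALLOC_HASHTABLE_REL(tmp_ht);` and `zend_hash_init(...)`, so in that window zvalue owns a HashTable whose fields have not been initialized yet; if execution bails out there, whatever later destroys zvalue->value.ht walks uninitialized memory. Move the assignment to just after `zend_hash_init(...)` and before `zend_hash_copy(...)`: that still gives the benefit this hunk is after (before the patch, zvalue->value.ht points at original_ht for the whole duration of zend_hash_copy, so a memory-limit bailout inside the copy leaves two owners of one table), while never exposing an uninitialized table. As the comment above says, a failure inside ALLOC_HASHTABLE_REL itself leaves zvalue->value.ht aliasing original_ht with either ordering, so that case still needs separate handling.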
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
------------------------------------------------------------------------
[2012-02-10 18:08:37] ras...@php.net

Same here. Reproducible on 64-bit Linux with memory_limit set to "512k". The segfault is here:

zend_mm_remove_from_free_list (heap=0xf71730, mm_block=0x7ffff7fae1c8) at /home/rasmus/php-src/branches/PHP_5_4/Zend/zend_alloc.c:805
805 ZEND_MM_CHECK_TREE(mm_block);
(gdb) p *mm_block
$2 = {info = {_size = 16400, _prev = 57}, prev_free_block = 0x7ffff7fae1c8, next_free_block = 0x7ffff7fae1c8, parent = 0x0, child = {0x0, 0x0}}

Note that parent is NULL there and ZEND_MM_CHECK_TREE tries to dereference *parent.
------------------------------------------------------------------------
[2012-02-10 17:46:09] jpa...@php.net

Notice that I only reproduce with memory_limit set to exactly 512k, not 500k as in the bug text, nor even 511k.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=61046

-- Edit this bug report at https://bugs.php.net/bug.php?id=61046&edit=1