ID: 25275
Comment by: moregan at flr dot follett dot com
Reported By: rehsack at liwing dot de
Status: Feedback
Bug Type: Reproducible crash
Operating System: FreeBSD 5.1 i386
PHP Version: 4.3.3
New Comment:
Pardon me as I chime in.
With this config of php4-STABLE-200309020330 on Red Hat 8:
./configure \
--disable-all \
--enable-debug \
--enable-cli \
--disable-cgi \
--disable-short-tags \
--disable-xml \
--without-mysql \
--without-pear \
--prefix=/usr/local
the test script runs without apparent difficulty:
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ ./sapi/cli/php bug25275.php
before deaggregate
after deaggregate
but piping the program to PHP segfaults:
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ cat bug25275.php | ./sapi/cli/php
Segmentation fault (core dumped)
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ gdb ./php core.32304
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./sapi/cli/php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, siz=1024)
at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58
58 if ((*d++ = *s++) == 0)
(gdb) bt full
#0 0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, siz=1024)
at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58
d = 0x8135ac0 "-"
s = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
n = 1023
#1 0x080bd020 in php_error_cb (type=8, error_filename=0x5a5a5a5a
<Address 0x5a5a5a5a out of bounds>, error_lineno=35,
format=0x812ad40 "Use of undefined constant %s - assumed '%s'",
args=0xbfffba58 "�\037\027\b�\037\027\b�\037\027\b\006")
at /home/moregan/php4-STABLE-200309020330/main/main.c:615
buffer = 0x816a4dc "Use of undefined constant STDERR - assumed
'STDERR'"
buffer_len = 51
display = 1
#2 0x080ee343 in zend_error (type=8, format=0x812ad40 "Use of
undefined constant %s - assumed '%s'")
at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:751
args = 0xbfffba58 "�\037\027\b�\037\027\b�\037\027\b\006"
params = (struct _zval_struct ***) 0x0
retval = (struct _zval_struct *) 0xbfffba58
z_error_type = (struct _zval_struct *) 0x81285c0
z_error_message = (struct _zval_struct *) 0x81716bc
z_error_filename = (struct _zval_struct *) 0xbfffba44
z_error_lineno = (struct _zval_struct *) 0x7
z_context = (struct _zval_struct *) 0x8007272
error_filename = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>
error_lineno = 35
orig_user_error_handler = (struct _zval_struct *) 0x7
#3 0x080ffa0c in execute (op_array=0x8171b1c) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1989
execute_data = {opline = 0x8171250, function_state =
{function_symbol_table = 0x0, function = 0x8171b1c, reserved = {
0x80fabde, 0x8171fac, 0x5a9b0765, 0x1c}}, fbc = 0x0, ce = 0x0,
object = {ptr = 0x0}, Ts = 0xbfffba60,
original_in_execution = 1 '\001', op_array = 0x8171b1c,
prev_execute_data = 0xbfffbeb0}
#4 0x080fe633 in execute (op_array=0x816a454) at
/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660
calling_symbol_table = (struct _hashtable *) 0x813a14c
original_return_value = (struct _zval_struct **) 0xbfffbf34
return_value_used = 0
execute_data = {opline = 0x816e840, function_state =
{function_symbol_table = 0x81715b4, function = 0x8171b1c, reserved = {
0x10001, 0x4000000, 0x0, 0x0}}, fbc = 0x8171b1c, ce = 0x0, object
= {ptr = 0x81709f4}, Ts = 0xbfffbcb0,
original_in_execution = 0 '\0', op_array = 0x816a454,
prev_execute_data = 0x0}
#5 0x080ee81c in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at
/home/moregan/php4-STABLE-200309020330/Zend/zend.c:885
files = 0xbfffbf64 ""
i = 1
file_handle = (struct _zend_file_handle *) 0xbfffe200
orig_op_array = (struct _zend_op_array *) 0x0
local_retval = (struct _zval_struct *) 0x0
#6 0x080bf239 in php_execute_script (primary_file=0xbfffe200) at
/home/moregan/php4-STABLE-200309020330/main/main.c:1723
orig_bailout = {{__jmpbuf = {1108517584, 1073815584, -1073749356,
-1073749432, -1073749840, 135281170},
__mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32
times>}}}}
orig_bailout_set = 1 '\001'
prepend_file_p = (struct _zend_file_handle *) 0x0
append_file_p = (struct _zend_file_handle *) 0x0
prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'}
old_cwd = 0xbfffbf70 ""
old_primary_file_path = 0x0
retval = 0
#7 0x08104108 in main (argc=1, argv=0xbfffe294) at
/home/moregan/php4-STABLE-200309020330/sapi/cli/php_cli.c:819
orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0,
__saved_mask = {__val = {0 <repeats 32 times>}}}}
orig_bailout_set = 0 '\0'
exit_status = 0
c = -1
file_handle = {type = 2 '\002', filename = 0x812bb4b "-", opened_path
= 0x0, handle = {fd = 1108505024, fp = 0x421271c0},
free_filename = 0 '\0'}
behavior = 1
orig_optind = 1
orig_optarg = 0x0
arg_free = 0xbffffbbc "./sapi/cli/php"
arg_excp = (char **) 0xbfffe294
script_file = 0x0
global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0,
persistent = 0 '\0', traverse_ptr = 0xbfffe294}
interactive = 0
module_started = 1
lineno = 0
exec_direct = 0x0
param_error = 0x0
hide_argv = 0
#8 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
No symbol table info available.
When I remove --enable-debug from the config then the piped version no
longer segfaults but instead prints warnings:
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ cat bug25275.php | ./sapi/cli/php
Notice: Use of undefined constant STDERR - assumed 'STDERR' in - on
line 33
Warning: fwrite(): supplied argument is not a valid stream resource in
- on line 33
Notice: Use of undefined constant STDERR - assumed 'STDERR' in - on
line 35
Warning: fwrite(): supplied argument is not a valid stream resource in
- on line 35
In all cases, valgrind has something like this to say:
[EMAIL PROTECTED]/php4-STABLE-200309020330]$ valgrind -v --skin=memcheck ./sapi/cli/php bug25275.php
==26379== Memcheck, a.k.a. Valgrind, a memory error detector for
x86-linux.
==26379== Copyright (C) 2002-2003, and GNU GPL'd, by Julian Seward.
==26379== Using valgrind-20030725, a program supervision framework for
x86-linux.
==26379== Copyright (C) 2000-2003, and GNU GPL'd, by Julian Seward.
==26379== Startup, with flags:
==26379== --suppressions=/usr/local/lib/valgrind/default.supp
==26379== -v
==26379== Reading syms from
/home/moregan/php4-STABLE-200309020330/sapi/cli/php
==26379== Reading syms from /lib/ld-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /usr/local/lib/valgrind/vgskin_memcheck.so
==26379== Reading syms from /usr/local/lib/valgrind/valgrind.so
==26379== Reading syms from /lib/libcrypt-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /lib/libresolv-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /lib/i686/libm-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /lib/libdl-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /lib/libnsl-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading syms from /lib/i686/libc-2.2.93.so
==26379== object doesn't have any debug info
==26379== Reading suppressions file:
/usr/local/lib/valgrind/default.supp
==26379== Estimated CPU clock rate is 2401 MHz
==26379==
before deaggregate
after deaggregate
==26379== Invalid read of size 1
==26379== at 0x80D14C4: execute
(/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1702)
==26379== by 0x80D11C9: execute
(/home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660)
==26379== by 0x80C66D6: zend_execute_scripts
(/home/moregan/php4-STABLE-200309020330/Zend/zend.c:885)
==26379== by 0x80A5706: php_execute_script
(/home/moregan/php4-STABLE-200309020330/main/main.c:1723)
==26379== Address 0x41383B64 is 72 bytes inside a block of size 100
free'd
==26379== at 0x40025722: free (vg_replace_malloc.c:220)
==26379== by 0x80BA98C: _efree
(/home/moregan/php4-STABLE-200309020330/Zend/zend_alloc.c:265)
==26379== by 0x80C9C6C: zend_hash_destroy
(/home/moregan/php4-STABLE-200309020330/Zend/zend_hash.c:560)
==26379== by 0x80C17E3: destroy_zend_class
(/home/moregan/php4-STABLE-200309020330/Zend/zend_opcode.c:124)
==26379==
==26379== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from
0)
[...]
(This valgrind run was not done on the same binary that produced the backtrace.)
Previous Comments:
------------------------------------------------------------------------
[2003-08-30 08:52:58] [EMAIL PROTECTED]
Cool, let's keep the status set to feedback during this time then.
------------------------------------------------------------------------
[2003-08-30 08:39:35] rehsack at liwing dot de
This may take a while. I can't start before Monday, so I think Tuesday
you can reach results.
------------------------------------------------------------------------
[2003-08-30 07:21:47] [EMAIL PROTECTED]
Yes, that's the idea.
------------------------------------------------------------------------
[2003-08-30 06:10:26] rehsack at liwing dot de
Nope, it runs fine. Do you suggest enabling each extension I used until
it crashes?
------------------------------------------------------------------------
[2003-08-30 02:00:15] [EMAIL PROTECTED]
Try this:
# rm config.cache
# ./configure --disable-all --disable-cgi --enable-debug
# make clean && make
# sapi/cli/php yourscript.php
Does it crash now?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25275