ID: 23132
Updated by: [EMAIL PROTECTED]
-Summary: Strange engine crash
Reported By: edink at proventum dot net
Status: Closed
Bug Type: Scripting Engine problem
Operating System: Linux (RedHat 7.3)
PHP Version: 4CVS-2003-04-09 (stable)
Assigned To: stas
New Comment:
Related to bug #25856
Previous Comments:
------------------------------------------------------------------------
[2003-04-11 01:53:52] [EMAIL PROTECTED]
The reference count is correct all along - it's just that in this
particular example, the very same (empty) $agreement ends up being
referenced more than 64K times, which overflows ZE1's refcount limit.
Either way, it's a bug related to the 64K limit, so it'll be fixed in
ZE2 only.
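As an added illustration of the 64K limit discussed in this comment (example code written for this page, not code from the bug report or from the Zend engine; `toy_value`, `addref_unchecked`, `addref_checked`, `holders_at_bogus_free` and `take_refs_checked` are constructed names), the toy below keeps a 16-bit reference count next to a true tally and shows where the two diverge at the report's loop count of 70000, then shows a checked increment that refuses to wrap:

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a refcounted value whose counter is a 16-bit field, the
 * situation the comment above describes for ZE1.  Constructed for this
 * example; it is not Zend's zval and not code from the bug report. */
typedef struct {
    uint16_t refcount;   /* wraps silently from 65535 back to 0 */
} toy_value;

/* Unchecked increment: the same silent wrap the report ran into. */
static void addref_unchecked(toy_value *v) {
    v->refcount++;
}

/* Checked increment: refuses to wrap and reports the overflow instead.
 * Returns 1 on success, 0 if the counter is already saturated. */
static int addref_checked(toy_value *v) {
    if (v->refcount == UINT16_MAX) {
        return 0;
    }
    v->refcount++;
    return 1;
}

/* Take n extra references to one value with the unchecked increment while
 * keeping a true tally alongside the 16-bit field.  Returns the true number
 * of live holders at the moment the field reads 0, which is when a release
 * check of the form "refcount == 0 -> free" would free memory those holders
 * still use.  Returns 0 if the field never wraps within n references. */
static unsigned holders_at_bogus_free(unsigned n) {
    toy_value v = { 1 };        /* the variable itself holds one reference */
    unsigned true_holders = 1;
    for (unsigned i = 0; i < n; i++) {
        addref_unchecked(&v);
        true_holders++;
        if (v.refcount == 0) {
            return true_holders;
        }
    }
    return 0;
}

/* Same loop with the checked increment.  Returns how many references were
 * taken before the cap; *overflowed is set to 1 if the cap was hit. */
static unsigned take_refs_checked(unsigned n, int *overflowed) {
    toy_value v = { 1 };
    unsigned taken = 0;
    *overflowed = 0;
    for (unsigned i = 0; i < n; i++) {
        if (!addref_checked(&v)) {
            *overflowed = 1;
            break;
        }
        taken++;
    }
    return taken;
}

int main(void) {
    unsigned n = 70000;   /* the loop count from the report */
    int overflowed;
    unsigned holders = holders_at_bogus_free(n);
    unsigned taken = take_refs_checked(n, &overflowed);

    printf("unchecked: after %u refs the 16-bit field reads 0 while %u holders are live\n",
           holders - 1, holders);
    printf("checked:   took %u refs, overflow detected = %d\n", taken, overflowed);
    return 0;
}
```

With the unchecked counter the field reads 0 after 65535 extra references while 65536 holders are still alive, so the next release frees memory that is still in use; the checked variant stops at 65534 extra references and reports the overflow instead of corrupting the heap.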
------------------------------------------------------------------------
[2003-04-10 16:05:24] [EMAIL PROTECTED]
Bug is not existent in Zend Engine 2 [PHP5]:
[EMAIL PROTECTED]:~/devel/php/tests > cat overflow.php
<?php
function trim_field(&$row) {}
$row = array();
for ($i=0; $i<70000; $i++) {
trim_field($row);
$agreement_arr[] = $agreement;
}
var_dump(sizeof($agreement_arr));
?>
[EMAIL PROTECTED]:~/devel/php/tests > php5 overflow.php
int(70000)
------------------------------------------------------------------------
[2003-04-09 20:09:23] [EMAIL PROTECTED]
variable_ptr->refcount is getting overflowed in
zend_assign_to_variable_reference. It appears that the
variable doesn't get dereferenced in the example below. If
you inject $agreement = 1; as line 2 in the loop, the
reference count seems to stay correct.
------------------------------------------------------------------------
[2003-04-09 09:44:06] [EMAIL PROTECTED]
I heard that stas almost begged for fixing this bug. :)
------------------------------------------------------------------------
[2003-04-09 09:39:45] edink at proventum dot net
This piece of code crashes the engine in PHP 4.2.x and 4.3.x including
the latest CVS version from PHP_4_3 branch:
<?php
function trim_field(&$row) {}
$row = array();
for ($i=0; $i<70000; $i++) {
trim_field($row);
$agreement_arr[] = $agreement;
}
?>
Comment out any of the two lines inside the loop and it works.
Just before the crash PHP reports:
[Wed Apr 9 16:40:32 2003] Script: 'bug.php'
---------------------------------------
/data/src/PHP_4_3/Zend/zend_execute.c(271) : Block 0x0813FB40 status:
Beginning: Overrun (magic=0x00000000, expected=0x7312F8DC)
And backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x420828fc in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0 0x420828fc in memcpy () from /lib/i686/libc.so.6
#1 0x080e1f8a in _mem_block_check (ptr=0x813fb64, silent=0,
__zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
__zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
at /data/src/PHP_4_3/Zend/zend_alloc.c:649
#2 0x080e1f4d in _mem_block_check (ptr=0x813fb64, silent=1,
__zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
__zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
at /data/src/PHP_4_3/Zend/zend_alloc.c:641
#3 0x080e1337 in _efree (ptr=0x813fb64,
__zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
__zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
at /data/src/PHP_4_3/Zend/zend_alloc.c:217
#4 0x080fe992 in zend_assign_to_variable_reference (result=0x0,
variable_ptr_ptr=0x86e4540, value_ptr_ptr=0x815e49c, Ts=0x0)
at /data/src/PHP_4_3/Zend/zend_execute.c:271
#5 0x081034e4 in execute (op_array=0x81686e8)
at /data/src/PHP_4_3/Zend/zend_execute.c:1827
#6 0x08102a02 in execute (op_array=0x8163484)
at /data/src/PHP_4_3/Zend/zend_execute.c:1650
#7 0x080f270a in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /data/src/PHP_4_3/Zend/zend.c:864
#8 0x080c25c0 in php_execute_script (primary_file=0xbffffa20)
at /data/src/PHP_4_3/main/main.c:1653
#9 0x0810825c in main (argc=2, argv=0xbffffac4)
at /data/src/PHP_4_3/sapi/cli/php_cli.c:753
#10 0x42017499 in __libc_start_main () from /lib/i686/libc.so.6
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=23132&edit=1