ID:               22510
 Comment by:       taneli at crasman dot fi
 Reported By:      php at codewhore dot org
 Status:           Closed
 Bug Type:         Scripting Engine problem
 Operating System: Linux 2.4
 PHP Version:      4CVS-2003-06-01 (stable)
 New Comment:

No fix for 4.3. I've gotten bitten by apparently the same bug:

Program received signal SIGSEGV, Segmentation fault.
0x081a193f in _efree (ptr=0x84409a4) at /usr/src/www/php-4.3.4/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) backtrace
#0  0x081a193f in _efree (ptr=0x84409a4) at /usr/src/www/php-4.3.4/Zend/zend_alloc.c:259
#1  0x081b8b89 in zend_assign_to_variable_reference (result=0xa806b48, variable_ptr_ptr=0x16c21858, value_ptr_ptr=0x16c04030, Ts=0xbff80a70) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:271
#2  0x081ba8d3 in execute (op_array=0xa8000d4) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:163
#3  0x081bbda7 in execute (op_array=0xa7d67e4) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:1660
#4  0x081bbda7 in execute (op_array=0xa4c37a4) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:1660
#5  0x081bbda7 in execute (op_array=0xa5105f4) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:1660
#6  0x081bbda7 in execute (op_array=0xa41b854) at /usr/src/www/php-4.3.4/Zend/zend_execute.c:1660
#7  0x081af74d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/www/php-4.3.4/Zend/zend.c:884
#8  0x081896e7 in php_execute_script (primary_file=0xbff8bfb0) at /usr/src/www/php-4.3.4/main/main.c:1729
#9  0x081c0c17 in main (argc=4, argv=0xbff8c074) at /usr/src/www/php-4.3.4/sapi/cli/php_cli.c:819

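The comment above calls the 4.3.4 CLI crash "apparently the same bug" as the Apache one reported in March 2003 (the second backtrace further down this page). The reliable way to back that up is to compare normalized crash signatures instead of eyeballing addresses. The script below is an added triage example, not part of the bug report or of PHP: it parses the two gdb backtraces quoted in this report (abbreviated to frames #0-#3 of each plus one SAPI frame), strips build-specific detail (addresses, argument values, line numbers, directory prefixes) and compares the innermost frames. The `Frame`, `signature`, `same_bug` and `crashed_in_allocator` names and the allocator-function list are my own choices.

```python
import re
from dataclasses import dataclass, field
from os.path import basename
from typing import Dict, List, Optional, Tuple

# Excerpts of the two gdb backtraces quoted in this bug report, abbreviated to
# frames #0-#3 of each plus one SAPI frame. Line wrapping is as in the mail.
TRACE_CLI_434 = """\
#0  0x081a193f in _efree (ptr=0x84409a4) at
/usr/src/www/php-4.3.4/Zend/zend_alloc.c:259
#1  0x081b8b89 in zend_assign_to_variable_reference (result=0xa806b48,
variable_ptr_ptr=0x16c21858,
    value_ptr_ptr=0x16c04030, Ts=0xbff80a70) at
/usr/src/www/php-4.3.4/Zend/zend_execute.c:271
#2  0x081ba8d3 in execute (op_array=0xa8000d4) at
/usr/src/www/php-4.3.4/Zend/zend_execute.c:163
#3  0x081bbda7 in execute (op_array=0xa7d67e4) at
/usr/src/www/php-4.3.4/Zend/zend_execute.c:1660
#9  0x081c0c17 in main (argc=4, argv=0xbff8c074) at
/usr/src/www/php-4.3.4/sapi/cli/php_cli.c:819
"""

TRACE_APACHE_CVS = """\
#0  0x4034913f in _efree (ptr=0x403b4564) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c,
variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2  0x40369b83 in execute (op_array=0x8263344) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3  0x4036aa90 in execute (op_array=0x817cad4) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#8  0x4036f1a2 in apache_php_module_main (r=0x811047c,
display_source_mode=0)
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/sapi_apache.c:55
"""


@dataclass
class Frame:
    num: int
    func: str
    file: str                     # basename only: source trees differ per reporter
    line: Optional[int]           # None for frames like "from /lib/libc.so.6"
    args: Dict[str, str] = field(default_factory=dict)


# One flattened gdb frame: "#N [0xADDR in ]func (args) at|from location"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+) (?:0x[0-9a-fA-F]+ in )?(?P<func>\S+) \((?P<args>.*)\) "
    r"(?:at|from) (?P<loc>\S+)$"
)


def parse_backtrace(text: str) -> List[Frame]:
    """Parse a gdb 'bt' listing whose frames may be wrapped over several lines."""
    frames = []
    # A frame starts with "#N "; everything up to the next such start belongs to it.
    for chunk in re.split(r"\n(?=#\d+\s)", text.strip()):
        flat = " ".join(chunk.split())
        m = FRAME_RE.match(flat)
        if not m:
            raise ValueError("unparsable frame: " + flat)
        path, _, line = m.group("loc").rpartition(":")
        if not path:                      # no ":line" suffix at all
            path, line = line, ""
        args = {}
        for item in filter(None, (a.strip() for a in m.group("args").split(","))):
            key, _, value = item.partition("=")
            args[key] = value
        frames.append(Frame(int(m.group("num")), m.group("func"), basename(path),
                            int(line) if line.isdigit() else None, args))
    return frames


def signature(frames: List[Frame], depth: int = 3) -> Tuple[Tuple[str, str], ...]:
    """(function, file) of the innermost `depth` frames. Addresses, argument
    values and line numbers are dropped on purpose: they change with every
    build, the call path does not."""
    return tuple((f.func, f.file) for f in frames[:depth])


def same_bug(a: List[Frame], b: List[Frame], depth: int = 3) -> bool:
    return signature(a, depth) == signature(b, depth)


# Allocator entry points (Zend's and libc's); a fault inside one of these with a
# sane caller means the heap metadata was already damaged, which is the usual
# shape of a double free or use-after-free rather than a bug in the allocator.
ALLOCATOR_FUNCS = {"_efree", "_emalloc", "_erealloc", "free", "malloc", "realloc"}


def crashed_in_allocator(frames: List[Frame]) -> bool:
    return bool(frames) and frames[0].func in ALLOCATOR_FUNCS


if __name__ == "__main__":
    cli, apache = parse_backtrace(TRACE_CLI_434), parse_backtrace(TRACE_APACHE_CVS)
    print("same bug (top 3 frames):", same_bug(cli, apache))
    print("same bug (top 5 frames):", same_bug(cli, apache, depth=5))
    print("allocator crash:", crashed_in_allocator(cli), "freed ptr:", cli[0].args["ptr"])
```

Both traces agree on the three innermost frames (`_efree` called from `zend_assign_to_variable_reference` inside `execute`) and only diverge once the SAPI frames are reached, which is what one expects for a single engine bug reached from two different front ends. A fault inside `_efree` with an intact engine caller is also the shape to treat as heap corruption rather than an allocator defect; the gdb session later on this page, where `**variable_ptr_ptr` is an all-zero zval with `refcount = 0` at the point of `FREE_ZVAL`, is consistent with that zval having been released already.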
Previous Comments:
------------------------------------------------------------------------

[2003-07-12 04:24:52] [EMAIL PROTECTED]

The fix by Zeev will be in php5.





------------------------------------------------------------------------

[2003-06-02 10:56:43] [EMAIL PROTECTED]

Just tested your last script with PHP 5.0.0-dev (ZE2), and it does not crash:

# sapi/cli/php /home/jani/t.php 

Notice: Undefined variable:  a in /home/jani/t.php on line 32
/usr/src/web/php/php5/Zend/zend_execute.c(2782) :  Freeing 0x089681F4 (16 bytes), script=/home/jani/t.php

And commenting out the line 32 (with $a=$a) makes it not crash in PHP 4.3.3-dev too:

$ php t.php 
/usr/src/web/php/php4/Zend/zend_execute.c(1702) :  Freeing 0x088A427C (12 bytes), script=t.php

------------------------------------------------------------------------

[2003-06-01 11:38:31] php at codewhore dot org

A shorter crashing version of tests/lang/22510.phpt. Notice that removal of the silence operator (@) in method2() makes the crash go away.

<?php
  class foo
  {
    function &method1() {
      return $this->foo;
    }

    function &method2() {
      return @$this->foo;   // same return-by-reference, silenced; without the @ there is no crash
    }
  }

  class bar
  {
    function run1() {
      $instance = new foo();
      $instance->method1();
    }

    function run2() {
      $instance = new foo();
      $instance->method2();
      $instance->method2();
    }
  }

  function ouch(&$bar) {
    $bar->run1();
  }

  function ok(&$bar) {
    $a = $a;   // line 32: commenting this out also makes the crash go away
    $bar->run2();
  }

  $bar = new bar();
  ok($bar);
  ouch($bar);
?>

------------------------------------------------------------------------

[2003-03-02 17:30:18] php at codewhore dot org

Accidentally posted the non-crashing code snippet. Here's the one that
crashes:

    function finalize()
    {
      $cl =& $this->commit_list;

      /* Note:
          These are references; we leave the value, $x, unused. */

      foreach ($cl as $k => $x)
      {
        if (!$cl[$k]->transaction_commit())
          return $this->throw(E_SYS);
      }

      return true;
    }

------------------------------------------------------------------------

[2003-03-02 17:28:54] php at codewhore dot org

I've been able to reproducibly crash the PHP interpreter with a
section of code that I'm working on that passes around and calls through a
lot of references. The function that causes the crash looks like:

function finalize()
{
  /* Note:
       These are references; we leave the value, $x, unused. */

  foreach ($this->commit_list as $k => $x)
  {
    if (!$this->commit_list[$k]->transaction_commit())
      return $this->throw(E_SYS);
  }

  return true;
}

I haven't managed to narrow it down any further - executing similar
code in isolation hasn't been able to reproduce the crash yet. I'll
keep trying.

The backtrace:
--------------

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8158)]
0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
233             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0, value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3  0x4036aa90 in execute (op_array=0x817cad4) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#4  0x4036aa90 in execute (op_array=0x818a144) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#5  0x4036aa90 in execute (op_array=0x81fa9bc) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#6  0x4035b219 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web-server/php-4.3-cvs/Zend/zend.c:864
#7  0x40329fcc in php_execute_script (primary_file=0xbffff820) at /usr/src/web-server/php-4.3-cvs/main/main.c:1588
#8  0x4036f1a2 in apache_php_module_main (r=0x811047c, display_source_mode=0) at /usr/src/web-server/php-4.3-cvs/sapi/apache/sapi_apache.c:55
#9  0x403700e6 in send_php (r=0x811047c, display_source_mode=0, filename=0x8112204 "/web/sites/frylock/development/node.php") at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:617
#10 0x4037016c in send_parsed_php (r=0x811047c) at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:632
#11 0x08054360 in ap_invoke_handler (r=0x811047c) at http_config.c:518
#12 0x08068aae in process_request_internal (r=0x811047c) at http_request.c:1308
#13 0x08068b0e in ap_process_request (r=0x811047c) at http_request.c:1324
#14 0x0805fd6e in child_main (child_num_arg=0) at http_main.c:4689
#15 0x0805ff34 in make_child (s=0x8094ec4, slot=0, now=1046645587) at http_main.c:4813
#16 0x0806009b in startup_children (number_to_start=8) at http_main.c:4895
#17 0x080606c8 in standalone_main (argc=5, argv=0xbffffca4) at http_main.c:5203
#18 0x08060f00 in main (argc=5, argv=0xbffffca4) at http_main.c:5566
#19 0x400d3bb4 in __libc_start_main () from /lib/libc.so.6

(gdb) frame 2
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
1344            zend_assign_to_variable_reference(&EX(opline)->result, get_zval_ptr_ptr(&EX(opline)->op1, EX(Ts), BP_VAR_W), get_zval_ptr_ptr(&EX(opline)->op2, EX(Ts), BP_VAR_W), EX(Ts) TSRMLS_CC);

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8258b0c "finalize"

(gdb) frame 1
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0, value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
271                             FREE_ZVAL(variable_ptr);

(gdb) p *value_ptr_ptr
$6 = (struct _zval_struct *) 0x825925c

(gdb) p **value_ptr_ptr
$7 = {value = {lval = 136677812, dval = 7.6896363518630331, str = {val = 0x82589b4 "\b", len = 1075757616}, ht = 0x82589b4, obj = {ce = 0x82589b4, properties = 0x401ec230}}, type = 4 '\004', is_ref = 0 '\0', refcount = 2}

(gdb) p *result
$9 = {op_type = 4, u = {constant = {value = {lval = 3, dval = 2.1219957924474693e-314, str = {val = 0x3 <Address 0x3 out of bounds>, len = 1}, ht = 0x3, obj = {ce = 0x3, properties = 0x1}}, type = 0 '\0', is_ref = 0 '\0', refcount = 0}, var = 3, opline_num = 3, fetch_type = 3, op_array = 0x3, EA = {var = 3, type = 1}}}

(gdb) p *variable_ptr_ptr
$10 = (struct _zval_struct *) 0x403b4564

(gdb) p **variable_ptr_ptr
$11 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0', refcount = 0}


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=22510&edit=1
