ID:               28064
 Comment by:       weaseal at hotmail dot com
 Reported By:      gross at schlund dot de
 Status:           Assigned
 Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      4.3.6
 Assigned To:      andi
 New Comment:

I've experienced this bug on 4.3.7 and the beta2 of 5.0 on FreeBSD
4.10-STABLE.

Core file: www.relnor.com/php.core.tar.gz


Previous Comments:
------------------------------------------------------------------------

[2004-06-14 15:55:13] valyala at tut dot by

Here is a much smaller script, which consumes 99% of CPU and all
available on my PHP 4.3.7 under Apache 1.3.31, Win2k, 512Mb RAM, 1Gb
swap.

<?php

$n = 16 * 1024 * 1024;
eval('$i=0;' . str_repeat('$i++;', $n) . 'echo $i;');

?>

------------------------------------------------------------------------

[2004-05-13 18:48:45] phpbugs at hagemeister dot cc

Tested the script on several different machines; they all crash when I
use the test script.

- Debian woody + php 4.12 (From package)
- Debian woody + php 4.36 (Compiled)
- Debian woody + php 4.37-dev (Compiled from
php4-STABLE-200405131230.tar.gz)
- SuSE 8.0 + php 4.23 (SuSE RPM)
- SuSE 8.0 + php 4.36 (Compiled)

------------------------------------------------------------------------

[2004-04-27 14:00:34] martin dot hoffmann at schlund dot de

The problem is with the do_alloca() in zend_execute.c:1041. The test
script causes it to allocate 14 MByte of stack, thereby kicking the
stack into uncharted territory and making subsequent function calls
fail.

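The comment above pins the crash on an unbounded do_alloca() whose size is derived from the script's op array. The following is an added example, not code from PHP or the Zend Engine: a bounded stack-allocation helper of the same shape as a do_alloca/free_alloca pair, which keeps small scratch tables on the stack and sends anything above a fixed limit to the heap. The threshold, the `temp_slot` layout and the function names are this example's own assumptions.

```c
/* Added example, not Zend Engine code: cap how much a caller-controlled size
 * may put on the stack, falling back to the heap above the cap.  In the
 * report the scratch table was sized from the op array, so a 16M-opcode
 * eval() pushed ~14 MB onto the stack and the next calls faulted. */
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Threshold chosen for this example; larger requests go to the heap. */
#define STACK_ALLOCA_LIMIT (32 * 1024)

/* The macro records in use_heap which allocator owns the block, so the
 * matching release knows whether free() is needed. */
#define BOUNDED_ALLOCA(size, use_heap) \
    (((use_heap) = ((size) > STACK_ALLOCA_LIMIT)) ? malloc(size) : alloca(size))
#define BOUNDED_FREE(ptr, use_heap) do { if (use_heap) free(ptr); } while (0)

/* Stand-in (assumed layout) for one slot of an executor temp-variable table. */
struct temp_slot { long value; long type; };

/* Bytes the unbounded variant would have placed on the stack. */
size_t unbounded_stack_bytes(size_t count)
{
    return count * sizeof(struct temp_slot);
}

/* Builds a temp table of `count` slots, touches every slot, and reports where
 * it lived: 1 = heap, 0 = stack, -1 = overflow or allocation failure.
 * The block cannot be returned: alloca() memory dies with this frame. */
int temp_table_path(size_t count)
{
    int use_heap;
    if (count > SIZE_MAX / sizeof(struct temp_slot))
        return -1;                          /* size computation would wrap */
    size_t bytes = count * sizeof(struct temp_slot);
    struct temp_slot *table = BOUNDED_ALLOCA(bytes, use_heap);
    if (table == NULL)
        return -1;
    memset(table, 0, bytes);                /* this is where a blown stack faults */
    for (size_t i = 0; i < count; i++)
        table[i].value = (long)i;
    BOUNDED_FREE(table, use_heap);
    return use_heap;
}

int main(void)
{
    size_t ops = 16 * 1024 * 1024;          /* the reporter's str_repeat() count */
    printf("unbounded: %zu bytes on stack; bounded path: %d (1 = heap)\n",
           unbounded_stack_bytes(ops), temp_table_path(ops));
    return 0;
}
```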
------------------------------------------------------------------------

[2004-04-20 09:08:39] gross at schlund dot de

Compiling PHP without --enable-memory-limit and running the given
script results in a crash and the following backtrace:

(gdb) bt
#0  0x081a0d85 in execute (op_array=0x8325be4)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:1266
#1  0x08193238 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816c853 in php_execute_script (primary_file=0xbffff588)
    at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081abc73 in main (argc=2, argv=0xbffff604)
    at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find the binary at
http://www.andigross.de/phpcrash/phpbinary-without-memory-limit.gz
and the core at
http://www.andigross.de/phpcrash/core-without-memory-limit.gz

------------------------------------------------------------------------

[2004-04-19 21:34:39] [EMAIL PROTECTED]

Although it didn't actually crash for me, valgrind showed the following
errors:



------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/28064
