ID: 28064
Comment by: weaseal at hotmail dot com
Reported By: gross at schlund dot de
Status: Assigned
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 4.3.6
Assigned To: andi

New Comment:

I've experienced this bug on 4.3.7 and the beta2 of 5.0 on FreeBSD 4.10-STABLE.
Core file: www.relnor.com/php.core.tar.gz


Previous Comments:
------------------------------------------------------------------------

[2004-06-14 15:55:13] valyala at tut dot by

Here is a much smaller script, which consumes 99% of CPU and all available
memory on my PHP 4.3.7 under Apache 1.3.31, Win2k, 512Mb RAM, 1Gb swap.

<?php
// 16 Mi copies of '$i++;' are concatenated into one string and compiled
// by eval(); the size of that generated script is what drives the crash.
$n = 16 * 1024 * 1024;
eval('$i=0;' . str_repeat('$i++;', $n) . 'echo $i;');
?>

------------------------------------------------------------------------

[2004-05-13 18:48:45] phpbugs at hagemeister dot cc

Tested the script on several different machines, they all crash when I use
the test-script.

- Debian woody + php 4.12 (From package)
- Debian woody + php 4.36 (Compiled)
- Debian woody + php 4.37-dev (Compiled from php4-STABLE-200405131230.tar.gz)
- SuSE 8.0 + php 4.23 (SuSE RPM)
- SuSE 8.0 + php 4.36 (Compiled)

------------------------------------------------------------------------

[2004-04-27 14:00:34] martin dot hoffmann at schlund dot de

The problem is with the do_alloca() in zend_execute.c:1041. The test script
causes it to allocate 14 MByte of stack, thereby kicking the stack into
uncharted territory and making subsequent function calls fail.
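Added example (editor's illustration, not code from PHP or from anyone in this
thread): a stand-alone C model of the do_alloca() problem described in the
comment above, where a stack reservation is sized by the script being
executed, next to the bounded form that sends anything over a fixed threshold
to the heap. The temp_slot layout, the 32 KiB threshold and every function name
here are assumptions chosen for illustration; they are not the Zend structures
or the fix PHP actually shipped.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the per-op-array temporaries the executor keeps
 * on the stack. The field layout is an assumption for illustration only and
 * is not the real Zend temp_variable. */
typedef struct {
    void *value;
    unsigned long type;
    unsigned long refcount;
} temp_slot;

/* Largest single stack reservation allowed per call. 32 KiB is an assumed
 * value that stays well inside any sane thread stack. */
#define STACK_ALLOC_MAX (32u * 1024u)

/* Size in bytes for n slots; refuses requests that would wrap size_t. */
static int temp_bytes(size_t n, size_t *out)
{
    if (n > SIZE_MAX / sizeof(temp_slot))
        return 0;
    *out = n * sizeof(temp_slot);
    return 1;
}

/* 1 if a request for n slots must come from the heap, 0 if the stack is safe. */
int must_use_heap(size_t n)
{
    size_t bytes;
    if (!temp_bytes(n, &bytes))
        return 1;
    return bytes > STACK_ALLOC_MAX;
}

/* Bounded replacement for a bare do_alloca(): small requests use the stack,
 * larger ones are heap-allocated and must be released with BOUNDED_FREE.
 * A macro, because alloca() memory only lives in the caller's frame. */
#define BOUNDED_ALLOCA(ptr, bytes, use_heap)                        \
    do {                                                            \
        (use_heap) = ((bytes) > STACK_ALLOC_MAX);                   \
        (ptr) = (use_heap) ? malloc(bytes) : alloca(bytes);         \
    } while (0)

#define BOUNDED_FREE(ptr, use_heap)   \
    do {                              \
        if (use_heap)                 \
            free(ptr);                \
    } while (0)

/* The pattern from the report: the reservation is sized purely by the script.
 * With n in the millions the stack pointer moves past the guard page and
 * every later write lands outside the mapped stack, which is what valgrind
 * reports as "Invalid write ... is on thread 1's stack". Kept only for
 * contrast; do not call it with a large n. */
int run_op_array_unbounded(size_t n_temps)
{
    temp_slot *slots = alloca(n_temps * sizeof(temp_slot));
    memset(slots, 0, n_temps * sizeof(temp_slot));
    return 0;
}

/* Hardened version with the same interface. Returns 0 when the stack was
 * used, 1 when the request was served from the heap, -1 on overflow or
 * allocation failure. */
int run_op_array(size_t n_temps)
{
    size_t bytes;
    int use_heap;
    temp_slot *slots;
    int rc;

    if (!temp_bytes(n_temps, &bytes))
        return -1;

    BOUNDED_ALLOCA(slots, bytes, use_heap);
    if (slots == NULL)
        return -1;

    /* Touch every slot the way the executor initialises its temporaries. */
    memset(slots, 0, bytes);
    for (size_t i = 0; i < n_temps; i++)
        slots[i].type = 1;

    rc = use_heap ? 1 : 0;
    BOUNDED_FREE(slots, use_heap);
    return rc;
}

int main(void)
{
    /* 16 Mi slots is the order of magnitude the reported script produces;
     * the hardened path simply routes it to the heap. */
    printf("100 slots -> heap? %d\n", must_use_heap(100));
    printf("16Mi slots -> heap? %d\n", must_use_heap(16u * 1024u * 1024u));
    printf("run_op_array(1 Mi) = %d\n", run_op_array(1u << 20));
    return 0;
}
```

The check that matters is the one in must_use_heap(): the decision is made on
the computed byte count, after the multiplication has been verified not to
wrap, and before any stack pointer moves.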
------------------------------------------------------------------------

[2004-04-20 09:08:39] gross at schlund dot de

Compiling PHP without --enable-memory-limit and running the given script
results in a crash and the following backtrace:

(gdb) bt
#0  0x081a0d85 in execute (op_array=0x8325be4)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:1266
#1  0x08193238 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816c853 in php_execute_script (primary_file=0xbffff588)
    at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081abc73 in main (argc=2, argv=0xbffff604)
    at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find the binary at
http://www.andigross.de/phpcrash/phpbinary-without-memory-limit.gz
and the core at
http://www.andigross.de/phpcrash/core-without-memory-limit.gz

------------------------------------------------------------------------

[2004-04-19 21:34:39] [EMAIL PROTECTED]

Although it didn't actually crash for me, valgrind showed the following errors:

==7233== Invalid write of size 4
==7233==    at 0x8213D75: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213D80: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213D87: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211CC5: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211CCC: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211CE4: zend_fetch_var_address (zend_execute.c:564)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211E31: zend_fetch_var_address (zend_execute.c:591)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211EF5: zend_fetch_var_address (zend_execute.c:611)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211F73: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211F87: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8211F8D: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8211F90: zend_fetch_var_address (zend_execute.c:621)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E39: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E44: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E4E: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x82195BB: _get_zval_ptr (zend_execute.c:73)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x82195EF: _get_zval_ptr (zend_execute.c:75)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x82195F8: _get_zval_ptr (zend_execute.c:76)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E5C: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E87: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D0 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E8E: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214E98: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214EA2: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8214EAC: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219EF8: zend_assign_to_variable (zend_execute.c:315)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219EFF: zend_assign_to_variable (zend_execute.c:315)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B2A: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B47: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219BAE: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821A9B7: zend_assign_to_variable (zend_execute.c:492)
==7233==  Address 0x4F1C80D0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821A9E3: zend_assign_to_variable (zend_execute.c:496)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821A9EC: zend_assign_to_variable (zend_execute.c:496)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AA30: zend_assign_to_variable (zend_execute.c:499)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AADD: zend_assign_to_variable (zend_execute.c:517)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AAE7: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AAFB: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x821AB01: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB04: zend_assign_to_variable (zend_execute.c:519)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB1E: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB32: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB35: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB3B: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB4F: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB52: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB66: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB69: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x821AB6E: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80FC is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB72: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB86: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB89: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== More than 50 errors detected.  Subsequent errors
==7233== will still be recorded, but in less detail than before.
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x821AB99: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x821AB9F: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213D9A: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213DA5: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213DAC: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82137EC: execute (zend_execute.c:1216)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82137F6: execute (zend_execute.c:1216)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B07: _get_zval_ptr_ptr (zend_execute.c:164)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B13: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B27: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B30: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B44: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219B97: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8219BAB: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139B0: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8130 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139B6: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8134 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139BD: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139C1: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139C9: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82139E4: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8202414: _zval_copy_ctor (zend_variables.c:91)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 1
==7233==    at 0x8202417: _zval_copy_ctor (zend_variables.c:91)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8213A9F: execute (zend_execute.c:1240)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8201004: increment_function (zend_operators.c:1463)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8201036: increment_function (zend_operators.c:1465)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x8201061: increment_function (zend_operators.c:1470)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82152F5: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x82152FD: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233== 
==7233== Invalid write of size 4
==7233==    at 0x8215318: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 4
==7233==    at 0x820228A: _zval_dtor (zend_variables.c:37)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233== 
==7233== Invalid read of size 1
==7233==    at 0x820228D: _zval_dtor (zend_variables.c:37)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233== 
==7233== More than 30000 total errors detected.  I'm not reporting any more.
==7233== Final error counts will be inaccurate.  Go fix your program!
==7233== Rerun with --error-limit=no to disable this cutoff.  Note
==7233== that errors may occur in your program without prior warning from
==7233== Valgrind, because errors are no longer being displayed.
==7233== 
==7233== 
==7233== ERROR SUMMARY: 30000 errors from 81 contexts (suppressed: 58 from 2)
==7233== malloc/free: in use at exit: 94 bytes in 5 blocks.
==7233== malloc/free: 271228 allocs, 271223 frees, 144890443 bytes allocated.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/28064

-- 
Edit this bug report at http://bugs.php.net/?id=28064&edit=1