ID: 28064
Comment by: dl at CyberPunk dot ru
Reported By: gross at schlund dot de
Status: Assigned
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 4.3.6
Assigned To: andi
New Comment:
Stable "Segmentation fault" or "Bus error" :-(
in the Apache module with
<?php
$n = 1 * 1024;
eval('$i=0;' . str_repeat('$i++;', $n) . 'echo $i;');
?>
but in CLI the script runs normally.
OS: FreeBSD 5
PHP: 4.3.6, 4.3.7, 5.0.0RC3
(Example http://www.flexor.ru/1.php)
Program received signal SIGSEGV, Segmentation fault.
0x2864184c in zend_fetch_var_address (opline=0x839fdcc, Ts=0xbfacb3b8, type=1, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:797
797 T(opline->result.u.var).var.ptr_ptr = retval;
(gdb) bt
#0 0x2864184c in zend_fetch_var_address (opline=0x839fdcc, Ts=0xbfacb3b8, type=1, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:797
#1 0x28644e51 in zend_fetch_w_handler (execute_data=0xbfad3538, opline=0x839fdcc, op_array=0x8375a9c, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:2002
#2 0x286430d9 in execute (op_array=0x8375a9c, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:1389
#3 0x28649ba3 in zend_include_or_eval_handler (execute_data=0xbfad4db8, opline=0x8374af0, op_array=0x8335104, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:3552
#4 0x286430d9 in execute (op_array=0x8335104, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:1389
#5 0x28649ba3 in zend_include_or_eval_handler (execute_data=0xbfada408, opline=0x83519a4, op_array=0x82a2dfc, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:3552
#6 0x286430d9 in execute (op_array=0x82a2dfc, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:1389
#7 0x28649ba3 in zend_include_or_eval_handler (execute_data=0xbfadb798, opline=0x82a9ad8, op_array=0x82a1124, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:3552
#8 0x286430d9 in execute (op_array=0x82a1124, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend_execute.c:1389
#9 0x2861fccd in zend_execute_scripts (type=8, tsrm_ls=0x8204950, retval=0x0, file_count=3) at /usr/1/HiEnd/php-5.0.0RC3/Zend/zend.c:1061
#10 0x285d3018 in php_execute_script (primary_file=0xbfadcdd8, tsrm_ls=0x8204950) at /usr/1/HiEnd/php-5.0.0RC3/main/main.c:1627
#11 0x2865133a in php_handler (r=0x828d050) at /usr/1/HiEnd/php-5.0.0RC3/sapi/apache2handler/sapi_apache2.c:556
#12 0x0806ae06 in ap_invoke_handler ()
#13 0x0806645b in ap_process_request ()
#14 0x08060ecf in ap_process_http_connection ()
#15 0x08076055 in ap_process_connection ()
#16 0x0806a4da in worker_thread ()
#17 0x283e0506 in apr_thread_pool_get () from /usr/local/apache2/lib/libapr-0.so.9
#18 0x2842250d in pthread_create () from /usr/lib/libpthread.so.1
#19 0x284cf5ab in _ctx_start () from /lib/libc.so.5
Previous Comments:
------------------------------------------------------------------------
[2004-06-15 07:55:57] weaseal at hotmail dot com
I've experienced this bug on 4.3.7 and the beta2 of 5.0 on FreeBSD
4.10-STABLE.
Core file: www.relnor.com/php.core.tar.gz
------------------------------------------------------------------------
[2004-06-14 15:55:13] valyala at tut dot by
Here is a much smaller script, which consumes 99% of CPU and all available memory on my PHP 4.3.7 under Apache 1.3.31, Win2k, 512Mb RAM, 1Gb swap.
<?php
$n = 16 * 1024 * 1024;
eval('$i=0;' . str_repeat('$i++;', $n) . 'echo $i;');
?>
------------------------------------------------------------------------
[2004-05-13 18:48:45] phpbugs at hagemeister dot cc
Tested the script on several different machines; they all crash when I use the test script.
- Debian woody + php 4.12 (From package)
- Debian woody + php 4.36 (Compiled)
- Debian woody + php 4.37-dev (Compiled from
php4-STABLE-200405131230.tar.gz)
- SuSE 8.0 + php 4.23 (SuSE RPM)
- SuSE 8.0 + php 4.36 (Compiled)
------------------------------------------------------------------------
[2004-04-27 14:00:34] martin dot hoffmann at schlund dot de
The problem is with the do_alloca() in zend_execute.c:1041. The test script causes it to allocate 14 MByte of stack, thereby kicking the stack into uncharted territory and making subsequent function calls fail.
------------------------------------------------------------------------
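The do_alloca() explanation above pins the crash on a stack allocation whose size is set by the number of opcodes in the eval'd string. The C program below is an added example, not code from this report or from the Zend engine, showing the usual defensive pattern for that class of bug: a size-bounded scratch allocator that keeps small requests on the stack and routes anything above a fixed threshold to the heap, so a large script costs heap memory (which can be limited and fails cleanly) rather than overrunning the stack. The 32 KiB threshold, the temp_var layout and the helper names are constructed for illustration and make no claim about how PHP eventually fixed this report.

```c
/*
 * Added example (not code from the PHP bug report or from the Zend engine):
 * a bounded scratch-allocation helper. Small requests go on the stack via
 * alloca(); anything above SAFE_ALLOCA_MAX goes to malloc() instead.
 * The threshold and the temp_var stand-in are constructed for illustration.
 */
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_ALLOCA_MAX (32 * 1024)   /* constructed stack budget, in bytes */

/* Stack if the request is within budget, heap otherwise; use_heap records which. */
#define DO_ALLOCA_EX(size, use_heap) \
    (((size) <= (size_t)SAFE_ALLOCA_MAX) \
        ? ((use_heap) = 0, alloca(size)) \
        : ((use_heap) = 1, malloc(size)))

/* Stack memory is released on return; only heap memory needs an explicit free. */
#define FREE_ALLOCA_EX(ptr, use_heap) \
    do { if (use_heap) free(ptr); } while (0)

/* Constructed stand-in for an executor temporary: 16 bytes on every platform. */
typedef struct { int64_t value; int64_t type; } temp_var;

/* Bytes needed to hold n temporaries. */
size_t temporaries_bytes(size_t n) { return n * sizeof(temp_var); }

/* 1 if a request of this many bytes exceeds the stack budget, 0 if it fits. */
int needs_heap(size_t bytes) { return bytes > (size_t)SAFE_ALLOCA_MAX; }

/*
 * Allocate room for n temporaries the way an executor would before running
 * an op_array, touch every slot so the memory is really used, and report
 * where it lived: 0 = stack, 1 = heap, -1 = allocation failed or n == 0.
 */
int run_with_temporaries(size_t n) {
    if (n == 0) return -1;
    size_t bytes = temporaries_bytes(n);
    int use_heap;
    temp_var *ts = (temp_var *)DO_ALLOCA_EX(bytes, use_heap);
    if (ts == NULL) return -1;          /* heap exhausted: fail, do not crash */
    memset(ts, 0, bytes);
    for (size_t i = 0; i < n; i++) ts[i].value = (int64_t)i;   /* touch every slot */
    int ok = ts[n - 1].value == (int64_t)(n - 1);
    FREE_ALLOCA_EX(ts, use_heap);
    return ok ? use_heap : -1;
}

int main(void) {
    /* 1024 statements (the reporter's smaller script) vs. one million. */
    size_t small = 1024, large = (size_t)1024 * 1024;
    printf("%zu temporaries: %zu bytes -> %s\n", small, temporaries_bytes(small),
           run_with_temporaries(small) == 1 ? "heap" : "stack");
    printf("%zu temporaries: %zu bytes -> %s\n", large, temporaries_bytes(large),
           run_with_temporaries(large) == 1 ? "heap" : "stack");
    return 0;
}
```

With this split, a script that compiles to a million statements asks for 16 MB of heap rather than 16 MB of stack, and if that heap request fails the caller sees a NULL it can turn into an error instead of a SIGSEGV deep inside the executor.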
[2004-04-20 09:08:39] gross at schlund dot de
Compiling PHP without --enable-memory-limit and running the given script results in a crash and the following backtrace:
(gdb) bt
#0 0x081a0d85 in execute (op_array=0x8325be4) at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:1266
#1 0x08193238 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2 0x0816c853 in php_execute_script (primary_file=0xbffff588) at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3 0x081abc73 in main (argc=2, argv=0xbffff604) at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)
You can find the binary at
http://www.andigross.de/phpcrash/phpbinary-without-memory-limit.gz
and the core at
http://www.andigross.de/phpcrash/core-without-memory-limit.gz
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/28064