 ID:               32685
 Updated by:       [EMAIL PROTECTED]
 Reported By:      david at davidheath dot org
 Status:           Assigned
 Bug Type:         Reproducible crash
 Operating System: mandrake linux 10.1
 PHP Version:      4CVS-2005-04-14
-Assigned To:      derick
+Assigned To:      dmitry
 New Comment:

Valgrind errors that I get:

PHP Notice: Undefined property: Root in /tmp/32685/crash.php on line 6

Notice: Undefined property: Root in /tmp/32685/crash.php on line 6
==24279== Invalid read of size 2
==24279==    at 0x81E94F5: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid write of size 2
==24279==    at 0x81E94FA: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E9503: _zval_ptr_dtor (zend_execute_API.c:288)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E953B: _zval_ptr_dtor (zend_execute_API.c:291)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)

and re-assigning to Dmitry.

Previous Comments:
------------------------------------------------------------------------

[2005-06-07 00:09:08] [EMAIL PROTECTED]

# php crash.php
/usr/src/php/php_4_4/Zend/zend_execute.c(282) : Freeing 0x08CA8E7C (9 bytes), script=crash.php
/usr/src/php/php_4_4/Zend/zend_variables.c(111) : Actual location (location was relayed)
/usr/src/php/php_4_4/Zend/zend_execute.c(279) : Freeing 0x08CA8BB4 (12 bytes), script=crash.php

------------------------------------------------------------------------

[2005-05-11 15:17:44] david at davidheath dot org

Hi, thanks for following this up. I tried with the snapshot you gave and still got the crash. I tried running it in gdb as well ('fraid I don't really know whether this helps or not). See below.

Dave

[EMAIL PROTECTED] dh]$ gdb
GNU gdb 6.2-2mdk (Mandrakelinux)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu".
(gdb) file /usr/local/src/php4-STABLE-200505110647/sapi/cli/php
Reading symbols from /usr/local/src/php4-STABLE-200505110647/sapi/cli/php...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run crash2.php
Starting program: /usr/local/src/php4-STABLE-200505110647/sapi/cli/php crash2.php

Program received signal SIGSEGV, Segmentation fault.
0x08111a41 in shutdown_memory_manager (silent=0, clean_cache=0) at /usr/local/src/php4-STABLE-200505110647/Zend/zend_alloc.c:530
530 REMOVE_POINTER_FROM_LIST(t);
(gdb) quit

------------------------------------------------------------------------

[2005-05-11 10:05:56] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

------------------------------------------------------------------------

[2005-04-19 13:53:19] ericvanblokland at gmail dot com

This may be related to an issue I encountered. My guess is this code will work fine with php5.
http://bugs.php.net/bug.php?id=31624

------------------------------------------------------------------------

[2005-04-13 10:51:34] david at davidheath dot org

> 1) Does it also crash when you replace file reading by
> assignment from string?

yes it does, see http://www.davidheath.org/php_bug/crash2.php.txt

I've also noticed that I had a mistake in the original repro script (crash.php.txt), which I've now corrected (the filename on line 4 was wrong). This may explain why you couldn't repro. However, having changed that I now get:

[EMAIL PROTECTED] repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

free(): invalid pointer 0x81b14a8!

ALSO, another important observation. The crash sometimes seems to not happen if I execute the script in a different directory. For example:

[EMAIL PROTECTED] repro]$ pwd
/tmp/repro
[EMAIL PROTECTED] repro]$ ls
crash2.php
[EMAIL PROTECTED] repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

[EMAIL PROTECTED] repro]$ mkdir -p foo/bar
[EMAIL PROTECTED] repro]$ cd foo/bar
[EMAIL PROTECTED] bar]$ cp ../../crash2.php .
[EMAIL PROTECTED] bar]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

Segmentation fault (core dumped)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/32685

--
Edit this bug report at http://bugs.php.net/?id=32685&edit=1