#28064 [Asn]: php crashes with big scripts

2004-04-20 Thread gross at schlund dot de
 ID:   28064
 User updated by:  gross at schlund dot de
 Reported By:  gross at schlund dot de
 Status:   Assigned
 Bug Type: Scripting Engine problem
 Operating System: Linux
 PHP Version:  4.3.6
 Assigned To:  andi
 New Comment:

Compiling PHP without --enable-memory-limit and running the given
script results in a crash and the following backtrace:

(gdb) bt
#0  0x081a0d85 in execute (op_array=0x8325be4)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:1266
#1  0x08193238 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816c853 in php_execute_script (primary_file=0xb588)
at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081abc73 in main (argc=2, argv=0xb604)
at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find the binary at
http://www.andigross.de/phpcrash/phpbinary-without-memory-limit.gz
and the core at
http://www.andigross.de/phpcrash/core-without-memory-limit.gz


Previous Comments:


[2004-04-19 21:34:39] [EMAIL PROTECTED]

Although it didn't actually crash for me, valgrind showed the following
errors:

==7233== Invalid write of size 4
==7233==at 0x8213D75: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8213D80: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8213D87: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211CC5: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211CCC: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211CE4: zend_fetch_var_address (zend_execute.c:564)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211E31: zend_fetch_var_address (zend_execute.c:591)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211EF5: zend_fetch_var_address (zend_execute.c:611)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211F73: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211F87: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8211F8D: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x8211F90: zend_fetch_var_address (zend_execute.c:621)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E39: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E44: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E4E: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x82195BB: _get_zval_ptr (zend_execute.c:73)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x82195EF: _get_zval_ptr (zend_execute.c:75)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==at 0x82195F8: _get_zval_ptr (zend_execute.c:76)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E5C: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E87: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E8E: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214E98: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==at 0x8214EA2: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of s
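
As an added triage aid (not part of the bug thread), the script below parses memcheck records of the shape quoted above, counts invalid reads and writes per innermost source location, and reports the window of stack addresses touched. The input is a constructed sample following the quoted layout (pid 7233, frames in zend_execute.c); the exact address and line values are assumed, not copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the memcheck output quoted above; values are assumed.
SAMPLE = """\
==7233== Invalid write of size 4
==7233==    at 0x8213D75: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211CC5: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E39: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
# \s* rather than \s+ so the space-collapsed lines as extracted above still match
FRAME = re.compile(r"^==\d+==\s*at 0x[0-9A-Fa-f]+: (\S+) \(([^:]+):(\d+)\)$")
ADDR = re.compile(r"^==\d+==\s*Address 0x([0-9A-Fa-f]+) is on thread \d+'s stack$")

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record: kind, size, innermost frame, address."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frame": None, "addr": None}
            records.append(cur)
        elif cur and cur["frame"] is None and (m := FRAME.match(line)):
            cur["frame"] = (m[1], m[2], int(m[3]))      # innermost frame only
        elif cur and (m := ADDR.match(line)):
            cur["addr"] = int(m[1], 16)                  # faulting stack address
    return records

def summarize(records):
    """Count reads and writes per (function, file, line) so the hot spots stand out."""
    by_loc = defaultdict(lambda: {"read": 0, "write": 0})
    for r in records:
        if r["frame"]:
            by_loc[r["frame"]][r["kind"]] += 1
    return dict(by_loc)

def stack_window(records):
    """Lowest and highest stack address touched, plus the number of records with an address."""
    addrs = [r["addr"] for r in records if r["addr"] is not None]
    return (min(addrs), max(addrs), len(addrs))

if __name__ == "__main__":
    for (func, f, ln), c in summarize(parse_memcheck(SAMPLE)).items():
        print(f"{f}:{ln} {func}: {c['write']} write(s), {c['read']} read(s)")
    print("stack window: 0x%X-0x%X over %d records" % stack_window(parse_memcheck(SAMPLE)))
```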

#28064 [Fbk->Opn]: php crashes with big scripts

2004-04-19 Thread gross at schlund dot de
 ID:   28064
 User updated by:  gross at schlund dot de
 Reported By:  gross at schlund dot de
-Status:   Feedback
+Status:   Open
 Bug Type: Zend Engine 2 problem
 Operating System: Linux
 PHP Version:  4.3.6
 New Comment:

It is not possible to offer a short script.
Please try the link to the testscript again (I made a mistake 
while storing it):
http://www.andigross.de/phpcrash/testdaten.php.txt

Regards
   Andi


Previous Comments:


[2004-04-19 20:54:18] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with ,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.

The link doesn't work.
Please include the script here and make sure it's small.



[2004-04-19 17:49:18] gross at schlund dot de

Description:

Given a large script, PHP 4.3.6 crashes while parsing it.
The stacktrace is as follows:

(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
   at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xba38)
   at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbab4)
   at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find a core file under

http://www.andigross.de/phpcrash/core.gz

and the binary under

http://www.andigross.de/phpcrash/phpbinary

A phpinfo is under

http://www.andigross.de/phpcrash/phpinfo.html

The configure line is:
./configure --with-zlib --enable-debug --enable-safe-mode=no
--enable-discard-path=no --enable-track-vars
--enable-force-cgi-redirect --enable-memory-limit --enable-trans-sid
--enable-shmop --with-openssl --enable-xslt --with-xslt-sablot
--with-dom --with-dom-xslt --with-dom-exslt

The only modification to php.ini is:

memory_limit = 90M;


Compiler is gcc 2.95.4.

Reproduce code:
---
You can find the code here:

http://www.andigross.de/phpcrash/testdaten.php.txt

Of course, this is a very simple one to show the problem.
The problem also occurs with "more useful" scripts.

The application that caused the problem does something like

$big_text="Huge PHP source";
eval($big_text);

Expected result:

The script produces no output.
With PHP 4.2.3 it works fine.

Actual result:
--
(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xba38)
at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbab4)
at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)







#28064 [NEW]: php crashes with big scripts

2004-04-19 Thread gross at schlund dot de
From: gross at schlund dot de
Operating system: Linux
PHP version:  4.3.6
PHP Bug Type: Zend Engine 2 problem
Bug description:  php crashes with big scripts

Description:

Given a large script, PHP 4.3.6 crashes while parsing it.
The stacktrace is as follows:

(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
   at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xba38)
   at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbab4)
   at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find a core file under

http://www.andigross.de/phpcrash/core.gz

and the binary under

http://www.andigross.de/phpcrash/phpbinary

A phpinfo is under

http://www.andigross.de/phpcrash/phpinfo.html

The configure line is:
./configure --with-zlib --enable-debug --enable-safe-mode=no
--enable-discard-path=no --enable-track-vars --enable-force-cgi-redirect
--enable-memory-limit --enable-trans-sid --enable-shmop --with-openssl
--enable-xslt --with-xslt-sablot --with-dom --with-dom-xslt
--with-dom-exslt

The only modification to php.ini is:

memory_limit = 90M;


Compiler is gcc 2.95.4.

Reproduce code:
---
You can find the code here:

http://www.andigross.de/phpcrash/testdaten.php.txt

Of course, this is a very simple one to show the problem.
The problem also occurs with "more useful" scripts.

The application that caused the problem does something like

$big_text="Huge PHP source";
eval($big_text);

Expected result:

The script produces no output.
With PHP 4.2.3 it works fine.

Actual result:
--
(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xba38)
at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbab4)
at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)
