#48228 [Ver-Csd]: Possible memory corruption when PHP compiled using GCC 4.3.x
ID: 48228
User updated by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
-Status: Verified
+Status: Closed
Bug Type: Scripting Engine problem
Operating System: Linux 64bit gcc
PHP Version: 5.*, 6CVS (2009-05-27)
New Comment:
I can confirm that this bug is probably caused by a compiler bug as
mentioned in bug #48408.
When I compiled PHp with 4.1 and run the test script I didn't see the
(tried to allocate 140498868988960 bytes) message.
I also added the debug output as described at [21 May 9:17pm UTC] and
the arg_type_stack.top=-3 bug didn't happen.
Previous Comments:
[2009-05-27 19:24:02] j...@php.net
See also bug #48408
[2009-05-21 21:17:25] iddekingej at lycos dot com
I have some more information about this bug:
THis bug happens in the following situation:
$l_a-someMethod(other_fy())
When in other_fy() a exception is raised this bug occurs.
This bug doesn't happen when calling a normal function
e.g.
someMethod(other_fy())
This bug happens in apache as module and in the CLI. (only in the cli
there is no visible clue that something did go wrong).
In the function ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h).
I placed some debug output (EX(fbc)-common.function_name and
EG(arg_types_stack).top)
before:
while (EX(fbc)) {
EX(called_scope) =
(zend_class_entry*)zend_ptr_stack_pop(EG(arg_types_stack));
if (EX(object)) {
and after
zend_object_store_ctor_failed(EX(object) TSRMLS_CC);
}
}
zval_ptr_dtor(EX(object));
}
After the exception is raised this function is called.
The first time it is called, the variable fbc=NULL and
arg_types_stack.top =3. Because
EX(fbc)=NULL the while loop is skipped.
When this function is called the second time and fbc is not
null(Contains data from the method check) ,
and arg_type_stack.top is still 3. After the while loop
arg_type_stack.top=-3, which is afcourse wrong . Because of this
some memory corruption occurs.
So maybe when calling a method and a expception is raised when the
parameters are calculated the variable fbc is not set correctly
or there is a missing zend_ptr_stack_3_push(EG(arg_types_stack),
EX(fbc), EX(object), EX(called_scope));
[2009-05-21 11:03:40] lbarn...@php.net
Verified with gcc 4.3.3 with -O2 on 5.2 and 5.3. (./configure
--disable-all)
Shorter reproduce script:
?
function do_throw() {
throw new Exception();
}
class aa
{
function check()
{
}
function dosome()
{
$this-check(do_throw());
}
}
$l_aa=new aa();
$l_aa-dosome();
?
The following patch against 5.3 may help to see the problem:
Index: Zend/zend_ptr_stack.h
===
RCS file: /repository/ZendEngine2/zend_ptr_stack.h,v
retrieving revision 1.22.2.2.2.1.2.3
diff -u -p -r1.22.2.2.2.1.2.3 zend_ptr_stack.h
--- Zend/zend_ptr_stack.h 31 Dec 2008 11:15:32 - 1.22.2.2.2.1.2.3
+++ Zend/zend_ptr_stack.h 21 May 2009 10:56:26 -
@@ -107,6 +107,9 @@ static inline void zend_ptr_stack_push(z
static inline void *zend_ptr_stack_pop(zend_ptr_stack *stack)
{
stack-top--;
+ if (stack-top 0) {
+ return *(void**)0;
+ }
return *(--stack-top_element);
}
The following patch avoids the crash (don't know exactly why):
Index: Zend/zend_vm_def.h
===
RCS file: /repository/ZendEngine2/zend_vm_def.h,v
retrieving revision 1.59.2.29.2.48.2.90
diff -u -p -r1.59.2.29.2.48.2.90 zend_vm_def.h
--- Zend/zend_vm_def.h 8 Apr 2009 13:19:34 - 1.59.2.29.2.48.2.90
+++ Zend/zend_vm_def.h 21 May 2009 11:01:28 -
@@ -4296,7 +4296,8 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTI
zval_ptr_dtor(EX(object));
}
EX(called_scope) = DECODE_CTOR(EX(called_scope));
- zend_ptr_stack_2_pop(EG(arg_types_stack), (void**)EX(object),
(void**)EX(fbc));
+ EX(object) = zend_ptr_stack_pop(EG(arg_types_stack));
+ EX(fbc) = zend_ptr_stack_pop(EG(arg_types_stack));
}
for (i=0; iEX(op_array)-last_brk_cont; i++) {
[2009-05-21 07:41:11] iddekingej at lycos dot com
It is the default apache2 for kubuntu 8.10: apache2 2.2.9/Prefork
[2009-05-21 00:46:57] j...@php.net
What MPM are you using in Apache? (and when you give feedback, change
the status to 'Open
#48228 [Fbk-Opn]: Possible memory corruption
ID: 48228
User updated by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
-Status: Feedback
+Status: Open
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.3.0RC2
New Comment:
It is the default apache2 for kubuntu 8.10: apache2 2.2.9/Prefork
Previous Comments:
[2009-05-21 00:46:57] j...@php.net
What MPM are you using in Apache? (and when you give feedback, change
the status to 'Open'..)
[2009-05-11 20:37:48] iddekingej at lycos dot com
Thanks, but the latest snapshot din't fix the problem.
I managed to debug apache and php and found the following:
The field alloc_globals-mm_heap-reserve_size is (wrongly) overwritten
with some address while freeing memory. This value contains therefore a
large number.
Next, in zend_mm_shutdown the following code is executed
if (heap-reserve_size) {
heap-reserve = _zend_mm_alloc_int(heap, heap-reserve_size
ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
}
This failed because reserve_size contains a very large number.
The corruption of alloc_globals-mm_heap-reserve_size happens in the
function _zend_mm_free_int.This function is called from
shutdown_executor about line 327.
That is zend_ptr_stack_destroy(EG(arg_types_stack));
In the function _zend_mm_free_int a local var mm_block is loaded with
mm_block = ZEND_MM_HEADER_OF(p);
This header contains size=0,next=0 (hmm size=0 sounds wrong).
The value in alloc_globals-mm_heap-reserve_size is corrupted later
on at the line *cache = (zend_mm_free_block*)mm_block; (about line
1968).
So I guess that cache contains a wrong pointer.
This is as far as I could debug php.
[2009-05-11 09:45:55] j...@php.net
Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
[2009-05-10 22:47:19] iddekingej at lycos dot com
Description:
The included example code was made for finding the reason
php5.3RC2/apache2 crashed with some php website (the websie is not
publicly available). The script didn't crash apache but failed
differently.
The script should fail with a 'undefined variable', it does but it also
displays the message Fatal error: Allowed memory size of 536870912
bytes exhausted (tried to allocate 140498868988960 bytes) in Unknown on
line 0. (The large number is probably a memory location).
This error only happens in the following situation:
* as a web page (CLI works OK)
* restart apache
* Load the page and the memory exhausted message is displayed.
* Reload the page and no memory exhausted message
Software/machine:
* 64Bit amd
* Kubuntu 8.10
* Apache 2.2.9
* PHP(5.3RC2) compiled with :
'./configure' '--enable-zip' '--enable-soap' '--enable-sockets'
'--with-gd' '--with-pgsql' '--with-apxs2=/usr/bin/apxs2'
'--with-gettext' '--enable-cli' '--enable-mbstring'
Reproduce code:
---
?
function ex_handler($p_exception)
{
? Error:i?=$p_exception-getMessage()?/ibr/br/?
}
function
er_handler($p_errorno,$p_errstr,$p_errfile,$p_errline,$p_context)
{
$l_exception=new Exception(Error $p_errorno at $p_errline in
'$p_errfile':$p_errstr);
throw $l_exception;
}
set_Exception_Handler(ex_handler);
set_Error_Handler(er_handler,E_STRICT|E_WARNING|E_ALL|E_ERROR|E_NOTICE);
class aa
{
function check($p_a,$p_b,$p_c)
{
echo $p_a;
}
function dosome($p_b,$p_d,$p_e,$p_f,$p_g,$p_h)
{
return
$this-check(3,3,array(xx=$p_b,xzx=$p_d,xx=$p_e,yy=$p_c));
}
}
$l_aa=new aa();
$l_aa-dosome('2',3,4,5,'sddd','ddd');
?
Expected result:
* Undefined variable
Actual result:
--
* Undefined variable
* Fatal error: Allowed memory size of 536870912 bytes exhausted (tried
to allocate 140498868988960 bytes) in Unknown on line 0.
--
Edit this bug report at http://bugs.php.net/?id=48228edit=1
#48228 [Ver]: Possible memory corruption
ID: 48228
User updated by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
Status: Verified
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.2, 5.3
New Comment:
I have some more information about this bug:
THis bug happens in the following situation:
$l_a-someMethod(other_fy())
When in other_fy() a exception is raised this bug occurs.
This bug doesn't happen when calling a normal function
e.g.
someMethod(other_fy())
This bug happens in apache as module and in the CLI. (only in the cli
there is no visible clue that something did go wrong).
In the function ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h).
I placed some debug output (EX(fbc)-common.function_name and
EG(arg_types_stack).top)
before:
while (EX(fbc)) {
EX(called_scope) =
(zend_class_entry*)zend_ptr_stack_pop(EG(arg_types_stack));
if (EX(object)) {
and after
zend_object_store_ctor_failed(EX(object) TSRMLS_CC);
}
}
zval_ptr_dtor(EX(object));
}
After the exception is raised this function is called.
The first time it is called, the variable fbc=NULL and
arg_types_stack.top =3. Because
EX(fbc)=NULL the while loop is skipped.
When this function is called the second time and fbc is not
null(Contains data from the method check) ,
and arg_type_stack.top is still 3. After the while loop
arg_type_stack.top=-3, which is afcourse wrong . Because of this
some memory corruption occurs.
So maybe when calling a method and a expception is raised when the
parameters are calculated the variable fbc is not set correctly
or there is a missing zend_ptr_stack_3_push(EG(arg_types_stack),
EX(fbc), EX(object), EX(called_scope));
Previous Comments:
[2009-05-21 11:03:40] lbarn...@php.net
Verified with gcc 4.3.3 with -O2 on 5.2 and 5.3. (./configure
--disable-all)
Shorter reproduce script:
?
function do_throw() {
throw new Exception();
}
class aa
{
function check()
{
}
function dosome()
{
$this-check(do_throw());
}
}
$l_aa=new aa();
$l_aa-dosome();
?
The following patch against 5.3 may help to see the problem:
Index: Zend/zend_ptr_stack.h
===
RCS file: /repository/ZendEngine2/zend_ptr_stack.h,v
retrieving revision 1.22.2.2.2.1.2.3
diff -u -p -r1.22.2.2.2.1.2.3 zend_ptr_stack.h
--- Zend/zend_ptr_stack.h 31 Dec 2008 11:15:32 - 1.22.2.2.2.1.2.3
+++ Zend/zend_ptr_stack.h 21 May 2009 10:56:26 -
@@ -107,6 +107,9 @@ static inline void zend_ptr_stack_push(z
static inline void *zend_ptr_stack_pop(zend_ptr_stack *stack)
{
stack-top--;
+ if (stack-top 0) {
+ return *(void**)0;
+ }
return *(--stack-top_element);
}
The following patch avoids the crash (don't know exactly why):
Index: Zend/zend_vm_def.h
===
RCS file: /repository/ZendEngine2/zend_vm_def.h,v
retrieving revision 1.59.2.29.2.48.2.90
diff -u -p -r1.59.2.29.2.48.2.90 zend_vm_def.h
--- Zend/zend_vm_def.h 8 Apr 2009 13:19:34 - 1.59.2.29.2.48.2.90
+++ Zend/zend_vm_def.h 21 May 2009 11:01:28 -
@@ -4296,7 +4296,8 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTI
zval_ptr_dtor(EX(object));
}
EX(called_scope) = DECODE_CTOR(EX(called_scope));
- zend_ptr_stack_2_pop(EG(arg_types_stack), (void**)EX(object),
(void**)EX(fbc));
+ EX(object) = zend_ptr_stack_pop(EG(arg_types_stack));
+ EX(fbc) = zend_ptr_stack_pop(EG(arg_types_stack));
}
for (i=0; iEX(op_array)-last_brk_cont; i++) {
[2009-05-21 07:41:11] iddekingej at lycos dot com
It is the default apache2 for kubuntu 8.10: apache2 2.2.9/Prefork
[2009-05-21 00:46:57] j...@php.net
What MPM are you using in Apache? (and when you give feedback, change
the status to 'Open'..)
[2009-05-11 20:37:48] iddekingej at lycos dot com
Thanks, but the latest snapshot din't fix the problem.
I managed to debug apache and php and found the following:
The field alloc_globals-mm_heap-reserve_size is (wrongly) overwritten
with some address while freeing memory. This value contains therefore a
large number.
Next, in zend_mm_shutdown the following code is executed
if (heap-reserve_size) {
heap-reserve = _zend_mm_alloc_int(heap, heap-reserve_size
ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
}
This failed because reserve_size contains a very large number.
The corruption of alloc_globals-mm_heap
#48228 [Com]: Possible memory corruption
ID: 48228
Comment by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
Status: No Feedback
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.3.0RC2
New Comment:
No feedback was provided
This bug is closed wrongly because I did give feedback.
The request was to try a snapshot. I did try the snapshot and it din't
solve the problem. So I did responded (at 11 May 8:37pm UTC) and wrote
that it didn't solve the problem and give extra information about the
cause so I think I responed apriopiate.
Previous Comments:
[2009-05-19 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to Open.
[2009-05-11 20:37:48] iddekingej at lycos dot com
Thanks, but the latest snapshot din't fix the problem.
I managed to debug apache and php and found the following:
The field alloc_globals-mm_heap-reserve_size is (wrongly) overwritten
with some address while freeing memory. This value contains therefore a
large number.
Next, in zend_mm_shutdown the following code is executed
if (heap-reserve_size) {
heap-reserve = _zend_mm_alloc_int(heap, heap-reserve_size
ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
}
This failed because reserve_size contains a very large number.
The corruption of alloc_globals-mm_heap-reserve_size happens in the
function _zend_mm_free_int.This function is called from
shutdown_executor about line 327.
That is zend_ptr_stack_destroy(EG(arg_types_stack));
In the function _zend_mm_free_int a local var mm_block is loaded with
mm_block = ZEND_MM_HEADER_OF(p);
This header contains size=0,next=0 (hmm size=0 sounds wrong).
The value in alloc_globals-mm_heap-reserve_size is corrupted later
on at the line *cache = (zend_mm_free_block*)mm_block; (about line
1968).
So I guess that cache contains a wrong pointer.
This is as far as I could debug php.
[2009-05-11 09:45:55] j...@php.net
Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
[2009-05-10 22:47:19] iddekingej at lycos dot com
Description:
The included example code was made for finding the reason
php5.3RC2/apache2 crashed with some php website (the websie is not
publicly available). The script didn't crash apache but failed
differently.
The script should fail with a 'undefined variable', it does but it also
displays the message Fatal error: Allowed memory size of 536870912
bytes exhausted (tried to allocate 140498868988960 bytes) in Unknown on
line 0. (The large number is probably a memory location).
This error only happens in the following situation:
* as a web page (CLI works OK)
* restart apache
* Load the page and the memory exhausted message is displayed.
* Reload the page and no memory exhausted message
Software/machine:
* 64Bit amd
* Kubuntu 8.10
* Apache 2.2.9
* PHP(5.3RC2) compiled with :
'./configure' '--enable-zip' '--enable-soap' '--enable-sockets'
'--with-gd' '--with-pgsql' '--with-apxs2=/usr/bin/apxs2'
'--with-gettext' '--enable-cli' '--enable-mbstring'
Reproduce code:
---
?
function ex_handler($p_exception)
{
? Error:i?=$p_exception-getMessage()?/ibr/br/?
}
function
er_handler($p_errorno,$p_errstr,$p_errfile,$p_errline,$p_context)
{
$l_exception=new Exception(Error $p_errorno at $p_errline in
'$p_errfile':$p_errstr);
throw $l_exception;
}
set_Exception_Handler(ex_handler);
set_Error_Handler(er_handler,E_STRICT|E_WARNING|E_ALL|E_ERROR|E_NOTICE);
class aa
{
function check($p_a,$p_b,$p_c)
{
echo $p_a;
}
function dosome($p_b,$p_d,$p_e,$p_f,$p_g,$p_h)
{
return
$this-check(3,3,array(xx=$p_b,xzx=$p_d,xx=$p_e,yy=$p_c));
}
}
$l_aa=new aa();
$l_aa-dosome('2',3,4,5,'sddd','ddd');
?
Expected result:
* Undefined variable
Actual result:
--
* Undefined variable
* Fatal error: Allowed memory size of 536870912 bytes exhausted (tried
to allocate 140498868988960 bytes) in Unknown on line 0.
--
Edit this bug report at http://bugs.php.net/?id=48228edit=1
#48228 [NoF-Opn]: Possible memory corruption
ID: 48228
User updated by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
-Status: No Feedback
+Status: Open
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.3.0RC2
New Comment:
This bug is closed wrongly because I did give feedback.
The request was to try a snapshot. I did try the snapshot and it din't
solve the problem. So I did responded (at 11 May 8:37pm UTC) and wrote
that it didn't solve the problem and give extra information about the
cause so I think I responed apriopiate
Previous Comments:
[2009-05-20 18:45:30] iddekingej at lycos dot com
No feedback was provided
This bug is closed wrongly because I did give feedback.
The request was to try a snapshot. I did try the snapshot and it din't
solve the problem. So I did responded (at 11 May 8:37pm UTC) and wrote
that it didn't solve the problem and give extra information about the
cause so I think I responed apriopiate.
[2009-05-19 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to Open.
[2009-05-11 20:37:48] iddekingej at lycos dot com
Thanks, but the latest snapshot din't fix the problem.
I managed to debug apache and php and found the following:
The field alloc_globals-mm_heap-reserve_size is (wrongly) overwritten
with some address while freeing memory. This value contains therefore a
large number.
Next, in zend_mm_shutdown the following code is executed
if (heap-reserve_size) {
heap-reserve = _zend_mm_alloc_int(heap, heap-reserve_size
ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
}
This failed because reserve_size contains a very large number.
The corruption of alloc_globals-mm_heap-reserve_size happens in the
function _zend_mm_free_int.This function is called from
shutdown_executor about line 327.
That is zend_ptr_stack_destroy(EG(arg_types_stack));
In the function _zend_mm_free_int a local var mm_block is loaded with
mm_block = ZEND_MM_HEADER_OF(p);
This header contains size=0,next=0 (hmm size=0 sounds wrong).
The value in alloc_globals-mm_heap-reserve_size is corrupted later
on at the line *cache = (zend_mm_free_block*)mm_block; (about line
1968).
So I guess that cache contains a wrong pointer.
This is as far as I could debug php.
[2009-05-11 09:45:55] j...@php.net
Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
[2009-05-10 22:47:19] iddekingej at lycos dot com
Description:
The included example code was made for finding the reason
php5.3RC2/apache2 crashed with some php website (the websie is not
publicly available). The script didn't crash apache but failed
differently.
The script should fail with a 'undefined variable', it does but it also
displays the message Fatal error: Allowed memory size of 536870912
bytes exhausted (tried to allocate 140498868988960 bytes) in Unknown on
line 0. (The large number is probably a memory location).
This error only happens in the following situation:
* as a web page (CLI works OK)
* restart apache
* Load the page and the memory exhausted message is displayed.
* Reload the page and no memory exhausted message
Software/machine:
* 64Bit amd
* Kubuntu 8.10
* Apache 2.2.9
* PHP(5.3RC2) compiled with :
'./configure' '--enable-zip' '--enable-soap' '--enable-sockets'
'--with-gd' '--with-pgsql' '--with-apxs2=/usr/bin/apxs2'
'--with-gettext' '--enable-cli' '--enable-mbstring'
Reproduce code:
---
?
function ex_handler($p_exception)
{
? Error:i?=$p_exception-getMessage()?/ibr/br/?
}
function
er_handler($p_errorno,$p_errstr,$p_errfile,$p_errline,$p_context)
{
$l_exception=new Exception(Error $p_errorno at $p_errline in
'$p_errfile':$p_errstr);
throw $l_exception;
}
set_Exception_Handler(ex_handler);
set_Error_Handler(er_handler,E_STRICT|E_WARNING|E_ALL|E_ERROR|E_NOTICE);
class aa
{
function check($p_a,$p_b,$p_c)
{
echo $p_a;
}
function dosome($p_b,$p_d,$p_e,$p_f,$p_g,$p_h)
{
return
$this-check(3,3,array(xx=$p_b,xzx=$p_d,xx=$p_e,yy=$p_c));
}
}
$l_aa=new aa();
$l_aa-dosome('2',3,4,5,'sddd','ddd');
?
Expected result:
* Undefined variable
Actual result:
--
* Undefined variable
* Fatal error: Allowed memory size
#48228 [Com]: Possible memory corruption
ID: 48228
Comment by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
Status: Feedback
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.3.0RC2
New Comment:
Thanks, but the latest snapshot din't fix the problem.
I managed to debug apache and php and found the following:
The field alloc_globals-mm_heap-reserve_size is (wrongly) overwritten
with some address while freeing memory. This value contains therefore a
large number.
Next, in zend_mm_shutdown the following code is executed
if (heap-reserve_size) {
heap-reserve = _zend_mm_alloc_int(heap, heap-reserve_size
ZEND_FILE_LINE_CC ZEND_FILE_LINE_EMPTY_CC);
}
This failed because reserve_size contains a very large number.
The corruption of alloc_globals-mm_heap-reserve_size happens in the
function _zend_mm_free_int.This function is called from
shutdown_executor about line 327.
That is zend_ptr_stack_destroy(EG(arg_types_stack));
In the function _zend_mm_free_int a local var mm_block is loaded with
mm_block = ZEND_MM_HEADER_OF(p);
This header contains size=0,next=0 (hmm size=0 sounds wrong).
The value in alloc_globals-mm_heap-reserve_size is corrupted later
on at the line *cache = (zend_mm_free_block*)mm_block; (about line
1968).
So I guess that cache contains a wrong pointer.
This is as far as I could debug php.
Previous Comments:
[2009-05-11 09:45:55] j...@php.net
Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
[2009-05-10 22:47:19] iddekingej at lycos dot com
Description:
The included example code was made for finding the reason
php5.3RC2/apache2 crashed with some php website (the websie is not
publicly available). The script didn't crash apache but failed
differently.
The script should fail with a 'undefined variable', it does but it also
displays the message Fatal error: Allowed memory size of 536870912
bytes exhausted (tried to allocate 140498868988960 bytes) in Unknown on
line 0. (The large number is probably a memory location).
This error only happens in the following situation:
* as a web page (CLI works OK)
* restart apache
* Load the page and the memory exhausted message is displayed.
* Reload the page and no memory exhausted message
Software/machine:
* 64Bit amd
* Kubuntu 8.10
* Apache 2.2.9
* PHP(5.3RC2) compiled with :
'./configure' '--enable-zip' '--enable-soap' '--enable-sockets'
'--with-gd' '--with-pgsql' '--with-apxs2=/usr/bin/apxs2'
'--with-gettext' '--enable-cli' '--enable-mbstring'
Reproduce code:
---
?
function ex_handler($p_exception)
{
? Error:i?=$p_exception-getMessage()?/ibr/br/?
}
function
er_handler($p_errorno,$p_errstr,$p_errfile,$p_errline,$p_context)
{
$l_exception=new Exception(Error $p_errorno at $p_errline in
'$p_errfile':$p_errstr);
throw $l_exception;
}
set_Exception_Handler(ex_handler);
set_Error_Handler(er_handler,E_STRICT|E_WARNING|E_ALL|E_ERROR|E_NOTICE);
class aa
{
function check($p_a,$p_b,$p_c)
{
echo $p_a;
}
function dosome($p_b,$p_d,$p_e,$p_f,$p_g,$p_h)
{
return
$this-check(3,3,array(xx=$p_b,xzx=$p_d,xx=$p_e,yy=$p_c));
}
}
$l_aa=new aa();
$l_aa-dosome('2',3,4,5,'sddd','ddd');
?
Expected result:
* Undefined variable
Actual result:
--
* Undefined variable
* Fatal error: Allowed memory size of 536870912 bytes exhausted (tried
to allocate 140498868988960 bytes) in Unknown on line 0.
--
Edit this bug report at http://bugs.php.net/?id=48228edit=1
#48228 [NEW]: Possible memory corruption
From: iddekingej at lycos dot com
Operating system: Linux
PHP version: 5.3.0RC2
PHP Bug Type: Scripting Engine problem
Bug description: Possible memory corruption
Description:
The included example code was made for finding the reason
php5.3RC2/apache2 crashed with some php website (the websie is not publicly
available). The script didn't crash apache but failed differently.
The script should fail with a 'undefined variable', it does but it also
displays the message Fatal error: Allowed memory size of 536870912 bytes
exhausted (tried to allocate 140498868988960 bytes) in Unknown on line 0.
(The large number is probably a memory location).
This error only happens in the following situation:
* as a web page (CLI works OK)
* restart apache
* Load the page and the memory exhausted message is displayed.
* Reload the page and no memory exhausted message
Software/machine:
* 64Bit amd
* Kubuntu 8.10
* Apache 2.2.9
* PHP(5.3RC2) compiled with :
'./configure' '--enable-zip' '--enable-soap' '--enable-sockets'
'--with-gd' '--with-pgsql' '--with-apxs2=/usr/bin/apxs2' '--with-gettext'
'--enable-cli' '--enable-mbstring'
Reproduce code:
---
?
function ex_handler($p_exception)
{
? Error:i?=$p_exception-getMessage()?/ibr/br/?
}
function
er_handler($p_errorno,$p_errstr,$p_errfile,$p_errline,$p_context)
{
$l_exception=new Exception(Error $p_errorno at $p_errline in
'$p_errfile':$p_errstr);
throw $l_exception;
}
set_Exception_Handler(ex_handler);
set_Error_Handler(er_handler,E_STRICT|E_WARNING|E_ALL|E_ERROR|E_NOTICE);
class aa
{
function check($p_a,$p_b,$p_c)
{
echo $p_a;
}
function dosome($p_b,$p_d,$p_e,$p_f,$p_g,$p_h)
{
return
$this-check(3,3,array(xx=$p_b,xzx=$p_d,xx=$p_e,yy=$p_c));
}
}
$l_aa=new aa();
$l_aa-dosome('2',3,4,5,'sddd','ddd');
?
Expected result:
* Undefined variable
Actual result:
--
* Undefined variable
* Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to
allocate 140498868988960 bytes) in Unknown on line 0.
--
Edit bug report at http://bugs.php.net/?id=48228edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=48228r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=48228r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=48228r=trysnapshot60
Fixed in CVS:
http://bugs.php.net/fix.php?id=48228r=fixedcvs
Fixed in CVS and need be documented:
http://bugs.php.net/fix.php?id=48228r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=48228r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=48228r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=48228r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=48228r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=48228r=support
Expected behavior:
http://bugs.php.net/fix.php?id=48228r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=48228r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=48228r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=48228r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=48228r=php4
Daylight Savings:http://bugs.php.net/fix.php?id=48228r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=48228r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=48228r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=48228r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=48228r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=48228r=mysqlcfg
#42496 [NEW]: cursor is not closed when using 2 clobs in a select query
From: iddekingej at lycos dot com
Operating system: win 2000
PHP version: 5.2.4
PHP Bug Type: OCI8 related
Bug description: cursor is not closed when using 2 clobs in a select query
Description:
When a query contains 2 clob fields then the cursor is not closed after
oci_free_statement.
I run the attached script with the following table
tblDocuments
(id number
,v1 clob
,v2 clob
)
After a while the script gives a ora-01000 (maximum number of open
cursors).
When tblDocuments contains only one clob field, the script keeps running
fine.
I can monitor opencursors with the following script:
select a.value, s.username, s.sid, s.serial#
from v$sesstat a, v$statname b, v$session s
where a.statistic# = b.statistic# and s.sid=a.sid
and b.name = 'opened cursors current
When I monitor the script and tblDocuments has 2 clobs, the opencursor
increases until maximum number of cursors is reached and the script failes
with a ora -0100.
When I momitor the script and tblDocument has 1 clob, the number of script
stays about the same.
The versions are
Windows 2000 server
Oracle 10.2.0.2 on the same machine
PHP 5.2.4 (File downloaded from php site)
Apache 2.2
Maximum number of cursors is 500
Version 5.2.2 and 5.2.3 has the same problem.
When I enable debug I get the following information
OCI8 DEBUG: OCIHandleAlloc at (ext\oci8\oci8_statement.c:61)
OCI8 DEBUG: OCIStmtPrepare2 at (ext\oci8\oci8_statement.c:77)
OCI8 DEBUG: OCIAttrSet at (ext\oci8\oci8_statement.c:135)
OCI8 DEBUG: OCIAttrSet at (ext\oci8\oci8_statement.c:144)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:418)
OCI8 DEBUG: OCIStmtExecute at (ext\oci8\oci8_statement.c:442)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:471)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:694)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:676)
OCI8 DEBUG: OCIDefineDynamic at (ext\oci8\oci8_statement.c:719)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:676)
OCI8 DEBUG: OCIDefineDynamic at (ext\oci8\oci8_statement.c:719)
OCI8 DEBUG: OCIStmtFetch at (ext\oci8\oci8_statement.c:168)
OCI8 DEBUG: OCIStmtRelease at (ext\oci8\oci8_statement.c:746)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8_statement.c:757)
OCI8 DEBUG: OCISessionEnd at (ext\oci8\oci8.c:1523)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1527)
OCI8 DEBUG: OCIServerDetach at (ext\oci8\oci8.c:1531)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1535)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1539)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1543)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1547)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:461)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:466)
Reproduce code:
---
$l_res=oci_new_connect(username,password,sid);
oci_execute($l_st);
while(1){
$l_cnt++;
$l_st=oci_parse($l_res,select * from tblDocuments where
id=$l_cnt );
oci_execute($l_st);
$l_row=oci_fetch_row($l_st);
oci_free_statement($l_st);
echo $l_cnt,':';print_r($l_row);
}
--
Edit bug report at http://bugs.php.net/?id=42496edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=42496r=trysnapshot44
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=42496r=trysnapshot52
Try a CVS snapshot (PHP 6.0):
http
#42496 [Opn]: cursor is not closed when using 2 clobs in a select query
ID: 42496
User updated by: iddekingej at lycos dot com
Reported By: iddekingej at lycos dot com
Status: Open
Bug Type: OCI8 related
Operating System: win 2000
PHP Version: 5.2.4
New Comment:
Sorry $l_cnt=0 is missing from the code. It should read:
$l_res=oci_new_connect(username,password,sid);
oci_execute($l_st);
$l_cnt=0;
while(1){
$l_cnt++;
$l_st=oci_parse($l_res,select * from tblDocuments where
id=$l_cnt );
oci_execute($l_st);
$l_row=oci_fetch_row($l_st);
oci_free_statement($l_st);
echo $l_cnt,':';print_r($l_row);
}
Previous Comments:
[2007-08-31 15:46:25] iddekingej at lycos dot com
Description:
When a query contains 2 clob fields then the cursor is not closed after
oci_free_statement.
I run the attached script with the following table
tblDocuments
(id number
,v1 clob
,v2 clob
)
After a while the script gives a ora-01000 (maximum number of open
cursors).
When tblDocuments contains only one clob field, the script keeps
running fine.
I can monitor opencursors with the following script:
select a.value, s.username, s.sid, s.serial#
from v$sesstat a, v$statname b, v$session s
where a.statistic# = b.statistic# and s.sid=a.sid
and b.name = 'opened cursors current
When I monitor the script and tblDocuments has 2 clobs, the opencursor
increases until maximum number of cursors is reached and the script
failes with a ora -0100.
When I momitor the script and tblDocument has 1 clob, the number of
script stays about the same.
The versions are
Windows 2000 server
Oracle 10.2.0.2 on the same machine
PHP 5.2.4 (File downloaded from php site)
Apache 2.2
Maximum number of cursors is 500
Version 5.2.2 and 5.2.3 has the same problem.
When I enable debug I get the following information
OCI8 DEBUG: OCIHandleAlloc at (ext\oci8\oci8_statement.c:61)
OCI8 DEBUG: OCIStmtPrepare2 at (ext\oci8\oci8_statement.c:77)
OCI8 DEBUG: OCIAttrSet at (ext\oci8\oci8_statement.c:135)
OCI8 DEBUG: OCIAttrSet at (ext\oci8\oci8_statement.c:144)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:418)
OCI8 DEBUG: OCIStmtExecute at (ext\oci8\oci8_statement.c:442)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:471)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:694)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:676)
OCI8 DEBUG: OCIDefineDynamic at (ext\oci8\oci8_statement.c:719)
OCI8 DEBUG: OCIParamGet at (ext\oci8\oci8_statement.c:491)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:500)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:510)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:520)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:530)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:543)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:553)
OCI8 DEBUG: OCIAttrGet at (ext\oci8\oci8_statement.c:563)
OCI8 DEBUG: OCIDescriptorFree at (ext\oci8\oci8_statement.c:571)
OCI8 DEBUG: OCIDefineByPos at (ext\oci8\oci8_statement.c:676)
OCI8 DEBUG: OCIDefineDynamic at (ext\oci8\oci8_statement.c:719)
OCI8 DEBUG: OCIStmtFetch at (ext\oci8\oci8_statement.c:168)
OCI8 DEBUG: OCIStmtRelease at (ext\oci8\oci8_statement.c:746)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8_statement.c:757)
OCI8 DEBUG: OCISessionEnd at (ext\oci8\oci8.c:1523)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1527)
OCI8 DEBUG: OCIServerDetach at (ext\oci8\oci8.c:1531)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1535)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1539)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1543)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:1547)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:461)
OCI8 DEBUG: OCIHandleFree at (ext\oci8\oci8.c:466)
Reproduce code:
---
$l_res=oci_new_connect
