#25738 [Fbk-Opn]: Long Scripts Consistently Segfault

2003-10-03 Thread wez
 ID:   25738
 Updated by:   [EMAIL PROTECTED]
 Reported By:  ohornoiu at bellevuechristian dot org
-Status:   Feedback
+Status:   Open
 Bug Type: Scripting Engine problem
 Operating System: Mac OS X 10.2.6+
 PHP Version:  4.3.3
 New Comment:

Using:
Darwin aphrodite 6.6 Darwin Kernel Version 6.6:
Thu May  1 21:48:54 PDT 2003;
root:xnu/xnu-344.34.obj~1/RELEASE_PPC
Power Macintosh powerpc

latest PHP_4_3 branch, a vanilla configure, and a
script containing approx 16000 $x=1; assignments, I get
this:

Program received signal EXC_BAD_ACCESS, Could not access memory.
execute (op_array=0x460780) at
/Users/wez/src/php4.3cvs/Zend/zend_execute.c:1027
1027        EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable)*op_array->T);
(gdb) bt
#0  execute (op_array=0x460780) at
/Users/wez/src/php4.3cvs/Zend/zend_execute.c:1027
#1  0x000d6b14 in zend_execute_scripts (type=0, retval=0x0,
file_count=3) at /Users/wez/src/php4.3cvs/Zend/zend.c:885
#2  0x000ab9e8 in php_execute_script (primary_file=0x0) at
/Users/wez/src/php4.3cvs/main/main.c:1732
#3  0x000e9f88 in main (argc=3, argv=0xbd60) at
/Users/wez/src/php4.3cvs/sapi/cli/php_cli.c:819
#4  0x23e4 in _start (argc=3, argv=0xbd60, envp=0xbd70) at
/SourceCache/Csu/Csu-45/crt.c:267
#5  0x2264 in start ()

My guess is that we are overflowing either the stack
or the Ts storage space since the scope of the function
never ends.




Previous Comments:


[2003-10-03 16:14:40] mark dot meredith at shaw dot ca

Here is the backtrace as a result of crashing the simpler, 
$x = 1; done 10,000 times script as per the original 
reported bug #25394...

#0  0x900048b0 in malloc ()
(gdb) bt
#0  0x900048b0 in malloc ()
#1  0x000f0bb4 in zend_hash_add_or_update (ht=0x139c14, 
arKey=0x3773a8 "x", nKeyLength=2, pData=0xbff80184, 
nDataSize=4, pDest=0xbff80168, flag=1) at /Users/markmere/
Sources/php4-snapshot/Zend/zend_hash.c:272
#2  0x000fe230 in zend_fetch_var_address (opline=0x424028, 
Ts=0xbff801e0, type=1) at /Users/markmere/Sources/php4-
snapshot/Zend/zend_execute.c:596
#3  0x00100a88 in execute (op_array=0x375f28) at /Users/
markmere/Sources/php4-snapshot/Zend/zend_execute.c:1252
#4  0x000e9f94 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /Users/markmere/Sources/php4-snapshot/
Zend/zend.c:885
#5  0x0009c6b8 in php_execute_script 
(primary_file=0xb760) at /Users/markmere/Sources/php4-
snapshot/main/main.c:1732
#6  0x0010a744 in main (argc=2, argv=0xbcc0) at /Users/
markmere/Sources/php4-snapshot/sapi/cli/php_cli.c:819
#7  0x1a50 in _start (argc=2, argv=0xbcc0, 
envp=0xbccc) at /SourceCache/Csu/Csu-45/crt.c:267
#8  0x18d0 in start ()

... I generated this backtrace using the latest snapshot.

Bug #25394 is just a test case representing any script long 
enough to tickle the crasher. It is just $x = 1; done 
around 10,000 times. On my Mac, it takes 8041 assignments. 
The crasher still goes if the script is broken up into 
multiple include()'s.



[2003-10-03 15:46:30] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to Open. Thank you for helping
us make PHP better.


NOTE: See also bug #22231, bug #22367, and bug #22510.




[2003-10-03 15:42:10] mark dot meredith at shaw dot ca

I downloaded and compiled again. And, yes, it still 
crashes. So why did my first comment on this, along with 
many others from other users on this page, as well as the #25394 
page, get deleted? I do not mean the comments that said "Me 
too!" on OPEN bug pages. Those can go. I am referring to 
the troubled user's posts that were requesting the bug be 
reopened, and my feedback on the snapshots. Are those 
deleted automatically? Feel free to delete this part of the 
comment, just please do not let it go unanswered.

Thanks.



[2003-10-03 01:53:58] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip





[2003-10-02 22:13:09] ohornoiu at bellevuechristian dot org

Description:

This bug is a reference to Bug #25394 which was deemed 
bogus without any serious research by the developers.  
This is a very serious bug which basically results in the 
inability to create rich, meaningful applications on OS X 
since php 

#25738 [Fbk-Opn]: Long Scripts Consistently Segfault

2003-10-03 Thread wez
 ID:   25738
 Updated by:   [EMAIL PROTECTED]
 Reported By:  ohornoiu at bellevuechristian dot org
-Status:   Feedback
+Status:   Open
 Bug Type: Scripting Engine problem
 Operating System: Mac OS X 10.2.6+
 PHP Version:  4.3.3
 New Comment:

Seems to work for me.


Previous Comments:


[2003-10-03 17:36:59] [EMAIL PROTECTED]

Sounds like yet another alloca() problem to me.
Could you try this patch and tell me what actually happens?

http://www.voltex.jp/patches/bug25738-preliminary.patch.diff





[2003-10-03 17:25:37] [EMAIL PROTECTED]

Using:
Darwin aphrodite 6.6 Darwin Kernel Version 6.6:
Thu May  1 21:48:54 PDT 2003;
root:xnu/xnu-344.34.obj~1/RELEASE_PPC
Power Macintosh powerpc

latest PHP_4_3 branch, a vanilla configure, and a
script containing approx 16000 $x=1; assignments, I get
this:

Program received signal EXC_BAD_ACCESS, Could not access memory.
execute (op_array=0x460780) at
/Users/wez/src/php4.3cvs/Zend/zend_execute.c:1027
1027        EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable)*op_array->T);
(gdb) bt
#0  execute (op_array=0x460780) at
/Users/wez/src/php4.3cvs/Zend/zend_execute.c:1027
#1  0x000d6b14 in zend_execute_scripts (type=0, retval=0x0,
file_count=3) at /Users/wez/src/php4.3cvs/Zend/zend.c:885
#2  0x000ab9e8 in php_execute_script (primary_file=0x0) at
/Users/wez/src/php4.3cvs/main/main.c:1732
#3  0x000e9f88 in main (argc=3, argv=0xbd60) at
/Users/wez/src/php4.3cvs/sapi/cli/php_cli.c:819
#4  0x23e4 in _start (argc=3, argv=0xbd60, envp=0xbd70) at
/SourceCache/Csu/Csu-45/crt.c:267
#5  0x2264 in start ()

My guess is that we are overflowing either the stack
or the Ts storage space since the scope of the function
never ends.







The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/25738

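The faulting line in wez's trace, EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable)*op_array->T), sizes a stack allocation from a count that grows with the script, and the follow-up calls it "yet another alloca() problem". The C program below is an added example, not PHP's code and not the patch linked in the thread; it models that allocation and shows the two checks a fix of this shape needs: overflow-checked size arithmetic, and a bounded wrapper that sends anything above a fixed threshold to the heap instead of the stack. temp_variable_t, scratch_t, scratch_bytes, execute_temps, SCRATCH_ALLOC and the 32 KiB STACK_ALLOC_LIMIT are this example's own names and assumptions, not Zend's.

```c
/*
 * Added example, not PHP's code. alloca() cannot fail: it only moves the
 * stack pointer, so a request sized from a script-controlled count that
 * exceeds the remaining stack faults on the first touch of the memory,
 * which is the EXC_BAD_ACCESS seen in the trace. Everything named here
 * (temp_variable_t, STACK_ALLOC_LIMIT, scratch_t, scratch_bytes,
 * execute_temps) is this example's own, and the limit is an assumption.
 */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Stand-in for Zend's temp_variable; the layout is assumed, not Zend's. */
typedef struct { long slot[4]; } temp_variable_t;

/* Requests above this many bytes go to the heap instead of the stack (assumption). */
#define STACK_ALLOC_LIMIT ((size_t)32 * 1024)

typedef struct {
    void *ptr;
    int   on_heap;   /* 1: ptr came from malloc() and must be freed */
} scratch_t;

/* *out = count * elem, refusing the multiplication if it would wrap.
 * Returns 1 on success, 0 on overflow. */
int scratch_bytes(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* alloca() memory lives in the frame that called it, so the bounded
 * allocation has to be a macro expanded in the caller, not a function. */
#define SCRATCH_ALLOC(s, nbytes)                       \
    do {                                               \
        if ((nbytes) <= STACK_ALLOC_LIMIT) {           \
            (s).ptr = alloca(nbytes);                  \
            (s).on_heap = 0;                           \
        } else {                                       \
            (s).ptr = malloc(nbytes);                  \
            (s).on_heap = 1;                           \
        }                                              \
    } while (0)

#define SCRATCH_FREE(s) do { if ((s).on_heap) free((s).ptr); } while (0)

/* Soft RLIMIT_STACK of this process in bytes, or 0 if unlimited/unknown. */
size_t stack_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (size_t) rl.rlim_cur;
}

/* Mimics execute() setting up `temps` temporaries for one op_array.
 * Returns 0 if the scratch went on the stack, 1 if it went to the heap,
 * -1 if the size overflowed or the heap allocation failed. */
int execute_temps(size_t temps)
{
    size_t nbytes;
    scratch_t ts;

    if (!scratch_bytes(temps, sizeof(temp_variable_t), &nbytes))
        return -1;
    SCRATCH_ALLOC(ts, nbytes);
    if (ts.ptr == NULL)
        return -1;
    memset(ts.ptr, 0, nbytes);   /* first touch: where an unbounded alloca() faults */
    SCRATCH_FREE(ts);
    return ts.on_heap;
}

int main(void)
{
    /* Counts from the thread: a short script, the 8041 at which Mark's Mac
       crashed, and the ~16000 wez used. */
    size_t counts[] = { 10, 8041, 16000 };
    size_t limit = stack_soft_limit();
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t nbytes = 0;
        int where;
        scratch_bytes(counts[i], sizeof(temp_variable_t), &nbytes);
        where = execute_temps(counts[i]);
        printf("T=%-6zu request=%zu bytes -> %s (RLIMIT_STACK soft=%zu)\n",
               counts[i], nbytes,
               where == 1 ? "heap" : where == 0 ? "stack" : "refused", limit);
    }
    return 0;
}
```

Build with `cc -o temps temps.c` and run it. To reproduce the failure mode the thread describes rather than avoid it, set STACK_ALLOC_LIMIT to SIZE_MAX (so every request stays on the stack) and run under a small `ulimit -s`; the 16000-temporary request then dies with SIGSEGV at the memset, because alloca() gives no error to check. The threshold-plus-heap-fallback shape is what makes the size script-controlled but no longer stack-controlled.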