ID:               32685
 Updated by:       [EMAIL PROTECTED]
 Reported By:      david at davidheath dot org
 Status:           Assigned
 Bug Type:         Reproducible crash
 Operating System: mandrake linux 10.1
 PHP Version:      4CVS-2005-04-14
-Assigned To:      derick
+Assigned To:      dmitry
 New Comment:

Valgrind errors that I get:
PHP Notice:  Undefined property:  Root in /tmp/32685/crash.php on line 6

Notice: Undefined property:  Root in /tmp/32685/crash.php on line 6
==24279== Invalid read of size 2
==24279==    at 0x81E94F5: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid write of size 2
==24279==    at 0x81E94FA: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E9503: _zval_ptr_dtor (zend_execute_API.c:288)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E953B: _zval_ptr_dtor (zend_execute_API.c:291)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)

and re-assigning to Dmitry.


Previous Comments:
------------------------------------------------------------------------

[2005-06-07 00:09:08] [EMAIL PROTECTED]

# php crash.php 
/usr/src/php/php_4_4/Zend/zend_execute.c(282) :  Freeing 0x08CA8E7C (9 bytes), script=crash.php
/usr/src/php/php_4_4/Zend/zend_variables.c(111) : Actual location (location was relayed)
/usr/src/php/php_4_4/Zend/zend_execute.c(279) :  Freeing 0x08CA8BB4 (12 bytes), script=crash.php


------------------------------------------------------------------------

[2005-05-11 15:17:44] david at davidheath dot org

Hi

thanks for following this up. I tried with the snapshot you gave and
still got the crash.

I tried running it in gdb as well ('fraid I don't really know whether
this helps or not).

See below.

Dave


[EMAIL PROTECTED] dh]$ gdb
GNU gdb 6.2-2mdk (Mandrakelinux)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu".
(gdb) file /usr/local/src/php4-STABLE-200505110647/sapi/cli/php
Reading symbols from /usr/local/src/php4-STABLE-200505110647/sapi/cli/php...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run crash2.php
Starting program: /usr/local/src/php4-STABLE-200505110647/sapi/cli/php crash2.php

Program received signal SIGSEGV, Segmentation fault.
0x08111a41 in shutdown_memory_manager (silent=0, clean_cache=0) at /usr/local/src/php4-STABLE-200505110647/Zend/zend_alloc.c:530
530                             REMOVE_POINTER_FROM_LIST(t);
(gdb) quit

------------------------------------------------------------------------

[2005-05-11 10:05:56] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip



------------------------------------------------------------------------

[2005-04-19 13:53:19] ericvanblokland at gmail dot com

This may be related to an issue I encountered. My guess is this code
will work fine with php5

http://bugs.php.net/bug.php?id=31624

------------------------------------------------------------------------

[2005-04-13 10:51:34] david at davidheath dot org

> 1) Does it also crash when you replace file reading by 
> assignment from string?

yes it does, see http://www.davidheath.org/php_bug/crash2.php.txt

I've also noticed that I had a mistake in the original repro script
(crash.php.txt), which I've now corrected (the filename on line 4 was
wrong). This may explain why you couldn't repro. However, having
changed that I now get:

[EMAIL PROTECTED] repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

free(): invalid pointer 0x81b14a8!

ALSO, another important observation. The crash sometimes seems to not
happen if I execute the script in a different directory. For example:

[EMAIL PROTECTED] repro]$ pwd
/tmp/repro
[EMAIL PROTECTED] repro]$ ls
crash2.php
[EMAIL PROTECTED] repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

[EMAIL PROTECTED] repro]$ mkdir -p foo/bar
[EMAIL PROTECTED] repro]$ cd foo/bar
[EMAIL PROTECTED] bar]$ cp ../../crash2.php .
[EMAIL PROTECTED] bar]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

Segmentation fault (core dumped)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/32685
