ID:               28064
 Updated by:       [EMAIL PROTECTED]
 Reported By:      gross at schlund dot de
-Status:           Open
+Status:           Assigned
-Bug Type:         Zend Engine 2 problem
+Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      4.3.6
-Assigned To:      
+Assigned To:      andi
 New Comment:

Although it didn't actually crash for me, valgrind showed the following
errors:

==7233== Invalid write of size 4
==7233==    at 0x8213D75: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213D80: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213D87: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211CC5: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211CCC: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211CE4: zend_fetch_var_address (zend_execute.c:564)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211E31: zend_fetch_var_address (zend_execute.c:591)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211EF5: zend_fetch_var_address (zend_execute.c:611)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211F73: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211F87: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8211F8D: zend_fetch_var_address (zend_execute.c:620)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211F90: zend_fetch_var_address (zend_execute.c:621)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E39: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E44: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E4E: execute (zend_execute.c:1376)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x82195BB: _get_zval_ptr (zend_execute.c:73)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x82195EF: _get_zval_ptr (zend_execute.c:75)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x82195F8: _get_zval_ptr (zend_execute.c:76)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E5C: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E87: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80D0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E8E: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214E98: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214EA2: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8214EAC: execute (zend_execute.c:1378)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219EF8: zend_assign_to_variable (zend_execute.c:315)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219EFF: zend_assign_to_variable (zend_execute.c:315)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B2A: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B47: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219BAE: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80DC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821A9B7: zend_assign_to_variable (zend_execute.c:492)
==7233==  Address 0x4F1C80D0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821A9E3: zend_assign_to_variable (zend_execute.c:496)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821A9EC: zend_assign_to_variable (zend_execute.c:496)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AA30: zend_assign_to_variable (zend_execute.c:499)
==7233==  Address 0x4F1C80CC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AADD: zend_assign_to_variable (zend_execute.c:517)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AAE7: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AAFB: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x821AB01: zend_assign_to_variable (zend_execute.c:518)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB04: zend_assign_to_variable (zend_execute.c:519)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB1E: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB32: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB35: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB3B: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB4F: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB52: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB66: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB69: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x821AB6E: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80FC is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB72: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB86: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB89: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== More than 50 errors detected.  Subsequent errors
==7233== will still be recorded, but in less detail than before.
==7233==
==7233== Invalid read of size 4
==7233==    at 0x821AB99: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80D4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x821AB9F: zend_assign_to_variable (zend_execute.c:520)
==7233==  Address 0x4F1C80F8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213D9A: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213DA5: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213DAC: execute (zend_execute.c:1269)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82137EC: execute (zend_execute.c:1216)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82137F6: execute (zend_execute.c:1216)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B07: _get_zval_ptr_ptr (zend_execute.c:164)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B13: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B27: _get_zval_ptr_ptr (zend_execute.c:165)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B30: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B44: _get_zval_ptr_ptr (zend_execute.c:166)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219B97: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8219BAB: _get_zval_ptr_ptr (zend_execute.c:170)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139B0: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8130 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139B6: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8134 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139BD: execute (zend_execute.c:1233)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139C1: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139C9: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82139E4: execute (zend_execute.c:1234)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8202414: _zval_copy_ctor (zend_variables.c:91)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 1
==7233==    at 0x8202417: _zval_copy_ctor (zend_variables.c:91)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213A9F: execute (zend_execute.c:1240)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8201004: increment_function (zend_operators.c:1463)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8201036: increment_function (zend_operators.c:1465)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8201061: increment_function (zend_operators.c:1470)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82152F5: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x82152FD: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8215318: execute (zend_execute.c:1471)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x820228A: _zval_dtor (zend_variables.c:37)
==7233==  Address 0x4F1C80C0 is on thread 1's stack
==7233==
==7233== Invalid read of size 1
==7233==    at 0x820228D: _zval_dtor (zend_variables.c:37)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233==
==7233== More than 30000 total errors detected.  I'm not reporting any more.
==7233== Final error counts will be inaccurate.  Go fix your program!
==7233== Rerun with --error-limit=no to disable this cutoff.  Note
==7233== that errors may occur in your program without prior warning from
==7233== Valgrind, because errors are no longer being displayed.
==7233==
==7233==
==7233== ERROR SUMMARY: 30000 errors from 81 contexts (suppressed: 58 from 2)
==7233== malloc/free: in use at exit: 94 bytes in 5 blocks.
==7233== malloc/free: 271228 allocs, 271223 frees, 144890443 bytes allocated.

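Triage note on the valgrind output above (an added example, not part of the bug report or of PHP's own tooling): memcheck prints one record per faulting instruction, so a single out-of-bounds access pattern inside execute() shows up as dozens of near-identical records and the run hits the 30000 cutoff. The script below parses memcheck records of this shape, collapses them by top frame (function, file:line, read/write), counts how many faulting addresses valgrind attributes to the thread's stack, and reports the address range they cover, which tells you whether the reports point at one region or are scattered. The embedded sample is the first few records quoted in the comment above plus its ERROR SUMMARY line; the record layout it assumes is the valgrind 2.x memcheck format visible in that output. Run the real thing with --error-limit=no, as valgrind itself suggests, before feeding it to this.

```python
"""Summarise valgrind memcheck 'Invalid read/write' records by code location."""
import re
from collections import Counter

# Excerpt of the memcheck output quoted in the bug report (four records plus
# the summary line), embedded so the example runs offline.
SAMPLE = """\
==7233== Invalid write of size 4
==7233==    at 0x8213D75: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C8 is on thread 1's stack
==7233==
==7233== Invalid write of size 4
==7233==    at 0x8213D80: execute (zend_execute.c:1266)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 4
==7233==    at 0x8211CC5: zend_fetch_var_address (zend_execute.c:559)
==7233==  Address 0x4F1C80C4 is on thread 1's stack
==7233==
==7233== Invalid read of size 1
==7233==    at 0x8202417: _zval_copy_ctor (zend_variables.c:91)
==7233==  Address 0x4F1C8138 is on thread 1's stack
==7233==
==7233== ERROR SUMMARY: 30000 errors from 81 contexts (suppressed: 58 from 2)
"""

HEADER = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((\S+)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")
BLANK = re.compile(r"^==\d+==\s*$")
SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors from (\d+) contexts")


def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record: kind, size, frames, address."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"pid": int(m.group(1)), "kind": m.group(2),
                       "size": int(m.group(3)), "frames": [],
                       "addr": None, "where": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = FRAME.match(line)
        if m:  # (address, function, file:line) for each 'at'/'by' frame
            current["frames"].append((int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        m = ADDR.match(line)
        if m:
            current["addr"] = int(m.group(1), 16)
            current["where"] = m.group(2)
            continue
        if BLANK.match(line):  # a bare '==PID==' line closes the record
            current = None
    return records


def parse_summary(text):
    """Return (errors, contexts) from the ERROR SUMMARY line, or None if absent."""
    m = SUMMARY.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def summarise(records):
    """Collapse records by top frame and characterise the faulting addresses."""
    by_site = Counter()  # (function, file:line, read|write) -> occurrences
    stack_hits = 0
    addresses = set()
    for r in records:
        if r["frames"]:
            _, func, loc = r["frames"][0]
            by_site[(func, loc, r["kind"])] += 1
        if r["where"] and "stack" in r["where"]:
            stack_hits += 1
        if r["addr"] is not None:
            addresses.add(r["addr"])
    return {
        "total": len(records),
        "contexts": len(by_site),
        "stack_hits": stack_hits,
        "address_span": (min(addresses), max(addresses)) if addresses else None,
        "by_site": by_site,
    }


if __name__ == "__main__":
    recs = parse_memcheck(SAMPLE)
    s = summarise(recs)
    print(f"{s['total']} records, {s['contexts']} distinct sites, "
          f"{s['stack_hits']} on the stack; valgrind's own count: {parse_summary(SAMPLE)}")
    lo, hi = s["address_span"]
    print(f"faulting addresses span 0x{lo:X}..0x{hi:X} ({hi - lo} bytes)")
    for (func, loc, kind), n in s["by_site"].most_common():
        print(f"  {n:3d}x {kind:5s} {func} ({loc})")
```

The per-site table is what to paste into a follow-up rather than the raw dump: the same file:line with several different instruction addresses is one bug, not several, and a tight address span that valgrind attributes entirely to the stack is the detail that should steer the investigation toward the executor's stack-resident state rather than toward the allocator (the malloc/free totals above balance to within the five blocks still live at exit).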


Previous Comments:
------------------------------------------------------------------------

[2004-04-19 21:18:50] gross at schlund dot de

It is not possible to offer a short script.
Please try the link to the testscript again (I made a mistake 
while storing it):
http://www.andigross.de/phpcrash/testdaten.php.txt

Regards
   Andi

------------------------------------------------------------------------

[2004-04-19 20:54:18] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.

The link doesn't work.
Please include the script here and make sure it's small.

------------------------------------------------------------------------

[2004-04-19 17:49:18] gross at schlund dot de

Description:
------------
Given a large script, PHP 4.3.6 crashes while parsing it.
The stacktrace is as follows:

(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xbffffa38)
    at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbffffab4)
    at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)

You can find a core file under

http://www.andigross.de/phpcrash/core.gz

and the binary under

http://www.andigross.de/phpcrash/phpbinary

A phpinfo is under

http://www.andigross.de/phpcrash/phpinfo.html

the configure-line is:
./configure --with-zlib --enable-debug --enable-safe-mode=no
--enable-discard-path=no --enable-track-vars
--enable-force-cgi-redirect --enable-memory-limit --enable-trans-sid
--enable-shmop --with-openssl --enable-xslt --with-xslt-sablot
--with-dom --with-dom-xslt --with-dom-exslt

The only modification to php.ini is:

memory_limit = 90M;


Compiler is gcc 2.95.4.

Reproduce code:
---------------
You can find the code here:

http://www.andigross.de/phpcrash/testdaten.php.txt

Of course, this is a very simple one to show the problem.
The problem also occurs with "more useful" scripts.

The application that caused the problem does something like

$big_text="Huge PHP source";
eval($big_text);

Expected result:
----------------
The script produces no output.
With PHP 4.2.3 it works fine.

Actual result:
--------------
(gdb) bt
#0  0x081a5be6 in execute (op_array=0x8322c3c)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend_execute.c:2007
#1  0x08191598 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/kundenserver/php-4.3.6/Zend/zend.c:886
#2  0x0816a933 in php_execute_script (primary_file=0xbffffa38)
    at /usr/src/kundenserver/php-4.3.6/main/main.c:1731
#3  0x081a9fd3 in main (argc=2, argv=0xbffffab4)
    at /usr/src/kundenserver/php-4.3.6/sapi/cgi/cgi_main.c:1592
(gdb)


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=28064&edit=1