Home Original page

PHP :: Bug #50145 :: crash while running bug35634.phpt

Bug #50145 crash while running bug35634.phpt
Submitted: 2009-11-11 08:26 UTC Modified: 2009-11-17 11:18 UTC
From: srinatar@php.net Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.1RC3 OS: solaris, linux
Private report: No CVE-ID: None

 [2009-11-11 08:26 UTC] srinatar@php.net

Description:
------------
with recent php 5.3.1 RC3, i noticed a crash when compiled with mbstring and zend-multibyte and running the bug35634.phpt script found under Zend/tests



Reproduce code:
---------------
'./configure' \
'--enable-cli' \
'--enable-mbstring' \
'--enable-zend-multibyte'

while running the test script Zend/tests/bug35634.phpt

<?php
if (defined("pass3")) {

  class ErrorClass {
  }

} else if (defined("pass2")) {

  class TestClass {
    function __construct() {
    }
    function TestClass() {
      $this->__construct();
    }
  }

} else {

  function errorHandler($errorNumber, $errorMessage, $fileName, $lineNumber) {
    define("pass3", 1);
    include(__FILE__);
    die("Error: $errorMessage ($fileName:$lineNumber)\n");
  }

  set_error_handler('errorHandler');
  define("pass2", 1);
  include(__FILE__);
}
?>


Expected result:
----------------
Error: Redefining already defined constructor for class TestClass (/tmp/c.php:12)

Actual result:
--------------
here is the stack trace of this crash..


@1 (l@1) program terminated by signal SEGV (no mapping at the fault address)
Current function is _zend_mm_alloc_int
 1892                   ZEND_MM_CHECK_BLOCK_LINKAGE(best_fit);
(dbx 1) where                                                         
current thread: t@1
=>[1] _zend_mm_alloc_int(heap = 0x8b7f2f0, size = 496U), line 1892 in "zend_alloc.c"
  [2] _emalloc(size = 496U), line 2295 in "zend_alloc.c"
  [3] open_file_for_scanning(file_handle = 0x80454f8), line 272 in "zend_language_scanner.l"
  [4] compile_file(file_handle = 0x80454f8, type = 2), line 331 in "zend_language_scanner.l"
  [5] phar_compile_file(file_handle = 0x80454f8, type = 2), line 3390 in "phar.c"
  [6] compile_filename(type = 2, filename = 0x8b910b8), line 386 in "zend_language_scanner.l"
  [7] ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(execute_data = 0x8cd6560), line 1915 in "zend_vm_execute.h"
  [8] execute(op_array = 0x8cd4438), line 104 in "zend_vm_execute.h"
  [9] zend_call_function(fci = 0x80456a8, fci_cache = 0x8045608), line 942 in "zend_execute_API.c"
  [10] call_user_function_ex(function_table = 0x8bbf5a0, object_pp = (nil), function_name = 0x8b8db78, retval_ptr_ptr = 0x804572c, param_count = 5U, params = 0x8b906d0, no_separation = 1, symbol_table = (nil)), line 734 in "zend_execute_API.c"
  [11] zend_error(type = 2048, format = 0x8b145e8 "Redefining already defined constructor for class %s", ... = 0x8b8e730, ...), line 1101 in "zend.c"
  [12] zend_do_begin_function_declaration(function_token = 0x8045b00, function_name = 0x8045b28, is_method = 1, return_reference = 0, fn_flags_znode = 0x8045aec), line 1289 in "zend_compile.c"
  [13] zendparse(), line 4082 in "zend_language_parser.c"
  [14] compile_file(file_handle = 0x8046da8, type = 2), line 343 in "zend_language_scanner.l"
  [15] phar_compile_file(file_handle = 0x8046da8, type = 2), line 3390 in "phar.c"
  [16] compile_filename(type = 2, filename = 0x8b8e4b4), line 386 in "zend_language_scanner.l"
  [17] ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(execute_data = 0x8cd6440), line 1915 in "zend_vm_execute.h"
  [18] execute(op_array = 0x8b8d970), line 104 in "zend_vm_execute.h"
  [19] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = (nil), ...), line 1194 in "zend.c"
  [20] php_execute_script(primary_file = 0x8047850), line 2225 in "main.c"
  [21] main(argc = 2, argv = 0x80478c4), line 1190 in "php_cli.c"

and here looks like best_fit seems to have been corrupted..

(dbx 2) p *best_fit
dbx: cannot access address 0x66690a70


(dbx 3) p *heap   
*heap = {
    use_zend_alloc     = 1
    _malloc            = (nil)
    _free              = (nil)
    _realloc           = (nil)
    free_bitmap        = 1073741824U
    large_free_bitmap  = 133376U
    block_size         = 262144U
    compact_size       = 2097152U
    segments_list      = 0x8cd6410
    storage            = 0x8b7eef0
    real_size          = 524288U
    real_peak          = 524288U
    limit              = 134217728U
    size               = 341616U
    peak               = 342120U
    reserve_size       = 8192U
    reserve            = 0x8b7f560
    overflow           = 0
    internal           = 0
    cached             = 456U
    cache              = (0x8b90590, 0x8b90700, 0x8b90718, 0x8b90558, 0x8b90918, (nil), (nil), (nil), (nil), (nil), 0x8b8faa0, (nil), (nil), (nil), (nil), 0x8b8c1e8, (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil))
    free_buckets       = (0x8b7f3b8, 0x8b7f3b8, 0x8b7f3c0, 0x8b7f3c0, 0x8b7f3c8, 0x8b7f3c8, 0x8b7f3d0, 0x8b7f3d0, 0x8b7f3d8, 0x8b7f3d8, 0x8b7f3e0, 0x8b7f3e0, 0x8b7f3e8, 0x8b7f3e8, 0x8b7f3f0, 0x8b7f3f0, 0x8b7f3f8, 0x8b7f3f8, 0x8b7f400, 0x8b7f400, 0x8b7f408, 0x8b7f408, 0x8b7f410, 0x8b7f410, 0x8b7f418, 0x8b7f418, 0x8b7f420, 0x8b7f420, 0x8b7f428, 0x8b7f428, 0x8b7f430, 0x8b7f430, 0x8b7f438, 0x8b7f438, 0x8b7f440, 0x8b7f440, 0x8b7f448, 0x8b7f448, 0x8b7f450, 0x8b7f450, 0x8b7f458, 0x8b7f458, 0x8b7f460, 0x8b7f460, 0x8b7f468, 0x8b7f468, 0x8b7f470, 0x8b7f470, 0x8b7f478, 0x8b7f478, 0x8b7f480, 0x8b7f480, 0x8b7f488, 0x8b7f488, 0x8b7f490, 0x8b7f490, 0x8b7f498, 0x8b7f498, 0x8b7f4a0, 0x8b7f4a0, 0x8b90b20, 0x8b90b20, 0x8b7f4b0, 0x8b7f4b0)
    large_free_buckets = ((nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), 0x8b8fef8, (nil), (nil), 0x8b8e7a8, (nil), (nil), (nil), (nil), (nil), 0x8b93a00, (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil), (nil))
    rest_buckets       = (0x8b7f538, 0x8b7f538)
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2009-11-11 08:33 UTC] srinatar@php.net

af course, this issue is not reproduced when used with USE_ZEND_ALLOC=0. this can be a temporary work around until this issue is further investigated.

 [2009-11-15 21:54 UTC] kalle@php.net

Just wondering, does --disable-phar change anything here? How about on other systems than Solaris?

 [2009-11-16 02:08 UTC] srinatar@php.net

looking at the source of the crash and that it happens only when used 
with --enable-zend-multibyte , i think, this issue has nothing to do 
with phar is enabled or not.  (yes, it happens even if it is 
disabled). 

i think, my gut feeling it that this issue has some thing to do how to 
memory is allocated / reallocated when the file is being parsed with 
zend-multi-byte mode is enabled. just a theory at this point. i need 
to debug more though. any useful pointers will be much appreciated ..

with respect to the platform,if you notice closely, you will notice 
that  the bug report mentions both solaris and linux. yes, i do luv 
and Linux and valgrind..

unfortunately, i didn't get time to look into this last thursday and 
friday as I had to deal with some urgent family matters but i hope to 
look into this more on monday (it is still sunday for me here .. :-) )

 [2009-11-16 02:12 UTC] srinatar@php.net

as i expected, this is what valgrind reports..

==8398== Memcheck, a memory error detector.
==8398== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et 
al.
==8398== Using LibVEX rev 1658, a library for dynamic binary 
translation.
==8398== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==8398== Using valgrind-3.2.1, a dynamic binary instrumentation 
framework.
==8398== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et 
al.
==8398== For more details, rerun with: -v
==8398== 
==8398== Invalid read of size 4
==8398==    at 0x82B0A73: _zend_mm_alloc_int (zend_alloc.c:1892)
==8398==    by 0x82A17A7: open_file_for_scanning 
(zend_language_scanner.l:272)
==8398==    by 0x82A1D2B: compile_file (zend_language_scanner.l:331)
==8398==    by 0x82A18AD: compile_filename 
(zend_language_scanner.l:386)
==8398==    by 0x830CE73: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:1916)
==8398==    by 0x82EEA67: execute (zend_vm_execute.h:104)
==8398==    by 0x82C1F35: zend_call_function (zend_execute_API.c:942)
==8398==    by 0x82C29B7: call_user_function_ex 
(zend_execute_API.c:734)
==8398==    by 0x82CD76C: zend_error (zend.c:1101)
==8398==    by 0x82BC0D3: zend_do_begin_function_declaration 
(zend_compile.c:1289)
==8398==    by 0x829CD59: zendparse (zend_language_parser.y:517)
==8398==    by 0x82A1D5E: compile_file (zend_language_scanner.l:343)
==8398==  Address 0x66690A70 is not stack'd, malloc'd or (recently) 
free'd
==8398== 
==8398== Process terminating with default action of signal 11 
(SIGSEGV)
==8398==  Access not within mapped region at address 0x66690A70
==8398==    at 0x82B0A73: _zend_mm_alloc_int (zend_alloc.c:1892)
==8398==    by 0x82A17A7: open_file_for_scanning 
(zend_language_scanner.l:272)
==8398==    by 0x82A1D2B: compile_file (zend_language_scanner.l:331)
==8398==    by 0x82A18AD: compile_filename 
(zend_language_scanner.l:386)
==8398==    by 0x830CE73: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER 
(zend_vm_execute.h:1916)
==8398==    by 0x82EEA67: execute (zend_vm_execute.h:104)
==8398==    by 0x82C1F35: zend_call_function (zend_execute_API.c:942)
==8398==    by 0x82C29B7: call_user_function_ex 
(zend_execute_API.c:734)
==8398==    by 0x82CD76C: zend_error (zend.c:1101)
==8398==    by 0x82BC0D3: zend_do_begin_function_declaration 
(zend_compile.c:1289)
==8398==    by 0x829CD59: zendparse (zend_language_parser.y:517)
==8398==    by 0x82A1D5E: compile_file (zend_language_scanner.l:343)
==8398== 
==8398== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 25 from 
1)
==8398== malloc/free: in use at exit: 1,475,924 bytes in 11,420 
blocks.
==8398== malloc/free: 11,877 allocs, 457 frees, 1,767,115 bytes 
allocated.
==8398== For counts of detected errors, rerun with: -v
==8398== searching for pointers to 11,420 not-freed blocks.
==8398== checked 903,284 bytes.
==8398== 
==8398== LEAK SUMMARY:
==8398==    definitely lost: 0 bytes in 0 blocks.
==8398==      possibly lost: 0 bytes in 0 blocks.
==8398==    still reachable: 1,475,924 bytes in 11,420 blocks.
==8398==         suppressed: 0 bytes in 0 blocks.
==8398== Reachable blocks (those to which a pointer was found) are not 
shown.

 [2009-11-17 11:18 UTC] felipe@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.