Bug #44913 Segfault when using return; in combination with nested loops and continue 2;
Submitted: 2008-05-05 08:55 UTC Modified: 2008-05-05 11:04 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dz at bitxtender dot com Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.2.6 OS: irrelevant
Private report: No CVE-ID: None
 [2008-05-05 08:55 UTC] dz at bitxtender dot com
Description:
------------
The code below crashes reproducibly on different PHP versions and 
different OSes (tried OS X, Linux, Windows), including 5.2.6 and 5.3-dev.

I am suspecting a problem in the bytecode generation, as the crash 
does not occur if
a) XDebug is enabled or
b) any statement is put right before the return;, like $foo = 'bar';
c) the return; is not there at all
And it only happens in this foreach() / for() combination... two 
foreach()es, two for()s or a foreach() in a for() works just fine.

Also note that on many PHP versions, no segfault will occur right away 
with just array(1) in the foreach - instead, warnings will pop up 
saying "invalid argument supplied for foreach()" for this line. Other 
code may then crash much later due to memory corruption. In more 
complex test cases, we get random memory output on screen when 
var_dump()ing variables, or strange undefined index warnings for 
variables that then, suddenly, are of "unknown type" etc. I also got 
heap overflow warnings etc once. In any case, something goes wrong 
deep inside the belly of the beast :)

Can provide additional, more complex reproduce cases if needed. 
Obviously, the code below doesn't make much sense per se; in our 
"real-life" code, the continue 2; is run only when certain conditions 
are met. Here, the return is never reached, but still seems to be the 
cause of the problem.

Reproduce code:
---------------
--TEST--
continue/return/loop-related segfault test case for Bug #44913
--FILE--
<?php
function something() {
	foreach(array(1, 2) as $value) {
		for($i = 0; $i < 1; $i++) {
			continue 2;
		}
		return;
	}
}
something();
echo 'hi';
?>
--EXPECT--
hi

Expected result:
----------------
hi

Actual result:
--------------
"Segmentation fault" or "Bus error"

 [2008-05-05 09:10 UTC] sebastian@php.net
It does not crash for me, but PHP claims that array(1, 2) is not an array here.

sb@ubuntu ~ % USE_ZEND_ALLOC=0 valgrind php -n crash.php
==9030== Memcheck, a memory error detector.
==9030== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9030== Using LibVEX rev 1804, a library for dynamic binary translation.
==9030== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9030== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==9030== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9030== For more details, rerun with: -v
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x844F126: zend_pzval_unlock_func (zend_execute.c:69)
==9030==    by 0x8452225: _get_zval_ptr_var (zend_execute.c:172)
==9030==    by 0x8467765: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8008)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid write of size 4
==9030==    at 0x844F12F: zend_pzval_unlock_func (zend_execute.c:69)
==9030==    by 0x8452225: _get_zval_ptr_var (zend_execute.c:172)
==9030==    by 0x8467765: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8008)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x844F135: zend_pzval_unlock_func (zend_execute.c:69)
==9030==    by 0x8452225: _get_zval_ptr_var (zend_execute.c:172)
==9030==    by 0x8467765: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8008)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 1
==9030==    at 0x844F169: zend_pzval_unlock_func (zend_execute.c:76)
==9030==    by 0x8452225: _get_zval_ptr_var (zend_execute.c:172)
==9030==    by 0x8467765: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8008)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e75 is 13 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x8467786: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8018)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid write of size 4
==9030==    at 0x846778C: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8018)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 1
==9030==    at 0x843E2D9: zend_iterator_unwrap (zend_iterators.c:79)
==9030==    by 0x84677A7: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8020)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e74 is 12 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 1
==9030==    at 0x843E39B: zend_iterator_unwrap (zend_iterators.c:91)
==9030==    by 0x84677A7: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8020)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e74 is 12 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x843E3A6: zend_iterator_unwrap (zend_iterators.c:91)
==9030==    by 0x84677A7: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8020)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e68 is 0 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 1
==9030==    at 0x8467A61: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8054)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e74 is 12 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x8467A6C: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8054)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02e68 is 0 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x84131E8: safe_free_zval_ptr_rel (zend_execute.h:70)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x8432996: zend_hash_set_pointer (zend_hash.c:1037)
==9030==    by 0x8467AD0: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8055)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02c98 is 16 bytes inside a block of size 44 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x8421B1B: _zval_dtor_func (zend_variables.c:44)
==9030==    by 0x8412E5C: _zval_dtor (zend_variables.h:35)
==9030==    by 0x84130FC: _zval_ptr_dtor (zend_execute_API.c:414)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x8432CE3: zend_hash_get_current_data_ex (zend_hash.c:1158)
==9030==    by 0x8467AEA: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8056)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02c98 is 16 bytes inside a block of size 44 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x8421B1B: _zval_dtor_func (zend_variables.c:44)
==9030==    by 0x8412E5C: _zval_dtor (zend_variables.h:35)
==9030==    by 0x84130FC: _zval_ptr_dtor (zend_execute_API.c:414)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x842FCBD: _zend_is_inconsistent (zend_hash.c:53)
==9030==    by 0x8432D09: zend_hash_get_current_data_ex (zend_hash.c:1160)
==9030==    by 0x8467AEA: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8056)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02cb0 is 40 bytes inside a block of size 44 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x8421B1B: _zval_dtor_func (zend_variables.c:44)
==9030==    by 0x8412E5C: _zval_dtor (zend_variables.h:35)
==9030==    by 0x84130FC: _zval_ptr_dtor (zend_execute_API.c:414)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030== 
==9030== Invalid read of size 4
==9030==    at 0x842FCCB: _zend_is_inconsistent (zend_hash.c:56)
==9030==    by 0x8432D09: zend_hash_get_current_data_ex (zend_hash.c:1160)
==9030==    by 0x8467AEA: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8056)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x8424F72: zend_execute_scripts (zend.c:1134)
==9030==    by 0x83BFDE9: php_execute_script (main.c:2005)
==9030==    by 0x84AD23C: main (php_cli.c:1140)
==9030==  Address 0x4d02cb0 is 40 bytes inside a block of size 44 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x840104A: _efree (zend_alloc.c:2290)
==9030==    by 0x8421B1B: _zval_dtor_func (zend_variables.c:44)
==9030==    by 0x8412E5C: _zval_dtor (zend_variables.h:35)
==9030==    by 0x84130FC: _zval_ptr_dtor (zend_execute_API.c:414)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
==9030==    by 0x844DB22: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==9030==    by 0x8454339: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1679)
==9030==    by 0x844D36F: execute (zend_vm_execute.h:92)
/usr/local/src/php/php-5.2/Zend/zend_hash.c(1160) : ht=0x4d02c88 is already destroyed
==9030== 
==9030== ERROR SUMMARY: 15 errors from 15 contexts (suppressed: 71 from 1)
==9030== malloc/free: in use at exit: 23,229 bytes in 1,518 blocks.
==9030== malloc/free: 22,297 allocs, 20,779 frees, 2,113,468 bytes allocated.
==9030== For counts of detected errors, rerun with: -v
==9030== searching for pointers to 1,518 not-freed blocks.
==9030== checked 1,224,640 bytes.
==9030== 
==9030== LEAK SUMMARY:
==9030==    definitely lost: 801 bytes in 12 blocks.
==9030==      possibly lost: 0 bytes in 0 blocks.
==9030==    still reachable: 22,428 bytes in 1,506 blocks.
==9030==         suppressed: 0 bytes in 0 blocks.
==9030== Rerun with --leak-check=full to see details of leaked memory.
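
Added example (not part of the report or of PHP's own code): a small Python triage script that groups the Memcheck use-after-free records above by the function that released the block and by the opcode handler that later touched it. The sample is abridged from the trace in this report; the names `parse_uaf` and `group_by_free_site` and the `GENERIC_FREE` set are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: three records abridged from the Memcheck trace in this report
# (stack frames shortened; addresses, offsets and block sizes unchanged).
SAMPLE = """\
==9030== Invalid read of size 4
==9030==    at 0x844F126: zend_pzval_unlock_func (zend_execute.c:69)
==9030==    by 0x8467765: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8008)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==
==9030== Invalid write of size 4
==9030==    at 0x846778C: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8018)
==9030==  Address 0x4d02e70 is 8 bytes inside a block of size 16 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x8413127: _zval_ptr_dtor (zend_execute_API.c:415)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
==9030==
==9030== Invalid read of size 4
==9030==    at 0x8432996: zend_hash_set_pointer (zend_hash.c:1037)
==9030==    by 0x8467AD0: ZEND_FE_FETCH_SPEC_VAR_HANDLER (zend_vm_execute.h:8055)
==9030==  Address 0x4d02c98 is 16 bytes inside a block of size 44 free'd
==9030==    at 0x402265C: free (vg_replace_malloc.c:323)
==9030==    by 0x84130FC: _zval_ptr_dtor (zend_execute_API.c:414)
==9030==    by 0x8450153: zend_switch_free (zend_execute.c:372)
==9030==    by 0x84518D4: zend_brk_cont (zend_execute.c:1328)
==9030==    by 0x845195D: ZEND_CONT_SPEC_CONST_HANDLER (zend_vm_execute.h:825)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ADDR = re.compile(r"^\s*Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd$")
# Assumption: these frames are generic release helpers, not the code that
# decided to free; the first frame outside this set is taken as the free site.
GENERIC_FREE = {"free", "_efree", "safe_free_zval_ptr_rel", "_zval_dtor_func",
                "_zval_dtor", "_zval_ptr_dtor"}

def parse_uaf(log):
    """Return one dict per 'Invalid read/write ... free'd' record."""
    records, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := ERROR.match(line):
            cur = {"op": m[1], "access": [], "freed": [], "block": None}
            records.append(cur)
        elif cur is not None and (m := ADDR.match(line)):
            # Block base = faulting address minus the reported offset.
            cur["block"] = (int(m[1], 16) - int(m[2]), int(m[3]))
        elif cur is not None and (m := FRAME.match(line)):
            (cur["freed"] if cur["block"] else cur["access"]).append(m[1])
        elif not line.strip():
            cur = None  # blank separator ends the current record
    return [r for r in records if r["block"]]

def group_by_free_site(records):
    """Map (free site, freeing opcode handler) -> blocks, ops and users."""
    groups = defaultdict(lambda: {"blocks": set(), "ops": set(), "users": set()})
    for r in records:
        site = next((f for f in r["freed"] if f not in GENERIC_FREE), "?")
        opcode = next((f for f in r["freed"] if f.endswith("_HANDLER")), "?")
        user = next((f for f in r["access"] if f.endswith("_HANDLER")), "?")
        g = groups[(site, opcode)]
        g["blocks"].add(r["block"])
        g["ops"].add(r["op"])
        g["users"].add(user)
    return dict(groups)

if __name__ == "__main__":
    for key, g in group_by_free_site(parse_uaf(SAMPLE)).items():
        print(key, sorted(g["ops"]), sorted(g["users"]), [(hex(b), n) for b, n in sorted(g["blocks"])])
```

On the sample, both freed blocks trace to `zend_switch_free` called from `zend_brk_cont` in the `continue` handler, and every later access comes from the `foreach` fetch handler. The 44-byte block's base, 0x4d02c88, is the `ht` address the engine reports as already destroyed.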
 [2008-05-05 11:04 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_3 (but not in PHP_5_2).
 