php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53144 Segfault in SplObjectStorage::removeAll()
Submitted: 2010-10-24 09:32 UTC Modified: 2010-10-24 16:03 UTC
From: sebastian@php.net Assigned: felipe (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3SVN-2010-10-24 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2010-10-24 09:32 UTC] sebastian@php.net
Description:
------------
I can only reproduce this with PHPUnit and the Symfony2 testsuite.

Expected result:
----------------
No segfault.

Actual result:
--------------
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.3/bin/php...done.
(gdb) r /usr/local/bin/phpunit --filter CrawlerTest::testClear
Starting program: /usr/local/php-5.3/bin/php /usr/local/bin/phpunit --filter CrawlerTest::testClear
[Thread debugging using libthread_db enabled]
PHPUnit @package_version@ by Sebastian Bergmann.


Program received signal SIGSEGV, Segmentation fault.
0x0000000000955383 in zend_hash_get_current_data_ex (ht=0x54892f8, pData=0x7fffffffb9a0, pos=0x7fffffffb998) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_hash.c:1166
1166			*pData = p->pData;
(gdb) bt
#0  0x0000000000955383 in zend_hash_get_current_data_ex (ht=0x54892f8, pData=0x7fffffffb9a0, pos=0x7fffffffb998) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_hash.c:1166
#1  0x0000000000797dbb in zim_spl_SplObjectStorage_removeAll (ht=1, return_value=0x5476948, return_value_ptr=0x0, this_ptr=0x5476de8, return_value_used=0) at /usr/local/src/php/src/branches/PHP_5_3/ext/spl/spl_observer.c:424
#2  0x0000000000979b35 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e7dd08) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:316
#3  0x000000000097a2c0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7e7dd08) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:421
#4  0x0000000000978eea in execute (op_array=0x5478880) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:107
#5  0x0000000000932ba0 in zend_call_function (fci=0x7fffffffbd20, fci_cache=0x7fffffffbd70) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_execute_API.c:964
#6  0x00000000006f6efc in zim_reflection_method_invokeArgs (ht=2, return_value=0x5476f78, return_value_ptr=0x0, this_ptr=0x5477420, return_value_used=1) at /usr/local/src/php/src/branches/PHP_5_3/ext/reflection/php_reflection.c:2738
#7  0x0000000000979b35 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e7cea8) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:316
#8  0x000000000097a2c0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7e7cea8) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:421
#9  0x0000000000978eea in execute (op_array=0x4bb6c18) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend_vm_execute.h:107
#10 0x0000000000943599 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/branches/PHP_5_3/Zend/zend.c:1194
#11 0x00000000008c3e34 in php_execute_script (primary_file=0x7fffffffe4a0) at /usr/local/src/php/src/branches/PHP_5_3/main/main.c:2260
#12 0x0000000000a3083a in main (argc=4, argv=0x7fffffffe708) at /usr/local/src/php/src/branches/PHP_5_3/sapi/cli/php_cli.c:1193




==16795== Memcheck, a memory error detector
==16795== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==16795== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==16795== Command: /usr/local/php-5.3/bin/php /usr/local/bin/phpunit --filter CrawlerTest::testClear
==16795== Parent PID: 18102
==16795== 
==16795== Invalid read of size 8
==16795==    at 0x955141: zend_hash_move_forward_ex (zend_hash.c:1089)
==16795==    by 0x797D9F: zim_spl_SplObjectStorage_removeAll (spl_observer.c:426)
==16795==    by 0x979B34: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:316)
==16795==    by 0x97A2BF: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:421)
==16795==    by 0x978EE9: execute (zend_vm_execute.h:107)
==16795==    by 0x932B9F: zend_call_function (zend_execute_API.c:964)
==16795==    by 0x6F6EFB: zim_reflection_method_invokeArgs (php_reflection.c:2738)
==16795==    by 0x979B34: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:316)
==16795==    by 0x97A2BF: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:421)
==16795==    by 0x978EE9: execute (zend_vm_execute.h:107)
==16795==    by 0x943598: zend_execute_scripts (zend.c:1194)
==16795==    by 0x8C3E33: php_execute_script (main.c:2260)
==16795==  Address 0xd4bbfd0 is 32 bytes inside a block of size 87 free'd
==16795==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==16795==    by 0x91B7D5: _efree (zend_alloc.c:2348)
==16795==    by 0x953A20: zend_hash_del_key_or_index (zend_hash.c:505)
==16795==    by 0x79726A: spl_object_storage_detach (spl_observer.c:179)
==16795==    by 0x797D88: zim_spl_SplObjectStorage_removeAll (spl_observer.c:425)
==16795==    by 0x979B34: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:316)
==16795==    by 0x97A2BF: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:421)
==16795==    by 0x978EE9: execute (zend_vm_execute.h:107)
==16795==    by 0x932B9F: zend_call_function (zend_execute_API.c:964)
==16795==    by 0x6F6EFB: zim_reflection_method_invokeArgs (php_reflection.c:2738)
==16795==    by 0x979B34: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:316)
==16795==    by 0x97A2BF: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:421)
==16795== 
==16795== 
==16795== HEAP SUMMARY:
==16795==     in use at exit: 52,294 bytes in 1,629 blocks
==16795==   total heap usage: 3,172,159 allocs, 3,170,530 frees, 236,918,334 bytes allocated
==16795== 
==16795== 32 bytes in 1 blocks are definitely lost in loss record 19 of 89
==16795==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==16795==    by 0x91B75C: _emalloc (zend_alloc.c:2338)
==16795==    by 0x97B6E8: ZEND_RECV_INIT_SPEC_CONST_HANDLER (zend_vm_execute.h:817)
==16795==    by 0x978EE9: execute (zend_vm_execute.h:107)
==16795==    by 0x943598: zend_execute_scripts (zend.c:1194)
==16795==    by 0x8C3E33: php_execute_script (main.c:2260)
==16795==    by 0xA30839: main (php_cli.c:1193)
==16795== 
==16795== 96 bytes in 3 blocks are definitely lost in loss record 33 of 89
==16795==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==16795==    by 0x91B75C: _emalloc (zend_alloc.c:2338)
==16795==    by 0x97A675: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:475)
==16795==    by 0x978EE9: execute (zend_vm_execute.h:107)
==16795==    by 0x943598: zend_execute_scripts (zend.c:1194)
==16795==    by 0x8C3E33: php_execute_script (main.c:2260)
==16795==    by 0xA30839: main (php_cli.c:1193)
==16795== 
==16795== 532 (32 direct, 500 indirect) bytes in 1 blocks are definitely lost in loss record 60 of 89
==16795==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==16795==    by 0x91B75C: _emalloc (zend_alloc.c:2338)
==16795==    by 0x8D7701: php_build_argv (php_variables.c:474)
==16795==    by 0x8D866C: php_hash_environment (php_variables.c:738)
==16795==    by 0x8C25E2: php_request_startup (main.c:1440)
==16795==    by 0xA306EA: main (php_cli.c:1089)
==16795== 
==16795== 4,586 (232 direct, 4,354 indirect) bytes in 1 blocks are definitely lost in loss record 88 of 89
==16795==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==16795==    by 0x91B75C: _emalloc (zend_alloc.c:2338)
==16795==    by 0x8FA99B: compile_file (zend_language_scanner.l:324)
==16795==    by 0x6D7ED3: phar_compile_file (phar.c:3393)
==16795==    by 0x9434B2: zend_execute_scripts (zend.c:1186)
==16795==    by 0x8C3E33: php_execute_script (main.c:2260)
==16795==    by 0xA30839: main (php_cli.c:1193)
==16795== 
==16795== LEAK SUMMARY:
==16795==    definitely lost: 392 bytes in 6 blocks
==16795==    indirectly lost: 4,854 bytes in 37 blocks
==16795==      possibly lost: 0 bytes in 0 blocks
==16795==    still reachable: 47,048 bytes in 1,586 blocks
==16795==         suppressed: 0 bytes in 0 blocks
==16795== Reachable blocks (those to which a pointer was found) are not shown.
==16795== To see them, rerun with: --leak-check=full --show-reachable=yes
==16795== 
==16795== For counts of detected and suppressed errors, rerun with: -v
==16795== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 6 from 6)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-24 16:03 UTC] felipe@php.net
-Summary: Segfault in zend_hash_get_current_data_ex +Summary: Segfault in SplObjectStorage::removeAll() -Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-10-24 16:03 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-10-24 16:03 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=304700
Log: - Fixed bug #53144 (SplObjectStorage::removeAll())
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC