|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2004-09-15 13:47 UTC] aidan@php.net
Description:
------------
Segmantation fault when comparing a simplexml object.
Reproduce code:
---------------
<?php
class Crash {
public $param;
public function __construct($param)
{
$this->param = $param;
if ($this->param < 1) {
echo ('Param is smaller than 1');
}
}
}
$xml = simplexml_load_string('<a><b><c></c></b></a>');
$C = new Crash($xml);
?>
Actual result:
--------------
(gdb) bt
#0 0x4207acfd in free () from /lib/i686/libc.so.6
#1 0x08168b68 in _efree (ptr=0xbfffd460)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:287
#2 0x08179d06 in compare_function (result=0xbfffd560, op1=0xbfffd460,
op2=0x828e45c)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249
#3 0x0817a519 in is_smaller_function (result=0xbfffd560, op1=0x828e72c,
op2=0x820d4b8)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476
#4 0x0819e197 in zend_is_smaller_handler (execute_data=0xbfffd580,
opline=0x828e42c, op_array=0x828f5b4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547
#5 0x0819af6c in execute (op_array=0x828f5b4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1400
#6 0x081b6cc9 in zend_do_fcall_common_helper (execute_data=0xbfffd750,
opline=0x828ceb0, op_array=0x82889f4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:2737
#7 0x081b7085 in zend_do_fcall_by_name_handler (execute_data=0xbfffd750,
opline=0x828ceb0, op_array=0x82889f4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:2822
#8 0x0819af6c in execute (op_array=0x82889f4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1400
#9 0x0817d4b5 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
---Type <return> to continue, or q <return> to quit---
at /root/bunldes/php5-STABLE-200408261030/Zend/zend.c:1061
#10 0x08149e58 in php_execute_script (primary_file=0xbffffb20)
at /root/bunldes/php5-STABLE-200408261030/main/main.c:1629
#11 0x081c0f60 in main (argc=2, argv=0xbffffbc4)
at /root/bunldes/php5-STABLE-200408261030/sapi/cli/php_cli.c:943
#12 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) frame 5
#5 0x0819af6c in execute (op_array=0x828f5b4)
at /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1400
1400 /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c: No such file or directory.
in /root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c
$ valgrind --tool=memcheck php test.php
==13706== Memcheck, a memory error detector for x86-linux.
==13706== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==13706== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==13706== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==13706== For more details, rerun with: -v
==13706==
==13706== Conditional jump or move depends on uninitialised value(s)
==13706== at 0x8179CEF: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1247)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== by 0x819E196: zend_is_smaller_handler (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547)
==13706== by 0x819AF6B: execute (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1400)
==13706==
==13706== Conditional jump or move depends on uninitialised value(s)
==13706== at 0x8168AFF: _efree (/root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:271)
==13706== by 0x8179D05: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== by 0x819E196: zend_is_smaller_handler (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547)
==13706==
==13706== Use of uninitialised value of size 4
==13706== at 0x8168B51: _efree (/root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:281)
==13706== by 0x8179D05: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== by 0x819E196: zend_is_smaller_handler (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547)
==13706==
==13706== Conditional jump or move depends on uninitialised value(s)
==13706== at 0x8168B57: _efree (/root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:281)
==13706== by 0x8179D05: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== by 0x819E196: zend_is_smaller_handler (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547)
==13706==
==13706== Use of uninitialised value of size 4
==13706== at 0x8168B5C: _efree (/root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:281)
==13706== by 0x8179D05: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== by 0x819E196: zend_is_smaller_handler (/root/bunldes/php5-STABLE-200408261030/Zend/zend_execute.c:1547)
==13706==
==13706== Invalid free() / delete / delete[]
==13706== at 0x1B9023AA: free (vg_replace_malloc.c:153)
==13706== by 0x8168B67: _efree (/root/bunldes/php5-STABLE-200408261030/Zend/zend_alloc.c:287)
==13706== by 0x8179D05: compare_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1249)
==13706== by 0x817A518: is_smaller_function (/root/bunldes/php5-STABLE-200408261030/Zend/zend_operators.c:1476)
==13706== Address 0x52BFC3D4 is on thread 1's stack
Param is smaller than 1==13706==
==13706== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 50 from 3)
==13706== malloc/free: in use at exit: 316 bytes in 3 blocks.
==13706== malloc/free: 6971 allocs, 6969 frees, 531779 bytes allocated.
==13706== For a detailed leak analysis, rerun with: --leak-check=yes
==13706== For counts of detected errors, rerun with: -v
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Jul 02 04:01:38 2025 UTC |
This is still a issue in 5.0.2 but fixed (but not totally better) in php5-STABLE-200411241330 - although the output is slightly different. This is my test case: -- <?php $xmlfile = simplexml_load_string("<foo><bar>10</bar></foo>"); print ($xmlfile->bar < 10); ?> -- In 5.0.2 (running on Debian unstable), this returns: -- free(): invalid pointer 0xbfffd584! Allowed memory size of 8388608 bytes exhausted (tried to allocate 256 bytes) -- The segfault/memory leak has been fixed since this build (claims to be 5.0.2-0.2), but with the latest stable CVS a message like the following is still shown: -- free(): invalid pointer 0xbfffd0b4! -- If this message is shown depends on the operator being used - if the second line of code is replaced with 'print ($xmlfile->bar > 10);' then this error is not produced. In all cases, converting the number with floatval() or intval() before the comparison evalutes correctly without error.