PHP :: Bug #23132 :: Strange engine crash (reference counting problem)

Bug #23132	Strange engine crash (reference counting problem)
Submitted:	2003-04-09 09:39 UTC	Modified:	2003-10-13 19:24 UTC
From:	edink at proventum dot net	Assigned:	stas (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	4CVS-2003-04-09 (stable)	OS:	Linux (RedHat 7.3)
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	edink at proventum dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-04-09 09:39 UTC] edink at proventum dot net

This piece of code crashes the engine in PHP 4.2.x and 4.3.x including the latest CVS vers?on from PHP_4_3 branch:

function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

Comment out any of the two lines inside the loop and it works.

Just before the crash PHP reports:
[Wed Apr  9 16:40:32 2003]  Script:  'bug.php'
---------------------------------------
/data/src/PHP_4_3/Zend/zend_execute.c(271) : Block 0x0813FB40 status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

And backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x420828fc in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0x420828fc in memcpy () from /lib/i686/libc.so.6
#1  0x080e1f8a in _mem_block_check (ptr=0x813fb64, silent=0,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:649
#2  0x080e1f4d in _mem_block_check (ptr=0x813fb64, silent=1,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:641
#3  0x080e1337 in _efree (ptr=0x813fb64,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:217
#4  0x080fe992 in zend_assign_to_variable_reference (result=0x0,
    variable_ptr_ptr=0x86e4540, value_ptr_ptr=0x815e49c, Ts=0x0)
    at /data/src/PHP_4_3/Zend/zend_execute.c:271
#5  0x081034e4 in execute (op_array=0x81686e8)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1827
#6  0x08102a02 in execute (op_array=0x8163484)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1650
#7  0x080f270a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/src/PHP_4_3/Zend/zend.c:864
#8  0x080c25c0 in php_execute_script (primary_file=0xbffffa20)
    at /data/src/PHP_4_3/main/main.c:1653
#9  0x0810825c in main (argc=2, argv=0xbffffac4)
    at /data/src/PHP_4_3/sapi/cli/php_cli.c:753
#10 0x42017499 in __libc_start_main () from /lib/i686/libc.so.6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-04-09 09:44 UTC] sniper@php.net

I heard that stas almost begged for fixing this bug. :)

[2003-04-09 20:09 UTC] gschlossnagle@php.net

variable_ptr->refcount is getting overflowed in 
zend_assign_to_variable_reference.  It appears that the 
variable doesn't get derefenced in the example below.  If 
you inteject $agreement =1; as a line 2 in the loop, the 
reference count seems to stay correct.

[2003-04-10 16:05 UTC] thekid@php.net

Bug is not existant in Zend Engine 2 [PHP5]:

thekid@friebes:~/devel/php/tests > cat overflow.php 
<?php
function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

var_dump(sizeof($agreement_arr));
?>
thekid@friebes:~/devel/php/tests > php5 overflow.php 
int(70000)

[2003-04-11 01:53 UTC] zeev@php.net

The reference count is correct all along - it's just that in this particular example, the very same (empty) $agreement ends up being referenced more than 64K times, which overflows ZE1's refcount limit.

Either way, it's a bug related to the 64K limit, so it'll be fixed in ZE2 only.

[2003-10-13 19:24 UTC] moriyoshi@php.net

Related to bug #25856

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 19:00:01 2025 UTC