[2003-09-02 18:28 UTC] moregan at flr dot follett dot com
Description: ------------ (This arose from working with script from the now-closed bug 23333. I accidentally put material intended for 23333 into 25275, but this now seems to me to be a separate bug.) A CLI script that builds an array of 65536 numbers and then makes 65536 copies segfaults. True for /php4-STABLE-200309020330 on RedHat 8 and for the binary from php4-win32-STABLE-200309022030.zip on Windows 2000. The example may seem contrived, but I'm hoping that this is one of the causes of a thorny heap corruption problem we're seeing. Reproduce code: --------------- <?php $elements = 65536; $big = array(); $test = array(); for($i=0; $i < $elements; $i++) { $big[$i] = $i; } for($i=0; $i < $elements; $i++) { $test[$i] = $big; } ?> If you change $elements to 65535 then there's no segfault. Expected result: ---------------- nothing Actual result: -------------- (gdb) bt full #0 0x080c6769 in php_strlcpy (dst=0x8135ac0 "-", src=0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, siz=1024) at /home/moregan/php4-STABLE-200309020330/main/strlcpy.c:58 d = 0x8135ac0 "-" s = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds> n = 1023 #1 0x080bd020 in php_error_cb (type=8, error_filename=0x5a5a5a5a <Address 0x5a5a5a5a out of bounds>, error_lineno=35, format=0x812ad40 "Use of undefined constant %s - assumed '%s'", args=0xbfffb9c8 "?\037\027\b?\037\027\b?\037\027\b\006") at /home/moregan/php4-STABLE-200309020330/main/main.c:615 buffer = 0x816a4ec "Use of undefined constant STDERR - assumed 'STDERR'" buffer_len = 51 display = 1 #2 0x080ee343 in zend_error (type=8, format=0x812ad40 "Use of undefined constant %s - assumed '%s'") at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:751 args = 0xbfffb9c8 "?\037\027\b?\037\027\b?\037\027\b\006" params = (struct _zval_struct ***) 0x0 retval = (struct _zval_struct *) 0xbfffb9c8 z_error_type = (struct _zval_struct *) 0x81285c0 z_error_message = (struct _zval_struct *) 0x81716cc z_error_filename = (struct _zval_struct *) 0xbfffb9b4 z_error_lineno 
= (struct _zval_struct *) 0x7 z_context = (struct _zval_struct *) 0x8007272 error_filename = 0x5a5a5a5a <Address 0x5a5a5a5a out of bounds> error_lineno = 35 orig_user_error_handler = (struct _zval_struct *) 0x7 #3 0x080ffa0c in execute (op_array=0x8171b2c) at /home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1989 execute_data = {opline = 0x8171260, function_state = {function_symbol_table = 0x0, function = 0x8171b2c, reserved = { 0x80fabde, 0x8171fbc, 0x5a9b0765, 0x1c}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0}, Ts = 0xbfffb9d0, original_in_execution = 1 '\001', op_array = 0x8171b2c, prev_execute_data = 0xbfffbe20} #4 0x080fe633 in execute (op_array=0x816a464) at /home/moregan/php4-STABLE-200309020330/Zend/zend_execute.c:1660 calling_symbol_table = (struct _hashtable *) 0x813a14c original_return_value = (struct _zval_struct **) 0xbfffbea4 return_value_used = 0 execute_data = {opline = 0x816e850, function_state = {function_symbol_table = 0x81715c4, function = 0x8171b2c, reserved = { 0x10001, 0x4000000, 0x0, 0x0}}, fbc = 0x8171b2c, ce = 0x0, object = {ptr = 0x8170a04}, Ts = 0xbfffbc20, original_in_execution = 0 '\0', op_array = 0x816a464, prev_execute_data = 0x0} #5 0x080ee81c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/moregan/php4-STABLE-200309020330/Zend/zend.c:885 files = 0xbfffbed4 "" i = 1 file_handle = (struct _zend_file_handle *) 0xbfffe170 orig_op_array = (struct _zend_op_array *) 0x0 local_retval = (struct _zval_struct *) 0x0 #6 0x080bf239 in php_execute_script (primary_file=0xbfffe170) at /home/moregan/php4-STABLE-200309020330/main/main.c:1723 orig_bailout = {{__jmpbuf = {1108517584, 1073815584, -1073749500, -1073749576, -1073749984, 135281170}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}} orig_bailout_set = 1 '\001' prepend_file_p = (struct _zend_file_handle *) 0x0 append_file_p = (struct _zend_file_handle *) 0x0 prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, 
fp = 0x0}, free_filename = 0 '\0'} append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0}, free_filename = 0 '\0'} old_cwd = 0xbfffbee0 "" old_primary_file_path = 0x0 retval = 0 #7 0x08104108 in main (argc=1, argv=0xbfffe204) at /home/moregan/php4-STABLE-200309020330/sapi/cli/php_cli.c:819 orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}} orig_bailout_set = 0 '\0' exit_status = 0 c = -1 file_handle = {type = 2 '\002', filename = 0x812bb4b "-", opened_path = 0x0, handle = {fd = 1108505024, fp = 0x421271c0}, free_filename = 0 '\0'} behavior = 1 orig_optind = 1 orig_optarg = 0x0 arg_free = 0xbffffbb1 "./sapi/cli/php" arg_excp = (char **) 0xbfffe204 script_file = 0x0 global_vars = {head = 0x0, tail = 0x0, size = 4, count = 0, dtor = 0, persistent = 0 '\0', traverse_ptr = 0xbfffe204} interactive = 0 module_started = 1 lineno = 0 exec_direct = 0x0 param_error = 0x0 hide_argv = 0 #8 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6 No symbol table info available.
That backtrace is definitely not the correct one; this one is:

(gdb) bt
#0 __libc_free (mem=0x401aa014) at malloc.c:3005
#1 0x80d7c02 in zend_hash_destroy (ht=0x8141014) at /usr/src/web/php/php4_3/Zend/zend_hash.c:560
#2 0x80d2c88 in _zval_dtor (zvalue=0x814104c) at /usr/src/web/php/php4_3/Zend/zend_variables.c:51
#3 0x80cc118 in _zval_ptr_dtor (zval_ptr=0x8a46838) at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:291
#4 0x80d7b98 in zend_hash_destroy (ht=0x814a28c) at /usr/src/web/php/php4_3/Zend/zend_hash.c:553
#5 0x80d2c88 in _zval_dtor (zvalue=0x814a2fc) at /usr/src/web/php/php4_3/Zend/zend_variables.c:51
#6 0x80cc118 in _zval_ptr_dtor (zval_ptr=0x814a2d0) at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:291
#7 0x80d7b98 in zend_hash_destroy (ht=0x811ee4c) at /usr/src/web/php/php4_3/Zend/zend_hash.c:553
#8 0x80cbe91 in shutdown_executor () at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:186
#9 0x80d3aef in zend_deactivate () at /usr/src/web/php/php4_3/Zend/zend.c:665
#10 0x80aecca in php_request_shutdown (dummy=0x0) at /usr/src/web/php/php4_3/main/main.c:998
#11 0x80eab47 in main (argc=2, argv=0xbffff8f4) at /usr/src/web/php/php4_3/sapi/cli/php_cli.c:870
#12 0x400709cb in __libc_start_main (main=0x80ea1b8 <main>, argc=2, argv=0xbffff8f4, init=0x80593fc <_init>, fini=0x80eaf74 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff8ec) at ../sysdeps/generic/libc-start.c:92

And this does NOT happen with latest CVS of PHP 5. (feel free to prove me wrong)

[Reviewer note: the report's 65535/65536 boundary sits exactly at the limit of a 16-bit counter, and this trace faults in free() while nested arrays are being destroyed at shutdown. Together these would fit a reference count wrapping and the shared array being released while still referenced. Nothing on this page confirms that cause; treat it as a hypothesis to check against the zval definition in the affected branch.]