PHP :: Bug #23132 :: Strange engine crash (reference counting problem)

Bug #23132	Strange engine crash (reference counting problem)
Submitted:	2003-04-09 09:39 UTC	Modified:	2003-10-13 19:24 UTC
From:	edink at proventum dot net	Assigned:	stas (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	4CVS-2003-04-09 (stable)	OS:	Linux (RedHat 7.3)
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	edink at proventum dot net
New email:
PHP Version:		OS:

New Comment:

[2003-04-09 09:39 UTC] edink at proventum dot net

This piece of code crashes the engine in PHP 4.2.x and 4.3.x including the latest CVS vers?on from PHP_4_3 branch:

function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

Comment out any of the two lines inside the loop and it works.

Just before the crash PHP reports:
[Wed Apr  9 16:40:32 2003]  Script:  'bug.php'
---------------------------------------
/data/src/PHP_4_3/Zend/zend_execute.c(271) : Block 0x0813FB40 status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

And backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x420828fc in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0x420828fc in memcpy () from /lib/i686/libc.so.6
#1  0x080e1f8a in _mem_block_check (ptr=0x813fb64, silent=0,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:649
#2  0x080e1f4d in _mem_block_check (ptr=0x813fb64, silent=1,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:641
#3  0x080e1337 in _efree (ptr=0x813fb64,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:217
#4  0x080fe992 in zend_assign_to_variable_reference (result=0x0,
    variable_ptr_ptr=0x86e4540, value_ptr_ptr=0x815e49c, Ts=0x0)
    at /data/src/PHP_4_3/Zend/zend_execute.c:271
#5  0x081034e4 in execute (op_array=0x81686e8)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1827
#6  0x08102a02 in execute (op_array=0x8163484)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1650
#7  0x080f270a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/src/PHP_4_3/Zend/zend.c:864
#8  0x080c25c0 in php_execute_script (primary_file=0xbffffa20)
    at /data/src/PHP_4_3/main/main.c:1653
#9  0x0810825c in main (argc=2, argv=0xbffffac4)
    at /data/src/PHP_4_3/sapi/cli/php_cli.c:753
#10 0x42017499 in __libc_start_main () from /lib/i686/libc.so.6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-04-09 09:44 UTC] sniper@php.net

I heard that stas almost begged for fixing this bug. :)

[2003-04-09 20:09 UTC] gschlossnagle@php.net

variable_ptr->refcount is getting overflowed in 
zend_assign_to_variable_reference.  It appears that the 
variable doesn't get derefenced in the example below.  If 
you inteject $agreement =1; as a line 2 in the loop, the 
reference count seems to stay correct.

[2003-04-10 16:05 UTC] thekid@php.net

Bug is not existant in Zend Engine 2 [PHP5]:

thekid@friebes:~/devel/php/tests > cat overflow.php 
<?php
function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

var_dump(sizeof($agreement_arr));
?>
thekid@friebes:~/devel/php/tests > php5 overflow.php 
int(70000)

[2003-04-11 01:53 UTC] zeev@php.net

The reference count is correct all along - it's just that in this particular example, the very same (empty) $agreement ends up being referenced more than 64K times, which overflows ZE1's refcount limit.

Either way, it's a bug related to the 64K limit, so it'll be fixed in ZE2 only.

[2003-10-13 19:24 UTC] moriyoshi@php.net

Related to bug #25856

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jul 02 07:01:33 2025 UTC