php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #25620 Crash / "String is not zero-terminated"
Submitted: 2003-09-21 11:21 UTC Modified: 2003-09-28 16:21 UTC
Votes:6
Avg. Score:4.0 ± 1.4
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:3 (60.0%)
From: xris at farcaster dot net Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.3.4-dev OS: GNU/Linux 2.4.20
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: xris at farcaster dot net
New email:
PHP Version: OS:

 

 [2003-09-21 11:21 UTC] xris at farcaster dot net 
Description:
------------
I run a rather large PHP System (250k+ LOC).
Recently, a number of "Segmentation-Faults" started popping up
in my Apache error log. Only some of the PHP pages caused a segfault. These segfaults are mostly reproducible, but could be suppressed by moving code around - like changing order of method definitions, etc.

So i set up an identical system as our production server, but with --enable debug. The segfaults did not happen anymore, but i keep getting notices like these:

[21-Sep-2003 16:25:34] PHP Warning:  String is not zero-terminated (SetVerband??̏**rtID'  aa) (source: /home/develop/mod_php-4.3.3/Zend/zend_opcode.c:165) in Unknown on line 0

The problem occurres with PHP from at least 4.2.2 to 4.3.3, regardless wether running with Apache 1.3x or Apache 2.0.

I would like to provide more information, but i don't know how .. any info on how to trace the reason for this problem would greatly appreciated.


Reproduce code:
---------------
sorry, i'cant construct a small snippted reproducing this error - it seems to pop up on pages with a large amount of used objects, though (but thats only a guess ..)

Expected result:
----------------
well, no php crash?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-09-26 07:45 UTC] xris at farcaster dot net 
Just to be sure, i compiled a new valgrind using
the latest stable version: valgrind-20030725

As far as i can tell, the output is identical...

1) valgrind --run-libc-freeres=yes ;# SEGFAULT
http://farcaster.net/valgrind2-err.log

1) valgrind --run-libc-freeres=no ;# NO SEGFAULT
http://farcaster.net/valgrind2-noerr.log
 [2003-09-26 09:45 UTC] xris at farcaster dot net 
I don't know if it's of any help, but i found out that the 4.3.4-dev version prints out more debug information as the 4.3.3 i initially ([21 Sep 11:21am EDT]) used (if compiled "--with-debug"), so here once again a debug output:

--- snip ---

Warning: String is not zero-terminated (Bundesland??̏*Z?̏*ZZZZZZZZZZZZZZZZZZZZZZ?̏*) (source: /var/tmp/portage/php-4.3.4/work/php-4.3.4/Zend/zend_opcode.c:159) in Unknown on line 0
[Fri Sep 26 15:14:21 2003]  Script:  'htdocs/sport/auswahl.php'
---------------------------------------
/home/develop/php-4.3.4/Zend/zend_opcode.c(159) : Block 0x424DB744 status:
/home/develop/php-4.3.4/Zend/zend_variables.c(44) : Actual location (location was relayed)
Beginning:      OK (allocated on Zend/zend_language_scanner.c:4492, 11 bytes)
      End:      Overflown (magic=0x2A8FCC83 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
 [2003-09-27 09:22 UTC] xris at farcaster dot net 
Rechecked both strings; "SetVerband" is definitely a method (theres no other usage of this string in the whole system), but "Bundesland" is a variable (i replaced all '$Bundesland' variables with '$dnalsednuB'). I'll try to identify the
offending usage of this var, but there are 146 places where
such a variable name is used. In almost all cases, $Bundesland contains a class, though..
 [2003-09-27 11:00 UTC] moriyoshi@php.net 
Seems to me the same issue addressed in bug #22510. I suspect you are trying to return a value by reference that is not originated from a variable somewhere in a function. That is,

function &return_ref_a() {
    return $a + $b;
}

function &return_ref_b() {
    return @$a;
}

function &return_ref_c() {
    return -$a;
}

None of the above examples don't actually work, which are verified to cause random heap corruption. Please check if such an error is somewhere in your code.
 [2003-09-27 12:07 UTC] xris at farcaster dot net 
So far i checked 600 methods, but could'nt find any
return's similar to your examples. What about these
constructs, are they known to cause heap corruption, too?

// Example 1
function &return_ref_constant() {
    return FALSE; // or "return (1<2):"
}
// Example 2
function &a() {
  return $b
}
function &return_ref_method() {
    return $this->a();
}
// Example 3
function &return_ref_array() {
    return array();
}

Yes, i know, some of them are "wrong".
 [2003-09-27 13:20 UTC] sniper@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2003-09-27 21:23 UTC] xris at farcaster dot net 
I had to modify some minor stuff of the script (our system) to get it working with php5.

Then php complained on a couple of occasions about an illegal return value for a refercence return method ( we had some calls like the one in my "Example 2" and some methods doing "return new XYZ();).

I fixed these by first assigning the return value to a
variable, then returned this var.

After that, php5 ran the code without complaints/errors.

The same (modified) code, run by the php4 version, still throws the error.
 [2003-09-28 16:17 UTC] sniper@php.net 
So it is the same basic problem as in bug #22510 and is 'fixed' in PHP5. This will not be fixed in PHP 4.
 [2003-09-28 16:21 UTC] xris at farcaster dot net 
OK. Thanks to you all for your help and efforts anyway.
Keep up the good work, your are doing a tremendous job.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 03 12:01:33 2025 UTC