Bug #27229 Abort trap (6)
Submitted: 2004-02-12 10:59 UTC Modified: 2004-02-13 08:14 UTC
From: dodell at sitetronics dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 4.3.4 OS: FreeBSD 5.1-RELEASE-p13
Private report: No CVE-ID: None

 [2004-02-12 10:59 UTC] dodell at sitetronics dot com
Description:
------------
PHP 4.3.4 is causing apache to crash. Here's the error 
in httpd-error.log

httpd in free(): error: chunk is already free

phpinfo() available at:

http://www.sitetronics.com/~dodell/phpinfo.php

Reproduce code:
---------------
I'd provide code, but it's proprietary. I'll attempt to reproduce the crash with similar code.

Actual result:
--------------
#0  0x2811db23 in kill () from /usr/lib/libc.so.5
#1  0x2818a4fd in abort () from /usr/lib/libc.so.5
#2  0x28188d1f in tcflow () from /usr/lib/libc.so.5
#3  0x28188d7e in tcflow () from /usr/lib/libc.so.5
#4  0x281897e7 in tcflow () from /usr/lib/libc.so.5
#5  0x28189a30 in free () from /usr/lib/libc.so.5
#6  0x2859b83f in _fini () from /usr/local/libexec/apache/libphp4.so
#7  0x2857e318 in _fini () from /usr/local/libexec/apache/libphp4.so
#8  0x285bd6dc in _fini () from /usr/local/libexec/apache/libphp4.so
#9  0x285be2d2 in _fini () from /usr/local/libexec/apache/libphp4.so
#10 0x285be495 in _fini () from /usr/local/libexec/apache/libphp4.so
#11 0x08054983 in ap_invoke_handler ()
#12 0x080671d4 in process_request_internal ()
#13 0x080673e4 in ap_process_request ()
#14 0x0805f808 in child_main ()
#15 0x0805fa88 in make_child ()
#16 0x0805faff in startup_children ()
#17 0x080605fa in standalone_main ()
#18 0x08060939 in main ()
#19 0x0804fd65 in _start ()


 [2004-02-12 14:33 UTC] dodell at sitetronics dot com
This code does essentially the same operations as the code I'm using and produces the same error.

This is FreeBSD package ``mod_php4-4.3.4_6,1''

<?php
$string = "a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al";

$regex = "(\w{1}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2})
\d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2})";

$matches = array();

preg_match_all("/$regex/mi", $string, $matches);
$date = date('Y-m-d', time());
$packet_matches = array();

$i = 0;
$num_matches = count($matches[0]);

array_shift($matches);
array_multisort($matches[2], SORT_ASC);

$t = array('aj'=>0, 'ja'=>0);
$p_p = array('a'=>0, 'b'=>0, 'ai'=>0);
$diff = $s_p = $s_t = array_fill (0, 65535, 0);
for ($i = 0; $i < $num_matches; $i++) {
        $p_p[$matches[4][$i]]++;
        $s_p[$matches[8][$i]]++;
        $s_t[$matches[8][$i]] += $matches[11][$i];
        $t[$matches[9][$i]] += $matches[11][$i];
}

function _a_d($array) {
        $a = array();
        for ($i = 0; $i < count($array); $i++)
                if ($array[$i] != 0) $a[] = $array[$i];
        return $a;
}

$s_p = _a_d($s_p, $diff);
print_r($s_p);
?>
 [2004-02-12 20:50 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Cannot replicate using latest CVS. 
 [2004-02-13 02:35 UTC] dodell at sitetronics dot com
This snapshot does not fix the problem. Again, the 
application works under the same environment using PHP 5 
beta 4.

Derick asked me off the record to try this on a FreeBSD 
4.x system.

test# php -q test.php
PHP Notice:  Undefined index:  ae in /usr/home/dodell/test.php on line 28
PHP Notice:  Undefined index:  ai in /usr/home/dodell/test.php on line 29
PHP Notice:  Undefined index:  ai in /usr/home/dodell/test.php on line 30
PHP Notice:  Undefined offset:  65535 in /usr/home/dodell/test.php on line 37
Array
(
)
php in free(): warning: chunk is already free
php in free(): warning: chunk is already free

These problems continue to persist with the latest 
development version.
 [2004-02-13 03:15 UTC] derick@php.net
I couldn't reproduce this on ANY system I tried. Linux with 4.3.2, 4.3.3 and 4.3.5dev, FreeBSD (4.9) with 4.3.5dev... all work fine, valgrind shows nothing (on Linux)... no clue what's going on.
 [2004-02-13 03:51 UTC] dodell at sitetronics dot com
My arrays were too large; updating refcount from a 
ushort to a ulong has fixed my problem -- except, the 
question remains, why's it dumping core in FreeBSD 5.x 
and not in 4.x?
 [2004-02-13 08:14 UTC] sniper@php.net
Not a bug. (PHP5 allows larger arrays though)
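
The failure mode this thread converges on (a 16-bit refcount that the reporter widened from ushort to ulong, and the "chunk is already free" message), as an added example that is not part of the original report or of PHP's source. It is a toy C model with hypothetical names (toy_val, share_and_release): an unchecked 16-bit counter wraps once a value has more holders than it can count and the destructor runs twice, while a checked increment refuses the extra references instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not PHP source: one shared value with a 16-bit refcount. */
typedef struct {
    uint16_t refcount;  /* wraps to 0 after 65535 */
    int destroyed;      /* how many times the "destructor" ran */
} toy_val;

/* Unchecked increment: silently wraps when holders exceed the range. */
static void ref_unchecked(toy_val *v) { v->refcount++; }

/* Checked increment: refuse the reference rather than wrap. A real
 * runtime would hand the caller a private copy at this point. */
static bool ref_checked(toy_val *v) {
    if (v->refcount == UINT16_MAX) return false;
    v->refcount++;
    return true;
}

/* Drop one reference; hitting zero stands in for free(). */
static void unref(toy_val *v) {
    if (--v->refcount == 0) v->destroyed++;
}

/* Share one value among `holders` owners, then let every owner that got a
 * reference release it. Returns the destructor count: 1 is correct,
 * 2 or more models a double free. */
static int share_and_release(size_t holders, bool checked, size_t *refused) {
    toy_val v = { 1, 0 };          /* the creator holds the first reference */
    size_t taken = 1;
    *refused = 0;
    for (size_t i = 1; i < holders; i++) {
        if (!checked) { ref_unchecked(&v); taken++; }
        else if (ref_checked(&v)) taken++;
        else (*refused)++;
    }
    for (size_t i = 0; i < taken; i++) unref(&v);
    return v.destroyed;
}

int main(void) {
    size_t refused;
    /* 65537 holders is a constructed input: one more than the counter's period. */
    printf("unchecked: destroyed %d times\n", share_and_release(65537, false, &refused));
    printf("checked:   destroyed %d times, ", share_and_release(65537, true, &refused));
    printf("%zu references refused\n", refused);
    return 0;
}
```

In the model the second destructor run happens only when the last stale holder releases, which is why the symptom shows up at request or script shutdown rather than at the point where the counter wrapped.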