Bug #38956 seg fault during array_walk due to reallocated stack
Submitted: 2006-09-25 22:41 UTC Modified: 2006-09-27 17:34 UTC
From: jeannielu at hotmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.1.6 OS: Linux 2.6.16-22
Private report: No CVE-ID: None
 [2006-09-25 22:41 UTC] jeannielu at hotmail dot com
Description:
------------
I reliably get a seg fault during execution of array_walk() in our web application. Unfortunately, the seg fault is not reproducible with any simpler test case. 

gdb shows the death to be here:

#0  zend_call_function (fci=0xbfe8bcf0, fci_cache=0xbfe8bd14)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_execute_API.c:859
859                             (*fci->params[i])->refcount++;

FYI, the call looks like this:

        array_walk($current_set,
                   array($this, '_format_traffic_data'),
                   $dd
                   );

Where $current_set is a 2-D array of 10x5 elements, $dd another 2-D array of 2x2 elements. Each element is a string of 10-30 characters. However, I don't think the argument details are important. 

Valgrind shows that zend_call_function died processing the third argument because it referenced memory freed by zend_ptr_stack.h. See attached backtrace.

Actual result:
--------------
gdb:

#0  zend_call_function (fci=0xbfe8bcf0, fci_cache=0xbfe8bd14)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_execute_API.c:859
#1  0x081bdb35 in php_array_walk (target_hash=0x90472cc, userdata=0x85ebd6c, recursive=0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/ext/standard/array.c:1099
#2  0x081bdeaf in zif_array_walk (ht=3, return_value=0x904b69c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/ext/standard/array.c:1159
#3  0x0826af4d in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8cbd0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:200
#4  0x0826a6f1 in execute (op_array=0x894b304) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#5  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8df80)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#6  0x0826a6f1 in execute (op_array=0x8b12e34) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#7  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8f360)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#8  0x0826a6f1 in execute (op_array=0x8ada67c) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#9  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe90280)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#10 0x0826a6f1 in execute (op_array=0x8ac0bfc) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#11 0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe92240)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#12 0x0826a6f1 in execute (op_array=0x860b9e0) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#13 0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe923b0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#14 0x0826a6f1 in execute (op_array=0x85f609c) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#15 0x0825471f in zend_execute_scripts (type=8, retval=Variable "retval" is not available.
) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend.c:1109
#16 0x0822029c in php_execute_script (primary_file=0xbfe947d4)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/main/main.c:1737
#17 0x082ce8ad in main (argc=5, argv=0xbfe94914) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/sapi/cli/php_cli.c:1093

(gdb) print *fci->params[2]
$1 = (zval *) 0x39


valgrind:

==7352== LEAK SUMMARY:
==7352==    definitely lost: 0 bytes in 0 blocks.
==7352==      possibly lost: 1,088 bytes in 1 blocks.
==7352==    still reachable: 49,274 bytes in 568 blocks.
==7352==         suppressed: 0 bytes in 0 blocks.
==7352== Reachable blocks (those to which a pointer was found) are not shown.
==7352== To see them, rerun with: --show-reachable=yes
==7313== Invalid read of size 4
==7313==    at 0x81BDAF6: php_array_walk (array.c:1090)
==7313==    by 0x81BDEAE: zif_array_walk (array.c:1159)
==7313==    by 0x826AF4C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==  Address 0x437A678 is 80 bytes inside a block of size 268 free'd
==7313==    at 0x4005997: realloc (vg_replace_malloc.c:306)
==7313==    by 0x82406C3: _erealloc (zend_alloc.c:388)
==7313==    by 0x82906D4: zend_send_by_var_helper_SPEC_CV (zend_ptr_stack.h:99)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
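The valgrind trace above says zend_call_function dereferenced an argument pointer that lay inside a pointer-stack block which had already been reallocated and freed by the time it was read. The following C program is an added example, not code from the PHP engine or from this report, that reproduces that failure pattern in miniature: a toy growable stack (`ptr_stack` and all function names here are this example's own) whose backing array moves on growth, the hazardous accessor that caches a slot address across a push, the hardened accessor that keeps an index instead, and a base-address check that a debug build could assert on before trusting a cached slot.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable pointer stack. The engine's real structure is different;
 * this only models "the backing array may move when an element is pushed". */
typedef struct {
    void **elements;   /* backing array, replaced on growth */
    size_t top;        /* number of live slots */
    size_t max;        /* capacity in slots */
} ptr_stack;

static void stack_init(ptr_stack *s, size_t cap) {
    s->elements = malloc(cap * sizeof *s->elements);
    s->top = 0;
    s->max = cap;
}

/* Growth allocates a fresh block and frees the old one. realloc() may or may
 * not move the block; doing it by hand makes the move deterministic, so the
 * hazard below is guaranteed to occur rather than merely possible. */
static void stack_push(ptr_stack *s, void *p) {
    if (s->top == s->max) {
        size_t new_max = s->max * 2;
        void **fresh = malloc(new_max * sizeof *fresh);
        memcpy(fresh, s->elements, s->top * sizeof *fresh);
        free(s->elements);          /* the old block is now dead memory */
        s->elements = fresh;
        s->max = new_max;
    }
    s->elements[s->top++] = p;
}

/* Hazardous pattern: cache the address of a slot, then do something that can
 * grow the stack. If growth happens, `slot` points into the freed block and
 * the final read is a use-after-free, which is what valgrind reported above.
 * Kept only for comparison and deliberately never called. */
static void *hazardous_get_then_push(ptr_stack *s, size_t i, void *extra) {
    void **slot = &s->elements[i];
    stack_push(s, extra);
    return *slot;
}

/* Hardened pattern: carry the index, not the address, across any operation
 * that can grow the stack, and re-derive the pointer afterwards. */
static void *safe_get_then_push(ptr_stack *s, size_t i, void *extra) {
    stack_push(s, extra);
    return s->elements[i];
}

/* Debug check: a cached slot address is only usable while the backing array
 * has not moved since the address was taken. Addresses are compared as
 * integers so the check never forms or dereferences a pointer into freed memory. */
static int base_unchanged(uintptr_t cached_base, const ptr_stack *s) {
    return cached_base == (uintptr_t)s->elements;
}

/* Driver: fill a 2-slot stack, remember its base, push a third element
 * (forcing growth), and confirm that the cached base is now stale while the
 * index-based accessor still returns the right element. Returns 1 on success. */
static int demo_stack_move(void) {
    static int a = 1, b = 2, c = 3;   /* constructed sample payloads */
    ptr_stack s;
    stack_init(&s, 2);
    stack_push(&s, &a);
    stack_push(&s, &b);
    uintptr_t old_base = (uintptr_t)s.elements;

    void *second = safe_get_then_push(&s, 1, &c);   /* growth happens here */

    int moved = !base_unchanged(old_base, &s);      /* cached base is stale */
    int ok = moved && second == (void *)&b && *(int *)second == 2 && s.top == 3;
    free(s.elements);
    return ok;
}
```

The same reasoning applies to any pointer taken into a container that can reallocate: an `assert(base_unchanged(...))` in debug builds turns a silent bad read into an immediate failure at the point where the stale pointer is about to be used, which is far easier to attribute than a crash several frames later.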

 [2006-09-26 01:32 UTC] judas dot iscariote at gmail dot com
Looks like a duplicate of 34066 which is fixed in CVS, and will be in 5.2.0 very soon now :)
 [2006-09-26 07:04 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-09-26 22:01 UTC] jeannielu at hotmail dot com
php5.2-latest seems to fix it. Can I obtain a patch for 5.1.6? Will it apply cleanly?
 [2006-09-26 22:09 UTC] tony2001@php.net
Fixed -> closed.
I don't think it makes sense to backport a patch from a release candidate to the previous release. Just wait for a couple of weeks for the release.
 [2006-09-27 17:34 UTC] jeannielu at hotmail dot com
It makes sense if the patch is simple - in our case we won't have the opportunity window to upgrade our application until a few months later.