Bug #59659 zend_mm_heap corrupted
Submitted: 2011-03-10 05:08 UTC
Modified: 2021-03-25 16:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dark9 at rune dot ws
Assigned: cmb
Status: Closed
Package: memcache (PECL)
PHP Version: 5.3.5
OS: centos
Private report: No
CVE-ID: None
 [2011-03-10 05:08 UTC] dark9 at rune dot ws
Description:
------------
memcache.c search keyword:
zval_ptr_dtor(callback);
and
zval_add_ref(callback);



Reproduce code:
---------------
	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_ptr_dtor(this_obj);
	}

	zval_ptr_dtor(callback);

/********************and************************/

	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_add_ref(this_obj);
	}

	zval_add_ref(callback);


Expected result:
----------------
	if (Z_TYPE_PP(callback) == IS_ARRAY &&
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_ptr_dtor(this_obj);
	}
	else
	{
		zval_ptr_dtor(callback);
	}


/********************and************************/

	if (Z_TYPE_PP(callback) == IS_ARRAY &&
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_add_ref(this_obj);
	}
	else
	{
		zval_add_ref(callback);
	}

Actual result:
--------------
#0  0x0000003f95830265 in raise () from /lib64/libc.so.6
#1  0x0000003f95831d10 in abort () from /lib64/libc.so.6
#2  0x0000003f9586a84b in __libc_message () from /lib64/libc.so.6
#3  0x0000003f958722ef in _int_free () from /lib64/libc.so.6
#4  0x0000003f9587273b in free () from /lib64/libc.so.6
#5  0x00000000006c67ee in zend_hash_destroy (ht=0xd76ee60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:531
#6  0x00000000006d60e9 in zend_object_std_dtor (object=0xd76f8f0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#7  0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#8  0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=12) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#9  0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd76f8d0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168
#10 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd76f468) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#11 0x00000000006c67c8 in zend_hash_destroy (ht=0xd76eab0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#12 0x00000000006d60e9 in zend_object_std_dtor (object=0xd76ec80) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#13 0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#14 0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=11) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#15 0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd76efd0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168
#16 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd7700c8) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#17 0x00000000006c67c8 in zend_hash_destroy (ht=0xd76ee10) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#18 0x00000000006bb84f in _zval_dtor_func (zvalue=0xd770070) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.c:43
#19 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd746a60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#20 0x00002b7fb5d5b483 in mmc_server_callback_dtor (callback=0xd746a60) at /root/memcache-2.2.6/memcache.c:416
#21 0x00002b7fb5d5b4d0 in mmc_server_sleep (mmc=0xd7459f0) at /root/memcache-2.2.6/memcache.c:438
#22 0x00002b7fb5d5b748 in mmc_pool_free (pool=0xd729880) at /root/memcache-2.2.6/memcache.c:680
#23 0x00000000006c91ee in list_entry_destructor (ptr=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:184
#24 0x00000000006c7614 in zend_hash_del_key_or_index (ht=0xc575c8, arKey=0x202 <Address 0x202 out of bounds>, nKeyLength=4294967295, h=72340172838076673, flag=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:497
#25 0x00000000006c9469 in _zend_list_delete (id=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:58
#26 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd729978) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#27 0x00000000006c67c8 in zend_hash_destroy (ht=0xd74eda0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#28 0x00000000006d60e9 in zend_object_std_dtor (object=0xd7363e0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#29 0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#30 0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=5) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#31 0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd7292a0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168


 [2011-03-10 05:10 UTC] pierre dot php at gmail dot com
That's where it happens but it is certainly not why it happens.

Do you have a script to reproduce this problem? Which version of the extension do you use?
 [2011-03-10 07:13 UTC] dark9 at rune dot ws
hi pajoye:
my memcache client
Version => 2.2.6

but the scripts are too many.

this example:
<?php
class bug
{
	private $_mc;

	public function  __construct()
	{
		$this->_mc=new memcache();
		// Last argument is the failure callback: an array holding $this and a method name
		$this->_mc->addserver('127.0.0.1', 11211, true, 1, 2, -1, true, array($this, 'callBack'));
	}

	public function callBack($host, $port)
	{
		echo $host.$port;
	}
}

I think error time of recycling resource.

backtrace key:
#19 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd746a60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#20 0x00002b7fb5d5b483 in mmc_server_callback_dtor (callback=0xd746a60) at /root/memcache-2.2.6/memcache.c:416
#21 0x00002b7fb5d5b4d0 in mmc_server_sleep (mmc=0xd7459f0) at /root/memcache-2.2.6/memcache.c:438
#22 0x00002b7fb5d5b748 in mmc_pool_free (pool=0xd729880) at /root/memcache-2.2.6/memcache.c:680
#23 0x00000000006c91ee in list_entry_destructor (ptr=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:184

btw: sorry, I speak English very poorly.
 [2011-03-10 22:06 UTC] hradtke@php.net
That script doesn't cause the error for me on 2.2.6 or 3.0.x.  Does it happen all the time or only when it fails to connect?
 [2011-03-11 01:05 UTC] dark9 at rune dot ws
look like script exec time too many.
this problems of php gc start time.
 [2021-03-25 16:43 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2021-03-25 16:43 UTC] cmb@php.net
The official bug tracker for PECL/memcache is now at
<https://github.com/websupport-sk/pecl-memcache/issues>.

So, if this is still an issue with either of the current memcache
versions (4 or 8), please file an issue there.
 