Bug #79781 zend_mm_heap corrupted in zend_array_destroy
Submitted: 2020-07-04 00:37 UTC Modified: 2020-07-11 08:38 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: changochen1 at gmail dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-04 00:37 UTC] changochen1 at gmail dot com
Description:
------------
Cmdline: php -f poc

Stack dump:
---
Fatal error: Allowed memory size of 134217728 bytes exhausted at /home/yongheng/php_clean/Zend/zend_hash.c:2104 (tried to allocate 320 bytes) in /home/yongheng/php_poc5.php on line 2
zend_mm_heap corrupted
MemorySanitizer:DEADLYSIGNAL
==230806==ERROR: MemorySanitizer: SEGV on unknown address 0x03e900038596 (pc 0x7fbc7c66d187 bp 0x000001e00000 sp 0x7ffc089355c8 T230806)
==230806==The signal is caused by a READ memory access.
    #0 0x7fbc7c66d186 in kill /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/syscall-template.S:78
    #1 0x120f077 in zend_mm_panic /home/yongheng/php_clean/Zend/zend_alloc.c:364:2
    #2 0x121628a in zend_mm_free_heap /home/yongheng/php_clean/Zend/zend_alloc.c
    #3 0x13e29a8 in zend_array_destroy /home/yongheng/php_clean/Zend/zend_hash.c:1660:2
    #4 0x174fdeb in zend_objects_store_free_object_storage /home/yongheng/php_clean/Zend/zend_objects_API.c:117:6
    #5 0x13246c0 in shutdown_executor /home/yongheng/php_clean/Zend/zend_execute_API.c:338:2
    #6 0x137edc3 in zend_deactivate /home/yongheng/php_clean/Zend/zend.c:1206:2
    #7 0x10e6c13 in php_request_shutdown /home/yongheng/php_clean/main/main.c:1876:2
    #8 0x177a53d in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:1127:3
    #9 0x1779b7f in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1357:18
    #10 0x7fbc7c64fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x43f8c9 in _start (/home/yongheng/php_clean/bld/sapi/cli/php+0x43f8c9)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/syscall-template.S:78 in kill
==230806==ABORTING
...
---

Test script:
---------------
<?php
// Unbounded recursion: every call allocates a fresh ArrayIterator, so the
// process runs into memory_limit; on the reporter's sanitizer build the
// allocator then reports "zend_mm_heap corrupted" during shutdown.
a();
function a() {
    a(new ArrayIterator([1]));
}

 [2020-07-07 14:44 UTC] nikic@php.net
I can't reproduce with this script under valgrind, but very likely this is the same issue as bug #79788.
 [2020-07-07 21:44 UTC] changochen1 at gmail dot com
The php I used is built with address sanitizer. The command is
CONFIGURE_COMMAND = '../configure' '--enable-debug-assertions' '--enable-memory-sanitizer'
 [2020-07-11 08:38 UTC] nikic@php.net
@changochen1: Note that --enable-memory-sanitizer enables the memory sanitizer, not the address sanitizer. The memory sanitizer primarily detects uninitialized memory.

For address sanitizer, you would use ./configure CFLAGS="-fsanitize=address".

When running under address/memory sanitizer, it is also useful to set the USE_ZEND_ALLOC=0 and USE_TRACKED_ALLOC=1 environment variables, which will force use of the system allocator. Otherwise you will not get most of the benefit from the sanitizer.
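The build and run advice in the comments above, as an added example that is not part of the thread or of php-src: a POSIX shell helper that enables ASan through CFLAGS, runs a PoC with `USE_ZEND_ALLOC=0 USE_TRACKED_ALLOC=1`, and classifies the captured output so the memory_limit fatal produced by unbounded recursion is not mistaken for a sanitizer finding. The php-src path, the `triage.sh` name and the sample dump are assumptions.

```shell
#!/bin/sh
# Hypothetical triage helper (not php-src code). ASan is enabled via CFLAGS,
# not --enable-memory-sanitizer; the PoC runs on the system allocator so the
# sanitizer sees every allocation instead of Zend MM's own chunks.

# Configure and build a php-src checkout with AddressSanitizer.
# $1 = path to the checkout (assumed, e.g. $HOME/php-src).
build_asan_php() {
    (
        cd "$1" || exit 1
        ./buildconf >/dev/null
        ./configure --enable-debug-assertions CFLAGS="-fsanitize=address"
        make
    )
}

# Run a PoC on the sanitizer build, capturing stdout and stderr together.
# memory_limit is still enforced because the tracked allocator counts usage.
# $1 = php binary, $2 = PoC script.
run_poc() {
    USE_ZEND_ALLOC=0 USE_TRACKED_ALLOC=1 "$1" -f "$2" 2>&1
}

# Classify captured output. Order matters: a real ASan/MSan finding wins;
# "zend_mm_heap corrupted" is the allocator's own self-check (zend_mm_panic
# raises SIGSEGV itself, which is why MSan then prints a SEGV report); a bare
# memory_limit fatal is the expected result of unbounded recursion.
classify_output() {
    case "$1" in
        *"ERROR: AddressSanitizer"*)    echo asan-finding ;;
        *"use-of-uninitialized-value"*) echo msan-finding ;;
        *"zend_mm_heap corrupted"*)     echo zend-mm-panic ;;
        *"Allowed memory size"*)        echo memory-limit-fatal ;;
        *)                              echo clean ;;
    esac
}

# Constructed sample: the gist of the MSan dump pasted in this report.
SAMPLE_MSAN_DUMP='Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 320 bytes)
zend_mm_heap corrupted
MemorySanitizer:DEADLYSIGNAL
==230806==ERROR: MemorySanitizer: SEGV on unknown address 0x03e900038596
    #1 0x120f077 in zend_mm_panic Zend/zend_alloc.c:364:2'

# Usage: ./triage.sh /path/to/php-src/sapi/cli/php poc.php
if [ "$#" -eq 2 ]; then
    classify_output "$(run_poc "$1" "$2")"
fi
```

A zend-mm-panic result on a build that still uses the Zend allocator is the signal to rerun with the two environment variables set, since only then does the sanitizer report the actual bad access rather than the allocator's after-the-fact check.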
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 17:01:29 2024 UTC