[2001-08-22 15:08 UTC] sdettmer at ingenico dot de
Hi,
This is a patch - no bug report. The bug occurs with various PHP
versions (mod_php), i.e. 4.0.5 and 4.0.6 and older ones, various
PHP-4.0.4pl1 (at least I found different tarballs with that equal
version number!). I cannot deliver a small script which
reproduces the seg fault (which is a kill after a failed malloc of > 1GB
mem :)). It does not always happen, I guess 0.5% of the accesses
(according to apache's server log), around 10% of accesses to two
special scripts. Only a few scripts crash (on different
locations, i.e. on "returns" and others).
I found that add_string_to_string tries to get memory for a
string with value.str.val == NULL and value.str.len == 1.5GB. To
work around this, I set len to zero when val == NULL; I know this
is a dirty hack but I cannot understand your code and I have no
time to debug it, sorry.
The patch is against PHP-4.0.5:
----------[ php-4.0.5.dif.take4 ]---------------
diff -Nur ../php-4.0.5.dist/Zend/zend_operators.c
./Zend/zend_operators.c
--- ../php-4.0.5.dist/Zend/zend_operators.c Mon Feb 26
06:43:27 2001
+++ ./Zend/zend_operators.c Thu Jul 19 22:04:13 2001
@@ -960,7 +960,21 @@
/* must support result==op1 */
ZEND_API int add_string_to_string(zval *result, zval *op1, zval *op2)
{
- int length = op1->value.str.len + op2->value.str.len;
+ /* sdettmer@ingenico.de begin */
+ int length;
+
+ /* null strings haven't a useful length */
+ if (op1->value.str.val == NULL) {
+ op1->value.str.len = 0;
+ }
+
+ if (op2->value.str.val == NULL) {
+ op2->value.str.len = 0;
+ }
+
+ length = op1->value.str.len + op2->value.str.len;
+ /* sdettmer@ingenico.de end */
+
result->value.str.val = (char *) erealloc(op1->value.str.val, length+1);
memcpy(result->value.str.val+op1->value.str.len, op2->value.str.val,
+op2->value.str.len);
result->value.str.val[length] = 0;
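Review bot: the NULL checks added at `if (op1->value.str.val == NULL) { op1->value.str.len = 0; }` (and the same for op2) mask the symptom rather than the cause; an IS_STRING operand whose val is NULL but whose len is 1.5GB is already corrupt by the time it reaches add_string_to_string, so the fix belongs where that zval was built or freed, and at most a debug assertion on the val/len invariant belongs here. Zeroing op2->value.str.len also silently rewrites an input operand the caller still owns. The `erealloc(op1->value.str.val, length+1)` context line is left unchanged, and the memcpy context line appears to have been wrapped in transit (`+op2->value.str.len);` reads like a continuation, not an added line), so the patch should be checked to apply cleanly before it is reviewed further.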
----------[ php-4.0.5.dif.take4 end ]---------------
If you want a copy of my source RPM, just drop me a note, I can
mail it to you.
Some info from our internal bug report system. Please note, the
backtrace may be from a different bug if it looks strange :)
> segfault when trying to load bugs, func=browse
> (clicking on Bug in Sourceforge Project).
>
> backtrace:
>
> (gdb) bt
> #0 0x40378c1a in zend_binary_strcmp () from /usr/lib/apache/libphp4.so
> #1 0x40378dac in zend_binary_zval_strcmp () from /usr/lib/apache/libphp4.so
> #2 0x403790d1 in zendi_smart_strcmp () from /usr/lib/apache/libphp4.so
> #3 0x40377e1a in compare_function () from /usr/lib/apache/libphp4.so
> #4 0x40378688 in is_not_equal_function () from /usr/lib/apache/libphp4.so
> #5 0x40362f8f in execute () from /usr/lib/apache/libphp4.so
> #6 0x4036f4b2 in execute () from /usr/lib/apache/libphp4.so
> #7 0x4037ae86 in zend_execute_scripts () from /usr/lib/apache/libphp4.so
> #8 0x4038db94 in php_execute_script () from /usr/lib/apache/libphp4.so
> #9 0x40389de0 in apache_php_module_main () from /usr/lib/apache/libphp4.so
> #10 0x4038a841 in send_php () from /usr/lib/apache/libphp4.so
> #11 0x4038a883 in send_parsed_php () from /usr/lib/apache/libphp4.so
> #12 0x8055160 in ap_invoke_handler ()
> #13 0x806760c in ap_some_auth_required ()
> #14 0x806796c in ap_internal_redirect ()
> #15 0x40a8fdae in _init () from /usr/lib/apache/mod_dir.so
> #16 0x8055160 in ap_invoke_handler ()
>
[cut]
> the segfault is an explicit kill (getpid, 11) done when
> realloc fails. realloc shall get 1.5GB :) The PHP stuff uses
> "Zend Engine" which is some very cryptic and risky
> code. I see no chance to debug it with useful results.
You may contact me via mail (sdettmer@ingenico.de).
oki,
Steffen
I have experienced a similar bug in 4.2.3 in the Zend routine: add_char_to_string(). Without this patch (and the original patch included in this message), standalone PHP could not run the run-tests.php script without a SEGV, and we had similarly odd results with the Apache module. With this patch, life is good. It has something to do with the treatment of NULL/empty strings: whenever the crash occurs, the string is NULL/empty and the string length is 1 !? Something's not right there.
OS: IRIX 6.5 04101931 IP35
PHP Version: 4.2.3
*** zend_operators.c.orig Tue Nov 12 13:42:20 2002 --- zend_operators.c Tue Nov 12 12:20:28 2002 *************** *** 988,997 **** /* must support result==op1 */ ZEND_API int add_char_to_string(zval *result, zval *op1, zval *op2) { ! result->value.str.len = op1->value.str.len + 1; ! result->value.str.val = (char *) erealloc(op1->value.str.val, result->value.str.len+1); ! result->value.str.val[result->value.str.len - 1] = (char) op2->value.lval; ! result->value.str.val[result->value.str.len] = 0; result->type = IS_STRING; return SUCCESS; } --- 988,1013 ---- /* must support result==op1 */ ZEND_API int add_char_to_string(zval *result, zval *op1, zval *op2) { ! ! int length; ! ! /* null strings haven't a useful length */ ! if (op1->value.str.val == NULL) { ! op1->value.str.len = 0; ! } ! ! length = op1->value.str.len + 1; ! ! if (op1->value.str.val==empty_string) { ! result->value.str.val = (char *) emalloc(length+1); ! } else { ! result->value.str.val = (char *) erealloc(op1->value.str.val, length+1); ! } ! ! ! result->value.str.val[length - 1] = (char) op2->value.lval; ! result->value.str.val[length] = 0; ! result->value.str.len = length; result->type = IS_STRING; return SUCCESS; }
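Review bot: the `if (op1->value.str.val==empty_string)` branch that switches from `erealloc` to `emalloc` is the substantive change here, since the shared empty_string buffer is not heap memory and must never be handed to erealloc; that branch deserves a comment saying so. Two smaller points: `length = op1->value.str.len + 1` is computed before the empty_string check, so a zval carrying empty_string with a non-zero len would get an emalloc'd buffer with uninitialised bytes ahead of the new char (forcing length to 1 in that branch, or asserting len == 0, closes the gap); and the NULL-val check that zeroes op1->value.str.len, carried over from the earlier patch, still hides a corrupt operand rather than reporting it. The three consecutive blank `!` lines around the branch are noise worth trimming before this is applied.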
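As an added illustration, not code from this report or from Zend, here is a stand-alone C model of the val/len string pair that handles both cases the two patches address (a NULL val, and a shared empty_string sentinel that must be freshly allocated rather than realloc'd) and refuses an inconsistent operand instead of zeroing its length; the sentinel global and the zstr type are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>

/* Model of a Zend 4.x string zval (val/len pair): val may be NULL, the shared
 * static empty_string sentinel, or a heap buffer. Zend's len is int; size_t here. */
static char empty_string_buf[1] = "";
char *empty_string = empty_string_buf;   /* stands in for Zend's global (assumed) */

typedef struct { char *val; size_t len; } zstr;

/* Append add[0..add_len) to s in place. Returns 0 on success, -1 when the operand
 * breaks the val/len invariant or allocation fails; s is untouched on failure. */
int zstr_append(zstr *s, const char *add, size_t add_len)
{
    int no_buffer = (s->val == NULL || s->val == empty_string);

    /* A missing buffer must carry len 0. NULL val with a large len is the corrupt
     * state from the bug report: reject it rather than silently zeroing len. */
    if (no_buffer && s->len != 0)
        return -1;

    size_t length = s->len + add_len;
    char *buf = no_buffer ? malloc(length + 1)          /* never realloc the sentinel */
                          : realloc(s->val, length + 1);
    if (buf == NULL)
        return -1;

    if (add_len)
        memcpy(buf + s->len, add, add_len);
    buf[length] = '\0';
    s->val = buf;
    s->len = length;
    return 0;
}

/* Three constructed operands: NULL, the empty sentinel, and the inconsistent
 * (NULL, len 1) zval from the report. Returns the number of cases that behave. */
int zstr_selftest(void)
{
    int passed = 0;
    zstr a = { NULL, 0 }, b = { empty_string, 0 }, c = { NULL, 1 };

    if (zstr_append(&a, "ab", 2) == 0 && a.len == 2 && strcmp(a.val, "ab") == 0) passed++;
    if (zstr_append(&b, "x", 1) == 0 && b.len == 1 && strcmp(b.val, "x") == 0) passed++;
    if (zstr_append(&c, "x", 1) == -1 && c.val == NULL && c.len == 1) passed++;

    free(a.val);
    free(b.val);
    return passed;   /* 3 when every case behaves as intended */
}
```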