Bug #20327 Using already free()ed memory
Submitted: 2002-11-09 07:56 UTC Modified: 2002-11-21 17:14 UTC
From: michael at miknet dot net Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 4.3.0-dev OS: Linux and FreeBSD
Private report: No CVE-ID: None

 [2002-11-09 07:56 UTC] michael at miknet dot net
I get these messages when changing items in a customer's shopping cart code:

/home/michael/src/php4/Zend/zend_hash.c(178) :  Freeing 0x440C72EC (32 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 11 times
/home/michael/src/php4/Zend/zend_hash.c(262) :  Freeing 0x440E23E8 (44 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 11 times
/home/michael/src/php4/Zend/zend_execute.c(277) :  Freeing 0x442DBB10 (12 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 11 times
/home/michael/src/php4/Zend/zend_execute.c(280) :  Freeing 0x44300C54 (44 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
/home/michael/src/php4/Zend/zend_variables.c(122) : Actual location (location was relayed)
Last leak repeated 11 times
/home/michael/src/php4/main/php_variables.c(175) :  Freeing 0x43C6CF7C (12 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 3 times
/home/michael/src/php4/main/php_variables.c(52) :  Freeing 0x43C6CC54 (7 bytes), 
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 3 times

The number of leaks is directly related to the number of "items" in the cart. I can't include the code that causes this (it's not my code, and I can't narrow down exactly which part of the code causes it).

Occasionally I get a segfault when trying to access junk memory (in the latest CVS snapshot, compiled with debugging enabled, it tries to free() the memory address 0x5a5a5a5a on random occasions).

It also sometimes complains about 1 byte being overflowed.

No other code I have causes these problems.
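When triaging a report like the one above, the first step is usually to aggregate the leak lines by reporting site and weight them by the repeat count. The following Python parser is an added example, not code from this bug report or from PHP itself; it assumes the Zend debug allocator's output format exactly as shown above and interprets "Last leak repeated N times" as N further identical leaks (an assumption).

```python
import re
from collections import OrderedDict

# Constructed sample, trimmed from the leak output quoted in the report above.
SAMPLE = """\
/home/michael/src/php4/Zend/zend_hash.c(178) :  Freeing 0x440C72EC (32 bytes),
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 11 times
/home/michael/src/php4/Zend/zend_execute.c(280) :  Freeing 0x44300C54 (44 bytes),
script=/home/michael/swish_src/worldVision/www/cart.php
/home/michael/src/php4/Zend/zend_variables.c(122) : Actual location (location was relayed)
Last leak repeated 11 times
/home/michael/src/php4/main/php_variables.c(52) :  Freeing 0x43C6CC54 (7 bytes),
script=/home/michael/swish_src/worldVision/www/cart.php
Last leak repeated 3 times
"""

FREEING = re.compile(r"^(?P<loc>\S+\(\d+\)) :\s+Freeing 0x[0-9A-Fa-f]+ \((?P<bytes>\d+) bytes\)")
ACTUAL = re.compile(r"^(?P<loc>\S+\(\d+\)) : Actual location")
REPEAT = re.compile(r"^Last leak repeated (?P<n>\d+) times")


def parse_leaks(text):
    """Return one dict per leak record: loc, actual (relayed site or None), bytes, count.
    count is 1 plus the repeat count; 'repeated N times' is read as N further leaks (assumption)."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        m = FREEING.match(line)
        if m:
            records.append({"loc": m.group("loc"), "actual": None,
                            "bytes": int(m.group("bytes")), "count": 1})
            continue
        if not records:          # repeat/actual lines only make sense after a Freeing line
            continue
        m = ACTUAL.match(line)
        if m:
            records[-1]["actual"] = m.group("loc")   # prefer the relayed real allocation site
            continue
        m = REPEAT.match(line)
        if m:
            records[-1]["count"] += int(m.group("n"))
    return records


def summarize(records):
    """Aggregate by allocation site, in order of first appearance: site -> (leak count, total bytes)."""
    summary = OrderedDict()
    for r in records:
        key = r["actual"] or r["loc"]
        n, b = summary.get(key, (0, 0))
        summary[key] = (n + r["count"], b + r["bytes"] * r["count"])
    return summary
```

Sites whose leak count scales with the number of cart items, as the reporter describes, stand out immediately in the summary.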


 [2002-11-09 08:04 UTC] michael at miknet dot net
Here's a backtrace:
#0  0x40101f6a in strlen () from /lib/libc.so.6
#1  0x403ac0e8 in zif_addslashes (ht=1, return_value=0x833d124, this_ptr=0x0,
    return_value_used=1) at /home/michael/src/php4/ext/standard/string.c:2258
#2  0x40449672 in execute (op_array=0x8348cfc)
    at /home/michael/src/php4/Zend/zend_execute.c:1595
#3  0x404498c4 in execute (op_array=0x834677c)
    at /home/michael/src/php4/Zend/zend_execute.c:1639
#4  0x404498c4 in execute (op_array=0x836202c)
    at /home/michael/src/php4/Zend/zend_execute.c:1639
#5  0x404498c4 in execute (op_array=0x831c204)
    at /home/michael/src/php4/Zend/zend_execute.c:1639
#6  0x404498c4 in execute (op_array=0x811c8c4)
    at /home/michael/src/php4/Zend/zend_execute.c:1639
#7  0x404498c4 in execute (op_array=0x81147fc)
    at /home/michael/src/php4/Zend/zend_execute.c:1639
#8  0x40436664 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/michael/src/php4/Zend/zend.c:840
#9  0x403fc415 in php_execute_script (primary_file=0xbffff544)
    at /home/michael/src/php4/main/main.c:1541
#10 0x4044eb00 in apache_php_module_main (r=0x808bf64, display_source_mode=0)
    at /home/michael/src/php4/sapi/apache/sapi_apache.c:55
#11 0x4044fa80 in send_php (r=0x808bf64, display_source_mode=0,
    filename=0x808dadc "/home/michael/swish_src/worldVision/www/cart.php")
    at /home/michael/src/php4/sapi/apache/mod_php4.c:556
#12 0x4044faff in send_parsed_php (r=0x808bf64)
    at /home/michael/src/php4/sapi/apache/mod_php4.c:571
#13 0x08052c24 in ap_invoke_handler (r=0x808bf64) at http_config.c:518
#14 0x08062745 in process_request_internal (r=0x808bf64) at http_request.c:1308
#15 0x080627a4 in ap_process_request (r=0x808bf64) at http_request.c:1324
#16 0x0805bec6 in child_main (child_num_arg=1) at http_main.c:4689
#17 0x0805c0fd in make_child (s=0x8087f44, slot=1, now=1036817337)
    at http_main.c:4868
#18 0x0805c378 in perform_idle_server_maintenance () at http_main.c:5050
#19 0x0805c825 in standalone_main (argc=4, argv=0xbffff9b4) at http_main.c:5287

and here's another one:
#0  0x4034bb58 in _php_mb_regex_ereg_replace_exec (ht=135198660,
    return_value=0x0, this_ptr=0xbffff818, return_value_used=134543683,
    option=134774556) at /home/michael/src/php4/ext/mbstring/php_mbregex.c:518
#1  0x0804f96f in ap_clear_pool (a=0x8087f1c) at alloc.c:690
#2  0x0804f9d0 in ap_destroy_pool (a=0x8087f1c) at alloc.c:720
#3  0x0804f95b in ap_clear_pool (a=0x8085f0c) at alloc.c:683
#4  0x0804f9d0 in ap_destroy_pool (a=0x8085f0c) at alloc.c:720
#5  0x0805a3a8 in clean_parent_exit (code=0) at http_main.c:2607
#6  0x0805c90d in standalone_main (argc=4, argv=0xbffff9b4) at http_main.c:5323
#7  0x0805cd7d in main (argc=4, argv=0xbffff9b4) at http_main.c:5566

I can get more, if you want 'em...
 [2002-11-09 08:24 UTC] nicos@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip
 [2002-11-09 08:25 UTC] derick@php.net
He already did that
 [2002-11-09 09:51 UTC] sniper@php.net
If you use the snapshot, and add '--disable-mbstring' does it work any better?

 [2002-11-09 19:49 UTC] michael at miknet dot net
--disable-mbstring didn't help. (The crash in _php_mb_regex_ereg_replace_exec was just an unlucky corruption of the stack, it seems. None of the args to the function were sensible...)
 [2002-11-09 20:45 UTC] sniper@php.net
Please provide a short but complete example script which can be used to reproduce this crash.

 [2002-11-21 17:14 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.