php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23132 Strange engine crash (reference counting problem)
Submitted: 2003-04-09 09:39 UTC Modified: 2003-10-13 19:24 UTC
From: edink at proventum dot net Assigned: stas (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS-2003-04-09 (stable) OS: Linux (RedHat 7.3)
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: edink at proventum dot net
New email:
PHP Version: OS:

 

 [2003-04-09 09:39 UTC] edink at proventum dot net
This piece of code crashes the engine in PHP 4.2.x and 4.3.x including the latest CVS vers?on from PHP_4_3 branch:

function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

Comment out any of the two lines inside the loop and it works.

Just before the crash PHP reports:
[Wed Apr  9 16:40:32 2003]  Script:  'bug.php'
---------------------------------------
/data/src/PHP_4_3/Zend/zend_execute.c(271) : Block 0x0813FB40 status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

And backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x420828fc in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0x420828fc in memcpy () from /lib/i686/libc.so.6
#1  0x080e1f8a in _mem_block_check (ptr=0x813fb64, silent=0,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:649
#2  0x080e1f4d in _mem_block_check (ptr=0x813fb64, silent=1,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:641
#3  0x080e1337 in _efree (ptr=0x813fb64,
    __zend_filename=0x8130720 "/data/src/PHP_4_3/Zend/zend_execute.c",
    __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /data/src/PHP_4_3/Zend/zend_alloc.c:217
#4  0x080fe992 in zend_assign_to_variable_reference (result=0x0,
    variable_ptr_ptr=0x86e4540, value_ptr_ptr=0x815e49c, Ts=0x0)
    at /data/src/PHP_4_3/Zend/zend_execute.c:271
#5  0x081034e4 in execute (op_array=0x81686e8)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1827
#6  0x08102a02 in execute (op_array=0x8163484)
    at /data/src/PHP_4_3/Zend/zend_execute.c:1650
#7  0x080f270a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/src/PHP_4_3/Zend/zend.c:864
#8  0x080c25c0 in php_execute_script (primary_file=0xbffffa20)
    at /data/src/PHP_4_3/main/main.c:1653
#9  0x0810825c in main (argc=2, argv=0xbffffac4)
    at /data/src/PHP_4_3/sapi/cli/php_cli.c:753
#10 0x42017499 in __libc_start_main () from /lib/i686/libc.so.6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-04-09 09:44 UTC] sniper@php.net
I heard that stas almost begged for fixing this bug. :)

 [2003-04-09 20:09 UTC] gschlossnagle@php.net
variable_ptr->refcount is getting overflowed in 
zend_assign_to_variable_reference.  It appears that the 
variable doesn't get derefenced in the example below.  If 
you inteject $agreement =1; as a line 2 in the loop, the 
reference count seems to stay correct.
 [2003-04-10 16:05 UTC] thekid@php.net
Bug is not existant in Zend Engine 2 [PHP5]:

thekid@friebes:~/devel/php/tests > cat overflow.php 
<?php
function trim_field(&$row) {}

$row = array();
for ($i=0; $i<70000; $i++) {
  trim_field($row);
  $agreement_arr[] = $agreement;
}

var_dump(sizeof($agreement_arr));
?>
thekid@friebes:~/devel/php/tests > php5 overflow.php 
int(70000)


 [2003-04-11 01:53 UTC] zeev@php.net
The reference count is correct all along - it's just that in this particular example, the very same (empty) $agreement ends up being referenced more than 64K times, which overflows ZE1's refcount limit.

Either way, it's a bug related to the 64K limit, so it'll be fixed in ZE2 only. 
 [2003-10-13 19:24 UTC] moriyoshi@php.net
Related to bug #25856
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 01:01:28 2024 UTC