PHP :: Bug #25275 :: script crashs in _efree (ptr=0x8a8828c) at php-4.3.3/Zend/zend

Bug #25275

script crashs in _efree (ptr=0x8a8828c) at php-4.3.3/Zend/zend_alloc.c:259

Submitted:

2003-08-27 11:35 UTC

Modified:

2003-09-06 21:00 UTC

Votes:	3
Avg. Score:	3.3 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	0 (0.0%)

From:

rehsack at liwing dot de

Assigned:

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

4.3.3

OS:

FreeBSD 5.1 i386

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	rehsack at liwing dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-08-27 11:35 UTC] rehsack at liwing dot de

Description:
------------
When I excecute a test-skript on my workstation, php crashs. The crash is since php-4.3.3, prior releases or release candidates didn't.

The information from gdb are:
$ gdb --args  php test/documenttest.php
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
(gdb) run
Starting program: /usr/local/bin/php test/documenttest.php
 
Program received signal SIGBUS, Bus error.
0x08146eb5 in _efree (ptr=0x8a8828c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) The program is running.  Exit anyway? (y or n) y
trevor@statler $ gdb --args  php test/documenttest.php
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
(gdb) run
Starting program: /usr/local/bin/php test/documenttest.php
 
Program received signal SIGBUS, Bus error.
0x08146eb5 in _efree (ptr=0x8a8828c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x08146eb5 in _efree (ptr=0x8a8828c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_alloc.c:259
#1  0x081545d1 in _zval_dtor (zvalue=0x8a88280) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_variables.c:61
#2  0x0814e03f in _zval_ptr_dtor (zval_ptr=0x8a88280) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute_API.c:291
#3  0x0816188b in execute (op_array=0x837ac0c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute_locks.h:26
#4  0x081636b4 in execute (op_array=0x8261600) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#5  0x081636b4 in execute (op_array=0x863ef0c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#6  0x081636b4 in execute (op_array=0x8397f8c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#7  0x081636b4 in execute (op_array=0x864530c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#8  0x081636b4 in execute (op_array=0x83b448c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#9  0x081636b4 in execute (op_array=0x83a3e8c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#10 0x081636b4 in execute (op_array=0x8982d8c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#11 0x081636b4 in execute (op_array=0x827610c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#12 0x081636b4 in execute (op_array=0x8276d8c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#13 0x081636b4 in execute (op_array=0x8990300) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#14 0x081636b4 in execute (op_array=0x8964a0c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:1660
#15 0x081651e7 in execute (op_array=0x8945c0c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:2181
#16 0x081651e7 in execute (op_array=0x824598c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:2181
#17 0x081651e7 in execute (op_array=0x824578c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:2181
#18 0x081651e7 in execute (op_array=0x8232e8c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute.c:2181
#19 0x08155feb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend.c:885
#20 0x0812b0be in php_execute_script (primary_file=0xbfbff904) at /usr/ports/lang/php4/work/php-4.3.3/main/main.c:1723
#21 0x0816a568 in main (argc=2, argv=0xbfbff964) at /usr/ports/lang/php4/work/php-4.3.3/sapi/cli/php_cli.c:818
#22 0x0806c200 in _start ()
(gdb) display *p
1: *p = {pNext = 0xd0d0d0d0, pLast = 0xd0d0d0d0, size = 1355862224, cached = 1}
(gdb) up
#1  0x081545d1 in _zval_dtor (zvalue=0x8a88280) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_variables.c:61
61                                              FREE_HASHTABLE(zvalue->value.obj.properties);

(gdb) display zvalue->value
2: zvalue->value = {lval = -791621424, dval = -1.993854408381186e+81, str = {
    val = 0xd0d0d0d0 <Error reading address 0xd0d0d0d0: Bad address>, len = -791621424}, ht = 0xd0d0d0d0, obj = {ce = 0xd0d0d0d0,
    properties = 0xd0d0d0d0}}
(gdb) up
#2  0x0814e03f in _zval_ptr_dtor (zval_ptr=0x8a88280) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute_API.c:291
291                     zval_dtor(*zval_ptr);
(gdb) display *zval_ptr
3: *zval_ptr = (zval *) 0xd0d0d0d0

(gdb) up
#3  0x0816188b in execute (op_array=0x837ac0c) at /usr/ports/lang/php4/work/php-4.3.3/Zend/zend_execute_locks.h:26
26                      zval_ptr_dtor(&EG(garbage)[--EG(garbage_ptr)]);
(gdb) quit


Reproduce code:
---------------
Code is to long, but I can send a php.core file.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-08-28 06:32 UTC] sniper@php.net

<?php
  class FDefaultContentAccess
  {
    function InitFDefaultContentAccess()
    {
      $this->Flags |= 1;
    }
  }

  class FDirectContentAccess
  {
    function InitFDirectContentAccess()
    {
      $this->Flags |= 2;
      $this->Flags &= ~3;
    }
  }
 
  class FFilePhysicalAccess
  {
    var $Flags;

    function FFilePhysicalAccess( )
    {
      aggregate( $this, "FDirectContentAccess" );
      $this->InitFDirectContentAccess();         
      aggregate( $this, "FDefaultContentAccess" );
      $this->InitFDefaultContentAccess();         
    }
   
    function CleanUp()
    {
      fwrite( STDERR, "before deaggregate\n");
      deaggregate( $this );                   
      fwrite( STDERR, "after deaggregate\n");
    }
  }  // end of class FFilePhysicalAccess

  $inst = new FFilePhysicalAccess();
  $inst->CleanUp();
?>

[2003-08-28 06:33 UTC] sniper@php.net

That script does not crash for me.
What was the configure line you used to configure PHP?

[2003-08-28 10:23 UTC] rehsack at liwing dot de

Sorry, misunderstood. Thought you've asked for php.ini.

# ./configure  --enable-versioning --enable-memory-limit --with-layout=GNU --with-zlib-dir=/usr --disable-all --with-regex=php --disable-ipv6 --with-apxs=/usr/local/sbin/apxs --with-bz2=/usr --with-dom=/usr/local --with-dom-xslt=/usr/local --with-dom-exslt=/usr/local --with-gettext=/usr/local --with-gmp=/usr/local --with-iconv=/usr/local --with-mcrypt=/usr/local --with-mhash=/usr/local --with-mysql=/usr/local --with-ldap=/usr/local --with-openssl=/usr --enable-pcntl --with-pcre-regex=yes --enable-posix --with-readline --enable-session --enable-sockets --enable-sysvsem --enable-sysvshm --enable-tokenizer --enable-xml --with-expat-dir=/usr/local --with-xmlrpc --enable-xslt --with-xslt-sablot=/usr/local --with-zlib=yes --prefix=/usr/local i386-portbld-freebsd5.1

CC="cc"
CFLAGS="-O -pipe -g"

Addition: deaggregating from classes by adding name of
class to deaggregate doesn't dump.

[2003-08-30 02:00 UTC] sniper@php.net

Try this:

# rm config.cache
# ./configure --disable-all --disable-cgi --enable-debug
# make clean && make
# sapi/cli/php yourscript.php

Does it crash now?

[2003-08-30 06:10 UTC] rehsack at liwing dot de

Nope, it runs fine. Do you suggest enabling each extension I used until it crash's?

[2003-08-30 07:21 UTC] sniper@php.net

Yes, that's the idea..

[2003-08-30 08:39 UTC] rehsack at liwing dot de

This may take a while. I can't start before monday, so I think tuesday you can reach results.

[2003-08-30 08:52 UTC] derick@php.net

Cool, let's keep the status set to feedback during this time then.

[2003-09-06 21:00 UTC] sniper@php.net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

[2003-11-20 06:52 UTC] Joerg dot Dieter dot Friedrich at uni-konstanz dot de

Hi!
I encountered the same bug with 4.3.4 on Solaris 9
it seems to occur if iconv or mbstring is enabled.

Yours Joerg

ps see http://bugs.php.net/bug.php?id=26264

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Apr 28 07:01:30 2024 UTC