Bug #27229 Abort trap (6)
Submitted: 2004-02-12 10:59 UTC Modified: 2004-02-13 08:14 UTC
From: dodell at sitetronics dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 4.3.4 OS: FreeBSD 5.1-RELEASE-p13
Private report: No CVE-ID: None
 [2004-02-12 10:59 UTC] dodell at sitetronics dot com
Description:
------------
PHP 4.3.4 is causing apache to crash. Here's the error in httpd-error.log

httpd in free(): error: chunk is already free

phpinfo() available at:

http://www.sitetronics.com/~dodell/phpinfo.php

Reproduce code:
---------------
I'd provide code, but it's proprietary. I'll attempt to reproduce the crash with similar code.

Actual result:
--------------
#0  0x2811db23 in kill () from /usr/lib/libc.so.5
#1  0x2818a4fd in abort () from /usr/lib/libc.so.5
#2  0x28188d1f in tcflow () from /usr/lib/libc.so.5
#3  0x28188d7e in tcflow () from /usr/lib/libc.so.5
#4  0x281897e7 in tcflow () from /usr/lib/libc.so.5
#5  0x28189a30 in free () from /usr/lib/libc.so.5
#6  0x2859b83f in _fini () from /usr/local/libexec/apache/libphp4.so
#7  0x2857e318 in _fini () from /usr/local/libexec/apache/libphp4.so
#8  0x285bd6dc in _fini () from /usr/local/libexec/apache/libphp4.so
#9  0x285be2d2 in _fini () from /usr/local/libexec/apache/libphp4.so
#10 0x285be495 in _fini () from /usr/local/libexec/apache/libphp4.so
#11 0x08054983 in ap_invoke_handler ()
#12 0x080671d4 in process_request_internal ()
#13 0x080673e4 in ap_process_request ()
#14 0x0805f808 in child_main ()
#15 0x0805fa88 in make_child ()
#16 0x0805faff in startup_children ()
#17 0x080605fa in standalone_main ()
#18 0x08060939 in main ()
#19 0x0804fd65 in _start ()

 [2004-02-12 14:33 UTC] dodell at sitetronics dot com
This code does essentially the same operations as the code I'm using and produces the same error.

This is FreeBSD package ``mod_php4-4.3.4_6,1''

<?php
// Seven records, one per line; the regex below is applied per line (/m).
$string = "a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al
a 1 ab 2 ac 5 ad 5 ae 5 af 5 ag 5 ah 5 ai 5 aj 5 ak 5 al";

// Twelve capture groups per record: the one-letter field, then eleven two-letter fields.
$regex = "(\w{1}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2}) \d{1} (\w{2})";

$matches = array();

preg_match_all("/$regex/mi", $string, $matches);
$date = date('Y-m-d', time());
$packet_matches = array();

$i = 0;
$num_matches = count($matches[0]);

array_shift($matches);                 // drop the full-match entry; groups are now indexed 0..11
array_multisort($matches[2], SORT_ASC);

$t = array('aj'=>0, 'ja'=>0);
$p_p = array('a'=>0, 'b'=>0, 'ai'=>0);
// One 65535-element array, assigned by value to three variables.
$diff = $s_p = $s_t = array_fill (0, 65535, 0);
for ($i = 0; $i < $num_matches; $i++) {
        $p_p[$matches[4][$i]]++;
        $s_p[$matches[8][$i]]++;
        $s_t[$matches[8][$i]] += $matches[11][$i];
        $t[$matches[9][$i]] += $matches[11][$i];
}

// Return only the non-zero entries of a numerically indexed array.
function _a_d($array) {
        $a = array();
        for ($i = 0; $i < count($array); $i++)
                if ($array[$i] != 0) $a[] = $array[$i];
        return $a;
}

$s_p = _a_d($s_p);
print_r($s_p);
?>
 [2004-02-12 20:50 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Cannot replicate using latest CVS. 
 [2004-02-13 02:35 UTC] dodell at sitetronics dot com
This snapshot does not fix the problem. Again, the application works under the same environment using PHP 5 beta 4.

Derick asked me off the record to try this on a FreeBSD 4.x system.

test# php -q test.php
PHP Notice:  Undefined index:  ae in /usr/home/dodell/test.php on line 28
PHP Notice:  Undefined index:  ai in /usr/home/dodell/test.php on line 29
PHP Notice:  Undefined index:  ai in /usr/home/dodell/test.php on line 30
PHP Notice:  Undefined offset:  65535 in /usr/home/dodell/test.php on line 37
Array
(
)
php in free(): warning: chunk is already free
php in free(): warning: chunk is already free

These problems continue to persist with the latest development version.
 [2004-02-13 03:15 UTC] derick@php.net
I couldn't reproduce this on ANY system I tried. Linux with 4.3.2, 4.3.3 and 4.3.5dev, freebsd (4.9) with 4.3.5dev... all work fine, valgrind shows nothing (on Linux)... no clue what's going on.
 [2004-02-13 03:51 UTC] dodell at sitetronics dot com
My arrays were too large; updating refcount from a ushort to a ulong has fixed my problem -- except, the question remains, why's it dumping core in FreeBSD 5.x and not in 4.x?
 [2004-02-13 08:14 UTC] sniper@php.net
Not a bug. (PHP5 allows larger arrays though)
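The reporter's fix (widening the refcount from a ushort to a ulong) is the whole story: a 16-bit counter shared by more than 65535 holders wraps to 0, the value is freed while references remain, and each later release is the "chunk is already free" double free. The toy model below is an added illustration written for this page, not PHP source; it tracks a `freed` flag instead of calling free() so the outcome can be counted, and the checked addref is a hypothetical guard, not something PHP 4 had.

```c
/* Toy model of a 16-bit refcount, written for this report; not PHP source.
 * Counts how many releases arrive after the shared value was already freed,
 * which is the "chunk is already free" condition in the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint16_t refcount;  /* PHP 4 stored its refcount in an unsigned short */
    bool     freed;     /* recorded instead of calling free(), so it can be inspected */
} zval_model;

/* Naive addref: a 16-bit counter silently wraps to 0 on the 65536th holder. */
static void addref_naive(zval_model *z) { z->refcount++; }

/* Checked addref (hypothetical guard): refuse a reference the counter cannot represent. */
static bool addref_checked(zval_model *z) {
    if (z->refcount == UINT16_MAX) return false;
    z->refcount++;
    return true;
}

/* Release one holder. Returns false if the value was already freed, i.e. this
 * release would be a double free with a real allocator. */
static bool delref(zval_model *z) {
    if (z->freed) return false;
    if (z->refcount > 0) z->refcount--;
    if (z->refcount == 0) z->freed = true;
    return true;
}

/* Share one value among `holders` slots (what array_fill plus the by-value copies
 * of $diff/$s_p/$s_t amount to), then release every slot. Returns the number of
 * double frees; `refused` receives how many holders the checked variant turned
 * away (a real caller would then allocate a separate copy instead). */
unsigned double_frees(unsigned holders, bool checked, unsigned *refused) {
    zval_model z = { 0, false };
    unsigned granted = 0, bad = 0;
    for (unsigned i = 0; i < holders; i++) {
        if (checked) { if (addref_checked(&z)) granted++; }
        else { addref_naive(&z); granted++; }
    }
    if (refused) *refused = holders - granted;
    for (unsigned i = 0; i < granted; i++)
        if (!delref(&z)) bad++;
    return bad;
}
```

With 65535 holders the counter is exactly full and nothing goes wrong; one more holder wraps it, and three by-value copies of a 65535-element array are far past that.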

 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Mar 31 18:01:23 2020 UTC