php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31444 Memory leak in zend_language_scanner.c
Submitted: 2005-01-07 21:16 UTC Modified: 2005-01-17 18:22 UTC
From: hexer at studentcenter dot org Assigned: andi
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS, 5CVS (2005-01-10) OS: *
Private report: No CVE-ID:
 [2005-01-07 21:16 UTC] hexer at studentcenter dot org
Description:
------------
A memory leak happens with any script that contains curly brackets { }

The global variable yy_start_stack in zend_language_scanner.c is not freed at the end of the php program execution.

Reproduce code:
---------------
Test script (test.php):

<?php

{

}

?>


Php was compiled with:

./configure --with-mysql \
--with-xml \
--with-apache=../apache_1.3.33 \
--enable-track-vars \
--with-gd \
--enable-discard-path \
--enable-bcmath \
--enable-gd-native-tt \
--with-freetype-dir=/usr/local \
--with-png-dir=/usr/local \
--with-jpeg-dir=/usr/local \
--with-zlib=/usr/local

Actual result:
--------------
Valgrind detects and reports the leak:

valgrind --tool=memcheck --leak-check=yes --show-reachable=yes php test.php


==31180== 100 bytes in 1 blocks are still reachable in loss record 1 of 1
==31180==    at 0x1B900D20: malloc (vg_replace_malloc.c:131)
==31180==    by 0x8125199: yy_push_state (Zend/zend_language_scanner.c:5805)
==31180==    by 0x8122DA7: lex_scan (Zend/zend_language_scanner.c:4252)
==31180==    by 0x812B2AD: zendlex (/usr/local/src/php-4.3.10/Zend/zend_compile.c:2472)
==31180== 
==31180== LEAK SUMMARY:
==31180==    definitely lost: 0 bytes in 0 blocks.
==31180==    possibly lost:   0 bytes in 0 blocks.
==31180==    still reachable: 100 bytes in 1 blocks.
==31180==         suppressed: 0 bytes in 0 blocks.


Code in question is at zend_language_scanner.c:4252

In the above scenario the yy_start_stack does not get freed
at the end of the program execution. 

Proposed patch frees it under shutdown_scanner()

Possible patch below:
(Note: The following patch fixed the problem but has not yet been
tested under server load / real world conditions. Will post real world test results next week)



Apply to zend_language_scanner.c:

*** 2874,2892 ****
--- 2874,2899 ----
  {
        if (CG(heredoc)) {
                efree(CG(heredoc));
                CG(heredoc_len)=0;
        } 
+       if (SCNG(yy_start_stack)) {
+               yy_flex_free(SCNG(yy_start_stack));
+               SCNG(yy_start_stack) = NULL;
+       }
+ 
  #ifdef ZEND_MULTIBYTE
        if (SCNG(code)) {
                efree(SCNG(code));
                SCNG(code) = NULL;
        }
        if (SCNG(current_code)) {
                efree(SCNG(current_code));
                SCNG(current_code) = NULL;
        }
  #endif /* ZEND_MULTIBYTE */
  }
  END_EXTERN_C()



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-10 17:37 UTC] tony2001@php.net
hexer at studentcenter dot org:
You should probably patch zend_language_scanner.l instead of .c
Andi, this problem is reproducible with all branches.

Index: zend_language_scanner.l
===================================================================
RCS file: /repository/ZendEngine2/zend_language_scanner.l,v
retrieving revision 1.118
diff -u -r1.118 zend_language_scanner.l
--- zend_language_scanner.l     3 Jan 2005 10:01:03 -0000       1.118
+++ zend_language_scanner.l     10 Jan 2005 16:33:35 -0000
@@ -145,6 +145,10 @@
                efree(CG(heredoc));
                CG(heredoc_len)=0;
        }
+       if (SCNG(yy_start_stack)) {
+               yy_flex_free(SCNG(yy_start_stack));
+               SCNG(yy_start_stack) = NULL;
+       }
        RESET_DOC_COMMENT();

 #ifdef ZEND_MULTIBYTE

 [2005-01-11 16:30 UTC] sniper@php.net
I've tried the patch with both PHP 4 and 5 (PHP_4_3 & HEAD) and it does fix the leak. And does not seem to cause any trouble either. Just commit it. :)

 [2005-01-17 18:22 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 07:02:06 2014 UTC