php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31444 Memory leak in zend_language_scanner.c
Submitted: 2005-01-07 21:16 UTC Modified: 2005-01-17 18:22 UTC
From: hexer at studentcenter dot org Assigned: andi (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS, 5CVS (2005-01-10) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hexer at studentcenter dot org
New email:
PHP Version: OS:

 

 [2005-01-07 21:16 UTC] hexer at studentcenter dot org
Description:
------------
A memory leak happens with any script that contains curly brackets { }

The global variable yy_start_stack in zend_language_scanner.c is not freed at the end of the php program execution.

Reproduce code:
---------------
Test script (test.php):

<?php

{

}

?>


Php was compiled with:

./configure --with-mysql \
--with-xml \
--with-apache=../apache_1.3.33 \
--enable-track-vars \
--with-gd \
--enable-discard-path \
--enable-bcmath \
--enable-gd-native-tt \
--with-freetype-dir=/usr/local \
--with-png-dir=/usr/local \
--with-jpeg-dir=/usr/local \
--with-zlib=/usr/local

Actual result:
--------------
Valgrind detects and reports the leak:

valgrind --tool=memcheck --leak-check=yes --show-reachable=yes php test.php


==31180== 100 bytes in 1 blocks are still reachable in loss record 1 of 1
==31180==    at 0x1B900D20: malloc (vg_replace_malloc.c:131)
==31180==    by 0x8125199: yy_push_state (Zend/zend_language_scanner.c:5805)
==31180==    by 0x8122DA7: lex_scan (Zend/zend_language_scanner.c:4252)
==31180==    by 0x812B2AD: zendlex (/usr/local/src/php-4.3.10/Zend/zend_compile.c:2472)
==31180== 
==31180== LEAK SUMMARY:
==31180==    definitely lost: 0 bytes in 0 blocks.
==31180==    possibly lost:   0 bytes in 0 blocks.
==31180==    still reachable: 100 bytes in 1 blocks.
==31180==         suppressed: 0 bytes in 0 blocks.


Code in question is at zend_language_scanner.c:4252

In the above scenario the yy_start_stack does not get freed
at the end of the program execution. 

Proposed patch frees it under shutdown_scanner()

Possible patch below:
(Note: The following patch fixed the problem but has not yet been
tested under server load / real world conditions. Will post real world test results next week)



Apply to zend_language_scanner.c:

*** 2874,2892 ****
--- 2874,2899 ----
  {
        if (CG(heredoc)) {
                efree(CG(heredoc));
                CG(heredoc_len)=0;
        } 
+       if (SCNG(yy_start_stack)) {
+               yy_flex_free(SCNG(yy_start_stack));
+               SCNG(yy_start_stack) = NULL;
+       }
+ 
  #ifdef ZEND_MULTIBYTE
        if (SCNG(code)) {
                efree(SCNG(code));
                SCNG(code) = NULL;
        }
        if (SCNG(current_code)) {
                efree(SCNG(current_code));
                SCNG(current_code) = NULL;
        }
  #endif /* ZEND_MULTIBYTE */
  }
  END_EXTERN_C()



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-10 17:37 UTC] tony2001@php.net
hexer at studentcenter dot org:
You should probably patch zend_language_scanner.l instead of .c
Andi, this problem is reproducible with all branches.

Index: zend_language_scanner.l
===================================================================
RCS file: /repository/ZendEngine2/zend_language_scanner.l,v
retrieving revision 1.118
diff -u -r1.118 zend_language_scanner.l
--- zend_language_scanner.l     3 Jan 2005 10:01:03 -0000       1.118
+++ zend_language_scanner.l     10 Jan 2005 16:33:35 -0000
@@ -145,6 +145,10 @@
                efree(CG(heredoc));
                CG(heredoc_len)=0;
        }
+       if (SCNG(yy_start_stack)) {
+               yy_flex_free(SCNG(yy_start_stack));
+               SCNG(yy_start_stack) = NULL;
+       }
        RESET_DOC_COMMENT();

 #ifdef ZEND_MULTIBYTE

 [2005-01-11 16:30 UTC] sniper@php.net
I've tried the patch with both PHP 4 and 5 (PHP_4_3 & HEAD) and it does fix the leak. And does not seem to cause any trouble either. Just commit it. :)

 [2005-01-17 18:22 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 04:01:26 2024 UTC