Bug #32685 Segfault when using assignment by reference within function
Submitted: 2005-04-12 18:16 UTC Modified: 2005-06-07 11:57 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david at davidheath dot org Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 4CVS-2005-04-14 OS: mandrake linux 10.1
Private report: No CVE-ID:
 [2005-04-12 18:16 UTC] david at davidheath dot org
Description:
------------
The attached program always segfaults. I have stripped out as much code as possible whilst ensuring that it still segfaults, I'm afraid I haven't been able to make the repro code any simpler. The problem is either something to do with the assignment by reference on line 11 in the test2::exists() method, or otherwise something to do with the use of unserialize(). 

I'm using the standard build of php4.3.11 with no special modules.


Reproduce code:
---------------
$ wget http://www.davidheath.org/php_bug/crash.php.txt
$ wget http://www.davidheath.org/php_bug/testfile
$ mv crash.php.txt crash.php
$ php crash.php


Expected result:
----------------
no segfault, no output at all

Actual result:
--------------
[heathd@localhost dh]$ /usr/local/php4.3.11/bin/php.4.3.11 crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.11

Segmentation fault (core dumped)



When I run with a debug build, it doesn't segfault:

[heathd@localhost dh]$ /usr/local/php4.3.11_debug/bin/php.4.3.11 crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.11

/home/heathd/downloads/php-4.3.11/Zend/zend_execute.c(279) :  Freeing 0x081EA8A4 (12 bytes), script=crash.php
/home/heathd/downloads/php-4.3.11/Zend/zend_execute.c(282) :  Freeing 0x081EA704 (28 bytes), script=crash.php
/home/heathd/downloads/php-4.3.11/Zend/zend_variables.c(111) : Actual location (location was relayed)


History
 [2005-04-12 20:37 UTC] helly@php.net
Two questions:

1) Does it also crash when you replace file reading by assignment from string?

2) Did you try 5.0 or HEAD?
 [2005-04-13 10:32 UTC] david at davidheath dot org
Hi,

I tried again with CVS HEAD (from PHP_4_3 branch). Still crashes.

[heathd@localhost dh]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

Segmentation fault (core dumped)
[heathd@localhost dh]$
 [2005-04-13 10:51 UTC] david at davidheath dot org
> 1) Does it also crash when you replace file reading by 
> assignment from string?

yes it does, see http://www.davidheath.org/php_bug/crash2.php.txt

I've also noticed that I had a mistake in the original repro script (crash.php.txt), which I've now corrected (the filename on line 4 was wrong). This may explain why you couldn't repro. However, having changed that I now get:

[heathd@localhost repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

free(): invalid pointer 0x81b14a8!

ALSO, another important observation. The crash sometimes seems to not happen if I execute the script in a different directory. For example:

[heathd@localhost repro]$ pwd
/tmp/repro
[heathd@localhost repro]$ ls
crash2.php
[heathd@localhost repro]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

[heathd@localhost repro]$ mkdir -p foo/bar
[heathd@localhost repro]$ cd foo/bar
[heathd@localhost bar]$ cp ../../crash2.php .
[heathd@localhost bar]$ /usr/local/php-4.3-CVS-13apr05/bin/php crash2.php
Content-type: text/html
X-Powered-By: PHP/4.3.12-dev

Segmentation fault (core dumped)
 [2005-04-19 13:53 UTC] ericvanblokland at gmail dot com
This may be related to an issue I encountered. My guess is this code will work fine with php5

http://bugs.php.net/bug.php?id=31624
 [2005-05-11 15:17 UTC] david at davidheath dot org
Hi

thanks for following this up. I tried with the snapshot you gave and still got the crash.

I tried running it in gdb as well ('fraid I don't really know whether this helps or not).

See below.

Dave


[heathd@dh dh]$ gdb
GNU gdb 6.2-2mdk (Mandrakelinux)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu".
(gdb) file /usr/local/src/php4-STABLE-200505110647/sapi/cli/php
Reading symbols from /usr/local/src/php4-STABLE-200505110647/sapi/cli/php...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run crash2.php
Starting program: /usr/local/src/php4-STABLE-200505110647/sapi/cli/php crash2.php

Program received signal SIGSEGV, Segmentation fault.
0x08111a41 in shutdown_memory_manager (silent=0, clean_cache=0) at /usr/local/src/php4-STABLE-200505110647/Zend/zend_alloc.c:530
530                             REMOVE_POINTER_FROM_LIST(t);
(gdb) quit
 [2005-06-07 00:09 UTC] sniper@php.net
# php crash.php 
/usr/src/php/php_4_4/Zend/zend_execute.c(282) :  Freeing 0x08CA8E7C (9 bytes), script=crash.php
/usr/src/php/php_4_4/Zend/zend_variables.c(111) : Actual location (location was relayed)
/usr/src/php/php_4_4/Zend/zend_execute.c(279) :  Freeing 0x08CA8BB4 (12 bytes), script=crash.php

 [2005-06-07 10:30 UTC] derick@php.net
Valgrind errors that I get:
PHP Notice:  Undefined property:  Root in /tmp/32685/crash.php on line 6

Notice: Undefined property:  Root in /tmp/32685/crash.php on line 6
==24279== Invalid read of size 2
==24279==    at 0x81E94F5: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid write of size 2
==24279==    at 0x81E94FA: _zval_ptr_dtor (zend_execute_API.c:287)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E9503: _zval_ptr_dtor (zend_execute_API.c:288)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==
==24279== Invalid read of size 2
==24279==    at 0x81E953B: _zval_ptr_dtor (zend_execute_API.c:291)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7D85: zend_hash_destroy (zend_hash.c:556)
==24279==    by 0x81F1674: _zval_dtor (zend_variables.c:60)
==24279==    by 0x81E9526: _zval_ptr_dtor (zend_execute_API.c:289)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)
==24279==  Address 0x1BF5F35A is 10 bytes inside a block of size 12 free'd
==24279==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==24279==    by 0x81EAA3A: safe_free_zval_ptr (zend_execute.h:44)
==24279==    by 0x81E9533: _zval_ptr_dtor (zend_execute_API.c:290)
==24279==    by 0x81F1920: _zval_ptr_dtor_wrapper (zend_variables.c:171)
==24279==    by 0x81F7E31: zend_hash_clean (zend_hash.c:582)
==24279==    by 0x82053AC: execute (zend_execute.c:1717)
==24279==    by 0x8205256: execute (zend_execute.c:1700)
==24279==    by 0x81F2EF7: zend_execute_scripts (zend.c:935)
==24279==    by 0x81C05B3: php_execute_script (main.c:1751)
==24279==    by 0x820B22E: main (php_cli.c:828)

and re-assigning to Dmitry.
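Reading the valgrind trace above: both the free and the later invalid accesses happen under zend_hash_clean called from execute (zend_execute.c:1717), i.e. while a function's symbol table is torn down at scope exit. The freeing stack releases a 12-byte block straight from _zval_ptr_dtor; the faulting stacks reach the same block again one level deeper, via _zval_dtor and zend_hash_destroy, so a container zval (an array or an object's property table) still held a pointer to a zval that the same teardown had just released. A 2-byte access 10 bytes into a 12-byte block is consistent with the refcount field of a PHP 4 zval on a 32-bit build (8-byte value union, type, is_ref, zend_ushort refcount), which is the first thing _zval_ptr_dtor reads and decrements. The C program below is an added illustration, not Zend code and not the reporter's script: it models how an alias that is created without taking a reference count produces exactly this pattern, and how the correct refcount bump avoids it. The struct, the quarantine allocator and every tz_* name are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a PHP 4 zval on a 32-bit build: 8-byte value union, type, is_ref
 * and a 2-byte refcount.  The value is raw bytes here so the layout is
 * 12 bytes with refcount at offset 10 on any host. */
typedef struct {
    uint8_t  value[8];
    uint8_t  type;
    uint8_t  is_ref;
    uint16_t refcount;
} tz_zval;

/* Quarantine allocator (this example's own, not Zend's): freed blocks stay
 * allocated but are marked, so a destructor running on a freed zval is
 * counted instead of being undefined behaviour. */
#define TZ_MAX_BLOCKS 64
static struct { void *p; int freed; } tz_blocks[TZ_MAX_BLOCKS];
static int tz_nblocks, tz_frees, tz_uaf_hits;

static void *tz_alloc(size_t n)
{
    void *p = tz_nblocks < TZ_MAX_BLOCKS ? calloc(1, n) : NULL;
    if (p) { tz_blocks[tz_nblocks].p = p; tz_blocks[tz_nblocks++].freed = 0; }
    return p;
}

static int tz_index(const void *p)
{
    int i;
    for (i = 0; i < tz_nblocks; i++)
        if (tz_blocks[i].p == p) return i;
    return -1;
}

static void tz_free(void *p)
{
    int i = tz_index(p);
    if (i < 0 || tz_blocks[i].freed) return;
    tz_blocks[i].freed = 1;          /* quarantined, not returned to malloc */
    tz_frees++;
}

static void tz_reset(void)
{
    int i;
    for (i = 0; i < tz_nblocks; i++) free(tz_blocks[i].p);
    tz_nblocks = tz_frees = tz_uaf_hits = 0;
}

/* Model of _zval_ptr_dtor: its first action is to read and decrement the
 * 2-byte refcount.  On a freed zval that is the "Invalid read of size 2 ...
 * 10 bytes inside a block of size 12" valgrind shows.  Returns 1 if so. */
static int tz_ptr_dtor(tz_zval **zp)
{
    tz_zval *z = *zp;
    int i = tz_index(z);
    if (i >= 0 && tz_blocks[i].freed) { tz_uaf_hits++; return 1; }
    if (--z->refcount == 0) tz_free(z);
    else if (z->refcount == 1) z->is_ref = 0;
    return 0;
}

/* Two symbol-table slots alias one zval, as in $b = &$a.  A correct engine
 * bumps refcount and sets is_ref when the alias is created; the buggy path
 * stores the alias without doing so.  Scope teardown then destroys both
 * slots, as zend_hash_clean does.  Returns how many dtor calls hit a freed zval. */
static int tz_scenario(int bump_refcount_on_alias)
{
    tz_zval *v, *slot_a, *slot_b;
    tz_reset();
    if ((v = tz_alloc(sizeof *v)) == NULL) return -1;
    v->type = 1;
    v->refcount = 1;
    slot_a = v;                       /* $a */
    slot_b = v;                       /* $b = &$a */
    if (bump_refcount_on_alias) { v->refcount++; v->is_ref = 1; }
    tz_ptr_dtor(&slot_a);             /* correct: 2->1; buggy: 1->0, freed */
    tz_ptr_dtor(&slot_b);             /* correct: 1->0, freed; buggy: reads freed block */
    return tz_uaf_hits;
}

static int tz_free_count(void) { return tz_frees; }

int main(void)
{
    int uaf, frees;
    printf("refcount at offset %u of %u bytes\n",
           (unsigned)offsetof(tz_zval, refcount), (unsigned)sizeof(tz_zval));
    uaf = tz_scenario(0); frees = tz_free_count();
    printf("alias without refcount bump: %d dtor call(s) on a freed zval, %d free(s)\n", uaf, frees);
    uaf = tz_scenario(1); frees = tz_free_count();
    printf("alias with refcount bump:    %d dtor call(s) on a freed zval, %d free(s)\n", uaf, frees);
    tz_reset();
    return 0;
}
```

The quarantine stands in for what a debug build does: the reporter's debug binary did not crash but printed "Freeing ..." diagnostics, because a checking allocator notices the second release where a production allocator simply hands the block to whoever asks next. Under valgrind the same second visit shows up as reads and a write of the 2-byte refcount inside a block already marked free.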
 [2005-06-07 11:57 UTC] derick@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC