Bug #53974 Crash in trunk zend_dtoa() with unmet loop condition
Submitted: 2011-02-09 20:22 UTC Modified: 2013-02-18 00:34 UTC
From: sixd@php.net Assigned: dmitry (profile)
Status: No Feedback Package: *General Issues
PHP Version: trunk-SVN-2011-02-09 (SVN) OS: Ubuntu 32 bit
Private report: No CVE-ID: None

 [2011-02-09 20:22 UTC] sixd@php.net
Description:
------------
A segfault occurs after a few reloads of a phpinfo() script with PHP trunk on Ubuntu 10.04 and 10.10, both 32-bit.  It doesn't occur with PHP_5_3.


Test script:
---------------
Steps:
- Start Apache: httpd -x
- Repeatedly load a script <?php phpinfo(); ?>.
- Within 10 reloads, Apache segfaults.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14, decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
(gdb) bt
#0  0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14, decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
#1  0x0086d374 in php_gcvt (value=197618504, ndigit=14, dec_point=46 '.', exponent=69 'E', buf=0xbfffc9cd "5\217") at /home/cjones/phpsrc/php/php-src/trunk/main/snprintf.c:142
#2  0x008703a5 in xbuf_format_converter (xbuf=0xbfffcbf4, fmt=0xcfb477 "G", ap=0xbfffcc58 "_(\210") at /home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:669
#3  0x00870db5 in vspprintf (pbuf=0xbfffcd04, max_len=0, format=0xcfb474 "%.*G", ap=0xbfffcc4c "\016") at /home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:797
#4  0x00903c63 in zend_spprintf (message=0xbfffcd04, max_len=0, format=0xcfb474 "%.*G") at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_exceptions.c:545
#5  0x008dc2ec in _convert_to_string (op=0xbfffcd04, __zend_filename=0xccd72c "/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c", __zend_lineno=252) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_operators.c:578
#6  0x007b4fc3 in php_print_gpcse_array (name=0xcce134 "_SERVER", name_length=7) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:252
#7  0x007b5e46 in php_print_info (flag=-1) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:885
#8  0x007b66d4 in zif_phpinfo (ht=0, return_value=0xb7fc1734, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:1141
#9  0x0091a7d0 in zend_do_fcall_common_helper_SPEC (execute_data=0xb7fa6074) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:638
#10 0x0091fac5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xb7fa6074) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:1935
#11 0x00919632 in execute (op_array=0xb7fc0808) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:410
#12 0x008e629e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend.c:1212
#13 0x0086cc4f in php_execute_script (primary_file=0xbffff3ac) at /home/cjones/phpsrc/php/php-src/trunk/main/main.c:2344
#14 0x009ed1f8 in php_handler (r=0x83299c8) at /home/cjones/phpsrc/php/php-src/trunk/sapi/apache2handler/sapi_apache2.c:667
#15 0x0807c556 in ap_run_handler (r=0x83299c8) at config.c:158
#16 0x0807fc01 in ap_invoke_handler (r=0x83299c8) at config.c:372
#17 0x080974e0 in ap_process_request (r=0x83299c8) at http_request.c:282
#18 0x08094520 in ap_process_http_connection (c=0x8323b48) at http_core.c:190
#19 0x08083fe6 in ap_run_process_connection (c=0x8323b48) at connection.c:43
#20 0x080b472d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#21 0x080b49df in make_child (s=0x80e5db8, slot=0) at prefork.c:702
#22 0x080b509c in ap_mpm_run (_pconf=0x80df0a8, plog=0x811d1a0, s=0x80e5db8) at prefork.c:978
#23 0x08069134 in main (argc=2, argv=0xbffff8f4) at main.c:740
(gdb) p j1
$1 = -2147483648
(gdb) p j
$2 = -1
(gdb) p *decpt
$3 = 9154443
(gdb) p *sign
$4 = 0
(gdb) p i
$5 = 4678168
(gdb) p d
$6 = {
  d = nan(0xfffffffffffff),
  ul = {4294967295, 2147483647}
}

The crash is at the assignment of bigtens[i] in:

    else if ((j1 = -k)) {
        value(d) *= tens[j1 & 0xf];
        for(j = j1 >> 4; j; j >>= 1, i++)
            if (j & 1) {
                ieps++;
                value(d) *= bigtens[i];
            }
    }

Because j is -1 it can never satisfy the loop condition.

The relevant code in the file is unchanged from PHP 5.3 and dropping in PHP 5.3 zend_strtod.[ch] files into trunk and rebuilding doesn't fix it.
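The loop quoted above is the part of this report worth understanding for anyone auditing a dtoa port. The program below is an added example (my own code, not PHP's zend_strtod.c and not the reporter's): it simulates the loop's control flow for a normal j1 and for the j1 = -2147483648 that gdb showed, then puts a hardened version of the same scaling step beside it. The bigtens[] table is the standard five-entry dtoa table; the function names, the struct and the iteration cap are my own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from zend_strtod.c.  It mirrors the shape of the
 * loop quoted in the report to show why a negative j1 is fatal: on every
 * mainstream compiler `j >>= 1` on a negative signed int is an arithmetic
 * shift, so j converges on -1 and never reaches 0, while i keeps growing and
 * is used as an index into bigtens[].
 */

/* dtoa's bigtens[] has five entries; the table itself is standard. */
#define BIGTENS_LEN 5
static const double bigtens[BIGTENS_LEN] = {1e16, 1e32, 1e64, 1e128, 1e256};

struct loop_result {
    int iterations;   /* number of times the loop body was entered */
    int max_index;    /* highest i at which bigtens[i] would be read */
    int terminated;   /* 1 if j reached 0 on its own, 0 if the cap stopped it */
};

/*
 * Simulate `for (j = j1 >> 4; j; j >>= 1, i++)` from i = 0, as in dtoa,
 * but give up after `cap` rounds so the demonstration always returns.
 * No array is touched; we only record the index the real code would use.
 */
struct loop_result simulate_loop(int j1, int cap)
{
    struct loop_result r = {0, -1, 0};
    int i = 0;
    int j;

    for (j = j1 >> 4; j; j >>= 1, i++) {
        if (r.iterations == cap)
            return r;             /* cap hit: j never became zero */
        r.iterations++;
        if (j & 1)
            r.max_index = i;      /* bigtens[i] would be multiplied in here */
    }
    r.terminated = 1;
    return r;
}

/*
 * Hardened variant of the same scaling step.  A negative j1 is rejected up
 * front, the shift runs on an unsigned copy so it is logical and terminates,
 * and the index is checked against the table length before each read.
 * Returns 0 on success, -1 if j1 cannot be represented with this table.
 */
int scale_by_bigtens(double *d, int j1, const double *table, size_t table_len)
{
    unsigned int j;
    size_t i = 0;

    if (j1 < 0)
        return -1;
    for (j = (unsigned int)j1 >> 4; j; j >>= 1, i++) {
        if (i >= table_len)
            return -1;            /* would read past the end of table[] */
        if (j & 1u)
            *d *= table[i];
    }
    return 0;
}

/*
 * Wrappers over the static table: apply only the bigtens[] part of the
 * scaling to 1.0 (the preceding tens[j1 & 0xf] factor is left out).
 */
int hardened_scale_rc(int j1)
{
    double d = 1.0;
    return scale_by_bigtens(&d, j1, bigtens, BIGTENS_LEN);
}

double hardened_scale_value(int j1)
{
    double d = 1.0;
    return scale_by_bigtens(&d, j1, bigtens, BIGTENS_LEN) == 0 ? d : -1.0;
}

int main(void)
{
    struct loop_result ok = simulate_loop(40, 64);       /* a sane j1 */
    struct loop_result bad = simulate_loop(INT_MIN, 64); /* the j1 gdb showed */

    printf("j1=40:      terminated=%d iterations=%d max_index=%d\n",
           ok.terminated, ok.iterations, ok.max_index);
    printf("j1=INT_MIN: terminated=%d iterations=%d max_index=%d\n",
           bad.terminated, bad.iterations, bad.max_index);
    printf("hardened j1=40:      rc=%d value=%g\n",
           hardened_scale_rc(40), hardened_scale_value(40));
    printf("hardened j1=INT_MIN: rc=%d\n", hardened_scale_rc(INT_MIN));
    return 0;
}
```

With j1 = 40 the loop runs twice and reads bigtens[1]; with j1 = INT_MIN it hits the 64-round cap with the index already at 63, which is the same runaway that gdb shows as i = 4678168. The hardened version makes the bound explicit instead of trusting that k is always in range.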


History
 [2011-02-09 20:26 UTC] johannes@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-02-09 20:26 UTC] johannes@php.net
Dmitry, any idea maybe?
 [2011-04-15 10:01 UTC] dmitry@php.net
-Status: Assigned +Status: Feedback
 [2011-04-15 10:01 UTC] dmitry@php.net
I can't reproduce it. The value from the backtrace (197618504) works fine. Also, to get into this crash "k" has to get the value 0x80000000 and I can't see how it may happen according to the algorithm.

Maybe the crash occurs because of a bug or wrong optimization in the C compiler, but to prove it and provide a workaround I have to trace it in a debugger.
 [2011-04-15 10:06 UTC] pajoye@php.net
Is it not related to the float bug we had back then? Aka already fixed in 5.3.5 and trunk.
 [2011-04-15 11:34 UTC] dmitry@php.net
I think it's something different.
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.