Bug #54460 memory leaks
Submitted: 2011-04-03 21:28 UTC
Modified: 2013-02-18 00:34 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: courtois at templeet dot org
Assigned:
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.3.6
OS: debian squeeze
Private report: No
CVE-ID: None

 [2011-04-03 21:28 UTC] courtois at templeet dot org
Description:
------------
memory leaks lead to memory exhaustion (see valgrind trace below)

PHP 5.3.6 

'./configure' '--prefix=/usr/local/php53' '--with-mysql' '--with-mysqli' '--with-gd' '--with-zlib' '--enable-debug' '--disable-cli' 

called with cgi

memory exhaustion appears with zend memory manager. 

Test script:
---------------
bug can be reproduced by downloading Templeet installer at:

http://t4.templeet.org/templeet.php/makeinstaller/?action=makeinstaller&dists[core]=201104030716&dists[templeet4_admin]=201103010804

install Templeet by calling the php file downloaded. 

in templeet/serverconf.php :

set $config['usepagecache'] and $config['usetemplatecache'] to 0

go to the package install page : auth/packageinstall.html.en



Actual result:
--------------
==22302== Memcheck, a memory error detector
==22302== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==22302== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==22302== Command: /home/courtois/test2/php-5.3.6/sapi/cgi/php-cgi
==22302== 
/var/www/dev4.sociatomdev.com/chroot/htdocs/templeet/fetch.php(215) : Warning - Cannot modify header information - headers already sent by (output started at /var/www/dev4.sociatomdev.com/chroot/htdocs/templeet/fetch.php:580)
==22302== 
==22302== HEAP SUMMARY:
==22302==     in use at exit: 60,706 bytes in 1,591 blocks
==22302==   total heap usage: 1,815,703 allocs, 1,814,112 frees, 302,914,393 bytes allocated
==22302== 
==22302== 21 (20 direct, 1 indirect) bytes in 1 blocks are definitely lost in loss record 27 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x844BADE: zend_assign_to_variable_reference (zend_execute.c:413)
==22302==    by 0x84D6FF2: ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER (zend_vm_execute.h:27383)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 21 (20 direct, 1 indirect) bytes in 1 blocks are definitely lost in loss record 28 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x844CE48: zend_assign_to_variable (zend_execute.c:714)
==22302==    by 0x84C5B07: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:24059)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 39 bytes in 3 blocks are possibly lost in loss record 46 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83E748F: zend_scan_escape_string (zend_language_scanner.l:740)
==22302==    by 0x83E90AC: lex_scan (zend_language_scanner.l:2037)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 40 bytes in 2 blocks are definitely lost in loss record 54 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84BE49D: zend_send_by_var_helper_SPEC_CV (zend_vm_execute.h:22135)
==22302==    by 0x84BEBC5: ZEND_SEND_VAR_SPEC_CV_HANDLER (zend_vm_execute.h:22242)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 54 (20 direct, 34 indirect) bytes in 1 blocks are definitely lost in loss record 65 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x844C52A: zend_assign_to_object (zend_execute.c:558)
==22302==    by 0x84C531D: ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:23966)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 75 bytes in 12 blocks are possibly lost in loss record 73 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83E748F: zend_scan_escape_string (zend_language_scanner.l:740)
==22302==    by 0x83EB434: lex_scan (zend_language_scanner.l:1870)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 85 bytes in 11 blocks are possibly lost in loss record 77 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83F3D83: lex_scan (zend_language_scanner.l:1036)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 92 (80 direct, 12 indirect) bytes in 4 blocks are definitely lost in loss record 82 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x844F09E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:300)
==22302==    by 0x8452D45: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1606)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 100 bytes in 7 blocks are possibly lost in loss record 84 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x841E742: zend_str_tolower_dup (zend_operators.c:1884)
==22302==    by 0x8405CB6: zend_do_begin_dynamic_function_call (zend_compile.c:1683)
==22302==    by 0x84057F8: zend_do_begin_function_call (zend_compile.c:1575)
==22302==    by 0x83E3F78: zendparse (zend_language_parser.c:4652)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 100 bytes in 12 blocks are possibly lost in loss record 85 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83EC50D: lex_scan (zend_language_scanner.l:1672)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 122 bytes in 9 blocks are possibly lost in loss record 90 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83E9E0E: lex_scan (zend_language_scanner.l:1695)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 182 bytes in 14 blocks are possibly lost in loss record 100 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83EB237: lex_scan (zend_language_scanner.l:1817)
==22302==    by 0x840E952: zendlex (zend_compile.c:4954)
==22302==    by 0x83E1482: zendparse (zend_language_parser.c:3280)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 322 bytes in 34 blocks are possibly lost in loss record 112 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x841E742: zend_str_tolower_dup (zend_operators.c:1884)
==22302==    by 0x840579D: zend_do_begin_function_call (zend_compile.c:1571)
==22302==    by 0x83E3F78: zendparse (zend_language_parser.c:4652)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 482 (144 direct, 338 indirect) bytes in 1 blocks are definitely lost in loss record 116 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x83E6C86: compile_file (zend_language_scanner.l:334)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 613 (60 direct, 553 indirect) bytes in 3 blocks are definitely lost in loss record 117 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x84BEA56: ZEND_SEND_REF_SPEC_CV_HANDLER (zend_vm_execute.h:22226)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 679 (120 direct, 559 indirect) bytes in 6 blocks are definitely lost in loss record 121 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x844CEFB: zend_assign_to_variable (zend_execute.c:724)
==22302==    by 0x84CCEAB: ZEND_ASSIGN_SPEC_CV_TMP_HANDLER (zend_vm_execute.h:25697)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 14,467 (88 direct, 14,379 indirect) bytes in 2 blocks are definitely lost in loss record 135 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8400D36: _emalloc (zend_alloc.c:2348)
==22302==    by 0x8415A60: zend_rebuild_symbol_table (zend_execute_API.c:1699)
==22302==    by 0x844CFEC: zend_get_target_symbol_table (zend_execute.c:766)
==22302==    by 0x8452290: zend_fetch_var_address_helper_SPEC_CONST (zend_vm_execute.h:1340)
==22302==    by 0x8452904: ZEND_FETCH_R_SPEC_CONST_HANDLER (zend_vm_execute.h:1424)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
==22302==    by 0x8421BD7: zend_execute_scripts (zend.c:1194)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== 17,328 bytes in 1 blocks are possibly lost in loss record 136 of 136
==22302==    at 0x4024046: realloc (vg_replace_malloc.c:525)
==22302==    by 0x8400DF7: _erealloc (zend_alloc.c:2369)
==22302==    by 0x84176D6: pass_two (zend_opcode.c:380)
==22302==    by 0x83E6DDB: compile_file (zend_language_scanner.l:376)
==22302==    by 0x82658C4: phar_compile_file (phar.c:3393)
==22302==    by 0x8421B37: zend_execute_scripts (zend.c:1186)
==22302==    by 0x83B8CC8: php_execute_script (main.c:2268)
==22302==    by 0x84E649E: main (cgi_main.c:2109)
==22302== 
==22302== LEAK SUMMARY:
==22302==    definitely lost: 592 bytes in 21 blocks
==22302==    indirectly lost: 15,877 bytes in 524 blocks
==22302==      possibly lost: 18,353 bytes in 103 blocks
==22302==    still reachable: 25,884 bytes in 943 blocks
==22302==         suppressed: 0 bytes in 0 blocks
==22302== Reachable blocks (those to which a pointer was found) are not shown.
==22302== To see them, rerun with: --leak-check=full --show-reachable=yes
==22302== 
==22302== For counts of detected and suppressed errors, rerun with: -v
==22302== ERROR SUMMARY: 18 errors from 18 contexts (suppressed: 38 from 11)
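
Added example, not part of the original report: a small Python triage script for memcheck output of the kind shown above. It totals leaked bytes per allocation site, taking the first frame that is not an allocator wrapper as the site and tagging a record as compile-time when `compile_file` is on its stack; the wrapper list, the compile/execute split and the abridged sample stacks are assumptions of this example.

```python
import re

HEADER = re.compile(r"^==\d+== ([\d,]+) (?:\([^)]*\) )?bytes in ([\d,]+) blocks "
                    r"are (definitely|possibly) lost in loss record")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(")
# Assumption: these frames are allocator wrappers, not the allocation site.
WRAPPERS = {"malloc", "realloc", "_emalloc", "_erealloc", "_estrndup"}

def parse_loss_records(text):
    """One dict per loss record: kind, bytes, blocks, stack, site, phase."""
    records, cur = [], None
    for line in text.splitlines():
        h, f = HEADER.match(line), FRAME.match(line)
        if h:
            cur = {"kind": h.group(3), "bytes": int(h.group(1).replace(",", "")),
                   "blocks": int(h.group(2).replace(",", "")), "stack": []}
            records.append(cur)
        elif f and cur is not None:
            cur["stack"].append(f.group(1))
        else:
            cur = None  # separator or summary line ends the current record
    for r in records:
        r["site"] = next((fn for fn in r["stack"] if fn not in WRAPPERS), "?")
        r["phase"] = "compile" if "compile_file" in r["stack"] else "execute"
    return records

def summarize(records):
    """Total bytes per (kind, phase, site), largest first."""
    totals = {}
    for r in records:
        key = (r["kind"], r["phase"], r["site"])
        totals[key] = totals.get(key, 0) + r["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

# Excerpt of the trace in this report; stacks abridged for the example.
SAMPLE = """\
==22302== 39 bytes in 3 blocks are possibly lost in loss record 46 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x84010EA: _estrndup (zend_alloc.c:2503)
==22302==    by 0x83E748F: zend_scan_escape_string (zend_language_scanner.l:740)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==
==22302== 75 bytes in 12 blocks are possibly lost in loss record 73 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x83E748F: zend_scan_escape_string (zend_language_scanner.l:740)
==22302==    by 0x83E6D7F: compile_file (zend_language_scanner.l:364)
==22302==
==22302== 14,467 (88 direct, 14,379 indirect) bytes in 2 blocks are definitely lost in loss record 135 of 136
==22302==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==22302==    by 0x8415A60: zend_rebuild_symbol_table (zend_execute_API.c:1699)
==22302==    by 0x844E8AA: execute (zend_vm_execute.h:107)
"""
for (kind, phase, site), total in summarize(parse_loss_records(SAMPLE)):
    print(f"{total:>7} bytes  {kind:<10} {phase:<8} {site}")
```
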


 [2011-04-03 23:35 UTC] decoder-php at own-hero dot net
Hello,

do you happen to have a testcase that runs on command line, or can your testcase be run on command line instead of using Apache? That would allow me to automatically reduce the testcase.


Best,

Chris
 [2011-04-04 06:48 UTC] courtois at templeet dot org
To call it from command line I simulated a cgi call with this script:

#!/bin/sh

PHPRC="/var/www/dev4.sociatomdev.com/"
export PHPRC

export USE_ZEND_ALLOC=0

export REQUEST_URI=/auth/packageinstall.html.en
export SCRIPT_NAME=/templeet.php
export QUERY_STRING=
export REQUEST_METHOD=GET
export REDIRECT_STATUS=404
export REDIRECT_URL=/templeet.php
export DOCUMENT_ROOT=/var/www/dev4.sociatomdev.com/chroot/htdocs
export SCRIPT_FILENAME=/templeet.php
export SERVER_NAME=localhost
export SERVER_PROTOCOL=HTTP/1.0
export REDIRECT_HANDLER=php-cgi
export PATH_TRANSLATED=/var/www/dev4.sociatomdev.com/chroot/htdocs/templeet.php


exec valgrind --leak-check=full /home/courtois/test2/php-5.3.6/sapi/cgi/php-cgi
 [2011-04-09 14:34 UTC] decoder-php at own-hero dot net
The following is an automatically reduced testcase that can be run in the same way as described here for the original testcase:

<?php
class TempleetRedirect extends Exception {};
Function parseform($template) {
        $txt = eval_list($templatecache[$template]['template']);
}
Function eval_list($array) {
            throw new TempleetRedirect($file);
}
Function parsetemplate($template) {
    $txt = parseform($template);
}
try 
  {  
    $output=parsetemplate($global_var['template']);
  }  
catch (TempleetRedirect $r)
  {
    exit();
  }
?>
 [2011-11-16 14:32 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-11-16 14:32 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
Last updated: Thu Mar 28 22:01:26 2024 UTC