Bug #59242 ZEND_DO_FCALL/ZEND_DO_FCALL_BY_NAME
Submitted: 2010-05-30 00:45 UTC Modified: 2017-10-24 23:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mat999 at gmail dot com Assigned:
Status: Suspended Package: optimizer (PECL)
PHP Version: 5.3.2 OS: Debian Lenny / Linux
Private report: No CVE-ID: None
 [2010-05-30 00:45 UTC] mat999 at gmail dot com
Description:
------------
All function calls fail. Other scripts run fine.

Reproduce code:
---------------
<?
phpinfo();
?>

Expected result:
----------------
PHP INFO

Actual result:
--------------
Segmentation Fault.

==38934== Process terminating with default action of signal 11 (SIGSEGV)
==38934==  Access not within mapped region at address 0x4D705C9610
==38934==    at 0xB56E31C: optimize_op_array (optimize.c:3828)
==38934==    by 0xB56F915: optimizer_compile_file (optimize.c:4757)
==38934==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==38934==    by 0x7461C9: zend_execute_scripts (in /usr/bin/php5)
==38934==    by 0x6EF777: php_execute_script (in /usr/bin/php5)
==38934==    by 0x7D991A: main (in /usr/bin/php5)


 [2010-05-30 01:30 UTC] mat999 at gmail dot com
And here is another one.

==50370== Invalid read of size 1
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5623BC: mark_used_cb (optimize.c:591)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB56EBA2: optimize_op_array (optimize.c:4382)
==50370==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==50370==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==50370==  Address 0xa65b2444c is not stack'd, malloc'd or (recently) free'd
==50370==
==50370== Process terminating with default action of signal 11 (SIGSEGV)
==50370==  Access not within mapped region at address 0xA65B2444C
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5623BC: mark_used_cb (optimize.c:591)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB56EBA2: optimize_op_array (optimize.c:4382)
==50370==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==50370==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
 [2010-05-30 02:37 UTC] mat999 at gmail dot com
another fault, 

<?=dirname(__FILE__);?>


==58293== Invalid read of size 8
==58293==    at 0xB568C14: optimize_to_string_ex (optimize.c:1981)
==58293==    by 0xB5714CE: optimize_fcall_fcr (optimize_fcr.c:1435)
==58293==    by 0xB574D71: optimize_fcall (optimize_fcr.c:1026)
==58293==    by 0xB569F12: optimize_code_block (optimize.c:2478)
==58293==    by 0xB56EBFD: optimize_op_array (optimize.c:4392)
==58293==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==58293==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==58293==    by 0x7461C9: zend_execute_scripts (in /usr/bin/php5)
==58293==    by 0x6EF777: php_execute_script (in /usr/bin/php5)
==58293==    by 0x7D991A: main (in /usr/bin/php5)
==58293==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==58293==
==58293== Process terminating with default action of signal 11 (SIGSEGV)
==58293==  Access not within mapped region at address 0x40
==58293==    at 0xB568C14: optimize_to_string_ex (optimize.c:1981)
==58293==    by 0xB5714CE: optimize_fcall_fcr (optimize_fcr.c:1435)
==58293==    by 0xB574D71: optimize_fcall (optimize_fcr.c:1026)
==58293==    by 0xB569F12: optimize_code_block (optimize.c:2478)
==58293==    by 0xB56EBFD: optimize_op_array (optimize.c:4392)
==58293==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==58293==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==58293==    by 0x7461C9: zend_execute_scripts (in /usr/bin/php5)
==58293==    by 0x6EF777: php_execute_script (in /usr/bin/php5)
==58293==    by 0x7D991A: main (in /usr/bin/php5)
 [2010-05-30 04:00 UTC] mat999 at gmail dot com
Last bug fixed, don't know if it's the correct patch but it fixes the problem.

new definition of the OPTIMIZE_TO_FOOTER struct

The flags!=NULL check can be removed; that was just a debug check.

======

/* Footer shared by the optimize_to_* passes: drops the previous opline
 * and/or the current one when the flags ask for it.  A NULL op is left
 * alone instead of being dereferenced, and when the current opline goes
 * away the code block's second jump target is unlinked as well.  Every
 * line of the body, including the brace closing the jmp_2 block, needs
 * the trailing backslash or the macro ends early. */
#define OPTIMIZE_TO_FOOTER                               \
	if (flags!=NULL && flags & OPTIMIZE_TO_DEL_PREV) {   \
		SET_TO_NOP_EX(prev);                             \
	}                                                    \
	if (flags!=NULL && flags & OPTIMIZE_TO_DEL_OP) {     \
		if (op && op->opcode == ZEND_FETCH_DIM_R) {      \
			if (op) {                                    \
				zval_dtor(&__OP2_VAL(op));               \
				SET_TO_NOP(op);                          \
			}                                            \
		} else {                                         \
			if (op) {                                    \
				zval_dtor(&__OP1_VAL(op));               \
				SET_TO_NOP(op);                          \
			}                                            \
			if (cbl->jmp_2 != NULL) {                    \
				CB_DEL_PRED(cbl->jmp_2, cbl);            \
				cbl->jmp_2 = NULL;                       \
			}                                            \
		}                                                \
	}
 [2010-05-30 04:03 UTC] mat999 at gmail dot com
Just a reminder, still haven't patched this bug. Still looking for the cause.

==50370== Invalid read of size 1
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5623BC: mark_used_cb (optimize.c:591)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB56EBA2: optimize_op_array (optimize.c:4382)
==50370==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==50370==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==50370==  Address 0xa65b2444c is not stack'd, malloc'd or (recently) free'd
==50370==
==50370== Process terminating with default action of signal 11 (SIGSEGV)
==50370==  Access not within mapped region at address 0xA65B2444C
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5623BC: mark_used_cb (optimize.c:591)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB56EBA2: optimize_op_array (optimize.c:4382)
==50370==    by 0xB56F925: optimizer_compile_file (optimize.c:4757)
==50370==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
 [2010-05-30 04:32 UTC] mat999 at gmail dot com
Found a test case for the bug above.

<?
if (version_compare('5.3.2','6.0.0-dev', '>='))
{
        echo '1';
}
?>


==17706== Invalid read of size 1
==17706==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==17706==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==17706==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==17706==    by 0xB56EBD2: optimize_op_array (optimize.c:4405)
==17706==    by 0xB56F955: optimizer_compile_file (optimize.c:4780)
==17706==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==17706==    by 0x7461C9: zend_execute_scripts (in /usr/bin/php5)
==17706==    by 0x6EF777: php_execute_script (in /usr/bin/php5)
==17706==    by 0x7D991A: main (in /usr/bin/php5)
==17706==  Address 0xa65b2b70c is not stack'd, malloc'd or (recently) free'd
==17706==
==17706== Process terminating with default action of signal 11 (SIGSEGV)
==17706==  Access not within mapped region at address 0xA65B2B70C
==17706==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==17706==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==17706==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==17706==    by 0xB56EBD2: optimize_op_array (optimize.c:4405)
==17706==    by 0xB56F955: optimizer_compile_file (optimize.c:4780)
==17706==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==17706==    by 0x7461C9: zend_execute_scripts (in /usr/bin/php5)
==17706==    by 0x6EF777: php_execute_script (in /usr/bin/php5)
==17706==    by 0x7D991A: main (in /usr/bin/php5)
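A first-pass triage of the memcheck traces in this report, as an added example that is not the optimizer extension's or php.net's code. It parses the "Invalid read" and "Process terminating" blocks, pairs the two reports valgrind emits for the same fault, and classifies the faulting address: the size-8 read at 0x40 in optimize_to_string_ex lands in the unmapped zero page, which is what a field access through a NULL pointer looks like, while 0xa65b2444c in mark_used_cb is a garbage pointer that belongs to no mapping at all. The 4 KiB page size and the list of extension source files (optimize.c and optimize_fcr.c, the files named in the frames) are assumptions; the sample log is built from this report's own traces with the repeated recursive frames trimmed.

```python
"""Crash triage over valgrind memcheck output.  Added example for this thread,
not code from the PECL optimizer or php.net: it parses the reports pasted
above, pairs each 'Invalid read' with the SIGSEGV report of the same fault,
and classifies the faulting address (zero page = NULL plus a field offset,
anything else 'not stack'd, malloc'd or free'd' = wild pointer)."""
import re

HEADER_RE = re.compile(r"^==\d+== (?:Invalid (?:read|write)|Process terminating)")
INVALID_RE = re.compile(r"^==\d+== Invalid (?P<kind>read|write) of size (?P<size>\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]*)\)$")
BADADDR_RE = re.compile(r"^==\d+==\s+Address 0x(?P<addr>[0-9A-Fa-f]+) is not stack'd")
SEGV_RE = re.compile(r"^==\d+==\s+Access not within mapped region at address 0x(?P<addr>[0-9A-Fa-f]+)$")
BLANK_RE = re.compile(r"^==\d+==\s*$")

ZERO_PAGE = 0x1000  # assumption: 4 KiB pages, as on the reporter's x86-64 Linux
EXTENSION_SOURCES = ("optimize.c", "optimize_fcr.c")  # the files named in the traces

# Constructed sample: two traces from this report with the recursive frames trimmed.
SAMPLE_LOG = """\
==50370== Invalid read of size 1
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==50370==    by 0xB5622FC: mark_used_cb (optimize.c:579)
==50370==    by 0xB56EBA2: optimize_op_array (optimize.c:4382)
==50370==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==50370==  Address 0xa65b2444c is not stack'd, malloc'd or (recently) free'd
==50370==
==50370== Process terminating with default action of signal 11 (SIGSEGV)
==50370==  Access not within mapped region at address 0xA65B2444C
==50370==    at 0xB5622A1: mark_used_cb (optimize.c:568)
==58293== Invalid read of size 8
==58293==    at 0xB568C14: optimize_to_string_ex (optimize.c:1981)
==58293==    by 0xB5714CE: optimize_fcall_fcr (optimize_fcr.c:1435)
==58293==    by 0x5C2558: phar_compile_file (in /usr/bin/php5)
==58293==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==58293==
==58293== Process terminating with default action of signal 11 (SIGSEGV)
==58293==  Access not within mapped region at address 0x40
==58293==    at 0xB568C14: optimize_to_string_ex (optimize.c:1981)
"""


def split_reports(text):
    """Return the line groups of each memcheck report (header line plus frames)."""
    reports, cur = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line) or BLANK_RE.match(line) or not line.strip():
            if cur:
                reports.append(cur)
            cur = [line] if HEADER_RE.match(line) else []
        else:
            cur.append(line)
    if cur:
        reports.append(cur)
    return reports


def parse_report(lines):
    """Return {kind, size, addr, frames} for one report; None if it has no frames."""
    rec = {"kind": "segv", "size": None, "addr": None, "frames": []}
    for line in lines:
        m = INVALID_RE.match(line)
        if m:
            rec["kind"], rec["size"] = m.group("kind"), int(m.group("size"))
            continue
        m = BADADDR_RE.match(line) or SEGV_RE.match(line)
        if m:
            rec["addr"] = int(m.group("addr"), 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            rec["frames"].append((m.group("func"), m.group("loc")))
    return rec if rec["frames"] else None


def classify(addr):
    """First-pass verdict on a faulting address."""
    if addr is None:
        return "unknown"
    if addr < ZERO_PAGE:  # unmapped zero page: NULL struct pointer + field offset
        return "null-deref (field offset 0x%x)" % addr
    return "wild-pointer"  # outside every mapping: uninitialised or corrupted pointer


def triage(text):
    """Summarise each distinct crash site in a memcheck log, innermost frame first."""
    seen = {}
    for lines in split_reports(text):
        rec = parse_report(lines)
        if rec is None:
            continue
        func, loc = rec["frames"][0]
        key = (func, loc, rec["addr"])
        if key in seen:  # the SIGSEGV report repeats the 'Invalid read' site
            continue
        ext = [f for f in rec["frames"] if f[1].split(":")[0] in EXTENSION_SOURCES]
        seen[key] = {
            "site": "%s (%s)" % (func, loc),
            "kind": rec["kind"],
            "size": rec["size"],
            "addr": rec["addr"],
            "verdict": classify(rec["addr"]),
            "extension_frames": len(ext),  # how deep the fault sits in the extension
        }
    return list(seen.values())
```

triage(SAMPLE_LOG) yields one summary per distinct crash site; feeding it a full log from running the php CLI under valgrind works the same way, and a non-zero extension_frames count with an innermost frame in optimize.c is the quick signal that the fault belongs to the extension rather than to the interpreter it is loaded into.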
 [2017-10-24 23:38 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-10-24 23:38 UTC] kalle@php.net
The optimizer PECL extension has not had a release since 2008 and it's safe to say that development has ceased in favor of alternatives such as opcache, included with PHP as of PHP 5.5+. I'm gonna suspend this in case the package does pick development back up, in which case it should be re-opened.