Bug #59659 zend_mm_heap corrupted
Submitted: 2011-03-10 05:08 UTC Modified: 2011-03-11 01:05 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dark9 at rune dot ws Assigned:
Status: Open Package: memcache (PECL)
PHP Version: 5.3.5 OS: centos
Private report: No CVE-ID: None

 [2011-03-10 05:08 UTC] dark9 at rune dot ws
Description:
------------
memcache.c search keyword:
zval_ptr_dtor(callback);
and
zval_add_ref(callback);



Reproduce code:
---------------
	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_ptr_dtor(this_obj);
	}

	zval_ptr_dtor(callback);

/********************and************************/

	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_add_ref(this_obj);
	}

	zval_add_ref(callback);


Expected result:
----------------
	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_ptr_dtor(this_obj);
	}
	else
	{
		zval_ptr_dtor(callback);
	}


/********************and************************/

	if (Z_TYPE_PP(callback) == IS_ARRAY && 
		zend_hash_index_find(Z_ARRVAL_PP(callback), 0, (void **)&this_obj) == SUCCESS &&
		Z_TYPE_PP(this_obj) == IS_OBJECT) {
		zval_add_ref(this_obj);
	}
	else
	{
		zval_add_ref(callback);
	}

Actual result:
--------------
#0  0x0000003f95830265 in raise () from /lib64/libc.so.6
#1  0x0000003f95831d10 in abort () from /lib64/libc.so.6
#2  0x0000003f9586a84b in __libc_message () from /lib64/libc.so.6
#3  0x0000003f958722ef in _int_free () from /lib64/libc.so.6
#4  0x0000003f9587273b in free () from /lib64/libc.so.6
#5  0x00000000006c67ee in zend_hash_destroy (ht=0xd76ee60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:531
#6  0x00000000006d60e9 in zend_object_std_dtor (object=0xd76f8f0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#7  0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#8  0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=12) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#9  0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd76f8d0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168
#10 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd76f468) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#11 0x00000000006c67c8 in zend_hash_destroy (ht=0xd76eab0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#12 0x00000000006d60e9 in zend_object_std_dtor (object=0xd76ec80) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#13 0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#14 0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=11) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#15 0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd76efd0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168
#16 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd7700c8) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#17 0x00000000006c67c8 in zend_hash_destroy (ht=0xd76ee10) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#18 0x00000000006bb84f in _zval_dtor_func (zvalue=0xd770070) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.c:43
#19 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd746a60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#20 0x00002b7fb5d5b483 in mmc_server_callback_dtor (callback=0xd746a60) at /root/memcache-2.2.6/memcache.c:416
#21 0x00002b7fb5d5b4d0 in mmc_server_sleep (mmc=0xd7459f0) at /root/memcache-2.2.6/memcache.c:438
#22 0x00002b7fb5d5b748 in mmc_pool_free (pool=0xd729880) at /root/memcache-2.2.6/memcache.c:680
#23 0x00000000006c91ee in list_entry_destructor (ptr=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:184
#24 0x00000000006c7614 in zend_hash_del_key_or_index (ht=0xc575c8, arKey=0x202 <Address 0x202 out of bounds>,
    nKeyLength=4294967295, h=72340172838076673, flag=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:497
#25 0x00000000006c9469 in _zend_list_delete (id=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:58
#26 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd729978) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#27 0x00000000006c67c8 in zend_hash_destroy (ht=0xd74eda0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_hash.c:526
#28 0x00000000006d60e9 in zend_object_std_dtor (object=0xd7363e0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:45
#29 0x00000000006d6109 in zend_objects_free_object_storage (object=0x2d16) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects.c:122
#30 0x00000000006d96ea in zend_objects_store_del_ref_by_handle (handle=5) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:206
#31 0x00000000006d971f in zend_objects_store_del_ref (zobject=0xd7292a0) at /tmp/softs/PHP/php-5.2.6/Zend/zend_objects_API.c:168


 [2011-03-10 05:10 UTC] pierre dot php at gmail dot com
That's where it happens but it is certainly not why it happens.

Do you have a script to reproduce this problem? Which version of the extension do you use?
 [2011-03-10 07:13 UTC] dark9 at rune dot ws
hi pajoye:
my memcache client
Version => 2.2.6

but script too many.

this example:
class bug
{
	private $_mc;

	public function  __construct()
	{
		$this->_mc=new memcache();
		$this->_mc->addserver('127.0.0.1', 11211, true, 1, 2, -1, true, array($this, 'callBack'));
	}

	public function callBack($host, $port)
	{
		echo $host.$port;
	}
}

I think error time of recycling resource.

backtrace key:
#19 0x00000000006af1d6 in _zval_ptr_dtor (zval_ptr=0xd746a60) at /tmp/softs/PHP/php-5.2.6/Zend/zend_variables.h:35
#20 0x00002b7fb5d5b483 in mmc_server_callback_dtor (callback=0xd746a60) at /root/memcache-2.2.6/memcache.c:416
#21 0x00002b7fb5d5b4d0 in mmc_server_sleep (mmc=0xd7459f0) at /root/memcache-2.2.6/memcache.c:438
#22 0x00002b7fb5d5b748 in mmc_pool_free (pool=0xd729880) at /root/memcache-2.2.6/memcache.c:680
#23 0x00000000006c91ee in list_entry_destructor (ptr=<value optimized out>) at /tmp/softs/PHP/php-5.2.6/Zend/zend_list.c:184

btw: sorry, I speak English very poorly.
 [2011-03-10 22:06 UTC] hradtke@php.net
That script doesn't cause the error for me on 2.2.6 or 3.0.x.  Does it happen all the time or only when it fails to connect?
 [2011-03-11 01:05 UTC] dark9 at rune dot ws
look like script exec time too many.
this problems of php gc start time.
 
Last updated: Thu Jul 18 21:01:25 2019 UTC