|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2012-02-22 15:08 UTC] tomas dot liska at actumg2 dot cz
Description: ------------ Running attached script causes heap corruption resulting in segfault or other simillar results in all tested PHP versions: 5.3.2, 5.3.8, 5.3.9, 5.3.10, 5.4.0-RC* Passing object with __toString() causes segfault in random script iteration. When casted to string beforehand, it runs OK. Test script: --------------- http://dl.dropbox.com/u/63573745/test.tar.gz Since I'm not sure what causes the problem, I was unable to create a smaller test case. Expected result: ---------------- Range of numbers from 0 to 9999 (included). Actual result: -------------- php-5.3.8: $ php go.php 0 1 Segmentation fault php-5.3.9: 0 1 ... 739 740 Segmentation fault Core dump: Program terminated with signal 11, Segmentation fault. #0 0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52 52 Z_OBJ_HT_P(zvalue)->del_ref(zvalue TSRMLS_CC); (gdb) bt #0 0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52 #1 0x00000000007c9ac1 in _zval_dtor (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.h:35 #2 0x0000000000802714 in zend_assign_to_variable (variable_ptr_ptr=0xf3810f8, value=0xf389130, is_tmp_var=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c:690 #3 0x000000000080218e in ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER (execute_data=0x2b3bb0b002f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:10382 #4 0x00000000007cc29e in execute (op_array=0xf3313f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107 #5 0x0000000000787822 in zend_call_function (fci=0x7fff3f742860, fci_cache=0x7fff3f7427f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute_API.c:969 #6 0x00000000007b6c75 in zend_call_method (object_pp=0x7fff3f742918, obj_ce=0xf355c60, fn_proxy=0xf355e50, function_name=0xb005be "__tostring", function_name_len=10, retval_ptr_ptr=0x7fff3f742928, param_count=0, arg1=0x0, arg2=0x0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_interfaces.c:97 #7 0x00000000007c84f7 in zend_std_cast_object_tostring (readobj=0xf389130, writeobj=0xf389130, type=6) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_object_handlers.c:1269 #8 0x0000000000799d68 in parse_arg_object_to_string (arg=0x2b3bb0aff4f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:258 #9 0x000000000079c608 in zend_parse_va_args (num_args=1, type_spec=0xadeffc "s|Z", va=0x7fff3f742c00, flags=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:692 #10 0x000000000079d022 in zend_parse_parameters (num_args=1, type_spec=0xadeffc "s|Z") at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:871 #11 0x00000000006b6d87 in zif_strip_tags (ht=1, return_value=0xf388750, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/users/tliska/wd/php/php-5.3.9/ext/standard/string.c:4056 #12 0x00000000007cd2bb in zend_do_fcall_common_helper_SPEC (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:320 #13 0x00000000007d3185 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:1640 #14 0x00000000007cc29e in execute (op_array=0xf3569f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107 #15 0x0000000000798f1a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend.c:1236 #16 0x0000000000717a8e in php_execute_script (primary_file=0x7fff3f745560) at /home/users/tliska/wd/php/php-5.3.9/main/main.c:2308 #17 0x000000000088c464 in main (argc=2, argv=0x7fff3f7457e8) at /home/users/tliska/wd/php/php-5.3.9/sapi/cli/php_cli.c:1184 php-5.4.0RC8: 0 1 ... 689 /php-5.4.0RC8/Zend/zend_hash.c(551) : ht=0x2ada805a4960 is being destroyed No core dump produced here. Patchesbug61165.phpt (last revision 2012-02-24 17:02 UTC by laruence@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 11:01:29 2024 UTC |
I might have the cause of this. This code produces $cnt - 1 leaks: <?php error_reporting(E_ALL | E_NOTICE | E_STRICT); class T { private $params = array(); private $_this; public function __toString() { //$this->params['this'] = $this; // <-- uncoment this //$this->_this = $this; // <-- or this (both cause the leak) return 'A'; } } $t = new T; $cnt = 2; for ($i = 0; $i < $cnt; $i++) { strip_tags($t); echo "$i\n"; } Output: 0 1 [Fri Feb 24 09:27:16 2012] Script: 'go_own_own.php' /home/users/tliska/wd/php/php-5.4.0RC8/ext/standard/string.c(4087) : Freeing 0x2B9B23ADC678 (2 bytes), script=go_own_own.phpI am fairly certain it is some kind of pointer deferencing here on L446 of Zend/zend_execution_API.c (php-5.3.10) I am not sure what the exact cause is yet though. 434 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC) /* {{{ */ 435 { 436 zval *zv = *zval_ptr; 437 438 #if DEBUG_ZEND>=2 439 printf("Reducing refcount for %x (%x): %d->%d\n", *zval_ptr, zval_ptr, Z_REFCOUNT_PP(zval_ptr), Z_REFCOUNT_PP(zval_ptr) - 1); 440 #endif 441 Z_DELREF_P(zv); 442 if (Z_REFCOUNT_P(zv) == 0) { 443 TSRMLS_FETCH(); 444 445 if (zv != &EG(uninitialized_zval)) { 446 GC_REMOVE_ZVAL_FROM_BUFFER(zv); 447 zval_dtor(zv); 448 efree_rel(zv);