PHP :: Bug #71712 :: Segmentation fault on ReflectionClass::newInstanceArgs

Bug #71712	Segmentation fault on ReflectionClass::newInstanceArgs
Submitted:	2016-03-04 13:00 UTC	Modified:	2016-03-07 14:40 UTC
From:	bashofmann at gmail dot com	Assigned:
Status:	Closed	Package:	memcached (PECL)
PHP Version:	7.0.4	OS:	Ubuntu 14.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bashofmann at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-03-04 13:00 UTC] bashofmann at gmail dot com

Description:
------------
We get the following reproducible segmentation fault when running a unit test that is mocking some class which results in a ReflectionClass::newInstanceArgs. Unfortunately I was not able to reproduce this with a smaller sample script.

Is this backtrace enough to find the cause and fix it?


GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/researchgate/.phpbrew/php/php-7.0.4/bin/php...done.
[New LWP 16027]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000084ad49 in zend_mm_alloc_small (heap=0x7fd514800040, size=40, bin_num=4, __zend_filename=0xe9ec78 "/home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_opcode.c", __zend_lineno=59,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
(gdb) bt
#0  0x000000000084ad49 in zend_mm_alloc_small (heap=0x7fd514800040, size=40, bin_num=4, __zend_filename=0xe9ec78 "/home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_opcode.c", __zend_lineno=59,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_alloc.c:1291
#1  0x000000000084afa0 in zend_mm_alloc_heap (heap=0x7fd514800040, size=40, __zend_filename=0xe9ec78 "/home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_opcode.c", __zend_lineno=59, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_alloc.c:1358
#2  0x000000000084da03 in _emalloc (size=4, __zend_filename=0xe9ec78 "/home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_opcode.c", __zend_lineno=59, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_alloc.c:2442
#3  0x000000000086d2ca in init_op_array (op_array=0x7fd50ff73040, type=2 '\002', initial_ops_size=64) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_opcode.c:59
#4  0x000000000085c724 in zend_compile_func_decl (result=0x0, ast=0x7fd51181ba00) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:4858
#5  0x000000000086335d in zend_compile_stmt (ast=0x7fd51181ba00) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:7065
#6  0x000000000085ac80 in zend_compile_stmt_list (ast=0x7fd51181bb48) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:4358
#7  0x0000000000863226 in zend_compile_stmt (ast=0x7fd51181bb48) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:7009
#8  0x000000000085db91 in zend_compile_class_decl (ast=0x7fd51181bb98) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:5305
#9  0x000000000086339e in zend_compile_stmt (ast=0x7fd51181bb98) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:7077
#10 0x0000000000862fd5 in zend_compile_top_stmt (ast=0x7fd51181bb98) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:6983
#11 0x0000000000862fb7 in zend_compile_top_stmt (ast=0x7fd51181bbe0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_compile.c:6978
#12 0x0000000000827fa6 in compile_file (file_handle=0x7ffd37faa370, type=2) at Zend/zend_language_scanner.l:607
#13 0x00000000006864f8 in phar_compile_file (file_handle=0x7ffd37faa370, type=2) at /home/researchgate/.phpbrew/build/php-7.0.4/ext/phar/phar.c:3311
#14 0x0000000000828155 in compile_filename (type=2, filename=0x7fd514821640) at Zend/zend_language_scanner.l:647
#15 0x000000000091852e in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER () at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:29135
#16 0x00000000008dc2cc in execute_ex (ex=0x7fd514821530) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:414
#17 0x0000000000869b52 in zend_call_function (fci=0x7ffd37faa770, fci_cache=0x7ffd37faa740) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_execute_API.c:860
#18 0x00000000008a6df6 in zend_call_method (object=0x7fd511a6cbe8, obj_ce=0x7fd514802620, fn_proxy=0x7fd511a6cbe0, function_name=0x7fd511e025c8 "composer\\autoload\\classloader::loadclass\001",
    function_name_len=44, retval_ptr=0x0, param_count=1, arg1=0x7fd514821520, arg2=0x0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_interfaces.c:104
#19 0x00000000006dc1c3 in zif_spl_autoload_call (execute_data=0x7fd5148214c0, return_value=0x7ffd37faaa40) at /home/researchgate/.phpbrew/build/php-7.0.4/ext/spl/php_spl.c:429
#20 0x0000000000869c79 in zend_call_function (fci=0x7ffd37faaa80, fci_cache=0x7ffd37faaa50) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_execute_API.c:879
#21 0x000000000086a3f7 in zend_lookup_class_ex (name=0x7fd511ed8850, key=0x7fd510f88540, use_autoload=1) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_execute_API.c:1041
#22 0x000000000086af40 in zend_fetch_class_by_name (class_name=0x7fd511ed8850, key=0x7fd510f88540, fetch_type=512) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_execute_API.c:1387
#23 0x00000000008e3b3a in ZEND_NEW_SPEC_CONST_HANDLER () at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:3354
#24 0x00000000008dc2cc in execute_ex (ex=0x7fd514820a60) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:414
#25 0x0000000000869b52 in zend_call_function (fci=0x7ffd37faade0, fci_cache=0x7ffd37faadb0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_execute_API.c:860
#26 0x00000000006b1c3b in zim_reflection_class_newInstanceArgs (execute_data=0x7fd5148209f0, return_value=0x7fd5148207c0) at /home/researchgate/.phpbrew/build/php-7.0.4/ext/reflection/php_reflection.c:4743
#27 0x00000000008dd44a in ZEND_DO_FCALL_SPEC_HANDLER () at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:842
#28 0x00000000008dc2cc in execute_ex (ex=0x7fd514813030) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:414
#29 0x00000000008dc3de in zend_execute (op_array=0x7fd514877100, return_value=0x0) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend_vm_execute.h:458
#30 0x0000000000881214 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/researchgate/.phpbrew/build/php-7.0.4/Zend/zend.c:1427
#31 0x00000000007ee5cd in php_execute_script (primary_file=0x7ffd37fad430) at /home/researchgate/.phpbrew/build/php-7.0.4/main/main.c:2484
#32 0x0000000000940756 in do_cli (argc=3, argv=0x1b0e010) at /home/researchgate/.phpbrew/build/php-7.0.4/sapi/cli/php_cli.c:974
#33 0x000000000094191a in main (argc=3, argv=0x1b0e010) at /home/researchgate/.phpbrew/build/php-7.0.4/sapi/cli/php_cli.c:1345

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-03-04 13:05 UTC] nikic@php.net

Can you check whether running the unit test through USE_ZEND_ALLOC=0 valgrind results in any errors?

[2016-03-04 17:13 UTC] bashofmann at gmail dot com

You mean like this:

USE_ZEND_ALLOC=0 bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
PHPUnit 5.2.9 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.0.4-1+deb.sury.org~trusty+1 with Xdebug 2.4.0RC4
Configuration: /home/researchgate/rg_dev/community/phpunit.xml

*** Error in `php': double free or corruption (fasttop): 0x00007fdbd720c5a0 ***
Aborted (core dumped)

[2016-03-04 17:25 UTC] nikic@php.net

I mean this:

    USE_ZEND_ALLOC=0 valgrind bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php

[2016-03-04 17:28 UTC] bashofmann at gmail dot com

Looks the same:

$ USE_ZEND_ALLOC=0 valgrind bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
==10358== Memcheck, a memory error detector
==10358== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10358== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==10358== Command: bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
==10358==
PHPUnit 5.2.9 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.0.4-1+deb.sury.org~trusty+1 with Xdebug 2.4.0RC4
Configuration: /home/researchgate/rg_dev/community/phpunit.xml

*** Error in `php': double free or corruption (fasttop): 0x00007f0d68b4a310 ***
Aborted (core dumped)

[2016-03-04 17:43 UTC] nikic@php.net

Ah, likely you need to add --trace-children=yes to the valgrind invocation (bin/phpunit is probably a shell script or something).

[2016-03-04 17:56 UTC] bashofmann at gmail dot com

Now I get:

$ USE_ZEND_ALLOC=0 valgrind --trace-children=yes bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
==11730== Memcheck, a memory error detector
==11730== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11730== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==11730== Command: bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
==11730==
==11730== Memcheck, a memory error detector
==11730== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11730== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==11730== Command: /usr/bin/php bin/phpunit test/unit/modules/literature/classes/ClaimingServiceTest.php
==11730==
==11738== Memcheck, a memory error detector
==11738== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11738== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==11738== Command: /bin/sh -c stty\ size
==11738==
==11739== Memcheck, a memory error detector
==11739== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==11739== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==11739== Command: /bin/stty size
==11739==
==11739==
==11739== HEAP SUMMARY:
==11739==     in use at exit: 0 bytes in 0 blocks
==11739==   total heap usage: 147 allocs, 147 frees, 15,846 bytes allocated
==11739==
==11739== All heap blocks were freed -- no leaks are possible
==11739==
==11739== For counts of detected and suppressed errors, rerun with: -v
==11739== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==11738==
==11738== HEAP SUMMARY:
==11738==     in use at exit: 1,352 bytes in 38 blocks
==11738==   total heap usage: 40 allocs, 2 frees, 1,456 bytes allocated
==11738==
==11738== LEAK SUMMARY:
==11738==    definitely lost: 0 bytes in 0 blocks
==11738==    indirectly lost: 0 bytes in 0 blocks
==11738==      possibly lost: 0 bytes in 0 blocks
==11738==    still reachable: 1,352 bytes in 38 blocks
==11738==         suppressed: 0 bytes in 0 blocks
==11738== Rerun with --leak-check=full to see details of leaked memory
==11738==
==11738== For counts of detected and suppressed errors, rerun with: -v
==11738== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
PHPUnit 5.2.9 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.0.4-1+deb.sury.org~trusty+1
Configuration: /home/researchgate/rg_dev/community/phpunit.xml

==11730== Invalid free() / delete / delete[] / realloc()
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647A1A4: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x1647F51C: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==  Address 0x23a74070 is 0 bytes inside a block of size 8 free'd
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647A12D: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x1647F4DA: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==
==11730== Invalid free() / delete / delete[] / realloc()
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647A1AD: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x1647F51C: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==  Address 0x20a7a4f0 is 0 bytes inside a block of size 8 free'd
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647A11B: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x1647F4DA: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==
==11730== Invalid free() / delete / delete[] / realloc()
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647F51C: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==  Address 0x1f102ac0 is 0 bytes inside a block of size 8 free'd
==11730==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11730==    by 0x1647A124: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x1647F4DA: ??? (in /usr/lib/php/20151012/memcached.so)
==11730==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==11730==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==11730==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==11730==
.                                                                   1 / 1 (100%)

Time: 19.21 seconds, Memory: 0.00Mb

OK (1 test, 1 assertion)
==11730==
==11730== HEAP SUMMARY:
==11730==     in use at exit: 863,801 bytes in 5,088 blocks
==11730==   total heap usage: 1,497,514 allocs, 1,492,429 frees, 2,752,640,474 bytes allocated
==11730==
==11730== LEAK SUMMARY:
==11730==    definitely lost: 7,501 bytes in 51 blocks
==11730==    indirectly lost: 624,079 bytes in 2,886 blocks
==11730==      possibly lost: 212,626 bytes in 2,074 blocks
==11730==    still reachable: 19,595 bytes in 77 blocks
==11730==         suppressed: 0 bytes in 0 blocks
==11730== Rerun with --leak-check=full to see details of leaked memory
==11730==
==11730== For counts of detected and suppressed errors, rerun with: -v
==11730== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

[2016-03-04 18:12 UTC] nikic@php.net

-Package: Reproducible crash +Package: memcached

[2016-03-04 18:12 UTC] nikic@php.net

Okay, so this is a double free in the memcached extension. Reassigning package, though I'm not sure if they use this bug tracker (logging an issue on https://github.com/php-memcached-dev/php-memcached/issues probably won't hurt).

[2016-03-05 02:24 UTC] rasmus@php.net

-Status: Open +Status: Feedback

[2016-03-05 02:24 UTC] rasmus@php.net

Where is your memcached extension build from?

Are you using the latest build from this php7 branch?

https://github.com/php-memcached-dev/php-memcached/tree/php7

[2016-03-05 14:04 UTC] bashofmann at gmail dot com

I can reproduce this with both the latest php-memcached package (2.2.0-95-g6ace07d+2.2.0-2+deb.sury.org~trusty+6) from https://launchpad.net/~ondrej/+archive/ubuntu/php as well as with the current HEAD of the php7 branch (https://github.com/php-memcached-dev/php-memcached/tree/php7)

When compiling from source I actually get a bit better debug output with line numbers pointing to the memcached source:

==2432== Invalid free() / delete / delete[] / realloc()
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E845104: s_clear_keys (php_memcached.c:1345)
==2432==    by 0x1E84A20C: php_memc_get_impl (php_memcached.c:1409)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==  Address 0x23b2f6b0 is 0 bytes inside a block of size 8 free'd
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E84508D: s_hash_to_keys (php_memcached.c:1321)
==2432==    by 0x1E84A1CA: s_key_to_keys (php_memcached.c:1334)
==2432==    by 0x1E84A1CA: php_memc_get_impl (php_memcached.c:1407)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==
==2432== Invalid free() / delete / delete[] / realloc()
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E84510D: s_clear_keys (php_memcached.c:1346)
==2432==    by 0x1E84A20C: php_memc_get_impl (php_memcached.c:1409)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==  Address 0x6c5d6c0 is 0 bytes inside a block of size 8 free'd
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E84507B: s_hash_to_keys (php_memcached.c:1319)
==2432==    by 0x1E84A1CA: s_key_to_keys (php_memcached.c:1334)
==2432==    by 0x1E84A1CA: php_memc_get_impl (php_memcached.c:1407)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==
==2432== Invalid free() / delete / delete[] / realloc()
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E84A20C: php_memc_get_impl (php_memcached.c:1409)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==  Address 0x23746220 is 0 bytes inside a block of size 8 free'd
==2432==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2432==    by 0x1E845084: s_hash_to_keys (php_memcached.c:1320)
==2432==    by 0x1E84A1CA: s_key_to_keys (php_memcached.c:1334)
==2432==    by 0x1E84A1CA: php_memc_get_impl (php_memcached.c:1407)
==2432==    by 0x3CFA93: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==    by 0x3CF75F: ??? (in /usr/bin/php7.0)
==2432==    by 0x3920CA: execute_ex (in /usr/bin/php7.0)
==2432==    by 0x347158: dtrace_execute_ex (in /usr/bin/php7.0)
==2432==

[2016-03-05 14:05 UTC] bashofmann at gmail dot com

I also just opened a ticket at the memcached github project:

https://github.com/php-memcached-dev/php-memcached/issues/224

[2016-03-07 14:40 UTC] bashofmann at gmail dot com

-Status: Feedback +Status: Closed

[2016-03-07 14:40 UTC] bashofmann at gmail dot com

The bug is fixed in https://github.com/php-memcached-dev/php-memcached/commit/4ee38195289edfa7ae936d2b0a434869c97d8817

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 17:01:30 2024 UTC