php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79781 zend_mm_heap corrupted in zend_array_destroy
Submitted: 2020-07-04 00:37 UTC Modified: 2020-07-11 08:38 UTC
From: changochen1 at gmail dot com Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
42 + 38 = ?
Subscribe to this entry?

 
 [2020-07-04 00:37 UTC] changochen1 at gmail dot com
Description:
------------
Cmdline: php -f poc

Stack dump:
---
Fatal error: Allowed memory size of 134217728 bytes exhausted at /home/yongheng/php_clean/Zend/zend_hash.c:2104 (tried to allocate 320 bytes) in /home/yongheng/php_poc5.php on line 2
zend_mm_heap corrupted
MemorySanitizer:DEADLYSIGNAL
==230806==ERROR: MemorySanitizer: SEGV on unknown address 0x03e900038596 (pc 0x7fbc7c66d187 bp 0x000001e00000 sp 0x7ffc089355c8 T230806)
==230806==The signal is caused by a READ memory access.
    #0 0x7fbc7c66d186 in kill /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/syscall-template.S:78
    #1 0x120f077 in zend_mm_panic /home/yongheng/php_clean/Zend/zend_alloc.c:364:2
    #2 0x121628a in zend_mm_free_heap /home/yongheng/php_clean/Zend/zend_alloc.c
    #3 0x13e29a8 in zend_array_destroy /home/yongheng/php_clean/Zend/zend_hash.c:1660:2
    #4 0x174fdeb in zend_objects_store_free_object_storage /home/yongheng/php_clean/Zend/zend_objects_API.c:117:6
    #5 0x13246c0 in shutdown_executor /home/yongheng/php_clean/Zend/zend_execute_API.c:338:2
    #6 0x137edc3 in zend_deactivate /home/yongheng/php_clean/Zend/zend.c:1206:2
    #7 0x10e6c13 in php_request_shutdown /home/yongheng/php_clean/main/main.c:1876:2
    #8 0x177a53d in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:1127:3
    #9 0x1779b7f in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1357:18
    #10 0x7fbc7c64fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x43f8c9 in _start (/home/yongheng/php_clean/bld/sapi/cli/php+0x43f8c9)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/syscall-template.S:78 in kill
==230806==ABORTING
...
---

Test script:
---------------
<?
a () ;
function a () {
    a ( new ArrayIterator ( [ 1 ] ) )  ;
}


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-07 14:44 UTC] nikic@php.net
I can't reproduce with this script under valgrind, but very likely this is the same issue as bug #79788.
 [2020-07-07 21:44 UTC] changochen1 at gmail dot com
The php I used is built with address santizer. The command is
CONFIGURE_COMMAND = '../configure' '--enable-debug-assertions' '--enable-memory-sanitizer'
 [2020-07-11 08:38 UTC] nikic@php.net
@changochen1: Note that --enable-memory-sanitizer enables the memory sanitizer, not the address sanitizer. The memory sanitizer primarily detects uninitialized memory.

For address sanitizer, you would use ./configure CFLAGS="-fsanitize=address".

When running under address/memory sanitizer, it is also useful to set the USE_ZEND_ALLOC=0 and USE_TRACKED_ALLOC=1 environment variables, which will force use of the system allocator. Otherwise you will not get most of the benefit from the sanitizer.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 22 10:01:24 2020 UTC