Edit report at http://bugs.php.net/bug.php?id=53347&edit=1

ID:                 53347
Updated by:         fel...@php.net
Reported by:        sebast...@php.net
Summary:            Segfault in zend_is_inconsistent()
-Status:            Open
+Status:            Assigned
Type:               Bug
Package:            Reproducible crash
Operating System:   Linux
PHP Version:        trunk-SVN-2010-11-18 (SVN)
-Assigned To:
+Assigned To:       dmitry
Block user comment: N
Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2010-11-19 11:47:47] sebast...@php.net

The following script reproduces the issue:

<?php
class ezcConsoleOutput
{
    protected static $color = array( 'gray' => 30 );

    public static function isValidFormatCode( $type, $key )
    {
        return isset( self::${$type}[$key] );
    }
}

var_dump( ezcConsoleOutput::isValidFormatCode( 'color', 'gray' ) );
?>

This does not print bool(true) but instead segfaults. Works fine with PHP_5_3, btw.

s...@thinkpad ~ % USE_ZEND_ALLOC=0 valgrind --leak-check=full php 53347.php
==22840== Memcheck, a memory error detector
==22840== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==22840== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==22840== Command: php 53347.php
==22840==
==22840== Invalid read of size 4
==22840==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==22840==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==22840==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==22840==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==22840==    by 0x957F02: execute (zend_vm_execute.h:410)
==22840==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==22840==    by 0x89661E: php_execute_script (main.c:2341)
==22840==    by 0xA57D89: main (php_cli.c:1254)
==22840==  Address 0x44 is not stack'd, malloc'd or (recently) free'd
==22840==
==22840==
==22840== Process terminating with default action of signal 11 (SIGSEGV)
==22840==  Access not within mapped region at address 0x44
==22840==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==22840==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==22840==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==22840==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==22840==    by 0x957F02: execute (zend_vm_execute.h:410)
==22840==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==22840==    by 0x89661E: php_execute_script (main.c:2341)
==22840==    by 0xA57D89: main (php_cli.c:1254)
==22840==  If you believe this happened as a result of a stack
==22840==  overflow in your program's main thread (unlikely but
==22840==  possible), you can try to increase the size of the
==22840==  main thread stack using the --main-stacksize= flag.
==22840==  The main thread stack size used in this run was 8388608.
==22840==
==22840== HEAP SUMMARY:
==22840==     in use at exit: 3,289,698 bytes in 16,177 blocks
==22840==   total heap usage: 19,718 allocs, 3,541 frees, 3,484,743 bytes allocated
==22840==
==22840== LEAK SUMMARY:
==22840==    definitely lost: 0 bytes in 0 blocks
==22840==    indirectly lost: 0 bytes in 0 blocks
==22840==      possibly lost: 0 bytes in 0 blocks
==22840==    still reachable: 3,289,698 bytes in 16,177 blocks
==22840==         suppressed: 0 bytes in 0 blocks
==22840== Reachable blocks (those to which a pointer was found) are not shown.
==22840== To see them, rerun with: --leak-check=full --show-reachable=yes
==22840==
==22840== For counts of detected and suppressed errors, rerun with: -v
==22840== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
zsh: segmentation fault  USE_ZEND_ALLOC=0 valgrind --leak-check=full php 53347.php

s...@thinkpad ~ % gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.4/bin/php...done.
(gdb) r 53347.php
Starting program: /usr/local/php-5.4/bin/php 53347.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
54	  if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
#1  0x000000000092edaf in zend_hash_quick_find (ht=0x0, arKey=0x7ffff7ebb380 "color", nKeyLength=6, h=6953399188164, pData=0x7fffffffbe90) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:929
#2  0x0000000000a49489 in zend_fetch_var_address_helper_SPEC_CV_UNUSED (type=3, execute_data=0x7ffff7f901f0) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33194
#3  0x0000000000a49df0 in ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7f901f0) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33294
#4  0x0000000000957f03 in execute (op_array=0x7ffff7fca668) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:410
#5  0x000000000091cd94 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend.c:1195
#6  0x000000000089661f in php_execute_script (primary_file=0x7fffffffe530) at /usr/local/src/php/src/php/php-src/trunk/main/main.c:2341
#7  0x0000000000a57d8a in main (argc=2, argv=0x7fffffffe798) at /usr/local/src/php/src/php/php-src/trunk/sapi/cli/php_cli.c:1254

------------------------------------------------------------------------
[2010-11-18 20:09:56] paj...@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc.

If the script requires a database to demonstrate the issue,
please make sure it creates all necessary tables, stored
procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------
[2010-11-18 20:03:40] sebast...@php.net

Description:
------------
PHP 5.3.99 (current trunk) segfaults in zend_is_inconsistent().

Test script:
---------------
The segfault is triggered by code that is part of ezcConsoleTools, for instance by just invoking phploc on the commandline. Unfortunately, I was not able to reduce this further, yet.

Expected result:
----------------
No segfault.

Actual result:
--------------
s...@thinkpad ~ % USE_ZEND_ALLOC=0 valgrind --leak-check=full php /usr/local/src/phploc/phploc.php
==1760== Memcheck, a memory error detector
==1760== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1760== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==1760== Command: php /usr/local/src/phploc/phploc.php
==1760==
==1760== Invalid read of size 4
==1760==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==1760==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==1760==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==1760==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==1760==    by 0x957F02: execute (zend_vm_execute.h:410)
==1760==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==1760==    by 0x89661E: php_execute_script (main.c:2341)
==1760==    by 0xA57D89: main (php_cli.c:1254)
==1760==  Address 0x44 is not stack'd, malloc'd or (recently) free'd
==1760==
==1760==
==1760== Process terminating with default action of signal 11 (SIGSEGV)
==1760==  Access not within mapped region at address 0x44
==1760==    at 0x92C021: _zend_is_inconsistent (zend_hash.c:54)
==1760==    by 0x92EDAE: zend_hash_quick_find (zend_hash.c:929)
==1760==    by 0xA49488: zend_fetch_var_address_helper_SPEC_CV_UNUSED (zend_vm_execute.h:33194)
==1760==    by 0xA49DEF: ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:33294)
==1760==    by 0x957F02: execute (zend_vm_execute.h:410)
==1760==    by 0x91CD93: zend_execute_scripts (zend.c:1195)
==1760==    by 0x89661E: php_execute_script (main.c:2341)
==1760==    by 0xA57D89: main (php_cli.c:1254)
==1760==  If you believe this happened as a result of a stack
==1760==  overflow in your program's main thread (unlikely but
==1760==  possible), you can try to increase the size of the
==1760==  main thread stack using the --main-stacksize= flag.
==1760==  The main thread stack size used in this run was 8388608.
==1760==
==1760== HEAP SUMMARY:
==1760==     in use at exit: 3,823,481 bytes in 18,002 blocks
==1760==   total heap usage: 34,509 allocs, 16,507 frees, 5,584,071 bytes allocated
==1760==
==1760== LEAK SUMMARY:
==1760==    definitely lost: 0 bytes in 0 blocks
==1760==    indirectly lost: 0 bytes in 0 blocks
==1760==      possibly lost: 0 bytes in 0 blocks
==1760==    still reachable: 3,823,481 bytes in 18,002 blocks
==1760==         suppressed: 0 bytes in 0 blocks
==1760== Reachable blocks (those to which a pointer was found) are not shown.
==1760== To see them, rerun with: --leak-check=full --show-reachable=yes
==1760==
==1760== For counts of detected and suppressed errors, rerun with: -v
==1760== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
zsh: segmentation fault  USE_ZEND_ALLOC=0 valgrind --leak-check=full php

s...@thinkpad ~ % gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php-5.4/bin/php...done.
(gdb) r /usr/local/src/phploc/phploc.php
Starting program: /usr/local/php-5.4/bin/php /usr/local/src/phploc/phploc.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
54	  if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x000000000092c021 in _zend_is_inconsistent (ht=0x0, file=0xf8d9e8 "/usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c", line=929) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:54
#1  0x000000000092edaf in zend_hash_quick_find (ht=0x0, arKey=0x7ffff7ecc7e0 "color", nKeyLength=6, h=6953399188164, pData=0x7fffffffbe80) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_hash.c:929
#2  0x0000000000a49489 in zend_fetch_var_address_helper_SPEC_CV_UNUSED (type=3, execute_data=0x7ffff7f92338) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33194
#3  0x0000000000a49df0 in ZEND_FETCH_IS_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7f92338) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:33294
#4  0x0000000000957f03 in execute (op_array=0x7ffff3627810) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend_vm_execute.h:410
#5  0x000000000091cd94 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/php/php-src/trunk/Zend/zend.c:1195
#6  0x000000000089661f in php_execute_script (primary_file=0x7fffffffe520) at /usr/local/src/php/src/php/php-src/trunk/main/main.c:2341
#7  0x0000000000a57d8a in main (argc=2, argv=0x7fffffffe788) at /usr/local/src/php/src/php/php-src/trunk/sapi/cli/php_cli.c:1254

------------------------------------------------------------------------
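Added triage note and example; this is not part of the bug report and not PHP's own code. Both traces above agree on the shape of the fault: gdb shows ht=0x0 on entry to _zend_is_inconsistent(), and Valgrind reports the 4-byte read at address 0x44, which is exactly what reading a field off a NULL HashTable * looks like if that field sits 0x44 bytes into the struct. The C program below reconstructs the debug-build HashTable layout of that era (an assumption written from memory of Zend/zend_hash.h, not copied from the tree; the `inconsistent` member exists only under ZEND_DEBUG, which is also the only build in which _zend_is_inconsistent() is compiled) and checks that offsetof(HashTable, inconsistent) is 0x44 on an LP64 build. When the numbers line up, the crash is a deterministic NULL-pointer read: a reliable crash of whatever PHP worker evaluates `isset( self::${$type}[$key] )` on this trunk build, but not a write or a dangling-pointer primitive. ht_usable() is only an illustrative guard at the point where the trace faults; it is not the fix dmitry was assigned to produce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reconstruction (assumption, from memory of Zend/zend_hash.h in the PHP
 * 5.3 / trunk-2010 era) of the Zend HashTable. Only pointer fields reference
 * Bucket, so an incomplete type is enough here. */
typedef struct _bucket Bucket;
typedef void (*dtor_func_t)(void *);
typedef unsigned char zend_bool;

typedef struct _hashtable {
    unsigned int   nTableSize;
    unsigned int   nTableMask;
    unsigned int   nNumOfElements;
    unsigned long  nNextFreeElement;   /* ulong: 8 bytes, 8-aligned on LP64 */
    Bucket        *pInternalPointer;
    Bucket        *pListHead;
    Bucket        *pListTail;
    Bucket       **arBuckets;
    dtor_func_t    pDestructor;
    zend_bool      persistent;
    unsigned char  nApplyCount;
    zend_bool      bApplyProtection;
    int            inconsistent;       /* present only when ZEND_DEBUG is set */
} HashTable;

#define HT_OK 0

/* Byte offset of the member read by the crashing line in zend_hash.c:54,
 * `if (ht->inconsistent==HT_OK) {`. Expected to be 0x44 on x86-64 Linux. */
size_t inconsistent_offset(void)
{
    return offsetof(HashTable, inconsistent);
}

/* Triage check: a fault address that equals a field offset is explained by a
 * NULL base pointer plus that field, i.e. a plain NULL dereference on the read
 * side, not a corrupted or freed table. */
int explained_by_null_base(uintptr_t fault_addr, size_t field_off)
{
    return fault_addr == (uintptr_t)field_off;
}

/* The debug consistency check with the NULL guard the trace shows is missing
 * on this path. Returns 1 if the table may be used, 0 if it is absent or
 * flagged inconsistent. Illustrative only; not the fix applied to PHP. */
int ht_usable(const HashTable *ht)
{
    if (ht == NULL) {
        return 0;   /* gdb frame #0 shows ht=0x0 reaching the check */
    }
    return ht->inconsistent == HT_OK;
}

int main(void)
{
    /* Constructed from the Valgrind line "Address 0x44 is not stack'd, ..." */
    uintptr_t valgrind_addr = 0x44;

    printf("offsetof(HashTable, inconsistent) = 0x%zx\n", inconsistent_offset());
    printf("fault at 0x%zx explained by NULL ht: %s\n",
           (size_t)valgrind_addr,
           explained_by_null_base(valgrind_addr, inconsistent_offset()) ? "yes" : "no");
    printf("ht_usable(NULL) = %d\n", ht_usable(NULL));
    return 0;
}
```

Compile with `cc -std=c99 -Wall triage.c && ./a.out` on a 64-bit Linux host. If the printed offset is not 0x44, the struct reconstruction does not match the build under test (a 32-bit build, or a tree with a different HashTable layout), and the fault address has to be re-matched against the real header before concluding anything about the bug class.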