From:             
Operating system: linux(debian)-64bit
PHP version:      5.3.9
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  strtotime bug in php 5.3.9

Description:
------------
Since upgrading [using dotdeb.org compiled version of php] from php 5.3.8
to php 5.3.9, strtotime appears to crash. This occurs for me on 2 VMs,
minimised to 1 line of php.

Valgrind/GDB output attached

Test script:
---------------
<?php
echo strtotime('2011-01-1 00:00 UTC');

Actual result:
--------------
valgrind /usr/bin/php test.php
==25725== Memcheck, a memory error detector
==25725== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==25725== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==25725== Command: /usr/bin/php test.php
==25725==
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D494: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4BE: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb8 is 40 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4D4: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc0 is 48 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4EA: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc8 is 56 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D500: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfd0 is 64 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D516: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcff8 is 104 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)


------------------------------------


1293840000*** glibc detected *** /usr/bin/php: corrupted double-linked list: 0x0000000001076b30 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7ffff4cc5ad6]
/lib/libc.so.6(+0x71f0d)[0x7ffff4cc5f0d]
/lib/libc.so.6(+0x73418)[0x7ffff4cc7418]
/lib/libc.so.6(cfree+0x6c)[0x7ffff4cca84c]
/usr/bin/php[0x6e4121]
/usr/bin/php(php_request_shutdown+0x306)[0x66fd26]
/usr/bin/php[0x754800]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff4c72c4d]
/usr/bin/php[0x42f7e9]
======= Memory map: ========

gdb BT full @ http://pastebin.com/3gQpsRng

-- 
Edit bug report at https://bugs.php.net/bug.php?id=60733&edit=1
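Added triage example (not part of the original report, and not PHP project code): a small Memcheck parser that folds each "N bytes inside a block" address back to the block's base, showing that the errors in the trace above all touch one 112-byte block freed under zif_strtotime and reached again from zend_hash_destroy at request shutdown. The function name `triage` and the result layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# Excerpt of the Memcheck output in the report above (frames trimmed, wraps joined).
SAMPLE = """\
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D494: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
"""

HEAD = re.compile(r"(Invalid (?:read|write) of size \d+|Invalid free\(\))")
ADDR = re.compile(r"Address (0x[0-9a-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-F]+: (\S+)")

def triage(text):
    """Group Memcheck errors by the base address of the freed block they touch."""
    blocks = defaultdict(lambda: {"size": 0, "freed_by": None, "errors": []})
    err = blk = None
    for raw in text.splitlines():
        line = re.sub(r"^.*?==\d+==\s*", "", raw)  # drop PID prefix and stray stdout
        if m := HEAD.match(line):
            err, blk = {"kind": m.group(1), "offset": None, "where": None}, None
        elif err and (m := ADDR.match(line)):
            addr, off, size = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
            err["offset"] = off
            blk = blocks[addr - off]  # every offset folds back to one base address
            blk["size"] = size
            blk["errors"].append(err)
        elif err and (m := FRAME.match(line)) and m.group(1) != "free":
            if blk is None:  # still in the faulting stack: first non-free frame
                err["where"] = err["where"] or m.group(1)
            else:            # in the "free'd" stack: first caller of free()
                blk["freed_by"] = blk["freed_by"] or m.group(1)
    return dict(blocks)
```

A single base address with several read offsets followed by an invalid free is the signature of an object released by one owner while another still holds a pointer to it.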