Edit report at https://bugs.php.net/bug.php?id=60733&edit=1

 ID:                 60733
 Updated by:         g...@php.net
 Reported by:        paul at minimoo dot org
 Summary:            strtotime bug in php 5.3.9
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   linux(debian)-64bit
 PHP Version:        5.3.9
 Assigned To:        gui
 Block user comment: N
 Private report:     N

 New Comment:

This issue has been fixed in the latest Dotdeb packages. Be sure to upgrade at least :
* to 5.3.9-0~dotdeb.3 if you're running Squeeze
* to 5.3.9-0~dotdeb.2 if you're running Lenny

Please send future Dotdeb-specific issues directly on http://www.dotdeb.org/ or on my email.

Previous Comments:
------------------------------------------------------------------------
[2012-01-12 22:38:21] g...@php.net

It seems to be a Dotdeb-specific issue, I'm looking for a fix. No need to post it here without warning me first.

------------------------------------------------------------------------
[2012-01-12 22:37:24] paul at minimoo dot org

This is looking like it may be an issue with the dotdeb.org build of 5.3.9 - have had 3-4 people confirm that this code breaks with the .deb files at http://dotdeb.mirror.somersettechsolutions.co.uk/dists/stable/php5/binary-amd64/ and 2 people unable to reproduce from a build from latest svn

------------------------------------------------------------------------
[2012-01-12 21:29:59] paul at minimoo dot org

Description:
------------
Since upgrading [using dotdeb.org compiled version of php] from php 5.3.8 to php 5.3.9, strtotime appears to crash.

This occurs for me on 2 VM's, minimised to 1 line of php.

Valgrind/GDB output attached

Test script:
---------------
echo strtotime('2011-01-1 00:00 UTC');

Actual result:
--------------
valgrind /usr/bin/php test.php
==25725== Memcheck, a memory error detector
==25725== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==25725== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==25725== Command: /usr/bin/php test.php
==25725==
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D494: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4BE: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb8 is 40 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4D4: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc0 is 48 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4EA: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc8 is 56 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D500: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfd0 is 64 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D516: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcff8 is 104 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)

------------------------------------

1293840000*** glibc detected *** /usr/bin/php: corrupted double-linked list: 0x0000000001076b30 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7ffff4cc5ad6]
/lib/libc.so.6(+0x71f0d)[0x7ffff4cc5f0d]
/lib/libc.so.6(+0x73418)[0x7ffff4cc7418]
/lib/libc.so.6(cfree+0x6c)[0x7ffff4cca84c]
/usr/bin/php[0x6e4121]
/usr/bin/php(php_request_shutdown+0x306)[0x66fd26]
/usr/bin/php[0x754800]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff4c72c4d]
/usr/bin/php[0x42f7e9]
======= Memory map: ========

gdb BT full @ http://pastebin.com/3gQpsRng

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=60733&edit=1