From:             
Operating system: Ubuntu 10.04.1 LTS
PHP version:      master-Git-2012-05-10 (Git)
Package:          Scripting Engine problem
Bug Type:         Bug
Bug description:  Invalid memory access when incrementally assigning to a member of a null object

Description:
------------
Valgrind reports an invalid memory access in PHP when a script
incrementally assigns to a member of a null object while a user-defined
error handler is in place.  This invalid access causes occasional
segfaults.  It was initially observed in PHP 5.3, but it was found to still
be present when run from vanilla github source as of 2012-04-30.

I have not been able to fix the bug, but here is what I've discovered so
far:

During the incremental assignment, PHP replaces the variable's null value
with an empty object value, while issuing a warning.  However, it seems
that there is some problem with updating the references to these values. 
An invalid memory access occurs during the return from the function, when
the virtual machine tries to decrement the null value's reference count
after it is already zero (and has been freed).  Also, the empty object
value does not get its reference count decremented and therefore gets
leaked.

Please see the attached test script and valgrind log.

Test script:
---------------
#!/usr/bin/php
<?php
// Compound assignment to a member of a null $player: the engine converts
// the null to an empty object and emits a warning, which is routed to the
// user-defined error handler below.
function add_points($player, $points) {
    $player->energy += $points;
}

// Error handler that swallows the warning; its presence is part of the trigger.
function errorHandler($severity, $message, $filename, $line,
                      $super_globals) { }

set_error_handler('errorHandler');
add_points(NULL, 10);
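As an added example (not part of the original report or of the PHP project), the same function with argument validation in front of the compound assignment, so the script never reaches the engine's null-to-object conversion path that the valgrind trace shows being freed early. The names add_points_guarded and errorHandler, and the behaviour of converting warnings into exceptions, are choices made for this example:

```php
<?php
// Added example: guard the input before the compound assignment instead of
// letting the engine auto-convert null into an object.

// Convert any engine warning into an exception so execution stops at the
// offending statement rather than continuing on a silently converted value.
function errorHandler($severity, $message, $filename, $line) {
    throw new ErrorException($message, 0, $severity, $filename, $line);
}

// Guarded variant (name is an assumption for this example): rejects
// non-object players and non-integer point values up front.
function add_points_guarded($player, $points) {
    if (!is_object($player)) {
        throw new InvalidArgumentException(
            'add_points expects an object, got ' . gettype($player));
    }
    if (!is_int($points)) {
        throw new InvalidArgumentException('points must be an integer');
    }
    // Initialise the member explicitly so the += never acts on an
    // undefined property.
    if (!property_exists($player, 'energy')) {
        $player->energy = 0;
    }
    $player->energy += $points;
    return $player->energy;
}

set_error_handler('errorHandler');

// Constructed sample input: a real player object.
$p = new stdClass();
$p->energy = 5;
var_dump(add_points_guarded($p, 10)); // int(15)

// The same call as the reproducer, now rejected before the assignment.
try {
    add_points_guarded(NULL, 10);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The guard does not fix the engine defect; it keeps application code from exercising it while the report is open, and the exception-raising handler makes any remaining warning visible instead of silently swallowed.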

Expected result:
----------------
I expect no invalid read or write messages in valgrind's output.

Actual result:
--------------
When running under valgrind:

==8441== Memcheck, a memory error detector
==8441== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==8441== Using Valgrind-3.8.0.SVN and LibVEX; rerun with -h for copyright info
==8441== Command: /home/joe/bin/php broken_assignment.php
==8441== 
==8441== Invalid read of size 4
==8441==    at 0x7FC35C: zend_leave_helper_SPEC (zend.h:391)
==8441==    by 0x8042B4: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2262)
==8441==    by 0x7FB85E: execute (zend_vm_execute.h:410)
==8441==    by 0x7BE1C7: zend_execute_scripts (zend.c:1272)
==8441==    by 0x7320CB: php_execute_script (main.c:2473)
==8441==    by 0x90CD2E: do_cli (php_cli.c:988)
==8441==    by 0x90DCD3: main (php_cli.c:1361)
==8441==  Address 0x6a12120 is 16 bytes inside a block of size 32 free'd
==8441==    at 0x4C2879F: free (vg_replace_malloc.c:427)
==8441==    by 0x78842B: _efree (zend_alloc.c:2434)
==8441==    by 0x7A8448: _zval_ptr_dtor (zend_execute_API.c:439)
==8441==    by 0x7BAFE9: _zval_ptr_dtor_wrapper (zend_variables.c:180)
==8441==    by 0x7CF504: zend_hash_clean (zend_hash.c:596)
==8441==    by 0x7FC00F: zend_leave_helper_SPEC (zend_vm_execute.h:529)
==8441==    by 0x8042B4: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2262)
==8441==    by 0x7FB85E: execute (zend_vm_execute.h:410)
==8441==    by 0x7BE1C7: zend_execute_scripts (zend.c:1272)
==8441==    by 0x7320CB: php_execute_script (main.c:2473)
==8441==    by 0x90CD2E: do_cli (php_cli.c:988)
==8441==    by 0x90DCD3: main (php_cli.c:1361)

[5 other invalid read/writes omitted]

-- 
Edit bug report at https://bugs.php.net/bug.php?id=62005&edit=1