[PHP-BUG] Bug #62525 [NEW]: sigabrt while converting floating point to string
From: perryjp at gmail dot com
Operating system: Ubuntu 10.04.3 LTS
PHP version: master-Git-2012-07-10 (Git)
Package: Reproducible crash
Bug Type: Bug
Bug description: sigabrt while converting floating point to string

Description:
I traced the root of my problem to compilation issues, but while debugging my issues I traced a sigabrt to a bug in snprintf.c freeing a static string.

php_conv_fp (snprintf.c:396) tries to free the static strings "NAN" or "INF" returned from __cvt (snprintf.c:97).

Actual result:
--
#0  0x0f8fc0d0 in raise () from /lib/tls/libc.so.6
#1  0x0f8fd924 in abort () from /lib/tls/libc.so.6
#2  0x0f93f658 in __libc_message () from /lib/tls/libc.so.6
#3  0x0f945f70 in malloc_printerr () from /lib/tls/libc.so.6
#4  0x0f947330 in _int_free () from /lib/tls/libc.so.6
#5  0x0f9478c0 in free () from /lib/tls/libc.so.6
#6  0x102bb960 in php_conv_fp (format=70 'F', num=2.0824708938098908, add_dp=NO, precision=8, dec_point=46 '.', is_negative=0xbfb8d040, buf=0xbfb8ce3d "NAN", len=0xbfb8ce38) at /php/main/snprintf.c:399
#7  0x102bffdc in xbuf_format_converter (xbuf=0xbfb8d138, fmt=0x104463b7 "F", ap=0xbfb8d16c) at /php/main/spprintf.c:588
#8  0x102c0d14 in vspprintf (pbuf=0xbfb8d29c, max_len=0, format=0x104463a8 "%.15s%ld%ld%0.8F", ap=0xbfb8d16c) at /php/main/spprintf.c:769
#9  0x102c0df0 in spprintf (pbuf=0xbfb8d29c, max_len=0, format=0x104463a8 "%.15s%ld%ld%0.8F") at /php/main/spprintf.c:788
#10 0x1017a59c in php_session_create_id (mod_data=0x104b3f08, newlen=0x0) at /php/ext/session/session.c:736
#11 0x1017aa2c in php_session_initialize () at /php/ext/session/session.c:830
#12 0x1017d530 in php_session_start () at /php/ext/session/session.c:1325
#13 0x1017fe48 in zif_session_start (ht=0, return_value=0x105695c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /php/ext/session/session.c:1815
#14 0x103539d4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8dff8) at /php/Zend/zend_vm_execute.h:200
#15 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8dff8) at /php/Zend/zend_vm_execute.h:1679
#16 0x1035334c in execute (op_array=0x10596f88) at /php/Zend/zend_vm_execute.h:92
#17 0x10353ba4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8e148) at /php/Zend/zend_vm_execute.h:234
#18 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8e148) at /php/Zend/zend_vm_execute.h:1679
#19 0x1035334c in execute (op_array=0x10560418) at /php/Zend/zend_vm_execute.h:92
#20 0x10365278 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0xbfb8f2e8) at /php/Zend/zend_vm_execute.h:4612
#21 0x1035334c in execute (op_array=0x1055d000) at /php/Zend/zend_vm_execute.h:92
#22 0x10322798 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php/Zend/zend.c:1134
#23 0x102ba7c0 in php_execute_script (primary_file=0xbfb9175c) at /php/main/main.c:2005
#24 0x103cb7dc in main (argc=3, argv=0xbfb93d24) at /php/sapi/cgi/cgi_main.c:1919
--
Edit bug report at https://bugs.php.net/bug.php?id=62525&edit=1
Bug #62525 [Opn]: sigabrt while converting floating point to string
Edit report at https://bugs.php.net/bug.php?id=62525&edit=1
ID: 62525
User updated by: perryjp at gmail dot com
Reported by: perryjp at gmail dot com
Summary: sigabrt while converting floating point to string
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: Ubuntu 10.04.3 LTS
PHP Version: master-Git-2012-07-10 (Git)
Block user comment: N
Private report: N

New Comment:
Apologies, I should have mentioned that the core dump is from 5.2.6, but I looked at the head in git and the issue still exists; the line numbers in my description are based on the head as of today, as is the patch file. As I mentioned previously, the core of my issue was a compilation issue, so I'm not entirely sure how you would reproduce it with a good build, but if you look at php_conv_fp (snprintf.c:396) it blindly frees p_orig, which was initialized by the calls to php_fcvt()/php_ecvt(), which both call __cvt. If __cvt detects Infinity or NaN, it returns the static strings "INF" or "NAN" (snprintf.c:97), which can't be freed, and thus the sigabrt.

Previous Comments:
------------------------------------------------------------------------
[2012-07-10 17:32:06] a...@php.net
But your trace says snprintf.c:399. Could you give a piece of code causing this?
------------------------------------------------------------------------
[2012-07-10 17:06:00] perryjp at gmail dot com
Description:
I traced the root of my problem to compilation issues, but while debugging my issues I traced a sigabrt to a bug in snprintf.c freeing a static string.

php_conv_fp (snprintf.c:396) tries to free the static strings "NAN" or "INF" returned from __cvt (snprintf.c:97).

Actual result: see the backtrace in the original report above.
------------------------------------------------------------------------
Edit this bug report at https://bugs.php.net/bug.php?id=62525&edit=1
Bug #62525 [Opn]: sigabrt while converting floating point to string
Edit report at https://bugs.php.net/bug.php?id=62525&edit=1
ID: 62525
User updated by: perryjp at gmail dot com
Reported by: perryjp at gmail dot com
Summary: sigabrt while converting floating point to string
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: Ubuntu 10.04.3 LTS
PHP Version: master-Git-2012-07-10 (Git)
Block user comment: N
Private report: N

New Comment:
I fixed it in master because the version that I'm using isn't open for bug reports, but looking at the code I can tell that the incorrect code still exists in the tree. I don't want to get too much in the weeds here; my compile issues caused zend_dtoa() to mis-evaluate the value, so it wouldn't think it could represent the number, and thus zend_dtoa() returns decopt= (snprintf.c:91), and so snprintf.c:97 returns a string from the data section of the program rather than allocated memory as it does for snprintf.c:88 and snprintf.c:121. My environment doesn't have the necessary dependencies to build the newer versions of PHP for my target, which is why I'm still on the older one, so getting a bt on master could prove untenable. Still, I decided to submit the crash report/bug because it should be clear that doing a free on something from the data portion of the code (what I called a statically declared string) is incorrect. You can't do free("NAN") or free("INF"), which is essentially what happens.

Previous Comments:
------------------------------------------------------------------------
[2012-07-10 18:55:15] a...@php.net
I'm not sure I get you right: the bt is from 5.2, but you fix it for master? Could you produce a bt for the current master so one could evaluate that? Also, which compilation do you mean? Dynamic memory operations usually don't affect the compilation of C programs. Despite that, it looks like it could be a bug; a valid bt should be there to ensure that. I'll try to make an erroneous prog too.
------------------------------------------------------------------------
[2012-07-10 17:44:04] perryjp at gmail dot com
[2012-07-10 17:32:06] a...@php.net
[2012-07-10 17:06:00] perryjp at gmail dot com
(Earlier comments and the original description with its backtrace are quoted in full in the preceding mails.)
------------------------------------------------------------------------
Bug #62525 [Csd]: sigabrt while converting floating point to string
Edit report at https://bugs.php.net/bug.php?id=62525&edit=1
ID: 62525
User updated by: perryjp at gmail dot com
Reported by: perryjp at gmail dot com
Summary: sigabrt while converting floating point to string
Status: Closed
Type: Bug
Package: Reproducible crash
Operating System: Ubuntu 10.04.3 LTS
PHP Version: master-Git-2012-07-10 (Git)
Assigned To: felipe
Block user comment: N
Private report: N

New Comment:
Looks great, thanks!

Previous Comments:
------------------------------------------------------------------------
[2012-07-14 18:17:50] fel...@php.net
This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

I've committed a slightly different patch. Thanks.
------------------------------------------------------------------------
[2012-07-14 18:17:05] fel...@php.net
Automatic comment on behalf of felipe...@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=63f3962a9015cd119b028e4c6e3f5533fb9f38e0
Log:
- Fixed bug #62525 (sigabrt while converting floating point to string)
------------------------------------------------------------------------
[2012-07-10 19:48:57] perryjp at gmail dot com
[2012-07-10 18:55:15] a...@php.net
[2012-07-10 17:44:04] perryjp at gmail dot com
(Quoted in full in the preceding mails.)
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62525
--
Edit this bug report at https://bugs.php.net/bug.php?id=62525&edit=1
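The defect the reporter describes in the original report and again in the 19:48:57 comment is an ownership mismatch: one conversion routine returns heap memory on the common path and data-section storage on the NaN/Inf path, and the caller frees unconditionally. The following is an added illustration, not code from the bug report, from PHP's snprintf.c, or from felipe's commit: cvt_mixed_ownership is a hypothetical stand-in for the pre-fix __cvt() shape (static_nan and static_inf are assumed names for the "NAN"/"INF" storage), cvt_returns_static identifies which inputs hand back non-heap memory, and two hardened shapes follow: one that allocates on every path so a single free() is always valid, and one that passes an ownership flag to a php_conv_fp-style caller (conv_fp) that frees only what it owns. NaN and infinity are detected with plain comparisons so the block links without libm.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CVT_BUF 64

/* Data-section storage standing in for the "NAN"/"INF" literals the report
 * says __cvt() returns (hypothetical names, not PHP's source). */
static char static_nan[] = "NAN";
static char static_inf[] = "INF";

static int is_nan(double v)      { return v != v; }
static int is_infinite(double v) { return v > DBL_MAX || v < -DBL_MAX; }

/* Pre-fix shape: finite values come back in heap memory, non-finite values
 * as static storage, and the caller has no way to tell which it received. */
static char *cvt_mixed_ownership(double value, int ndigit)
{
    if (is_nan(value))
        return static_nan;                 /* free() on this aborts in glibc */
    if (is_infinite(value))
        return static_inf;                 /* likewise */
    char *buf = malloc(CVT_BUF);
    if (buf != NULL)
        snprintf(buf, CVT_BUF, "%.*f", ndigit, value);
    return buf;
}

/* Detection helper: 1 if the conversion returned static storage (the input
 * class that triggers the abort), 0 if it returned heap memory (released). */
int cvt_returns_static(double value)
{
    char *p = cvt_mixed_ownership(value, 8);
    if (p == static_nan || p == static_inf)
        return 1;
    free(p);
    return 0;
}

/* Fix A: every path allocates, so an unconditional free() is always correct. */
char *cvt_always_heap(double value, int ndigit)
{
    char *buf = malloc(CVT_BUF);
    if (buf == NULL)
        return NULL;
    if (is_nan(value))
        strcpy(buf, "NAN");
    else if (is_infinite(value))
        strcpy(buf, "INF");
    else
        snprintf(buf, CVT_BUF, "%.*f", ndigit, value);
    return buf;
}

/* Fix B: keep the static fast path but tell the caller who owns the buffer. */
char *cvt_with_owner_flag(double value, int ndigit, int *caller_must_free)
{
    *caller_must_free = 0;
    if (is_nan(value))
        return static_nan;
    if (is_infinite(value))
        return static_inf;
    char *buf = malloc(CVT_BUF);
    if (buf == NULL)
        return NULL;
    snprintf(buf, CVT_BUF, "%.*f", ndigit, value);
    *caller_must_free = 1;
    return buf;
}

/* Caller in the role of php_conv_fp: copies the digits into `out` and
 * releases the conversion result only when it owns it. Returns the number
 * of characters written, excluding the terminator. */
size_t conv_fp(double value, int precision, char *out, size_t outlen)
{
    int must_free = 0;
    char *digits = cvt_with_owner_flag(value, precision, &must_free);
    if (digits == NULL) { out[0] = '\0'; return 0; }
    size_t n = strlen(digits);
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, digits, n);
    out[n] = '\0';
    if (must_free)
        free(digits);                      /* never reached for NAN/INF */
    return n;
}

/* Self-check helpers: 1 if the given conversion yields `expected`. */
int conv_fp_equals(double value, int precision, const char *expected)
{
    char out[CVT_BUF];
    conv_fp(value, precision, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int heap_cvt_equals(double value, int precision, const char *expected)
{
    char *s = cvt_always_heap(value, precision);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    double samples[] = { 2.0824708938098908, NAN, INFINITY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[CVT_BUF];
        conv_fp(samples[i], 8, out, sizeof out);
        printf("%g: static=%d -> \"%s\"\n", samples[i],
               cvt_returns_static(samples[i]), out);
    }
    return 0;
}
```

The check in cvt_returns_static is what a reviewer would reach for when auditing a caller like php_conv_fp: any input for which the conversion returns a pointer that was not produced by the allocator makes an unconditional free() a crash (glibc's malloc_printerr path in the backtrace) or, with other allocators, heap corruption. Either fix closes that gap; Fix A is simpler to reason about, Fix B preserves the allocation-free path for non-finite values at the cost of one more parameter.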