Edit report at http://bugs.php.net/bug.php?id=53974&edit=1

 ID:                 53974
 Updated by:         johan...@php.net
 Reported by:        s...@php.net
 Summary:            Crash in trunk zend_dtoa() with unmet loop condition
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            *General Issues
 Operating System:   Ubuntu 32 bit
 PHP Version:        trunk-SVN-2011-02-09 (SVN)
-Assigned To:
+Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Dmitry, any idea maybe?


Previous Comments:
------------------------------------------------------------------------
[2011-02-09 20:22:18] s...@php.net

Description:
------------
A segfault occurs after a few reloads of a phpinfo() script with PHP
trunk on Ubuntu 10.04 and 10.10, both 32-bit. It doesn't occur with
PHP_5_3.

Test script:
---------------
Steps:
- Start Apache: httpd -x
- Repeatedly load a script <?php phpinfo(); ?>.
- Within 10 reloads, Apache segfaults.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14, decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
(gdb) bt
#0  0x009064ae in zend_dtoa (_d=197618504, mode=2, ndigits=14, decpt=0xbfffc8cc, sign=0xbfffc8c8, rve=0x0) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_strtod.c:1670
#1  0x0086d374 in php_gcvt (value=197618504, ndigit=14, dec_point=46 '.', exponent=69 'E', buf=0xbfffc9cd "5\217") at /home/cjones/phpsrc/php/php-src/trunk/main/snprintf.c:142
#2  0x008703a5 in xbuf_format_converter (xbuf=0xbfffcbf4, fmt=0xcfb477 "G", ap=0xbfffcc58 "_(\210") at /home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:669
#3  0x00870db5 in vspprintf (pbuf=0xbfffcd04, max_len=0, format=0xcfb474 "%.*G", ap=0xbfffcc4c "\016") at /home/cjones/phpsrc/php/php-src/trunk/main/spprintf.c:797
#4  0x00903c63 in zend_spprintf (message=0xbfffcd04, max_len=0, format=0xcfb474 "%.*G") at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_exceptions.c:545
#5  0x008dc2ec in _convert_to_string (op=0xbfffcd04, __zend_filename=0xccd72c "/home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c", __zend_lineno=252) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_operators.c:578
#6  0x007b4fc3 in php_print_gpcse_array (name=0xcce134 "_SERVER", name_length=7) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:252
#7  0x007b5e46 in php_print_info (flag=-1) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:885
#8  0x007b66d4 in zif_phpinfo (ht=0, return_value=0xb7fc1734, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/cjones/phpsrc/php/php-src/trunk/ext/standard/info.c:1141
#9  0x0091a7d0 in zend_do_fcall_common_helper_SPEC (execute_data=0xb7fa6074) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:638
#10 0x0091fac5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xb7fa6074) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:1935
#11 0x00919632 in execute (op_array=0xb7fc0808) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend_vm_execute.h:410
#12 0x008e629e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cjones/phpsrc/php/php-src/trunk/Zend/zend.c:1212
#13 0x0086cc4f in php_execute_script (primary_file=0xbffff3ac) at /home/cjones/phpsrc/php/php-src/trunk/main/main.c:2344
#14 0x009ed1f8 in php_handler (r=0x83299c8) at /home/cjones/phpsrc/php/php-src/trunk/sapi/apache2handler/sapi_apache2.c:667
#15 0x0807c556 in ap_run_handler (r=0x83299c8) at config.c:158
#16 0x0807fc01 in ap_invoke_handler (r=0x83299c8) at config.c:372
#17 0x080974e0 in ap_process_request (r=0x83299c8) at http_request.c:282
#18 0x08094520 in ap_process_http_connection (c=0x8323b48) at http_core.c:190
#19 0x08083fe6 in ap_run_process_connection (c=0x8323b48) at connection.c:43
#20 0x080b472d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#21 0x080b49df in make_child (s=0x80e5db8, slot=0) at prefork.c:702
#22 0x080b509c in ap_mpm_run (_pconf=0x80df0a8, plog=0x811d1a0, s=0x80e5db8) at prefork.c:978
#23 0x08069134 in main (argc=2, argv=0xbffff8f4) at main.c:740
(gdb) p j1
$1 = -2147483648
(gdb) p j
$2 = -1
(gdb) p *decpt
$3 = 9154443
(gdb) p *sign
$4 = 0
(gdb) p i
$5 = 4678168
(gdb) p d
$6 = {
  d = nan(0xfffffffffffff),
  ul = {4294967295, 2147483647}
}

The crash is at the assignment of bigtens[i] in:

	else if ((j1 = -k)) {
		value(d) *= tens[j1 & 0xf];
		for(j = j1 >> 4; j; j >>= 1, i++)
			if (j & 1) {
				ieps++;
				value(d) *= bigtens[i];
			}
	}

Because j is -1, it can never satisfy the loop condition.

The relevant code in the file is unchanged from PHP 5.3, and dropping the
PHP 5.3 zend_strtod.[ch] files into trunk and rebuilding doesn't fix it.

------------------------------------------------------------------------
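The non-terminating loop described in the report, as an added illustration that is not part of the bug report or of the PHP source: it re-runs only the control flow of the quoted `for(j = j1 >> 4; j; j >>= 1, i++)` loop against a constructed copy of dtoa's five-entry bigtens table (assumed to match the one zend_strtod.c carries, after Gay's dtoa.c), records and bounds-checks the index instead of multiplying by `bigtens[i]`, and stops after a cap, so the overrun is reported rather than triggered.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed copy of the bigtens table from Gay's dtoa.c (assumed to be the
 * one zend_strtod.c carries). Five entries suffice for any finite double:
 * |k| <= 308, so j1 >> 4 <= 19 and the loop touches at most index 4. */
static const double bigtens[] = { 1e16, 1e32, 1e64, 1e128, 1e256 };
#define NBIGTENS ((int)(sizeof bigtens / sizeof bigtens[0]))

struct loop_result {
    int  iterations; /* -1 if the cap was hit, i.e. j never reached 0 */
    int  max_index;  /* highest i at which bigtens[i] would be read */
    bool overrun;    /* true if that index lies outside bigtens */
};

/* Re-runs only the control flow of the scaling loop quoted in the report.
 * Where zend_dtoa multiplies by bigtens[i], this records and bounds-checks
 * the index instead, and a cap ends the simulation. With the value gdb shows
 * in the report, j1 = INT_MIN (d is NaN there), the arithmetic right shift
 * (implementation-defined in C, sign-preserving on gcc/x86) keeps the sign
 * bit: j walks -2^27, -2^26, ... then sticks at -1, so the condition `j`
 * never becomes 0 and i climbs past the end of the table. */
struct loop_result simulate_scaling_loop(int j1, int cap)
{
    struct loop_result r = { 0, -1, false };
    int i = 0, j;
    for (j = j1 >> 4; j; j >>= 1, i++) {
        if (r.iterations++ >= cap) { r.iterations = -1; return r; }
        if (j & 1) {
            r.max_index = i;
            if (i >= NBIGTENS)
                r.overrun = true; /* zend_dtoa would read past bigtens here */
        }
    }
    return r;
}

int  loop_iterations(int j1, int cap)       { return simulate_scaling_loop(j1, cap).iterations; }
bool loop_overruns_bigtens(int j1, int cap) { return simulate_scaling_loop(j1, cap).overrun; }

int main(void)
{
    const int cases[] = { 84, 308, INT_MIN }; /* j1 = -k for two finite values, then the crash value */
    for (size_t n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        struct loop_result r = simulate_scaling_loop(cases[n], 1000);
        printf("j1=%d: iterations=%d max_index=%d overrun=%s\n",
               cases[n], r.iterations, r.max_index, r.overrun ? "yes" : "no");
    }
    return 0;
}
```

For the two finite-exponent cases the loop ends within five iterations and never indexes past entry 4; for j1 = INT_MIN it hits the cap with the recorded index far beyond the table, which is the out-of-bounds read behind the SIGSEGV.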