ID:               24842
 Updated by:       [EMAIL PROTECTED]
 Reported By:      vma1 at abv dot bg
-Status:           Open
+Status:           Feedback
 Bug Type:         Zend Engine 2 problem
 Operating System: Slackware Linux 9.0
 PHP Version:      5CVS-2003-07-28 (dev)
 New Comment:

Also tested with the CGI, can't reproduce this with it either. And
neither could anybody else reproduce this (whom I asked). So are you
sure there is a bug? And not just something wrong with your system?
Which GCC are you using?
What glibc do you have?



Previous Comments:
------------------------------------------------------------------------

[2003-07-29 06:34:28] vma1 at abv dot bg

"php -n bug.php" gives the same script output, including the segfault.
The only difference is the HTTP headers at the beginning, because of
the missing -f option.
I started digging into the PHP code, so I'll post a patch when/if I
correct the bug.

------------------------------------------------------------------------

[2003-07-29 06:06:36] [EMAIL PROTECTED]

I'm still unable to reproduce this, can you try running
the script with this command:

# sapi/cli/php -n test.php

(to make it ignore any php.ini you have..)


------------------------------------------------------------------------

[2003-07-29 00:30:15] vma1 at abv dot bg

I have slightly modified zend_execute.c to print more info and tried a
simpler version of the script.

Here is the script:

<?
class broken
{
        public function __destruct ()
        {
                $this->show (array (
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "", "", "", "", "", "", "", "", "", "", "", "", "", ""
                ));
        }
        
        private function show ($values)
        {
                foreach ($values as $val) {
                        printf ("%s\n", $val);
                }
        }
}

$brk = new broken ();
?>

Here is the resulting backtrace:
#0  0x081ad855 in zend_pzval_lock_func (z=0x0) at
/usr/src/php5-200307280930/Zend/zend_execute_locks.h:29
29              z->refcount++;
(gdb) bt
#0  0x081ad855 in zend_pzval_lock_func (z=0x0) at
/usr/src/php5-200307280930/Zend/zend_execute_locks.h:29
#1  0x081a4101 in zend_fetch_var_address (opline=0x402d17b4,
Ts=0xbfffe940, type=1) at
/usr/src/php5-200307280930/Zend/zend_execute.c:660
#2  0x081a6e2a in zend_fetch_w_handler (execute_data=0xbfffea90,
op_array=0x402d0050) at
/usr/src/php5-200307280930/Zend/zend_execute.c:1786
#3  0x081a552e in execute (op_array=0x402d0050) at
/usr/src/php5-200307280930/Zend/zend_execute.c:1194
#4  0x081a9222 in zend_do_fcall_common_helper (execute_data=0xbfffebc0,
op_array=0x402d0ee4) at
/usr/src/php5-200307280930/Zend/zend_execute.c:2542
#5  0x081a95f0 in zend_do_fcall_by_name_handler
(execute_data=0xbfffebc0, op_array=0x402d0ee4) at
/usr/src/php5-200307280930/Zend/zend_execute.c:2616
#6  0x081a552e in execute (op_array=0x402d0ee4) at
/usr/src/php5-200307280930/Zend/zend_execute.c:1194
#7  0x081811be in fast_call_user_function (function_table=0x402cf3f4,
object_pp=0xbfffed98, function_name=0x402cd2c4,
retval_ptr_ptr=0xbfffed90,
    param_count=0, params=0x0, no_separation=0,
symbol_table=0xbfffed60, function_pointer=0xbfffed24)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:703
#8  0x08180792 in call_user_function_ex (function_table=0x0,
object_pp=0xbfffed98, function_name=0x402cd2c4,
retval_ptr_ptr=0xbfffed90, param_count=0,
    params=0x0, no_separation=0, symbol_table=0xbfffed60) at
/usr/src/php5-200307280930/Zend/zend_execute_API.c:486
#9  0x081986d9 in zend_objects_destroy_object (object=0x402d0320,
handle=1) at /usr/src/php5-200307280930/Zend/zend_objects.c:79
#10 0x0819a724 in zend_objects_store_del_ref (zobject=0x402d02dc) at
/usr/src/php5-200307280930/Zend/zend_objects_API.c:142
#11 0x08188d13 in _zval_dtor (zvalue=0x402d02dc,
__zend_filename=0x81ee900
"/usr/src/php5-200307280930/Zend/zend_execute_API.c",
__zend_lineno=354)
    at /usr/src/php5-200307280930/Zend/zend_variables.c:61
#12 0x08180159 in _zval_ptr_dtor (zval_ptr=0x402d03fc,
__zend_filename=0x81ef3e0
"/usr/src/php5-200307280930/Zend/zend_variables.c", __zend_lineno=165)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:354
#13 0x08188f19 in _zval_ptr_dtor_wrapper (zval_ptr=0x402d03fc) at
/usr/src/php5-200307280930/Zend/zend_variables.c:165
#14 0x0819000c in zend_hash_destroy (ht=0x82082b0) at
/usr/src/php5-200307280930/Zend/zend_hash.c:510
#15 0x0817fc01 in shutdown_executor () at
/usr/src/php5-200307280930/Zend/zend_execute_API.c:211
#16 0x0818a07d in zend_deactivate () at
/usr/src/php5-200307280930/Zend/zend.c:795
#17 0x081525ef in php_request_shutdown (dummy=0x0) at
/usr/src/php5-200307280930/main/main.c:1174
#18 0x081b0af5 in main (argc=3, argv=0xbffffa74) at
/usr/src/php5-200307280930/sapi/cgi/cgi_main.c:1617
#19 0x401a5bb4 in __libc_start_main () from /lib/libc.so.6

and here is the output of my modified php:
[EMAIL PROTECTED]:/website/usr/local/apache/site/htdocs# php -f ./bug.php
Executing opcode 139 on line: 3
Executing opcode 146 on line: 20
Executing opcode 109 on line: 22
Executing opcode 68 on line: 22
Executing opcode 69 on line: 22
Executing opcode 83 on line: 22
Fetching (non-static property) variable: "brk"
Executing opcode 38 on line: 22
Executing opcode 62 on line: 24
Executing opcode 112 on line: 6
Executing opcode 71 on line: 7
Executing opcode 72 on line: 8
Executing opcode 72 on line: 9
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 10
Executing opcode 72 on line: 11
Executing opcode 65 on line: 11
Executing opcode 61 on line: 11
CALLING FUNCTION: "show"
Executing opcode 83 on line: 14
Fetching (non-static property) variable: "values"
Executing opcode 63 on line: 14
Executing opcode 83 on line: 16
Fetching (non-static property) variable: "values"
Executing opcode 77 on line: 16
Executing opcode 78 on line: 16
Executing opcode 83 on line: 16
Fetching (non-static property) variable: "val"
Executing opcode 98 on line: 16
Executing opcode 38 on line: 16
Executing opcode 70 on line: 16
Executing opcode 65 on line: 17
Executing opcode 80 on line: 17
Fetching (non-static property) variable: "val"
Executing opcode 66 on line: 17
Executing opcode 60 on line: 17
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Executing opcode 42 on line: 18
Executing opcode 78 on line: 16
Executing opcode 83 on line: 16
Fetching (non-static property) variable: "val"
Segmentation fault (core dumped)

------------------------------------------------------------------------

[2003-07-28 08:53:02] vma1 at abv dot bg

In this case php was compiled and installed with:
configure --enable-debug --without-pear;make;make install

the script was run with:
php -f ./bug.php

------------------------------------------------------------------------

[2003-07-28 08:34:39] vma1 at abv dot bg

Description:
------------
This is a repost of an existing bug that was closed. Running the
following script from the command line causes memory corruption or a
segfault.


Reproduce code:
---------------
<?
class database
{
}

$a = new database;
$b = new database;

class broken
{
        public function __construct ()
        {
        }

        public function __destruct ()
        {
                $this->show (array (
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                        "", "", "", "", "", "", "", "", "", "", "", "", "", ""
                ));
        }

        private function show ($values)
        {
                $values_string = "";
                foreach ($values as $val) {
                        $values_string .= $val;
                }
                printf ("%s\n", $values_string);
        }
}

$brk = new broken ();
?>


Expected result:
----------------
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Actual result:
--------------
This is the gdb backtrace when a segfault happens. In other cases the
output string is corrupted.

#0  0x08180134 in _zval_ptr_dtor (zval_ptr=0x402c3a48,
__zend_filename=0x81ef380
"/usr/src/php5-200307280930/Zend/zend_variables.c", __zend_lineno=165)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:352
352             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x08180134 in _zval_ptr_dtor (zval_ptr=0x402c3a48,
__zend_filename=0x81ef380
"/usr/src/php5-200307280930/Zend/zend_variables.c", __zend_lineno=165)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:352
#1  0x08188f19 in _zval_ptr_dtor_wrapper (zval_ptr=0x402c3a48) at
/usr/src/php5-200307280930/Zend/zend_variables.c:165
#2  0x08190145 in zend_hash_clean (ht=0x402d0d04) at
/usr/src/php5-200307280930/Zend/zend_hash.c:536
#3  0x081a931a in zend_do_fcall_common_helper (execute_data=0xbfffebe0,
op_array=0x402cfe20) at
/usr/src/php5-200307280930/Zend/zend_execute.c:2560
#4  0x081a9595 in zend_do_fcall_by_name_handler
(execute_data=0xbfffebe0, op_array=0x402cfe20) at
/usr/src/php5-200307280930/Zend/zend_execute.c:2613
#5  0x081a54f2 in execute (op_array=0x402cfe20) at
/usr/src/php5-200307280930/Zend/zend_execute.c:1192
#6  0x081811be in fast_call_user_function (function_table=0x402cf954,
object_pp=0xbfffedb8, function_name=0x402d0b14,
retval_ptr_ptr=0xbfffedb0,
    param_count=0, params=0x0, no_separation=0,
symbol_table=0xbfffed80, function_pointer=0xbfffed44)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:703
#7  0x08180792 in call_user_function_ex (function_table=0x0,
object_pp=0xbfffedb8, function_name=0x402d0b14,
retval_ptr_ptr=0xbfffedb0, param_count=0,
    params=0x0, no_separation=0, symbol_table=0xbfffed80) at
/usr/src/php5-200307280930/Zend/zend_execute_API.c:486
#8  0x081986d9 in zend_objects_destroy_object (object=0x402d0c5c,
handle=3) at /usr/src/php5-200307280930/Zend/zend_objects.c:79
#9  0x0819a724 in zend_objects_store_del_ref (zobject=0x402d0c18) at
/usr/src/php5-200307280930/Zend/zend_objects_API.c:142
#10 0x08188d13 in _zval_dtor (zvalue=0x402d0c18,
__zend_filename=0x81ee8a0
"/usr/src/php5-200307280930/Zend/zend_execute_API.c",
__zend_lineno=354)
    at /usr/src/php5-200307280930/Zend/zend_variables.c:61
#11 0x08180159 in _zval_ptr_dtor (zval_ptr=0x402d0e0c,
__zend_filename=0x81ef380
"/usr/src/php5-200307280930/Zend/zend_variables.c", __zend_lineno=165)
    at /usr/src/php5-200307280930/Zend/zend_execute_API.c:354
#12 0x08188f19 in _zval_ptr_dtor_wrapper (zval_ptr=0x402d0e0c) at
/usr/src/php5-200307280930/Zend/zend_variables.c:165
#13 0x0819000c in zend_hash_destroy (ht=0x82082b0) at
/usr/src/php5-200307280930/Zend/zend_hash.c:510
#14 0x0817fc01 in shutdown_executor () at
/usr/src/php5-200307280930/Zend/zend_execute_API.c:211
#15 0x0818a07d in zend_deactivate () at
/usr/src/php5-200307280930/Zend/zend.c:795
#16 0x081525ef in php_request_shutdown (dummy=0x0) at
/usr/src/php5-200307280930/main/main.c:1174
#17 0x081b0a9d in main (argc=4, argv=0xbffffa94) at
/usr/src/php5-200307280930/sapi/cgi/cgi_main.c:1617
#18 0x401a5bb4 in __libc_start_main () from /lib/libc.so.6
(gdb)



------------------------------------------------------------------------
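Triaging a report like this one starts with reading the gdb backtrace: which function faulted, whether any of its arguments is a NULL pointer (here `zend_pzval_lock_func (z=0x0)`), and whether the crash happened while the engine was running user destructors during request shutdown. The script below is an added example, not code from the report or from the PHP project; it re-joins the frames that the mail client wrapped across lines, parses them, and produces that summary. The sample backtrace is constructed from a few frames quoted in the report above, and the function names it looks for (`zend_objects_destroy_object`, `shutdown_executor`, `zend_deactivate`, `php_request_shutdown`) are the ones that appear in those frames.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: a few frames of the gdb backtrace from the report
# above, kept with the same line wrapping the mail client applied.
SAMPLE_BT = """\
#0  0x081ad855 in zend_pzval_lock_func (z=0x0) at
/usr/src/php5-200307280930/Zend/zend_execute_locks.h:29
#1  0x081a4101 in zend_fetch_var_address (opline=0x402d17b4,
Ts=0xbfffe940, type=1) at
/usr/src/php5-200307280930/Zend/zend_execute.c:660
#9  0x081986d9 in zend_objects_destroy_object (object=0x402d0320,
handle=1) at /usr/src/php5-200307280930/Zend/zend_objects.c:79
#15 0x0817fc01 in shutdown_executor () at
/usr/src/php5-200307280930/Zend/zend_execute_API.c:211
#19 0x401a5bb4 in __libc_start_main () from /lib/libc.so.6
"""


class Frame(NamedTuple):
    num: int
    func: str
    args: str
    location: str          # source file or shared library
    line: Optional[int]    # None when gdb only had a library name


# One gdb frame after re-joining: "#N  0xADDR in func (args) at file:line"
# or "#N  0xADDR in func (args) from /lib/libfoo.so".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[\w.$]+)\s*"
    r"\((?P<args>.*?)\)\s+(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))\s*$"
)

# Frames that mark the crash as happening inside a user-level destructor,
# and frames that mark it as happening during request shutdown (names
# taken from the backtraces in the report).
DESTRUCTOR_FUNCS = ("zend_objects_destroy_object",)
SHUTDOWN_FUNCS = ("shutdown_executor", "zend_deactivate", "php_request_shutdown")


def join_wrapped(text: str) -> list:
    """Re-join frames split over several physical lines: any line that does
    not begin with '#' is a continuation of the previous frame."""
    frames = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            frames.append(raw.strip())
        elif frames and raw.strip():
            frames[-1] += " " + raw.strip()
    return frames


def parse_backtrace(text: str) -> list:
    """Parse a gdb 'bt' listing into Frame tuples, skipping unparseable lines."""
    frames = []
    for entry in join_wrapped(text):
        m = FRAME_RE.match(entry)
        if not m:
            continue
        frames.append(Frame(
            num=int(m["num"]),
            func=m["func"],
            args=m["args"],
            location=m["file"] or m["lib"],
            line=int(m["line"]) if m["line"] else None,
        ))
    return frames


def crash_summary(text: str) -> dict:
    """Summarise the faulting frame and the engine state it was reached in."""
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no gdb frames found in input")
    top = frames[0]
    funcs = {f.func for f in frames}
    # Arguments whose value is a literal NULL pointer, e.g. "z=0x0".
    null_args = [a.strip().split("=", 1)[0]
                 for a in top.args.split(",") if a.strip().endswith("=0x0")]
    site = f"{top.location}:{top.line}" if top.line is not None else top.location
    return {
        "crash_func": top.func,
        "crash_site": site,
        "null_args": null_args,
        "in_destructor": any(f in funcs for f in DESTRUCTOR_FUNCS),
        "during_shutdown": any(f in funcs for f in SHUTDOWN_FUNCS),
        "frames": len(frames),
    }


if __name__ == "__main__":
    for key, value in crash_summary(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

For the sample above the summary reports the fault in `zend_pzval_lock_func` at `zend_execute_locks.h:29` with `z` as the NULL argument, reached from an object destructor during executor shutdown, which is exactly the pattern a reviewer would want to confirm before trying to reproduce the report on another system.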


-- 
Edit this bug report at http://bugs.php.net/?id=24842&edit=1