Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:41071
Return-Path: <php-dev.list@daevel.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68082 invoked from network); 15 Oct 2008 13:44:20 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Oct 2008 13:44:20 -0000
Authentication-Results: pb1.pair.com header.from=php-dev.list@daevel.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=php-dev.list@daevel.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain daevel.net designates 91.121.160.166 as permitted sender)
X-PHP-List-Original-Sender: php-dev.list@daevel.net
X-Host-Fingerprint: 91.121.160.166 scrubby.daevel.fr Linux 2.6
Received: from [91.121.160.166] ([91.121.160.166:51715] helo=scrubby.daevel.fr)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 61/30-19544-2B3F5F84 for <internals@lists.php.net>; Wed, 15 Oct 2008 09:44:19 -0400
Received: from 213-245-197-58.rev.numericable.fr ([213.245.197.58] helo=[192.168.1.3])
	by scrubby.daevel.fr with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.68)
	(envelope-from <php-dev.list@daevel.net>)
	id 1Kq6ff-0007AE-Ja
	for internals@lists.php.net; Wed, 15 Oct 2008 15:44:15 +0200
Message-ID: <48F5F3AE.4090306@daevel.net>
Date: Wed, 15 Oct 2008 15:44:14 +0200
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: internals@lists.php.net
References: <48EF89BD.5030904@daevel.fr> <48F05C90.1070609@suse.de> <48F0E7F2.2010607@daevel.fr>
In-Reply-To: <48F0E7F2.2010607@daevel.fr>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] segfault after an "invalid read of size 8"
From: php-dev.list@daevel.net (Olivier Bonvalet)

So, I reduce the script which throw the segmentation fault.

My environment :
    Debian Lenny, 64bits
    Latest PHP 5.2 from CVS (php5.2-200810151030) compiled with :
        ./configure --prefix=/home/dev-olivier/usr/ --disable-all 
--enable-debug


In "first.php" I have this code :
============================================================
<?php
class main
{
    public static $dummy        = NULL ;
    public static $dataAccessor = NULL ;
}

class dataAccessor
{
}

class relay
{
    public function __get( $name )
    {
        main::$dataAccessor = new dataAccessor;
    }
}

class dummy
{
}

main::$dummy        = new dummy();
main::$dataAccessor = new relay();
?>
============================================================

And in "second.php" I have this :
(if I regroup all code in one file, there is no segfault)

============================================================
<?php
error_reporting( E_ALL | E_NOTICE );

require 'first.php';

main::$dataAccessor->bar;
?>
============================================================


If I do :
export USE_ZEND_ALLOC=1 ; /home/dev-olivier/usr/bin/php second.php
==> no segfault
export USE_ZEND_ALLOC=0 ; /home/dev-olivier/usr/bin/php second.php
==> segfault

Sometimes I obtain this output :
*** glibc detected *** /home/dev-olivier/usr/bin/php: corrupted 
double-linked list: 0x0000000002603800 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f038ba39948]
/lib/libc.so.6[0x7f038ba39bda]
/lib/libc.so.6[0x7f038ba3b708]
/lib/libc.so.6(cfree+0x76)[0x7f038ba3ba56]
/home/dev-olivier/usr/bin/php[0x53ec31]
/home/dev-olivier/usr/bin/php[0x53ecb3]
/home/dev-olivier/usr/bin/php[0x541d2b]
/home/dev-olivier/usr/bin/php(zend_mm_shutdown+0x4c)[0x540a80]
/home/dev-olivier/usr/bin/php(shutdown_memory_manager+0x20)[0x5436ae]
/home/dev-olivier/usr/bin/php(php_request_shutdown+0x31c)[0x50add9]
/home/dev-olivier/usr/bin/php(main+0x17c1)[0x5e6c24]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f038b9e41a6]
/home/dev-olivier/usr/bin/php[0x425c39]
======= Memory map: ========
00400000-006ad000 r-xp 00000000 fd:04 1968300                            
/home/dev-olivier/usr/bin/php
008ac000-008ca000 rw-p 002ac000 fd:04 1968300                            
/home/dev-olivier/usr/bin/php
008ca000-008cf000 rw-p 008ca000 00:00 0
0253b000-0260c000 rw-p 0253b000 00:00 0                                  
[heap]
7f0384000000-7f0384021000 rw-p 7f0384000000 00:00 0
7f0384021000-7f0388000000 ---p 7f0384021000 00:00 0
7f038b5fe000-7f038b614000 r-xp 00000000 09:01 285898                     
/lib/libgcc_s.so.1
7f038b614000-7f038b814000 ---p 00016000 09:01 285898                     
/lib/libgcc_s.so.1
7f038b814000-7f038b815000 rw-p 00016000 09:01 285898                     
/lib/libgcc_s.so.1
7f038b815000-7f038b9c6000 r--p 00000000 09:01 261814                     
/usr/lib/locale/locale-archive
7f038b9c6000-7f038bb10000 r-xp 00000000 09:01 288347                     
/lib/libc-2.7.so
7f038bb10000-7f038bd0f000 ---p 0014a000 09:01 288347                     
/lib/libc-2.7.so
7f038bd0f000-7f038bd12000 r--p 00149000 09:01 288347                     
/lib/libc-2.7.so
7f038bd12000-7f038bd14000 rw-p 0014c000 09:01 288347                     
/lib/libc-2.7.so
7f038bd14000-7f038bd19000 rw-p 7f038bd14000 00:00 0
7f038bd19000-7f038bd2e000 r-xp 00000000 09:01 288291                     
/lib/libnsl-2.7.so
7f038bd2e000-7f038bf2d000 ---p 00015000 09:01 288291                     
/lib/libnsl-2.7.so
7f038bf2d000-7f038bf2f000 rw-p 00014000 09:01 288291                     
/lib/libnsl-2.7.so
7f038bf2f000-7f038bf31000 rw-p 7f038bf2f000 00:00 0
7f038bf31000-7f038bf33000 r-xp 00000000 09:01 288283                     
/lib/libdl-2.7.so
7f038bf33000-7f038c133000 ---p 00002000 09:01 288283                     
/lib/libdl-2.7.so
7f038c133000-7f038c135000 rw-p 00002000 09:01 288283                     
/lib/libdl-2.7.so
7f038c135000-7f038c1b7000 r-xp 00000000 09:01 301994                     
/lib/libm-2.7.so
7f038c1b7000-7f038c3b6000 ---p 00082000 09:01 301994                     
/lib/libm-2.7.so
7f038c3b6000-7f038c3b8000 rw-p 00081000 09:01 301994                     
/lib/libm-2.7.so
7f038c3b8000-7f038c3c8000 r-xp 00000000 09:01 301990                     
/lib/libresolv-2.7.so
7f038c3c8000-7f038c5c8000 ---p 00010000 09:01 301990                     
/lib/libresolv-2.7.so
7f038c5c8000-7f038c5ca000 rw-p 00010000 09:01 301990                     
/lib/libresolv-2.7.so
7f038c5ca000-7f038c5cc000 rw-p 7f038c5ca000 00:00 0
7f038c5cc000-7f038c5d4000 r-xp 00000000 09:01 288290                     
/lib/libcrypt-2.7.so
7f038c5d4000-7f038c7d4000 ---p 00008000 09:01 288290                     
/lib/libcrypt-2.7.so
7f038c7d4000-7f038c7d6000 rw-p 00008000 09:01 288290                     
/lib/libcrypt-2.7.so
7f038c7d6000-7f038c804000 rw-p 7f038c7d6000 00:00 0
7f038c804000-7f038c820000 r-xp 00000000 09:01 288285                     
/lib/ld-2.7.so
7f038ca0a000-7f038ca0e000 rw-p 7f038ca0a000 00:00 0
7f038ca19000-7f038ca1a000 rw-p 7f038ca19000 00:00 0
7f038ca1c000-7f038ca1f000 rw-p 7f038ca1c000 00:00 0
7f038ca1f000-7f038ca21000 rw-p 0001b000 09:01 288285                     
/lib/ld-2.7.so
7fff94a0b000-7fff94a20000 rw-p 7ffffffea000 00:00 0                      
[stack]
7fff94bfe000-7fff94bff000 r-xp 7fff94bfe000 00:00 0                      
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  
[vsyscall]
Abort


And valgrind outputs this :
==12485== Memcheck, a memory error detector.
==12485== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12485== Using LibVEX rev 1854, a library for dynamic binary translation.
==12485== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12485== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation 
framework.
==12485== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12485== For more details, rerun with: -v
==12485==
==12485== Invalid write of size 1
==12485==    at 0x585F25: zend_std_read_property 
(zend_object_handlers.c:333)
==12485==    by 0x5A796E: 
zend_fetch_property_address_read_helper_SPEC_VAR_CONST 
(zend_vm_execute.h:9107)
==12485==    by 0x5A7AE6: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER 
(zend_vm_execute.h:9130)
==12485==    by 0x58AE3A: execute (zend_vm_execute.h:92)
==12485==    by 0x562D40: zend_execute_scripts (zend.c:1134)
==12485==    by 0x50B98C: php_execute_script (main.c:2011)
==12485==    by 0x5E635D: main (php_cli.c:1134)
==12485==  Address 0x5db37d8 is 0 bytes inside a block of size 5 free'd
==12485==    at 0x4C20B6E: free (vg_replace_malloc.c:323)
==12485==    by 0x5430AC: _efree (zend_alloc.c:2293)
==12485==    by 0x56FF50: zend_hash_destroy (zend_hash.c:529)
==12485==    by 0x584837: zend_object_std_dtor (zend_objects.c:41)
==12485==    by 0x584C71: zend_objects_free_object_storage 
(zend_objects.c:122)
==12485==    by 0x588E46: zend_objects_store_del_ref_by_handle 
(zend_objects_API.c:206)
==12485==    by 0x588C9E: zend_objects_store_del_ref 
(zend_objects_API.c:168)
==12485==    by 0x560748: _zval_dtor_func (zend_variables.c:52)
==12485==    by 0x551772: _zval_dtor (zend_variables.h:35)
==12485==    by 0x551986: _zval_ptr_dtor (zend_execute_API.c:414)
==12485==    by 0x554323: zend_call_function (zend_execute_API.c:1040)
==12485==    by 0x57C4A1: zend_call_method (zend_interfaces.c:88)
==12485==
==12485== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==12485== malloc/free: in use at exit: 0 bytes in 0 blocks.
==12485== malloc/free: 4,998 allocs, 4,998 frees, 1,397,127 bytes allocated.
==12485== For counts of detected errors, rerun with: -v
==12485== All heap blocks were freed -- no leaks are possible.


I hope this will help.

Olivier