Newsgroups: php.internals
Xref: news.php.net php.internals:57489
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
In-Reply-To: <4F1EA1BC.6040902@zend.com>
References: <4F1D15CC.7020001@zend.com> <4F1EA1BC.6040902@zend.com>
Date: Tue, 24 Jan 2012 21:08:34 +0800
To: Dmitry Stogov
Cc: Stas Malyshev,
    dsp@php.net, Rasmus Lerdorf, dsoria@gmx.net, stas@php.net, PHP Internals
Subject: Re: can I commit fix for Bug #60825?
From: laruence@php.net (Laruence)

Hi Dmitry,

ah, I see, thanks very much.

in this case, the 5.3 branch should fail too since it also uses a stack zval.

I will make an improved fix soon.. :)

thanks.

On Tue, Jan 24, 2012 at 8:19 PM, Dmitry Stogov wrote:
> Hi Laruence,
>
> I'll try to demonstrate the problem I tried to describe with a script.
> The following script still fails on trunk.
>
> <?php
> class test {
>         public static $x;
>         public function __toString() {
>                 self::$x = $this;
>                 return __FILE__;
>         }
> }
> $a = new test;
> require_once $a;
> var_dump(test::$x);
> ?>
>
> So your fix is not enough.
> It makes no sense to play with refcounts of zvals allocated on stack.
> Probably, the temporary zval needs to be allocated on heap.
>
> Thanks. Dmitry.
>
> [dmitry@ws CGI-DEBUG]$ USE_ZEND_ALLOC=0 valgrind ../../php-trunk/CGI-DEBUG/sapi/cli/php -n bug60825.php
> ==25455== Memcheck, a memory error detector
> ==25455== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
> ==25455== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
> ==25455== Command: ../../php-trunk/CGI-DEBUG/sapi/cli/php -n bug60825.php
> ==25455==
> ==25455== Conditional jump or move depends on uninitialised value(s)
> ==25455==    at 0x853E3C9: zend_send_by_var_helper_SPEC_VAR (zend_execute.c:71)
> ==25455==    by 0x853F9C0: ZEND_SEND_VAR_SPEC_VAR_HANDLER (zend_vm_execute.h:11056)
> ==25455==    by 0x8511872: execute (zend_vm_execute.h:410)
> ==25455==    by 0x84DBE85: zend_execute_scripts (zend.c:1272)
> ==25455==    by 0x8462641: php_execute_script (main.c:2476)
> ==25455==    by 0x85F1506: do_cli (php_cli.c:983)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==
> &UNKNOWN:0
> ==25455== Invalid read of size 4
> ==25455==    at 0x84C9964: _zval_ptr_dtor (zend.h:391)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455== Invalid write of size 4
> ==25455==    at 0x84C996D: _zval_ptr_dtor (zend.h:391)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455== Invalid read of size 4
> ==25455==    at 0x84C997B: _zval_ptr_dtor (zend.h:379)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455== Invalid read of size 4
> ==25455==    at 0x84C9A1E: _zval_ptr_dtor (zend.h:379)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e4 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455== Invalid read of size 1
> ==25455==    at 0x84C9A40: _zval_ptr_dtor (zend_gc.h:182)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e8 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455== Invalid read of size 1
> ==25455==    at 0x84C9A4B: _zval_ptr_dtor (zend_gc.h:182)
> ==25455==    by 0x84CEE6E: cleanup_user_class_data (zend_opcode.c:165)
> ==25455==    by 0x84CEF5D: zend_cleanup_user_class_data (zend_opcode.c:198)
> ==25455==    by 0x84EB22C: zend_hash_reverse_apply (zend_hash.c:799)
> ==25455==    by 0x84C958B: shutdown_executor (zend_execute_API.c:289)
> ==25455==    by 0x84DB12B: zend_deactivate (zend.c:934)
> ==25455==    by 0x8461441: php_request_shutdown (main.c:1782)
> ==25455==    by 0x85F1EBC: do_cli (php_cli.c:1169)
> ==25455==    by 0x85F2678: main (php_cli.c:1356)
> ==25455==  Address 0xfee969e8 is not stack'd, malloc'd or (recently) free'd
> ==25455==
> ==25455==
> ==25455== HEAP SUMMARY:
> ==25455==     in use at exit: 36,448 bytes in 2,333 blocks
> ==25455==   total heap usage: 20,378 allocs, 18,045 frees, 2,405,048 bytes allocated
> ==25455==
> ==25455== LEAK SUMMARY:
> ==25455==    definitely lost: 0 bytes in 0 blocks
> ==25455==    indirectly lost: 0 bytes in 0 blocks
> ==25455==      possibly lost: 0 bytes in 0 blocks
> ==25455==    still reachable: 36,448 bytes in 2,333 blocks
> ==25455==         suppressed: 0 bytes in 0 blocks
> ==25455== Rerun with --leak-check=full to see details of leaked memory
> ==25455==
> ==25455== For counts of detected and suppressed errors, rerun with: -v
> ==25455== Use --track-origins=yes to see where uninitialised values come from
> ==25455== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0)
>
>
> On 01/23/2012 01:02 PM, Laruence wrote:
>>
>> On Mon, Jan 23, 2012 at 4:09 PM, Dmitry Stogov wrote:
>>>
>>> Hi Laruence,
>>>
>>> I'm not sure if the proposed patch fixes all the problems.
>>>
>>> Imagine that __FILE__ is stored in some PHP variable and accessed after
>>> include() has finished. At that time the C variable "tmp_inc_filename" won't be
>>> valid but the PHP variable may still refer to it.
>>>
>> Hi,
>>
>> I am not sure whether I got your point,
>>
>> but zend_std_cast_object_tostring will duplicate that "string", so
>> zval_dtor tmp_inc_filename will be okay (just efree that duplicate) I
>> think. :)
>>
>> thanks
>>
>>> I didn't try to reproduce it, so I might be wrong.
>>>
>>> Thanks. Dmitry.
>>>
>>>
>>> On 01/22/2012 06:42 AM, Laruence wrote:
>>>>
>>>> send again,
>>>>
>>>> dsp said he didn't receive it.
>>>>
>>>> thanks
>>>>
>>>> On Sun, Jan 22, 2012 at 1:19 AM, Laruence wrote:
>>>>>
>>>>> Hi:
>>>>>
>>>>>  I have fixed #60825 (Segfault when running symfony 2 tests)
>>>>>
>>>>>  cvs mail here: http://news.php.net/php.cvs/67503
>>>>>
>>>>>  should I also commit this fix to 5.4 branch now?
>>>>>
>>>>> thanks
>>>>>
>>>>> --
>>>>> Laruence  Xinchen Hui
>>>>> http://www.laruence.com/
>>>>
>>>
>>
>

--
Laruence  Xinchen Hui
http://www.laruence.com/
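A minimal C model of the lifetime problem Dmitry's script exposes, added here as an example and not code from PHP or from anyone in this thread: value_t, stash, tostring_hook and the two include_with_* functions are invented stand-ins for the zval, the static property self::$x, __toString() and the include handler.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for a refcounted engine value, like a zval holding a string. */
typedef struct { int refcount; char *str; } value_t;

static value_t *stash;               /* plays the role of the static property self::$x */

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

static void value_release(value_t *v) {
    if (--v->refcount == 0) {        /* last owner: free payload and box */
        free(v->str);
        free(v);
    }
}

/* Plays __toString(): user code running inside the cast keeps a reference
 * to whatever value the engine handed it (self::$x = ...). */
static void tostring_hook(value_t *result) {
    stash = result;
    stash->refcount++;
}

/* Broken pattern (the one the thread describes): the temporary is a C local.
 * Returns how many references to it would outlive this stack frame. */
static int include_with_stack_temp(void) {
    value_t tmp = { 1, dup_str("bug60825.php") };
    tostring_hook(&tmp);             /* stash now points into this stack frame */
    free(tmp.str);                   /* "zval_dtor(&tmp)": payload freed, the box cannot be */
    tmp.str = NULL;
    int escaped = tmp.refcount - 1;  /* 1: a holder of &tmp remains, but tmp dies on return */
    stash = NULL;                    /* would dangle after return; never dereference it */
    return escaped;
}

/* Hardened pattern: heap-allocate the temporary and let the refcount own it. */
static value_t *include_with_heap_temp(void) {
    value_t *tmp = malloc(sizeof *tmp);
    if (!tmp) return NULL;
    tmp->refcount = 1;
    tmp->str = dup_str("bug60825.php");
    tostring_hook(tmp);              /* refcount 2: engine + stash */
    value_release(tmp);              /* engine drops its reference: refcount 1, still alive */
    return stash;                    /* valid until its last holder calls value_release() */
}
```

The stack variant reports one reference that outlives the frame, which is exactly the state valgrind flags at shutdown; the heap variant leaves the stashed value alive with refcount 1.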