[Bug 725672] [NEW] PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch crashes (segfault) when using big SplFixedArray
Attila M. Magyar
725672 at bugs.launchpad.net
Sat Feb 26 18:03:02 UTC 2011
Public bug reported:
Binary package hint: php5
Test script:
--------------
test.php:
<?php
$data = new SplFixedArray(100000);
for ($i = 0; $i < 100000; ++$i)
{
    fprintf(STDERR, "$i\n");
    $data->offsetSet($i, array(1, 2));
}
?>
Running:
-----------
php test.php
Expected result:
--------------------
Either an error message due to memory limit or the script is executed
successfully.
Actual result:
-----------------
When the array (used inside the for loop) is empty, an error message is displayed stating: zend_mm_heap corrupted.
When the array contains at least two elements, PHP crashes.
Backtrace:
--------------
Program received signal SIGSEGV, Segmentation fault.
gc_remove_zval_from_buffer (zv=0x107ca70) at /build/buildd/php5-5.3.3/Zend/zend_gc.h:189
189 /build/buildd/php5-5.3.3/Zend/zend_gc.h: No such file or directory.
in /build/buildd/php5-5.3.3/Zend/zend_gc.h
(gdb) bt
#0 gc_remove_zval_from_buffer (zv=0x107ca70) at /build/buildd/php5-5.3.3/Zend/zend_gc.h:189
#1 0x000000000068c575 in _zval_ptr_dtor (zval_ptr=0x16e7218) at /build/buildd/php5-5.3.3/Zend/zend_execute_API.c:442
#2 0x00000000006a6547 in _zend_hash_index_update_or_next_insert (ht=0x1005000, h=682, pData=0x7fff00000008, nDataSize=0, pDest=0x0, flag=0) at /build/buildd/php5-5.3.3/Zend/zend_hash.c:572
#3 0x00000000005b51a2 in spl_fixedarray_object_get_properties (obj=0x107ca70) at /build/buildd/php5-5.3.3/ext/spl/spl_fixedarray.c:158
#4 0x00000000006b6a1b in gc_collect_cycles () at /build/buildd/php5-5.3.3/Zend/zend_gc.c:395
#5 0x00000000006b70e4 in gc_zval_possible_root (zv=0x107ca70) at /build/buildd/php5-5.3.3/Zend/zend_gc.c:166
#6 0x00000000006e95a1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffb9e8) at /build/buildd/php5-5.3.3/Zend/zend_execute.h:318
#7 0x00000000006c0e90 in execute (op_array=0x1003de0) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107
#8 0x000000000069885d in zend_execute_scripts (type=4470331, retval=0x7fffffffbb00, file_count=3) at /build/buildd/php5-5.3.3/Zend/zend.c:1266
#9 0x00000000006441a8 in php_execute_script (primary_file=0x7ffff580c300) at /build/buildd/php5-5.3.3/main/main.c:2288
#10 0x0000000000729f26 in main (argc=-7384, argv=0x0) at /build/buildd/php5-5.3.3/sapi/cli/php_cli.c:1196
PHP version
-----------------
php --version output:
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
apt-cache policy php5 output:
php5:
  Installed: (none)
  Candidate: 5.3.3-1ubuntu9.3
  Version table:
     5.3.3-1ubuntu9.3 0
        500 http://hu.archive.ubuntu.com/ubuntu/ maverick-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ maverick-security/main amd64 Packages
     5.3.3-1ubuntu9 0
        500 http://hu.archive.ubuntu.com/ubuntu/ maverick/main amd64 Packages
lsb_release -rd output:
Description: Ubuntu 10.10
Release: 10.10
file /usr/bin/php5 output:
/usr/bin/php5: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
Reproduction with vanilla PHP:
---------------------------------------
Downloaded a PHP snapshot from snaps.php.net (php5.3-201102261530) and built
it manually (the only option specified for the configure script was
--prefix). The test script ran successfully, with no errors or segfaults.
~/tmp/memory/php-vanilla$ ./bin/php --version
PHP 5.3.6RC2-dev (cli) (built: Feb 26 2011 18:09:10)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
** Affects: php5 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
https://bugs.launchpad.net/bugs/725672