Deserializing a large array of nested objects gives "zend_mm_heap corrupted" #2
Here is a test case that is consistently giving segfaults on my osx 10.7.4, macports php 5.3.15.
Can anybody confirm this?
I cannot get a segfault, but:
Are you fixing the memory leaks? I have the same problem with an array bigger than 40 objects and more than 456466 chars of payload.
I can confirm the segfault now, digging
@advect could you please look at this too?
I got a fix: #include "ext/standard/php_var.h" -#define MSGPACK_EMBED_STACK_SIZE 1024 #include "msgpack/unpack_define.h" but I need more time to confirm it, maybe we should use heap memory for that stack
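Review bot: removing the `#define MSGPACK_EMBED_STACK_SIZE 1024` override only changes the embedded unpack stack size to whatever `msgpack/unpack_define.h` supplies by default; it does not change where that stack lives, which the same comment already identifies as the real question ("maybe we should use heap memory for that stack"). The comment flags the change as unconfirmed and the following reply reports that both the test script and the reporter's own test still segfault, so a regression test with the 50-object, 517466-character payload should gate this change, and the heap-allocated stack is the variant worth pursuing.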
Hey Laurence, thanks for the patch! Unfortunately, it does not seem to do what you expected: The test script gives me: And my own test above still segfaults:
https://github.com/kjdev/php-ext-msgpacki In msgpacki this is no problem.
php-msgpacki looks interesting, but it doesn't compile on osx yet. I'll give it a shot.
It's a shame that
@advect it's better if there is only one msgpack php extension, so maybe we should contact the msgpacki guy and merge our work together..
Hello, The test bug002.phpt for this issue makes the RPM build impossible.
Hey, maybe you can remove that from the rpm package? thanks
…ck#2 (Deserializing a large array of nested objects gives "zend_mm_heap corrupted") [tests/bug002.phpt]"
Done. Check out the pull request #9

```
Program received signal SIGSEGV, Segmentation fault.
add_next_index_zval (arg=0x0, value=0x159e650) at src/service/php/php-5.4.11/Zend/zend_API.c:1406
1406        return zend_hash_next_index_insert(Z_ARRVAL_P(arg), &value, sizeof(zval *), NULL);
(gdb) bt
#0  add_next_index_zval (arg=0x0, value=0x159e650) at src/service/php/php-5.4.11/Zend/zend_API.c:1406
#1  0x00007ffff3aefa52 in msgpack_unserialize_array_item (unpack=0x7fffffff11e0, container=0x7fffffff3290, obj=0x159e650) at src/service/php/msgpack-php/msgpack_unpack.c:498
#2  0x00007ffff3aea769 in template_execute (ctx=0x7fffffff11e0, data=<value optimized out>, len=<value optimized out>, off=<value optimized out>) at src/service/php/msgpack-php/msgpack/unpack_template.h:338
#3  0x00007ffff3aeb195 in php_msgpack_unserialize (return_value=0x13328c0, str=<value optimized out>, str_len=165671) at src/service/php/msgpack-php/msgpack.c:267
```
Unserializing largish object collections aborts php with "zend_mm_heap corrupted".
Unfortunately I can't produce a testcase yet, since the data this happened with is company confidential.
I'll try to come up with a synthetic case though.
It is an array that contains 50 php objects. The serialized payload is 517466 characters.
With USE_ZEND_ALLOC=0 I get this:

```
php(32501) malloc: *** error for object 0x7fe65ab2b048: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
```
Stacktrace:
```
Application Specific Information:
*** error for object 0x7fbd8232b028: incorrect checksum for freed object - object was probably modified after being freed.
objc[32539]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff87f0182a __kill + 10
1   libsystem_c.dylib               0x00007fff8a571a9c abort + 177
2   libsystem_c.dylib               0x00007fff8a5934ac szone_error + 459
3   libsystem_c.dylib               0x00007fff8a5934e8 free_list_checksum_botch + 29
4   libsystem_c.dylib               0x00007fff8a59a38c tiny_malloc_from_free_list + 145
5   libsystem_c.dylib               0x00007fff8a59b00e szone_malloc_should_clear + 1115
6   libsystem_c.dylib               0x00007fff8a5d03c8 malloc_zone_malloc + 77
7   libsystem_c.dylib               0x00007fff8a5d11a4 malloc + 44
8   php                             0x000000010f40fa2f _estrdup + 63
9   php                             0x000000010f3e197e sapi_send_headers + 110
10  php                             0x000000010f36fc99 php_header + 9
11  php                             0x000000010f3e8ece php_ub_body_write + 78
12  php                             0x000000010f3d799d php_printf + 157
13  php                             0x000000010f3d89a4 php_error_cb + 1492
14  php                             0x000000010f42ac45 zend_error + 469
15  msgpack.so                      0x000000011270df63 php_msgpack_unserialize + 227 (msgpack.c:254)
16  msgpack.so                      0x000000011270d055 zif_msgpack_unserialize + 85 (msgpack.c:331)
17  php                             0x000000010f4917f9 zend_do_fcall_common_helper_SPEC + 1081
18  php                             0x000000010f491ef1 execute + 609
19  php                             0x000000010f42a968 zend_execute_scripts + 440
20  php                             0x000000010f3d6872 php_execute_script + 722
21  php                             0x000000010f4a8f01 main + 4529
22  php                             0x000000010f2637d4 start + 52
```
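A synthetic round-trip test of the kind the report says is still missing (an array of 50 objects with nested properties whose payload lands near the reported 517466 characters), added here as an example rather than taken from the issue or from the msgpack-php test suite; it assumes the extension's `msgpack_serialize()` / `msgpack_unserialize()` functions and uses a hypothetical `Record` class.

```php
<?php
// Constructed reproducer / regression check (added example, not the reporter's
// confidential data). Builds 50 top-level objects, each with a few nested child
// objects and bulk string properties, so the serialized payload is roughly the
// size reported in the issue. A healthy build prints "round-trip ok"; an
// affected build aborts with "zend_mm_heap corrupted" or a segfault during
// msgpack_unserialize() instead of returning.

class Record {            // hypothetical class, only for this example
    public $id;
    public $tags;
    public $children;
}

function build_record($id, $depth) {
    $r = new Record();
    $r->id = $id;
    // 40 strings of 64 chars: bulk payload per object, ~2.6 KB before framing
    $r->tags = array_fill(0, 40, str_repeat('x', 64));
    $r->children = array();
    if ($depth > 0) {
        for ($j = 0; $j < 3; $j++) {
            $r->children[] = build_record($id * 10 + $j, $depth - 1);
        }
    }
    return $r;
}

$objects = array();
for ($i = 0; $i < 50; $i++) {
    // depth 1 => 4 Record instances per top-level object, ~10 KB each,
    // ~520 KB in total, close to the 517466 characters in the report
    $objects[] = build_record($i, 1);
}

$payload = msgpack_serialize($objects);
printf("payload: %d bytes, %d top-level objects\n", strlen($payload), count($objects));

$decoded = msgpack_unserialize($payload);

// Compare structurally (==), not by identity, since unserialize creates new objects.
if ($decoded == $objects) {
    echo "round-trip ok\n";
    exit(0);
}
echo "round-trip MISMATCH\n";
exit(1);
```

Running it with `USE_ZEND_ALLOC=0`, as the report does, hands allocations to the system malloc so that a write into freed memory is caught at the next free-list check rather than surfacing later as a corrupted Zend heap.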