[php-maint] Bug#481737: additional info FTBFS: php5

Joerg Friedrich Joerg.Friedrich at friedrich-kn.de
Wed Jul 2 00:50:58 UTC 2008


Hi, I tried to collect some more info.

This is an attempt to see what is happening. The problem is
/usr/local/src/php5-5.2.6/Zend/zend_alloc.c:1991
    SUHOSIN_MM_SET_END_CANARY(best_fit);

This is:
size_t *p = (size_t*)(((char*)(ZEND_MM_DATA_OF(best_fit))) + ((zend_mm_block*)(best_fit))->info.size + END_MAGIC_SIZE);
memcpy(p, &heap->canary_3, CANARY_SIZE);

disassemble shows:
0x0025931c <_zend_mm_alloc_int+940>:    add  %i1, 0x18, %g3
0x00259320 <_zend_mm_alloc_int+944>:    ld  [ %l1 + 0x254 ], %g1
0x00259324 <_zend_mm_alloc_int+948>:    st  %g1, [ %i0 + %g3 ]


size_t *p = (size_t*)(((char*)(ZEND_MM_DATA_OF(best_fit))) + ((zend_mm_block*)(best_fit))->info.size + END_MAGIC_SIZE);
			 ------------------------      ---------------------------------------   --------------
			 = best_fit +                   = size (function arg, stored in %i1)      fix_val at compile time
			   fix_val calculated at
			   compile time

0x0025931c is: size + two fix_vals, stored into %g3
0x00259320 is: load heap->canary_3 into %g1 (addr of heap is in %l1)
0x00259324 is: store %g1 into "best_fit (%i0) + %g3"
which is the same as
	 store %g1 into "best_fit + size + two fix_vals"
Since best_fit is aligned and the fix_vals are 0x18 (which does not change the alignment),
the problem must be the argument size.


#if SUHOSIN_PATCH
            SUHOSIN_MM_SET_CANARIES(best_fit);
            ((zend_mm_block*)best_fit)->info.size = size;
            SUHOSIN_MM_SET_END_CANARY(best_fit);
#endif


Maybe instead of size it's better to use true_size.


ATM, I'm trying to compile PHP this way, but my machine is not the fastest.




(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/local/src/php5-5.2.6/cgi-build/sapi/cli/php 
[Thread debugging using libthread_db enabled]
[New Thread 0xf75a66d0 (LWP 3659)]
[Switching to Thread 0xf75a66d0 (LWP 3659)]

Breakpoint 5, _zend_mm_alloc_int (heap=0x5085d0, size=<error type>) at /usr/local/src/php5-5.2.6/Zend/zend_alloc.c:1991
1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x25931c
5: /x $i0 + $g3 = 0xf7552010
4: /x $i0 = 0xf7552010
3: /x $g3 = 0x0
2: /x $g1 = 0x3247c1bf
(gdb) disassemble 0x25931c 0x259328
Dump of assembler code from 0x25931c to 0x259328:
0x0025931c <_zend_mm_alloc_int+940>:	add  %i1, 0x18, %g3
0x00259320 <_zend_mm_alloc_int+944>:	ld  [ %l1 + 0x254 ], %g1
0x00259324 <_zend_mm_alloc_int+948>:	st  %g1, [ %i0 + %g3 ]
End of assembler dump.
(gdb) si
0x00259320	1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x259320
5: /x $i0 + $g3 = 0xf7554028
4: /x $i0 = 0xf7552010
3: /x $g3 = 0x2018
2: /x $g1 = 0x3247c1bf
(gdb) si
0x00259324	1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x259324
5: /x $i0 + $g3 = 0xf7554028
4: /x $i0 = 0xf7552010
3: /x $g3 = 0x2018
2: /x $g1 = 0x2f8f5219
(gdb) si
1994		heap->size += true_size;
7: /x $pc = 0x259328
5: /x $i0 + $g3 = 0xf7554028
4: /x $i0 = 0xf7552010
3: /x $g3 = 0x2018
2: /x $g1 = 0x2f8f5219
(gdb) c
Continuing.

Breakpoint 5, _zend_mm_alloc_int (heap=0x5085d0, size=<error type>) at /usr/local/src/php5-5.2.6/Zend/zend_alloc.c:1991
1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x25931c
5: /x $i0 + $g3 = 0xf7554030
4: /x $i0 = 0xf7554030
3: /x $g3 = 0x0
2: /x $g1 = 0x3247c1bf
(gdb) si
0x00259320	1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x259320
5: /x $i0 + $g3 = 0xf755404d
4: /x $i0 = 0xf7554030
3: /x $g3 = 0x1d
2: /x $g1 = 0x3247c1bf
(gdb) si
0x00259324	1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x259324
5: /x $i0 + $g3 = 0xf755404d
4: /x $i0 = 0xf7554030
3: /x $g3 = 0x1d
2: /x $g1 = 0x2f8f5219
(gdb) si

Program received signal SIGBUS, Bus error.
0x00259324 in _zend_mm_alloc_int (heap=0x5085d0, size=<error type>) at /usr/local/src/php5-5.2.6/Zend/zend_alloc.c:1991
1991	    SUHOSIN_MM_SET_END_CANARY(best_fit);
7: /x $pc = 0x259324
5: /x $i0 + $g3 = 0xf755404d
4: /x $i0 = 0xf7554030
3: /x $g3 = 0x1d
2: /x $g1 = 0x2f8f5219

-- 
Jörg Friedrich

There are only 10 types of people:
Those who understand binary and those who don't.
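The following C program is an added illustration, not part of the original message or of the PHP/Suhosin source. It models the address computation visible in the disassembly above (`st %g1, [%i0 + %g3]` with `%g3 = size + 0x18`) and replays the two breakpoint hits from the gdb session: the first store lands on a 4-byte aligned address, the second (size 5) lands on 0xf755404d, which a SPARC word store cannot accept, hence the SIGBUS. It then shows what happens when the stored size is rounded up to the allocator alignment, which is the effect the suggestion to use true_size would have. The split of the 0x18 constant into DATA_OFFSET and END_MAGIC_SIZE, the alignment value of 8, and the rounding formula are assumptions chosen for the illustration; the message only establishes that the two fix_vals add up to 0x18.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the end-canary store seen in the disassembly.
 * The message only shows that the two compile-time constants add up to
 * 0x18 (the immediate in "add %i1, 0x18, %g3"); the split below is assumed.
 */
#define DATA_OFFSET        0x10u  /* assumed: ZEND_MM_DATA_OF(best_fit) - best_fit */
#define END_MAGIC_SIZE     0x08u  /* assumed: size of the end-magic field */
#define ZEND_MM_ALIGNMENT  8u     /* assumed: allocator alignment */
#define WORD_SIZE          4u     /* SPARC "st" writes a 32-bit word at a 4-byte aligned address */

typedef uint32_t sparc_addr_t;    /* 32-bit addresses, as displayed by gdb */

/* Round n up to the allocator alignment (stand-in for a true_size-style value). */
static uint32_t align_up(uint32_t n, uint32_t align) {
    return (n + align - 1u) & ~(align - 1u);
}

/* Target of the store: best_fit + DATA_OFFSET + size + END_MAGIC_SIZE,
 * i.e. %i0 + %g3 with %g3 = size + 0x18. */
static sparc_addr_t end_canary_addr(sparc_addr_t best_fit, uint32_t stored_size) {
    return best_fit + DATA_OFFSET + stored_size + END_MAGIC_SIZE;
}

/* Recover the size argument from the %g3 value gdb displayed. */
static uint32_t size_from_g3(uint32_t g3) {
    return g3 - (DATA_OFFSET + END_MAGIC_SIZE);
}

/* A word store is alignment-safe on SPARC only at a 4-byte aligned address. */
static int word_store_is_aligned(sparc_addr_t addr) {
    return (addr % WORD_SIZE) == 0u;
}

/* Replay one breakpoint hit. Returns 1 if the store would succeed, 0 if it
 * would raise SIGBUS. With use_aligned_size set, the requested size is
 * rounded up to ZEND_MM_ALIGNMENT before the address is formed. */
static int replay(sparc_addr_t i0, uint32_t g3, int use_aligned_size) {
    uint32_t size = size_from_g3(g3);
    if (use_aligned_size) {
        size = align_up(size, ZEND_MM_ALIGNMENT);
    }
    sparc_addr_t target = end_canary_addr(i0, size);
    int ok = word_store_is_aligned(target);
    printf("best_fit=0x%08x size=%u -> store at 0x%08x: %s\n",
           (unsigned)i0, (unsigned)size, (unsigned)target,
           ok ? "ok" : "SIGBUS (misaligned word store)");
    return ok;
}

int main(void) {
    /* First hit: %i0 = 0xf7552010, %g3 = 0x2018 -> size 0x2000, store at 0xf7554028 */
    replay(0xf7552010u, 0x2018u, 0);
    /* Second hit: %i0 = 0xf7554030, %g3 = 0x1d -> size 5, store at 0xf755404d */
    replay(0xf7554030u, 0x1du, 0);
    /* Same request with the size rounded up to the allocator alignment */
    replay(0xf7554030u, 0x1du, 1);
    return 0;
}
```

The model deliberately computes and checks addresses instead of performing the store: on SPARC the real store traps, and on x86 it would silently succeed, so neither would show the reader anything portable. The check that matters is the one the hardware performs, address modulo the word size.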
