Explanation of segfault

Posted: Sun Oct 05, 2008 6:36 pm
by jerrycainjr
I'm in the process of writing a small PHP extension, and one of my functions calls strndup. Only very occasionally do I see the pointer returned by strndup truncated so that the upper two bytes are zeroed out.

In a nutshell, I see this:

char *copy = strndup(Z_STRVAL_P(fret), Z_STRLEN_P(fret));  /* string value and its length from the zval */

fret is a zval that's properly constructed to catch the return value of some call to a PHP function, and looking at it in GDB is enough to convince me that it's a string (type == 6) and that the C string inside is well-formed.

copy comes back as something like 0xabdb6060, which doesn't map to the system heap at all. However, based on the addresses of other dynamically allocated blocks, it's clear that the 0xabdb6060 is the lower nibble of the full address that should be returned by strndup, so that, say, 0xbaababdb6060 actually addresses the space with my copy of the string.

I'm using php-5.2.5, and this happens very rarely (like once out of every 100,000 to 500,000 calls).

Has anyone ever seen anything like this or otherwise have some insight?
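Added example (not part of the post above, and not the poster's code): on a 64-bit build, a pointer-returning function that is called with no prototype in scope is implicitly treated as returning `int`, so the caller keeps only the low 32 bits of the returned address. The code below models that truncation on the address quoted in the post, shows which addresses survive it (which is why the symptom is rare: only blocks placed above 4 GiB are affected), and shows the same strndup call with a prototype in scope. The addresses 0xbaababdb6060 and 0x601010 are taken from the post and constructed respectively.

```c
#define _GNU_SOURCE          /* ask glibc's <string.h> to declare strndup */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>

/* Belt and braces: an explicit, compatible prototype guarantees the compiler
 * knows strndup returns a pointer, whatever feature macros are in effect.
 * Without any declaration, C89 rules make the call return `int`. */
char *strndup(const char *s, size_t n);

/* Model of what the caller observes when the callee was implicitly declared:
 * the 64-bit return value is read back as a 32-bit int, so only its low
 * 32 bits survive. (Whether it is later sign-extended on the way back into a
 * pointer is implementation-defined; the low half is what the post saw.) */
uint64_t as_seen_through_int_return(uint64_t full_address)
{
    int truncated = (int)(uint32_t)full_address;   /* what lands in the int */
    return (uint32_t)truncated;                     /* low 32 bits only */
}

/* Does this address round-trip unchanged? Blocks in the brk heap below
 * 4 GiB do; mmap-backed blocks high in the address space do not, so a
 * program hits the bug only on the occasional allocation placed up there. */
bool survives_int_return(uint64_t full_address)
{
    return as_seen_through_int_return(full_address) == full_address;
}

/* The call from the post with a prototype in scope: copies at most `len`
 * bytes, NUL-terminates, and returns a heap block the caller must free. */
char *bounded_copy(const char *s, size_t len)
{
    return strndup(s, len);
}
```

Compiling with `-Wall` reports an implicit declaration of strndup when the prototype is missing; treating that warning as an error is the cheapest check for this class of bug.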