key_php tutorial for GDB traversal of an eg (symbol_table) hash table

Sara Golemon wrote an article that said, "Is there a special place where you can find globals arrays?" The answer is "exist", that is, eg (symbol_table)-executor globals structure, she also gives a specific example of the search, as follows

Php_function (confirm_getglobal_compiled) {

Char *varname;

int Varname_len;

Zval **varvalue;

if (Zend_parse_parameters (Zend_num_args () tsrmls_cc, "s", &varname, &varname_len) = = FAILURE) {

Return_null ();

}

if (Zend_hash_find (&eg (symbol_table), varname, Varname_len + 1, (void**) &varvalue) = = FAILURE) {

Php_error_docref (NULL tsrmls_cc, E_notice, "Undefined variable:%s", varname);

Return_null ();

}

*return_value = **varvalue;

Zval_copy_ctor (Return_value);

}

After compiling to so load, write PHP test code

$ABC = ' string ';

$def = ' string2 ';

Var_dump (confirm_getglobal_compiled (' abc '));

Execution results

String (6) "string"

People may feel strange, why write a def variable, this is the following to take a look at the eg this Hashtable

GDB--args bin/php-c php.ini a.php

The debug code is as follows

(GDB) B renzhi.c:301//Add breakpoints to the written extension place

No source file named Renzhi.c.

Make breakpoint pending on the future shared library load? (Y or [n]) y

Breakpoint 1 (renzhi.c:301) pending.

(GDB) R//run to break point

Starting program:/root/php-src-5.3/bin/php-c php.ini ceshi.php

Warning:. Dynamic section for "/lib/libc.so.6" isn't at the expected address

Warning:difference appears to being caused by prelink, adjusting expectations

[Thread debugging using libthread_db enabled]

Breakpoint 1, zif_confirm_getglobal_compiled (Ht=1, return_value=0x837a43c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)

at/root/php-src-5.3/ext/renzhi/renzhi.c:305

305 if (Zend_parse_parameters (Zend_num_args () tsrmls_cc, "s", &varname, &varname_len) = = FAILURE) {

(GDB) n

309 if (Zend_hash_find (&eg (symbol_table), varname, Varname_len + 1, (void**) &varvalue) = = FAILURE) {

(GDB) Step//Enter Zend_hash_find Hash lookup function

Zend_hash_find (ht=0x82e3250, arkey=0x837a42c "abc", NKEYLENGTH=4, pdata=0xbfffc484) at/root/php-src-5.3/zend/zend_ hash.c:872

Let's see the key.

(GDB) P *HT

$9 = {ntablesize = 0, Ntablemask =, nnumofelements = ten, nnextfreeelement =, Pinternalpointer = 0x83edc98, PListHead = 0x83edc98,

Plisttail = 0x837a3fc, arbuckets = 0x83705a8, pdestructor = 0x81923b0 <_zval_ptr_dtor>, persistent = 0 ' \000 ', nAppl Ycount = 0 ' \000 ',

bapplyprotection = 1 ' \001 '}

(GDB) P *ht.plisthead

$ = {h = 2572561225, Nkeylength = 8, PData = 0x83edca4, pdataptr = 0x83edc7c, Plistnext = 0x8378c4c, Plistlast = 0x0, pNe XT = 0x0, PLast = 0x0,

Arkey = "G"}

(GDB) P *ht.plisthead.plistnext

$ $ = {h = 253399445, Nkeylength = 5, PData = 0x8378c58, pdataptr = 0x8378b60, Plistnext = 0x8378c7c, Plistlast = 0x83edc98 , Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

(GDB) P *ht.plisthead.plistnext.plistnext

$4 = {h = 253398818, Nkeylength = 5, PData = 0x8378c88, pdataptr = 0x8378c30, Plistnext = 0x8378d20, Plistlast = 0x8378c4c , Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext

$ $ = {h = 3947724458, nkeylength = 6, PData = 0x8378d2c, pdataptr = 0X8378CAC, Plistnext = 0x8378d54, Plistlast = 0x8378c7 C, Pnext = 0x0, PLast = 0x0,

Arkey = "_"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext

$6 = {h = 249444164, Nkeylength = 5, PData = 0x8378d60, pdataptr = 0x83edd1c, Plistnext = 0x8378d84, Plistlast = 0X8378D20 , Pnext = 0x0, PLast = 0x0,

Arkey = "_"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext

$7 = {h = 195471710, Nkeylength = 8, PData = 0x8378d90, pdataptr = 0x83edd38, Plistnext = 0x8378e2c, Plistlast = 0x8378d54 , Pnext = 0x0, PLast = 0x0,

Arkey = "_"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$8 = {h = 1027153623, nkeylength = 7, PData = 0x8378e38, pdataptr = 0x8378db8, Plistnext = 0x8379e8c, Plistlast = 0x8378d8 4, Pnext = 0x0, PLast = 0x0,

Arkey = "_"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$9 = {h = 3291685243, Nkeylength = 8, PData = 0x8379e98, pdataptr = 0x8378e88, Plistnext = 0x837a3cc, Plistlast = 0x8378e2 C, Pnext = 0x0, PLast = 0x0,

Arkey = "_"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$ $ = {h = 2090069483, nkeylength = 4, PData = 0x837a3d8, pdataptr = 0x8379ef8, Plistnext = 0x837a3fc, Plistlast = 0x8379e 8c, Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$11 = {h = 2090180660, nkeylength = 4, PData = 0x837a408, pdataptr = 0x8379edc, Plistnext = 0x0, Plistlast = 0x837a3cc, PN ext = 0x0, PLast = 0x0,

Arkey = "D"}

It's a little messy, and the first one here is reality. Eg this hash table has nnumofelements = 10 elements

Here's

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$ $ = {h = 2090069483, nkeylength = 4, PData = 0x837a3d8, pdataptr = 0x8379ef8, Plistnext = 0x837a3fc, Plistlast = 0x8379e 8c, Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$11 = {h = 2090180660, nkeylength = 4, PData = 0x837a408, pdataptr = 0x8379edc, Plistnext = 0x0, Plistlast = 0x837a3cc, PN ext = 0x0, PLast = 0x0,

Arkey = "D"}

is to test the PHP code.

$ABC = ' string ';

$def = ' string2 ';

These two variables name the concrete hash of the bucket up

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$ $ = {h = 2090069483, nkeylength = 4, PData = 0x837a3d8, pdataptr = 0x8379ef8, Plistnext = 0x837a3fc, Plistlast = 0x8379e 8c, Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

The first character Arkey is a, with nkeylength = 44 character length

(GDB) P ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.arkey[0]

$ = $ ' a '

(GDB) P ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.arkey[1]

$11 = 98 ' B '

(GDB) P ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.arkey[2]

$ = "C"

(GDB) P ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.arkey[3]

$13 = 0 ' \000 '

How to get the pointer in the GDB mode, see the corresponding execution of the content of the Zval?

Already know that the pdata in the bucket structure executes the content.

(GDB) P Ht.pListHead.pListNext.pListNext.pListNext.pListNext.pListNext.pListNext.pListNext.pListNext.pData

$19 = (void *) 0x837a3d8

But the return of this, still do not know how to obtain, please master Help

I got it.

(GDB) P *ht.plisthead.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext.plistnext

$29 = {h = 2090069483, nkeylength = 4, PData = 0x839fe28, pdataptr = 0x839f948, Plistnext = 0x839fe4c, Plistlast = 0x839f8 DC, Pnext = 0x0, PLast = 0x0,

Arkey = "A"}

(GDB) p * (Zval *) $29->pdataptr

$ = {Value = {lval = 138024112, dval = 1.2800167717828578e-313, str = {val = 0x83a14b0 "string", Len = 6}, HT = 0x83a14b 0, obj = {handle = 138024112,

handlers = 0x6}}, refcount__gc = 1, type = 6 ' \006 ', is_ref__gc = 0 ' \000 '}

Haha, you can see the exact value of the hash point.

But a little bit confused, what does pdata and pdataptr have to do with the matter?

(GDB) P &$29->pdataptr

$46 = (void * *) 0x839fe28

(GDB) P $29->pdata

$47 = (void *) 0x839fe28

Which is the address of pdataptr in pdata.

Excerpt from xiaoq3406 's column

http://www.bkjia.com/PHPjc/478497.html www.bkjia.com true http://www.bkjia.com/PHPjc/478497.html techarticle Sara Golemon wrote an article that said, "Is there a special place where you can find globals arrays?" The answer is that there is an eg (symbol_table)-executor globals structure that she also gives ...

