php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22510 Zend Engine crashes calling FREE_ZVAL from zend_assign_to_variable_reference
Submitted: 2003-03-02 17:28 UTC Modified: 2003-07-12 04:24 UTC
Votes:10
Avg. Score:4.5 ± 0.8
Reproduced:10 of 10 (100.0%)
Same Version:7 (70.0%)
Same OS:8 (80.0%)
From: php at codewhore dot org Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS-2003-06-01 (stable) OS: Linux 2.4
Private report: No CVE-ID: None
 [2003-03-02 17:28 UTC] php at codewhore dot org
I've been able to reproducibly crash the PHP interpreter with  a section of code that I'm working that passes around and calls through a lot of references. The function that causes the crash looks like:


function finalize()
{
  /* Note:
       These are references; we leave the value, $x, unused. */

  foreach ($this->commit_list as $k => $x)
  {
    if (!$this->commit_list[$k]->transaction_commit())
      return $this->throw(E_SYS);
  }

  return true;
}


I haven't managed to narrow it down any further - executing similar code in isolation hasn't been able to reproduce the crash yet. I'll keep trying.



The backtrace:
--------------

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8158)]
0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
233             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3  0x4036aa90 in execute (op_array=0x817cad4) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#4  0x4036aa90 in execute (op_array=0x818a144) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#5  0x4036aa90 in execute (op_array=0x81fa9bc) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#6  0x4035b219 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web-server/php-4.3-cvs/Zend/zend.c:864
#7  0x40329fcc in php_execute_script (primary_file=0xbffff820)
    at /usr/src/web-server/php-4.3-cvs/main/main.c:1588
#8  0x4036f1a2 in apache_php_module_main (r=0x811047c, display_source_mode=0)
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/sapi_apache.c:55
#9  0x403700e6 in send_php (r=0x811047c, display_source_mode=0,
    filename=0x8112204 "/web/sites/frylock/development/node.php")
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:617
#10 0x4037016c in send_parsed_php (r=0x811047c)
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:632
#11 0x08054360 in ap_invoke_handler (r=0x811047c) at http_config.c:518
#12 0x08068aae in process_request_internal (r=0x811047c) at http_request.c:1308
#13 0x08068b0e in ap_process_request (r=0x811047c) at http_request.c:1324
#14 0x0805fd6e in child_main (child_num_arg=0) at http_main.c:4689
#15 0x0805ff34 in make_child (s=0x8094ec4, slot=0, now=1046645587) at http_main.c:4813
#16 0x0806009b in startup_children (number_to_start=8) at http_main.c:4895
#17 0x080606c8 in standalone_main (argc=5, argv=0xbffffca4) at http_main.c:5203
#18 0x08060f00 in main (argc=5, argv=0xbffffca4) at http_main.c:5566
#19 0x400d3bb4 in __libc_start_main () from /lib/libc.so.6

(gdb) frame 2
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
1344                                    zend_assign_to_variable_reference(&EX(opline)->result, get_zval_ptr_ptr(&EX(opline)->op1, EX(Ts), BP_VAR_W), get_zval_ptr_ptr(&EX(opline)->op2, EX(Ts), BP_VAR_W), EX(Ts) TSRMLS_CC);

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8258b0c "finalize"

(gdb) frame 1
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
271                             FREE_ZVAL(variable_ptr);

(gdb) p *value_ptr_ptr
$6 = (struct _zval_struct *) 0x825925c

(gdb) p **value_ptr_ptr
$7 = {value = {lval = 136677812, dval = 7.6896363518630331, str = {val = 0x82589b4 "\b",
      len = 1075757616}, ht = 0x82589b4, obj = {ce = 0x82589b4, properties = 0x401ec230}},
  type = 4 '\004', is_ref = 0 '\0', refcount = 2}

(gdb) p *result
$9 = {op_type = 4, u = {constant = {value = {lval = 3, dval = 2.1219957924474693e-314, str = {
          val = 0x3 <Address 0x3 out of bounds>, len = 1}, ht = 0x3, obj = {ce = 0x3, properties = 0x1}},
      type = 0 '\0', is_ref = 0 '\0', refcount = 0}, var = 3, opline_num = 3, fetch_type = 3,
    op_array = 0x3, EA = {var = 3, type = 1}}}

(gdb) p *variable_ptr_ptr
$10 = (struct _zval_struct *) 0x403b4564

(gdb) p **variable_ptr_ptr
$11 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0,
      properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0', refcount = 0}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-02 17:30 UTC] php at codewhore dot org
Accidently posted the non-crashing code snippet. Here's the one that crashes:

    function finalize()
    {
      $cl =& $this->commit_list;

      /* Note:
          These are references; we leave the value, $x, unused. */

      foreach ($cl as $k => $x)
      {
        if (!$cl[$k]->transaction_commit())
          return $this->throw(E_SYS);
      }

      return true;
    }
 [2003-06-01 11:38 UTC] php at codewhore dot org
A shorter crashing version of tests/lang/22510.phpt. 
Notice that removal of the silence operator (@) in 
method2() makes the crash go away.

<?php
  class foo
  {
    function &method1() {
      return $this->foo;
    }

    function &method2() {
      return @$this->foo;
    }
  }

  class bar
  {
    function run1() {
      $instance = new foo();
      $instance->method1();
    }

    function run2() {
      $instance = new foo();
      $instance->method2();
      $instance->method2();
    }
  }

  function ouch(&$bar) {
    $bar->run1();
  }

  function ok(&$bar) {
    $a = $a;
    $bar->run2();
  }

  $bar = new bar();
  ok($bar);
  ouch($bar);
?>
 [2003-06-02 10:56 UTC] sniper@php.net
Just tested your last script with PHP 5.0.0-dev (ZE2),
and it does not crash:

# sapi/cli/php /home/jani/t.php 

Notice: Undefined variable:  a in /home/jani/t.php on line 32
/usr/src/web/php/php5/Zend/zend_execute.c(2782) :  Freeing 0x089681F4 (16 bytes), script=/home/jani/t.php

And commenting out the line 32 (with $a=$a) makes it not crash in PHP 4.3.3-dev too:

$ php t.php 
/usr/src/web/php/php4/Zend/zend_execute.c(1702) :  Freeing 0x088A427C (12 bytes), script=t.php

 [2003-07-12 04:24 UTC] moriyoshi@php.net
The fix by Zeev will be in php5.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 00:01:28 2024 UTC