php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34873 Segmentation Fault on foreach in object (used by smarty)
Submitted: 2005-10-14 17:18 UTC Modified: 2005-10-17 10:02 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: antleclercq at online dot fr Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-10-14 (CVS) OS: Ubuntu (breezy)
Private report: No CVE-ID: None
 [2005-10-14 17:18 UTC] antleclercq at online dot fr
Description:
------------
Hello,

I'm running:
- PHP 5.1RC2 CVS200510141230

I've got a nice segfault with that simple piece of code. The problem is that the code style showed below is used by Smarty (in the compile system)...

That problem has been reproduced on several systems.

Thanks for your help,

Antoine

Reproduce code:
---------------
<?php
class pwa {
	public $var;

	function __construct()	{
		$this->var = array();
	}
	
	function test ()	{
		$cont = array();
		$cont["mykey"] = "myvalue";
		
		foreach ($cont as $this->var['key'] => $this->var['value'])
			echo $this->var['value'];
	}
}
$myPwa = new Pwa();
$myPwa->test();
?>

Expected result:
----------------
This code should display:
myvalue
and continue its execution.

Actual result:
--------------
antoine@DaT:/home/web/sandbox.local/html $ php pwa.php
myvalue*** glibc detected *** double free or corruption (fasttop): 0x085149c8 ***
Aborted


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-14 21:44 UTC] tony2001@php.net
Dmitry, this patch breaks it:
http://cvs.php.net/diff.php/ZendEngine2/zend_compile.c?r1=1.647.2.7&r2=1.647.2.8&ty=u

Please, take a look at it.
 [2005-10-14 23:42 UTC] tony2001@php.net
gdb bt:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1081772576 (LWP 18178)]
0x083961f1 in zend_hash_find (ht=0x88b1060, arKey=0x88b2458 "value", nKeyLength=6, pData=0xbfffc6c4) at /usr/src/dev/orig/php-src_5_1/Zend/zend_hash.c:852
852             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x083961f1 in zend_hash_find (ht=0x88b1060, arKey=0x88b2458 "value", nKeyLength=6, pData=0xbfffc6c4) at /usr/src/dev/orig/php-src_5_1/Zend/zend_hash.c:852
#1  0x083f4f20 in zend_symtable_find (ht=0x88b1060, arKey=0x88b2458 "value", nKeyLength=6, pData=0xbfffc6c4) at zend_hash.h:346
#2  0x083f6f6e in zend_fetch_dimension_address_inner (ht=0x88b1060, dim=0x88b3a8c, type=0) at /usr/src/dev/orig/php-src_5_1/Zend/zend_execute.c:958
#3  0x083b31cb in zend_fetch_dimension_address (result=0xbfffc8b8, container_ptr=0xbfffc8a8, dim=0x88b3a8c, dim_is_tmp_var=0, type=0)
    at /usr/src/dev/orig/php-src_5_1/Zend/zend_execute.c:1088
#4  0x083c713d in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0xbfffc8e0) at zend_vm_execute.h:8518
#5  0x083b3aee in execute (op_array=0x88b3540) at zend_vm_execute.h:88
#6  0x083b3f31 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffca80) at zend_vm_execute.h:224
#7  0x083b4328 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfffca80) at zend_vm_execute.h:310
#8  0x083b3aee in execute (op_array=0x88ac8d0) at zend_vm_execute.h:88
#9  0x0838dc66 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/orig/php-src_5_1/Zend/zend.c:1087
#10 0x0834ce3b in php_execute_script (primary_file=0xbfffeed0) at /usr/src/dev/orig/php-src_5_1/main/main.c:1677
#11 0x083f9d16 in main (argc=2, argv=0xbfffefb4) at /usr/src/dev/orig/php-src_5_1/sapi/cli/php_cli.c:1041

valgrind's output is here:
http://tony2001.phpclub.net/dev/tmp/bug34873_valgrind.txt
 [2005-10-17 10:02 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_1.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 03:01:29 2024 UTC