php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55339 Segfault with allow_call_time_pass_reference = Off
Submitted: 2011-08-01 19:47 UTC Modified: 2011-08-02 07:40 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tomas dot brastavicius at quantum dot lt Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3SVN-2011-08-01 (SVN) OS: Linux
Private report: No CVE-ID: None
 [2011-08-01 19:47 UTC] tomas dot brastavicius at quantum dot lt
Description:
------------
The scripts that are provided below causes segfault. The following configuration was used to compile PHP:
./configure --disable-all

Test script:
---------------
To reproduce the bug one needs 3 PHP files:

1. index.php
<?php

function error_handler($errno, $errstr, $errfile, $errline)
{
    require_once 'error_handler.php';
}
set_error_handler('error_handler');

require_once('inc.php');

echo 'Never prints';


2. error_handler.php
<?php

// The file may be empty. It's OK.


3. inc.php
<?php

function foo()
{
    $array = array();
    foreach ($array as $key => $value) {
        bar($key, &$value);
    }
}

function bar()
{

}

Before running index.php be sure allow_call_time_pass_reference is Off

Expected result:
----------------
Never prints

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in ?? ()
(gdb) bt
#0  0x00000000006210e7 in ?? ()
#1  0x0000000100000000 in ?? ()
#2  0x00007f3a4a29d390 in ?? ()
#3  0x0000000000000000 in ?? ()


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-01 20:09 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-08-01 20:31 UTC] pajoye@php.net
-Status: Assigned +Status: Feedback
 [2011-08-01 20:31 UTC] pajoye@php.net
The symbols are missing so the backtrace is rather useless. Compile php with --
enable-debug to get them.
 [2011-08-01 20:50 UTC] tomas dot brastavicius at quantum dot lt
@pajoye@php.net

I did. I have made a mistake in a bug report. The following configuration was used: ./configure --disable-all --enable-debug.
I was able to reproduce this issue on 3 separate servers.
 [2011-08-01 20:58 UTC] pajoye@php.net
Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in ?? ()
(gdb) bt
#0  0x00000000006210e7 in ?? ()


No, the debug mode was not used sorry. the ?? are here to say that gdb has no 
idea about the symbols.
 [2011-08-01 21:25 UTC] tomas dot brastavicius at quantum dot lt
Oops, here is the backtrace.

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in zval_delref_p (T=0x7f91d9630390, extended_value=1)
    at /home/tomas/php-5.3/Zend/zend.h:385
385		return --pz->refcount__gc;
(gdb) bt
#0  0x00000000006210e7 in zval_delref_p (T=0x7f91d9630390, extended_value=1)
    at /home/tomas/php-5.3/Zend/zend.h:385
#1  zend_pzval_unlock_free_func (T=0x7f91d9630390, extended_value=1) at /home/tomas/php-5.3/Zend/zend_execute.c:86
#2  zend_switch_free (T=0x7f91d9630390, extended_value=1) at /home/tomas/php-5.3/Zend/zend_execute.c:382
#3  0x00000000006459b6 in ZEND_SWITCH_FREE_SPEC_VAR_HANDLER (execute_data=0x7f91d96302a8)
    at /home/tomas/php-5.3/Zend/zend_vm_execute.h:8453
#4  0x0000000000624a36 in execute (op_array=0x29be158) at /home/tomas/php-5.3/Zend/zend_vm_execute.h:107
#5  0x00000000005e16b7 in zend_call_function (fci=0x7fff63d50ae0, fci_cache=0x7fff63d50970)
    at /home/tomas/php-5.3/Zend/zend_execute_API.c:968
#6  0x00000000005e089c in call_user_function_ex (function_table=0x28b7bd0, object_pp=0x0, function_name=0x29ba828, 
    retval_ptr_ptr=0x7fff63d50be8, param_count=5, params=0x29bedb0, no_separation=1, symbol_table=0x0)
    at /home/tomas/php-5.3/Zend/zend_execute_API.c:758
#7  0x00000000005f0d2a in zend_error (type=8192, format=0x794ad8 "Call-time pass-by-reference has been deprecated")
    at /home/tomas/php-5.3/Zend/zend.c:1102
#8  0x00000000005d2f9d in zend_do_pass_param (param=0x7fff63d51110, op=67 'C', offset=2)
    at /home/tomas/php-5.3/Zend/zend_compile.c:2093
#9  0x00000000005aae3b in zendparse () at /home/tomas/php-5.3/Zend/zend_language_parser.y:483
#10 0x00000000005af8cb in compile_file (file_handle=0x7fff63d52bc0, type=8) at Zend/zend_language_scanner.l:364
#11 0x000000000062a236 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7f91d9630090)
    at /home/tomas/php-5.3/Zend/zend_vm_execute.h:1946
#12 0x0000000000624a36 in execute (op_array=0x29ba5b0) at /home/tomas/php-5.3/Zend/zend_vm_execute.h:107
#13 0x00000000005f11ec in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/tomas/php-5.3/Zend/zend.c:1195
#14 0x000000000057a60c in php_execute_script (primary_file=0x7fff63d552a0) at /home/tomas/php-5.3/main/main.c:2284
#15 0x00000000006d5061 in main (argc=4, argv=0x7fff63d55508) at /home/tomas/php-5.3/sapi/cli/php_cli.c:1184
 [2011-08-02 07:38 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=314086
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2011-08-02 07:40 UTC] dmitry@php.net
-Status: Feedback +Status: Closed
 [2011-08-02 07:40 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC