PHP :: Bug #65784 :: Segfault with finally

Bug #65784

Segfault with finally

Submitted:

2013-09-29 12:18 UTC

Modified:

2016-05-11 14:27 UTC

Votes:	6
Avg. Score:	4.3 ± 1.5
Reproduced:	6 of 6 (100.0%)
Same Version:	2 (33.3%)
Same OS:	6 (100.0%)

From:

r dot wilczek at web-appz dot de

Assigned:

laruence (profile)

Status:

Closed

Package:

*General Issues

PHP Version:

5.5.4

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2013-09-29 12:18 UTC] r dot wilczek at web-appz dot de

Description:
------------
The structures
try {
   return foo();
} finally {
   bar();
}

or 

try {
    return foo();
} catch (Exception $e) {
    throw $e;
} finally {
    bar();
}

under some circumstances segfault, whereas the equivalent structure
try {
    $result = foo();
    bar();
    return $result;
} catch (Exception $e) {
    bar();
    throw $e;
}
works as expected.

Test script:
---------------
It's hard to reproduce the failure, because it occured within a "PHPUnit Mock Monster", and I failed to reproduce it with a simple script.

All I can show is the core-dump below, which is produced by a 
try {
   return foo();
} finally {
   bar();
}


Expected result:
----------------
No Segmentation fault

Actual result:
--------------
Segmentation fault

#0  0x0000000000a41895 in zval_delref_p (pz=0x0) at /root/php-5.5.4/php-5.5.4/Zend/zend.h:409
#1  0x0000000000a4330c in zend_pzval_unlock_func (z=0x0, should_free=0x7fff17175fe0, unref=1)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_execute.c:72
#2  0x0000000000a4341b in _get_zval_ptr_var (var=4294967232, execute_data=0x7fea01fe0098, should_free=0x7fff17175fe0)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_execute.c:186
#3  0x0000000000a63e15 in ZEND_SEND_VAR_NO_REF_SPEC_VAR_HANDLER (execute_data=0x7fea01fe0098)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:13081
#4  0x0000000000a4a772 in ZEND_USER_OPCODE_SPEC_HANDLER (execute_data=0x7fea01fe0098)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:1119
#5  0x0000000000a480cf in execute_ex (execute_data=0x7fea01fe0098) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#6  0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fe0098) at /tmp/pear/temp/xdebug/xdebug.c:1437
#7  0x0000000000a48157 in zend_execute (op_array=0x1e07960) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#8  0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdff10)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#9  0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdff10)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#10 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdff10) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#11 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdff10) at /tmp/pear/temp/xdebug/xdebug.c:1437
#12 0x0000000000a48157 in zend_execute (op_array=0x1e2e1e0) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#13 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdfc38)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#14 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdfc38)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#15 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdfc38) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#16 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdfc38) at /tmp/pear/temp/xdebug/xdebug.c:1437
#17 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb75d630) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#18 0x00000000009f6785 in zend_call_function (fci=0x7fff171766d0, fci_cache=0x7fff171766a0)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_execute_API.c:939
#19 0x000000000076285c in zim_reflection_method_invokeArgs (ht=2, return_value=0x7fe9fb705d90, return_value_ptr=0x0, 
    this_ptr=0x7fe9fb7048b0, return_value_used=1) at /root/php-5.5.4/php-5.5.4/ext/reflection/php_reflection.c:3018
#20 0x0000000000a47936 in execute_internal (execute_data_ptr=0x7fea01fdf9e8, fci=0x0, return_value_used=1)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_execute.c:1485
#21 0x00007fe9fbfd3118 in xdebug_execute_internal (current_execute_data=0x7fea01fdf9e8, fci=0x0, return_value_used=1)
    at /tmp/pear/temp/xdebug/xdebug.c:1553
#22 0x0000000000a48a0e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdf9e8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:552
#23 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdf9e8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
---Type <return> to continue, or q <return> to quit---
#24 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdf9e8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#25 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdf9e8) at /tmp/pear/temp/xdebug/xdebug.c:1437
#26 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb6ded80) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#27 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdef70)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#28 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdef70)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#29 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdef70) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#30 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdef70) at /tmp/pear/temp/xdebug/xdebug.c:1437
#31 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb6deb90) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#32 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fddc88)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#33 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fddc88)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#34 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fddc88) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#35 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fddc88) at /tmp/pear/temp/xdebug/xdebug.c:1437
#36 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb69c850) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#37 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdc7d8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#38 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdc7d8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#39 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdc7d8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#40 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdc7d8) at /tmp/pear/temp/xdebug/xdebug.c:1437
#41 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb6e6808) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#42 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdb768)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#43 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdb768)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#44 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdb768) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#45 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdb768) at /tmp/pear/temp/xdebug/xdebug.c:1437
#46 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb6a9f30) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#47 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fdb540)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#48 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fdb540)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#49 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fdb540) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#50 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fdb540) at /tmp/pear/temp/xdebug/xdebug.c:1437
#51 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb6a5538) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
---Type <return> to continue, or q <return> to quit---
#52 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fda210)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#53 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fda210)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#54 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fda210) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#55 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fda210) at /tmp/pear/temp/xdebug/xdebug.c:1437
#56 0x0000000000a48157 in zend_execute (op_array=0x7fe9fb880078) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#57 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fd7d88)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#58 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fd7d88)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#59 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fd7d88) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#60 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fd7d88) at /tmp/pear/temp/xdebug/xdebug.c:1437
#61 0x0000000000a48157 in zend_execute (op_array=0x7fea01e62598) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#62 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fd7470)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#63 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fd7470)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#64 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fd7470) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#65 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fd7470) at /tmp/pear/temp/xdebug/xdebug.c:1437
#66 0x0000000000a48157 in zend_execute (op_array=0x7fea01e57b10) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#67 0x0000000000a48bfc in zend_do_fcall_common_helper_SPEC (execute_data=0x7fea01fd72c8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:584
#68 0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fea01fd72c8)
    at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#69 0x0000000000a480cf in execute_ex (execute_data=0x7fea01fd72c8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#70 0x00007fe9fbfd2c57 in xdebug_execute_ex (execute_data=0x7fea01fd72c8) at /tmp/pear/temp/xdebug/xdebug.c:1437
#71 0x0000000000a48157 in zend_execute (op_array=0x7fea01e56eb8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#72 0x0000000000a0a27f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.5.4/php-5.5.4/Zend/zend.c:1318
#73 0x0000000000976e9e in php_execute_script (primary_file=0x7fff1717aeb0) at /root/php-5.5.4/php-5.5.4/main/main.c:2489
#74 0x0000000000ab7ac7 in do_cli (argc=5, argv=0x1932ee0) at /root/php-5.5.4/php-5.5.4/sapi/cli/php_cli.c:994
#75 0x0000000000ab8bff in main (argc=5, argv=0x1932ee0) at /root/php-5.5.4/php-5.5.4/sapi/cli/php_cli.c:1378

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-09-29 12:25 UTC] r dot wilczek at web-appz dot de

#0  0x0000000000a41895 in zval_delref_p (pz=0x0) at /root/php-5.5.4/php-5.5.4/Zend/zend.h:409
#1  0x0000000000a4330c in zend_pzval_unlock_func (z=0x0, should_free=0x7fffa8aa9e90, unref=1) at /root/php-5.5.4/php-5.5.4/Zend/zend_execute.c:72
#2  0x0000000000a4341b in _get_zval_ptr_var (var=4294967232, execute_data=0x7f1fceaa5098, should_free=0x7fffa8aa9e90) at /root/php-5.5.4/php-5.5.4/Zend/zend_execute.c:186
#3  0x0000000000a63e15 in ZEND_SEND_VAR_NO_REF_SPEC_VAR_HANDLER (execute_data=0x7f1fceaa5098) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:13081
#4  0x0000000000a480cf in execute_ex (execute_data=0x7f1fceaa5098) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#5  0x0000000000a48157 in zend_execute (op_array=0x2e129f0) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#6  0x00000000009f6785 in zend_call_function (fci=0x7fffa8aaa100, fci_cache=0x7fffa8aaa0d0) at /root/php-5.5.4/php-5.5.4/Zend/zend_execute_API.c:939
#7  0x000000000076285c in zim_reflection_method_invokeArgs (ht=2, return_value=0x2e3b2d0, return_value_ptr=0x0, this_ptr=0x2e3b450, return_value_used=1)
    at /root/php-5.5.4/php-5.5.4/ext/reflection/php_reflection.c:3018
#8  0x0000000000a489de in zend_do_fcall_common_helper_SPEC (execute_data=0x7f1fceaa49e8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:550
#9  0x0000000000a491b0 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7f1fceaa49e8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:685
#10 0x0000000000a480cf in execute_ex (execute_data=0x7f1fceaa49e8) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:363
#11 0x0000000000a48157 in zend_execute (op_array=0x7f1fcead9b60) at /root/php-5.5.4/php-5.5.4/Zend/zend_vm_execute.h:388
#12 0x0000000000a0a27f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.5.4/php-5.5.4/Zend/zend.c:1318
#13 0x0000000000976e9e in php_execute_script (primary_file=0x7fffa8aad7a0) at /root/php-5.5.4/php-5.5.4/main/main.c:2489
#14 0x0000000000ab7ac7 in do_cli (argc=5, argv=0x263beb0) at /root/php-5.5.4/php-5.5.4/sapi/cli/php_cli.c:994
#15 0x0000000000ab8bff in main (argc=5, argv=0x263beb0) at /root/php-5.5.4/php-5.5.4/sapi/cli/php_cli.c:1378

[2013-09-29 12:26 UTC] r dot wilczek at web-appz dot de

(The second core-dump is created without xdebug, to keep things simple)

[2013-10-01 22:58 UTC] nikic@php.net

Could you please post the code as it is actually used (just the part containing the finally)? Your backtrace indicates that the segfault happens during an argument send, but your code samples do not include any function calls with arguments.

[2013-10-02 01:06 UTC] felipe@php.net

-Status: Open +Status: Feedback

[2013-10-03 11:53 UTC] r dot wilczek at web-appz dot de

Here you are ...

/* @var $sql string */
/* @var $expr SomeInterface */
/* @var $ctxt AnotherInterface */

$trx     = $this->ctxt->beginTransaction(); // an interface
$memento = $this->ctxt->getMemento();       // can be anything
try {
    $this->ctxt->persist();                 // don't return or throw exception
    return $this->execute($expr, $sql);     // return scalar[] or throw exception
} finally {
    $this->ctxt->setMemento($memento);      // don't return or throw exception
    $trx->rollback();                       // don't return or throw exception
}

Don't know, if this helps.
What I forgot to mention was, that the segfault occurs, when there is an exception thrown from within the try-block.

[2013-10-15 11:54 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2013-10-15 12:06 UTC] felipe@php.net

-Status: No Feedback +Status: Open

[2013-11-25 20:16 UTC] crussell52 at gmail dot com

The following script in php 5.5.5 demonstrates this problem.

Note, my testing indicates that all of these conditions must be true:

1. Exception is thrown in try block.
2. An Exception is thrown AND handled during execution of 
   the corresponding finally block.
3. The return value must be referenced. 

-----------------

class Executor
{
  public function go()
  {
    try
    {
      // 1. Throw exception in try block.
      throw new Exception("Failed to do something!");
      return true;
    }
    finally
    {
      // 2. Throw and handle exception within finally block.
      // Note, this step could occur in a function/method which
      // is called within the finally block.
      try
      {
        throw new Exception("Failed to clean up.");
      }
      catch (Exception $E) { /* Ignore */ }
    }
  }
}

$Executor = new Executor();

// 3. Reference the return value.
$value = $Executor->go();

-----------------

#3 is interesting and threw me off a bit while trying to come up 
with a reproduction script.  See the following variations and 
outcome:

$value = $Executor->go(); // fail
echo $Executor->go();     // fail
$Executor->go();          // success

[2013-11-25 20:33 UTC] crussell52 at gmail dot com

core-dump info from my example:

#0  zval_delref_p (execute_data=0xb7f12234) at /opt/src/apache2.4/php-5.5.5/Zend/zend.h:409
#1  zend_pzval_unlock_func (execute_data=0xb7f12234) at /opt/src/apache2.4/php-5.5.5/Zend/zend_execute.c:72
#2  _get_zval_ptr_var (execute_data=0xb7f12234) at /opt/src/apache2.4/php-5.5.5/Zend/zend_execute.c:186
#3  ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0xb7f12234) at /opt/src/apache2.4/php-5.5.5/Zend/zend_vm_execute.h:36995
#4  0x012b7496 in execute_ex (execute_data=0xb7f12234) at /opt/src/apache2.4/php-5.5.5/Zend/zend_vm_execute.h:363
#5  0x007f3f35 in xdebug_execute_ex (execute_data=0xb7f12234) at /opt/src/apache2.4/xdebug-2.2.3/xdebug.c:1437
#6  0x012cf5cf in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER (execute_data=0xb7f12160) at /opt/src/apache2.4/php-5.5.5/Zend/zend_vm_execute.h:13418
#7  0x012b7496 in execute_ex (execute_data=0xb7f12160) at /opt/src/apache2.4/php-5.5.5/Zend/zend_vm_execute.h:363
#8  0x007f3f35 in xdebug_execute_ex (execute_data=0xb7f12160) at /opt/src/apache2.4/xdebug-2.2.3/xdebug.c:1437
#9  0x01286fe5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/src/apache2.4/php-5.5.5/Zend/zend.c:1320
#10 0x0122a3cf in php_execute_script (primary_file=0xbfd233c0) at /opt/src/apache2.4/php-5.5.5/main/main.c:2489
#11 0x0132812b in php_handler (r=0x9eb98c8) at /opt/src/apache2.4/php-5.5.5/sapi/apache2handler/sapi_apache2.c:667
#12 0x08098037 in ?? ()

[2013-12-09 03:24 UTC] phpmpan at mpan dot pl

Minimal code to reproduce:

-------------------------------------------------------
function foo() {
    try {
        throw new \Exception();
        return true;
    } finally {
        try {
            throw new \Exception();
        } catch (\Exception $e) {
        }
    }
}

$bar = foo();
-------------------------------------------------------

Clean gdb backtrace from `php -f` for master snap:
-------------------------------------------------------
#0  0x0000000000639587 in zval_isref_p (pz=0x0)
    at /tmp/php-master-201312082230/Zend/zend.h:415
#1  0x000000000063d47f in zend_assign_to_variable (variable_ptr_ptr=0x7ffff7fc3bc0, 
    value=0x0) at /tmp/php-master-201312082230/Zend/zend_execute.c:916
#2  0x000000000069d558 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x7ffff7f891f0)
    at /tmp/php-master-201312082230/Zend/zend_vm_execute.h:36797
#3  0x000000000063f4dd in execute_ex (execute_data=0x7ffff7f891f0)
    at /tmp/php-master-201312082230/Zend/zend_vm_execute.h:363
#4  0x000000000063f54e in zend_execute (op_array=0x7ffff7fc0498)
    at /tmp/php-master-201312082230/Zend/zend_vm_execute.h:388
#5  0x0000000000600773 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php-master-201312082230/Zend/zend.c:1334
#6  0x000000000057a2b9 in php_execute_script (primary_file=0x7fffffffe490)
    at /tmp/php-master-201312082230/main/main.c:2507
#7  0x00000000006a8cf6 in do_cli (argc=3, argv=0xa3ba90)
    at /tmp/php-master-201312082230/sapi/cli/php_cli.c:994
#8  0x00000000006a9cc4 in main (argc=3, argv=0xa3ba90)
    at /tmp/php-master-201312082230/sapi/cli/php_cli.c:1378
-------------------------------------------------------

A quick dive into the code suggests that something bad happens around the catch. After this piece of code FAST_RET, instead of passing the outer exception higher, goes to ASSIGN. However, the function never provides a return value to copy from and as a result an unexpected `NULL` flies around `ZEND_ASSIGN_SPEC_CV_VAR_HANDLER`.

[2013-12-10 07:02 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2013-12-13 07:39 UTC] laruence@php.net

unfortunately,  this bug only fixed in 5.6 +,  we can not apply the fix to 5.5 because of ABI BC.

https://github.com/php/php-src/commit/794a888a48715af5a97e3af9a8bdd88b20432f53

thanks

[2014-04-10 14:08 UTC] tony2001@php.net

Related To: Bug #67037

[2016-05-11 14:27 UTC] nikic@php.net

-Status: Assigned +Status: Closed

[2016-05-11 14:27 UTC] nikic@php.net

Closing this as it's fixed in 5.6 and 5.5 is no longer supported for bugfixes.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 21:00:01 2025 UTC