php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #27876 list($a, $b) = $var = function() seg faults
Submitted: 2004-04-05 22:49 UTC Modified: 2004-04-29 11:47 UTC
From: aashley at optimiser dot com Assigned: andi (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2004-04-05 (dev) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2004-04-05 22:49 UTC] aashley at optimiser dot com 
Description:
------------
When testing our site in PHP5 I can across a repeatable segmentation fault whenever the HTML_QuickForm_Controller::run() function was called. The problem was tracked to line 131 of Controller.php in HTML_QuickForm_Controller 1.0.2. The problem occured in both PHP-5.0.0-RC1 and the php5-200404041830 snapshot. I have unfortunatly been unable to create a simpler test case that causes the problem however it is readily repeatable in HTML_QuickForm_Controller.

Reproduce code:
---------------
Problem Line 131:

list($page, $action) = $this->_actionName = $this->getActionName();


Changing the line to this prevents this problem from occuring.

$this->_actionName = $this->getActionName();
list($page, $action) = $this->_actionName;


Expected result:
----------------
$page and $action are set to the first and second items in the array respectivly

Actual result:
--------------
segmentation fault.

#0  0x40849f31 in zend_fetch_dim_r_handler (execute_data=0xbfffcdb0, opline=0x413d5814, op_array=0x413d35e4)
    at /root/php5-200404041830/Zend/zend_execute.c:58
#1  0x408485e8 in execute (op_array=0x413d35e4) at /root/php5-200404041830/Zend/zend_execute.c:1391
#2  0x4084be09 in zend_do_fcall_common_helper (execute_data=0xbfffd330, opline=0x413d28d0, op_array=0x413b8dbc)
    at /root/php5-200404041830/Zend/zend_execute.c:2728
#3  0x4084c113 in zend_do_fcall_by_name_handler (execute_data=0xbfffcc2c, opline=0x0, op_array=0x0)
    at /root/php5-200404041830/Zend/zend_execute.c:2810
#4  0x408485e8 in execute (op_array=0x413b8dbc) at /root/php5-200404041830/Zend/zend_execute.c:1391
#5  0x40829bff in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php5-200404041830/Zend/zend.c:1057
#6  0x407efc9f in php_execute_script (primary_file=0xbffff5e0) at /root/php5-200404041830/main/main.c:1630
#7  0x40853954 in php_handler (r=0x82510f8) at /root/php5-200404041830/sapi/apache2handler/sapi_apache2.c:556
#8  0x080692e1 in ap_invoke_handler ()
#9  0x080664bf in ap_process_request ()
#10 0x08060e27 in _start ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-04-06 03:05 UTC] derick@php.net 
Zend Engine 2 related, assinging to Andi.
 [2004-04-09 10:11 UTC] andi@php.net 
Please try and created a shorter reproducing script. I can't debug this bug report otherwise.
 [2004-04-09 11:38 UTC] aashley at optimiser dot com 
I havent had much luck creating a simpler example so far. I'll have another try tomorrow... errr later today.
 [2004-04-25 17:24 UTC] robinv at ecosse dot net 
Simpler test case:

<?php
class TestClass
{
  var $bar;

  function TestClass()
  {  
    list($foo) = $this->bar = array(1);
    print $foo;
  }
}

$testObject = new TestClass;
?>

running dbd on core dump:
[...]
Core was generated by `/home/robin/bin/php -f ../bug.php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/i686/libpthread.so.0...done.
Loaded symbols for /lib/i686/libpthread.so.0
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  zend_mm_alloc (heap=0x81ec480, size=220) at /home/robin/src/php-5.0.0RC1/Zend/zend_mm.c:308
308                     if (p->size == true_size) {
(gdb) list
303                             }
304                     }
305             }
306
307             for (p = heap->free_buckets[0]; p; p = p->next_free_block) {
308                     if (p->size == true_size) {
309                             best_fit = p;
310                             break;
311                     }
312                     if ((p->size > true_size) && (!best_fit || (best_fit->size > p->size))) {       /* better fit */
(gdb) print p
$1 = (zend_mm_free_block *) 0x33146c00
(gdb) print p->size
Cannot access memory at address 0x33146c00
(gdb) print best_fit
$2 = (zend_mm_free_block *) 0x40332cab
(gdb) print best_fit->size
$3 = 972800
(gdb) print true_size
$4 = 232
 [2004-04-25 18:37 UTC] derick@php.net 
I just verified this with this simple script.

Derick
 [2004-04-29 11:47 UTC] stas@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Oct 26 08:00:02 2025 UTC