Bug #11970 SEPARATE_ZVAL_TO_MAKE_IS_REF doesn't like 0x0
Submitted: 2001-07-09 06:27 UTC Modified: 2002-08-02 16:29 UTC
From: teo at gecadsoftware dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4.3.0-dev OS: Linux 2.4.4/glibc 2.2.2
Private report: No CVE-ID: None
 [2001-07-09 06:27 UTC] teo at gecadsoftware dot com
<?php
// bug3.php: minimal reproducer. $arr is never defined inside erm(),
// so the lookup would raise a notice; the @ operator suppresses it.
// The function is declared to return by reference (the & before the name).
function &erm($key) { 
  return @$arr[$key];
}

$foo = erm('foo');
$bar = erm('bar');   // this second call segfaults the engine

(gdb) run bug3.php
Starting program: /usr/local/bin/php bug3.php

Program received signal SIGSEGV, Segmentation fault.
0x80a29e9 in execute (op_array=0x81d3348) at ./zend_execute.c:1592
1592     SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
(gdb) p retval_ptr_ptr
$1 = (zval **) 0x0
(gdb) bt
#0  0x80a29e9 in execute (op_array=0x81d3348) at ./zend_execute.c:1592
#1  0x80a26a8 in execute (op_array=0x81cdf5c) at ./zend_execute.c:1544
#2  0x8097234 in zend_execute_scripts (type=8, file_count=3) at zend.c:752
#3  0x8065b4f in php_execute_script (primary_file=0xbffff694) at main.c:1206
#4  0x8061173 in main (argc=2, argv=0xbffff724) at cgi_main.c:718
(gdb) list
1587    (opline->op1.op_type != IS_CONST) && 
1588    (opline->op1.op_type != IS_TMP_VAR)) {
1589              
1590    retval_ptr_ptr = get_zval_ptr_ptr(&opline->op1, Ts, BP_VAR_W);
1591    
1592    SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
1593                                                    
1594    (*retval_ptr_ptr)->refcount++;
1595    (*EG(return_value_ptr_ptr)) = (*retval_ptr_ptr);
1596     } else {

Notice that the second call [erm('bar')] actually triggers the segfault.

patch: I dunno, Zeev somebody? :)


History
 [2001-07-15 12:48 UTC] zeev@php.net
Fixed in CVS - thanks for the tiny reproducing script!
 [2001-07-19 12:05 UTC] zeev@php.net
My initial fix was bogus, as I misdiagnosed what was going on.  The current fix is to allow returning of plain variables only (i.e., you can return $arr[$key], but you can't return @$arr[$key]).  This means that your script will not work (it'll error out), but won't crash either...
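The rule Zeev describes (return the variable itself by reference, not an expression built from it) is easiest to see in working code. The following is an added example written for this page, not code from the bug report or from the PHP project, and it assumes current PHP (7/8) semantics rather than the 4.x engine the report was filed against; the function names get_ref/get_ref_bad and the $registry sample array are illustrative choices. It replaces the report's suppressed notice with an explicit key check, and passes the array in by reference rather than relying on an undefined local as the reproducer does:

```php
<?php
// Added example (not from the bug report). Assumes PHP 7/8.
// A function declared with & must return a variable, array element or
// property directly. Wrapping the lookup in @ turns it into an expression,
// which cannot be bound to a reference.

$registry = ['foo' => 1];   // constructed sample data

// Safe pattern: guard the lookup explicitly, then return the element itself.
function &get_ref(array &$store, string $key)
{
    if (!array_key_exists($key, $store)) {
        // Create the slot instead of silencing an undefined-index notice,
        // so the caller always receives a reference to a real element.
        $store[$key] = null;
    }
    return $store[$key];
}

$foo = &get_ref($registry, 'foo');
$foo = 42;                            // writes through to $registry['foo']
$bar = &get_ref($registry, 'bar');    // no notice: the slot is created first
$bar = 'new';

var_dump($registry);

// The pattern from the report: returning @$store[$key] by reference.
// PHP refuses to bind a reference to an expression result and raises
// "Only variable references should be returned by reference"; the caller
// silently receives a copy, so the assignment through $x never reaches $store.
function &get_ref_bad(array &$store, string $key)
{
    return @$store[$key];
}

$x = &get_ref_bad($registry, 'baz');
$x = 'lost';
var_dump(isset($registry['baz']));
```

Running it, the first var_dump shows both 'foo' (now 42) and 'bar' (now 'new') in $registry, confirming that get_ref handed back genuine references; the second var_dump prints bool(false), because get_ref_bad's return was a value copy and the write to $x was discarded. On current PHP the bad variant only produces a notice, which is the behaviour Zeev's comment aims at: a script that relies on it errors out instead of crashing the engine.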
 [2001-07-19 14:33 UTC] zeev@php.net
The fixes so far were bad; they were reverted, and this bug is now reopened.
 [2001-12-12 08:36 UTC] yohgaki@php.net
Problem does exist in 4.1.0 :(
 [2002-04-19 09:31 UTC] yohgaki@php.net
Version updated
 [2002-08-02 16:29 UTC] iliaa@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

Last updated: Fri Mar 29 09:01:28 2024 UTC