Bug #25289 PHP segmentation fault
Submitted: 2003-08-28 07:19 UTC Modified: 2003-08-30 01:57 UTC
From: skissane at ics dot mq dot edu dot au Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.3 OS: RedHat Linux 9
Private report: No CVE-ID: None
 [2003-08-28 07:19 UTC] skissane at ics dot mq dot edu dot au
Description:
------------
PHP segfaults.

Reproduce code:
---------------
Reproduce code can be found at:
http://www.iips.mq.edu.au/bugs/

File datamodel/cms-datamodel-php.php causes crash.
Through trial and error (insertion of "echo" and "exit" statements), I believe I have isolated the segfault to the function ObjectGenerator_PHP::_generateEnums() in the file appgen/ObjectGenerator_PHP.inc, but I am not 100% sure.

Segfault occurs both on command line php and through Apache.

PHP was compiled myself using: './configure' '--with-apxs2=/usr/sbin/apxs' '--with-mysql=/usr/' '--without-mssql' '--with-ldap' '--with-curl=/usr' 



Expected result:
----------------
No segfault

Actual result:
--------------
Starting program: /usr/local/bin/php cms-datamodel-php.php

Program received signal SIGSEGV, Segmentation fault.
0x42074760 in _int_free () from /lib/tls/libc.so.6
(gdb) bt
#0  0x42074760 in _int_free () from /lib/tls/libc.so.6
#1  0x42073786 in free () from /lib/tls/libc.so.6
#2  0x08104302 in _efree (ptr=0x82cd0bc) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:265
#3  0x0810a85a in _zval_ptr_dtor (zval_ptr=0x8312c48) at zend_execute.h:44
#4  0x08115e70 in zend_hash_destroy (ht=0x832c41c) at /home/skissane/php-4.3.3/Zend/zend_hash.c:553
#5  0x08110aae in _zval_dtor (zvalue=0xbfffa9e0) at /home/skissane/php-4.3.3/Zend/zend_variables.c:51
#6  0x0811f611 in execute (op_array=0x81eaf7c) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1452
#7  0x0811e653 in execute (op_array=0x81eadd4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1660
#8  0x0811e653 in execute (op_array=0x81a2004) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1660
#9  0x08111fd5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#10 0x080ecb87 in php_execute_script (primary_file=0xbfffddc0) at /home/skissane/php-4.3.3/main/main.c:1723
#11 0x081234bb in main (argc=2, argv=0xbfffde44) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#12 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) frame 6
#6  0x0811f611 in execute (op_array=0x81eaf7c) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1452
1452                                    zendi_zval_dtor(EX(Ts)[EX(opline)->op1.u.var].tmp_var);
(gdb)


 [2003-08-28 10:07 UTC] sniper@php.net
Please provide a short script (max 20 lines), without any external dependencies, such as database or includes().

(_one_ script, not dozens)

 [2003-08-28 10:31 UTC] skissane at ics dot mq dot edu dot au
I can't work out what exactly is causing it, and so can't come up with a 20-line test. I have reduced it down to a smaller set of files, at http://www.iips.mq.edu.au/bugs/testcase.tgz

If you have any suggestions of how I can trim this down to a smaller test case, I'll try.
 [2003-08-28 11:00 UTC] skissane at ics dot mq dot edu dot au
Okay, I tried a bit harder, and I have now reduced it down to a single 400 line .php file, plus three associated data files which the .php file unserializes. This results in a segmentation fault when run from the command line or Apache.

You can get the latest one from http://www.iips.mq.edu.au/bugs/testcase3.tgz
 [2003-08-28 18:10 UTC] skissane at ics dot mq dot edu dot au
Sorry about giving so many testcases (only just learning how to do this), but I finally have a 20-line reproduce script:

<?php
// Classes referenced by the serialized test.dat; they only need to exist so
// unserialize() restores real objects instead of __PHP_Incomplete_Class.
class obj_database { }
class obj_enum { }
class obj_enumvalue { }

$dm = unserialize(file_get_contents("test.dat"));
foreach ($dm->obj_enum as $enum) {
    foreach ($enum->obj_enumvalue as $enumvalue) {
    }
    $i = 0;
    // Crash trigger: the key target ($enumvalue->name) is a property of the
    // same variable that receives the value.
    foreach ($enum->obj_enumvalue as $enumvalue->name => $enumvalue) {
        $out = "                 " . $enum->prefix . "_" . $enumvalue->name . " => \"" . $enumvalue->name . "\"";
        if ($i++ < count($enum->obj_enumvalue)-1) {
        }
    }
}
?>

It depends on the test.dat data file I included with my earlier test cases.
 [2003-08-29 09:43 UTC] jay@php.net
A shorter script:

<?php
// $foo is auto-created as a stdClass by the first property write.
$foo->bar1 = "foobar1";
$foo->bar2 = "foobar2";
// Crash trigger: the key is written into a property of $b, and $b is then
// overwritten with the value.
foreach ($foo as $b->name => $b) {
}
?>

The foreach loop is the problem. You're creating a new stdClass object with $b->name for the key, then using $b itself for the value, thus destroying the key used in stdClass.

Looks to me like a ZE1 issue. Doesn't occur in HEAD.

J
 [2003-08-30 01:57 UTC] sniper@php.net
Fixed in PHP 5. (won't fix in PHP 4)
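The loop shape that the reporter's 20-line script and jay@php.net's two-liner both exercise, rebuilt as an added example that is not code from the bug report or from PHP itself. It replaces the reporter's test.dat with an inline enum graph (constructed here; class and property names follow the reporter's script, everything else is assumed), runs the reporter's loop beside a rewrite that keeps the key in a plain variable, and wraps jay's trigger so the engine's reaction can be inspected on a current PHP. In PHP 7 and 8 the engine assigns the value first and then stores the key into the key target, so on the reporter's loop each obj_enumvalue has its name overwritten by its array index; on jay's loop the key write hits a string, which PHP 8 rejects with an Error (PHP 7 only warned).

```php
<?php
declare(strict_types=1);
// Added example, not code from the bug report. Class and property names come
// from the reporter's script; the data, helper names and output format are
// assumptions made for this illustration.

class obj_enum {
    public $prefix;
    public $obj_enumvalue = [];
}

class obj_enumvalue {
    public $name;
}

// Constructed stand-in for unserialize(file_get_contents("test.dat")): one enum
// with a 0-indexed list of values, round-tripped through serialize() so the
// objects arrive the way unserialize() would produce them.
function loadEnums(): array {
    $enum = new obj_enum();
    $enum->prefix = 'COLOUR';
    foreach (['red', 'green', 'blue'] as $n) {
        $v = new obj_enumvalue();
        $v->name = $n;
        $enum->obj_enumvalue[] = $v;
    }
    return unserialize(serialize([$enum]));
}

// The reporter's loop shape: the key target is a property of the variable that
// also receives the value. ZE1 (PHP 4.3.3) segfaulted here. PHP 7/8 run it, but
// the value is assigned first and the key is then stored into $enumvalue->name,
// so every obj_enumvalue has its name clobbered by its index.
function generateEnumsBuggy(array $enums): array {
    $out = [];
    foreach ($enums as $enum) {
        foreach ($enum->obj_enumvalue as $enumvalue->name => $enumvalue) {
            $out[] = $enum->prefix . '_' . $enumvalue->name . ' => "' . $enumvalue->name . '"';
        }
    }
    return $out;
}

// Rewrite that keeps the key out of the value object: the key goes to a plain
// variable and the object's own name property is only read, never written.
function generateEnums(array $enums): array {
    $out = [];
    foreach ($enums as $enum) {
        $last = count($enum->obj_enumvalue) - 1;
        foreach ($enum->obj_enumvalue as $i => $enumvalue) {
            $line = $enum->prefix . '_' . $enumvalue->name . ' => "' . $enumvalue->name . '"';
            $out[] = $i < $last ? $line . ',' : $line;
        }
    }
    return $out;
}

// jay@php.net's trigger, with $foo created explicitly (PHP 8 no longer
// auto-creates an object from an undefined variable). With string values the
// key write lands on a string: PHP 8 throws Error, PHP 7 emitted a warning.
function jayTrigger(): string {
    $foo = new stdClass();
    $foo->bar1 = 'foobar1';
    $foo->bar2 = 'foobar2';
    try {
        foreach ($foo as $b->name => $b) {
        }
        return 'loop completed without an Error';
    } catch (\Error $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

print_r(generateEnumsBuggy(loadEnums()));
print_r(generateEnums(loadEnums()));
echo jayTrigger(), "\n";
```

Running it and comparing the two print_r() listings shows the point of the fix in PHP 5: the crash is gone, but the original loop is still wrong for the reporter's purpose, because the key assignment mutates the value object it was supposed to describe. The separate-key form is the one to use whenever the iteration variable is an object.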

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 11 13:01:33 2024 UTC