php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27728 Segfault in combination of php_check_syntax() and exit.
Submitted: 2004-03-27 07:47 UTC Modified: 2004-12-11 00:17 UTC
Votes:5
Avg. Score:3.8 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (50.0%)
From: mail at patrickwitte dot de Assigned: ilia (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.0RC1, 5.0.1, 5.0.2 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mail at patrickwitte dot de
New email:
PHP Version: OS:

 

 [2004-03-27 07:47 UTC] mail at patrickwitte dot de
Description:
------------
This happens no matter if the checked file is syntactically ok or not or even doesn't exists.
In all cases the result of php_check_syntax() is the expexted, but if exit (or die()) is called afterwards you get a segfault.
Experienced with sapi-module and cli on linux and cli on win32. (win32-sapi not tested)

Reproduce code:
---------------
<?php
echo php_check_syntax(__FILE__) ? "Ok" : "failed";
exit;
?>

Expected result:
----------------
Ok

Actual result:
--------------
Ok

segfault

Backtrace:
#0  _emalloc (size=Cannot access memory at address 0xc
) at /home/patrick/php-5.0.0RC1/Zend/zend_alloc.c:140
140             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-27 08:39 UTC] derick@php.net
Valgrind reports errors while parsing the parameter. Perhaps we free the __FILE__ stuff too early? Assigning to Ilia :)

==3720== Invalid read of size 4
==3720==    at 0x8293343: zend_parse_arg_impl (zend_API.c:301)
==3720==    by 0x8293887: zend_parse_arg (zend_API.c:450)
==3720==    by 0x8293BC1: zend_parse_va_args (zend_API.c:542)
==3720==    by 0x8293C43: zend_parse_parameters (zend_API.c:569)
==3720==    by 0x81BF10C: zif_php_check_syntax (basic_functions.c:2247)
==3720==    by 0x82B89D4: zend_do_fcall_common_helper (zend_execute.c:2689)
==3720==    by 0x82B90D0: zend_do_fcall_handler (zend_execute.c:2818)
==3720==    by 0x82B53C6: execute (zend_execute.c:1381)
==3720==  Address 0x4B20E38C is not stack'd, malloc'd or free'd
==3720==

 [2004-03-27 16:30 UTC] mail at patrickwitte dot de
I made a few more test to get more systematic results:

1) Check of file(test.php) with parse error, no matter if 'php_check_syntax()' is followed by 'exit' or not, results in debug message:
/home/patrick/php-5.0.0RC1/main/streams/streams.c(371) : Stream of type 'STDIO' 0x4047363c (path:test.php) was not closed

2) Check of correct or non-existant file:
2a) without following 'exit': result as expected
2b) with following 'exit': segfault

After looking in streams.c it seems to be a memory leak.
 [2004-08-23 21:35 UTC] sean@php.net
I also stumbled upon this, today.

Here is my reproduce code:
if (!php_check_syntax(NULL)) { die(); }

(segfaults)
Seems this is not related to __FILE__

I concur that if exit (die) is not called, no segfault.

S
 [2004-10-24 19:09 UTC] mikael dot suvi at trigger dot ee
Version 5.0.2
This should do the trick...

====================
diff ext/standard/basic_functions.c.old ext/standard/basic_functions.c
2329a2330
>       zend_op_array *op_array;
2345c2346,2349
<       if (php_lint_script(&file_handle TSRMLS_CC) != SUCCESS) {
---
>       op_array = zend_compile_file(&file_handle, ZEND_INCLUDE TSRMLS_CC);
>       zend_destroy_file_handle(&file_handle TSRMLS_CC);
>
>       if (!op_array) {
2354a2359,2360
>               destroy_op_array(op_array TSRMLS_CC);
>               efree(op_array);
====================
 [2004-10-25 19:54 UTC] mail at patrickwitte dot de
Tested the patch on gentoo mod_php-5.0.2 ebuild.
No more segfault with reproduce code.
Thanks, mikael.
 [2004-12-11 00:17 UTC] andi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC