Bug #22510 Zend Engine crashes calling FREE_ZVAL from zend_assign_to_variable_reference
Submitted: 2003-03-02 17:28 UTC Modified: 2003-07-12 04:24 UTC
Votes:10
Avg. Score:4.5 ± 0.8
Reproduced:10 of 10 (100.0%)
Same Version:7 (70.0%)
Same OS:8 (80.0%)
From: php at codewhore dot org Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS-2003-06-01 (stable) OS: Linux 2.4
Private report: No CVE-ID: None
 [2003-03-02 17:28 UTC] php at codewhore dot org
I've been able to reproducibly crash the PHP interpreter with a section of code that I'm working on that passes around and calls through a lot of references. The function that causes the crash looks like:


function finalize()
{
  /* Note:
       These are references; we leave the value, $x, unused. */

  foreach ($this->commit_list as $k => $x)
  {
    if (!$this->commit_list[$k]->transaction_commit())
      return $this->throw(E_SYS);
  }

  return true;
}


I haven't managed to narrow it down any further - executing similar code in isolation hasn't been able to reproduce the crash yet. I'll keep trying.



The backtrace:
--------------

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8158)]
0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
233             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3  0x4036aa90 in execute (op_array=0x817cad4) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#4  0x4036aa90 in execute (op_array=0x818a144) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#5  0x4036aa90 in execute (op_array=0x81fa9bc) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#6  0x4035b219 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web-server/php-4.3-cvs/Zend/zend.c:864
#7  0x40329fcc in php_execute_script (primary_file=0xbffff820)
    at /usr/src/web-server/php-4.3-cvs/main/main.c:1588
#8  0x4036f1a2 in apache_php_module_main (r=0x811047c, display_source_mode=0)
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/sapi_apache.c:55
#9  0x403700e6 in send_php (r=0x811047c, display_source_mode=0,
    filename=0x8112204 "/web/sites/frylock/development/node.php")
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:617
#10 0x4037016c in send_parsed_php (r=0x811047c)
    at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:632
#11 0x08054360 in ap_invoke_handler (r=0x811047c) at http_config.c:518
#12 0x08068aae in process_request_internal (r=0x811047c) at http_request.c:1308
#13 0x08068b0e in ap_process_request (r=0x811047c) at http_request.c:1324
#14 0x0805fd6e in child_main (child_num_arg=0) at http_main.c:4689
#15 0x0805ff34 in make_child (s=0x8094ec4, slot=0, now=1046645587) at http_main.c:4813
#16 0x0806009b in startup_children (number_to_start=8) at http_main.c:4895
#17 0x080606c8 in standalone_main (argc=5, argv=0xbffffca4) at http_main.c:5203
#18 0x08060f00 in main (argc=5, argv=0xbffffca4) at http_main.c:5566
#19 0x400d3bb4 in __libc_start_main () from /lib/libc.so.6

(gdb) frame 2
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
1344                                    zend_assign_to_variable_reference(&EX(opline)->result, get_zval_ptr_ptr(&EX(opline)->op1, EX(Ts), BP_VAR_W), get_zval_ptr_ptr(&EX(opline)->op2, EX(Ts), BP_VAR_W), EX(Ts) TSRMLS_CC);

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8258b0c "finalize"

(gdb) frame 1
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
271                             FREE_ZVAL(variable_ptr);

(gdb) p *value_ptr_ptr
$6 = (struct _zval_struct *) 0x825925c

(gdb) p **value_ptr_ptr
$7 = {value = {lval = 136677812, dval = 7.6896363518630331, str = {val = 0x82589b4 "\b",
      len = 1075757616}, ht = 0x82589b4, obj = {ce = 0x82589b4, properties = 0x401ec230}},
  type = 4 '\004', is_ref = 0 '\0', refcount = 2}

(gdb) p *result
$9 = {op_type = 4, u = {constant = {value = {lval = 3, dval = 2.1219957924474693e-314, str = {
          val = 0x3 <Address 0x3 out of bounds>, len = 1}, ht = 0x3, obj = {ce = 0x3, properties = 0x1}},
      type = 0 '\0', is_ref = 0 '\0', refcount = 0}, var = 3, opline_num = 3, fetch_type = 3,
    op_array = 0x3, EA = {var = 3, type = 1}}}

(gdb) p *variable_ptr_ptr
$10 = (struct _zval_struct *) 0x403b4564

(gdb) p **variable_ptr_ptr
$11 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0,
      properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0', refcount = 0}

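Once a crash like the one above starts arriving from several reporters or from a fuzzer, the gdb session is usually not read by hand; the backtrace is parsed and bucketed so that duplicates of the same engine defect land in one report. The following Python script is an added example, not code from this bug report or from the PHP project: it parses gdb `bt` output (the sample is excerpted from the trace above), recovers the faulting frame with its arguments, and builds a deduplication signature from the innermost frames whose source lies under the Zend/ tree, so the same defect reached through Apache or the CLI collapses into one bucket. The `Frame` fields, the `tree` marker, the depth of three and the `@file:line` signature format are this example's own choices.

```python
"""Parse a gdb backtrace and derive a crash-bucketing signature.

Added example for the bug report above, not PHP project code. The sample
backtrace is excerpted from the report; everything else is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One unwrapped frame line: "#1  0x403669fe in func (args) at file:line" or "... from lib.so".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"          # pc is sometimes omitted by gdb
    r"(?P<func>[A-Za-z_][\w:.]*)\s*"
    r"\((?P<args>.*)\)\s+"
    r"(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))\s*$"
)


@dataclass
class Frame:
    num: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    file: Optional[str] = None   # source file when debug info was available
    line: Optional[int] = None
    lib: Optional[str] = None    # shared object when it was not


def _unwrap(text: str) -> List[str]:
    """Re-join frame lines gdb wrapped (continuations are indented); drop prompts and echoes."""
    joined: List[str] = []
    in_frame = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            joined.append(line)
            in_frame = True
        elif in_frame and line[:1].isspace():
            joined[-1] += " " + line.strip()
        else:
            in_frame = False     # "(gdb) ...", "Program received signal ...", blank lines
    return joined


def _parse_args(text: str) -> Dict[str, str]:
    """'r=0x811047c, type=8' -> dict; commas inside quoted string values are not handled."""
    args: Dict[str, str] = {}
    for part in text.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            args[key.strip()] = value.strip()
    return args


def parse_backtrace(text: str) -> List[Frame]:
    """Frames of the first `bt` listing in `text`, innermost first."""
    frames: List[Frame] = []
    for line in _unwrap(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        num = int(m["num"])
        if frames and num <= frames[-1].num:
            break                # a later `frame N` or second `bt` restarted the numbering
        frames.append(Frame(num=num, func=m["func"], args=_parse_args(m["args"]),
                            file=m["file"], line=int(m["line"]) if m["line"] else None,
                            lib=m["lib"]))
    return frames


def crash_signature(frames: List[Frame], tree: str = "/Zend/", depth: int = 3) -> str:
    """Bucket key from the innermost `depth` frames under `tree`; host frames (httpd, libc) are skipped."""
    picked = [f"{f.func}@{f.file.rsplit('/', 1)[-1]}:{f.line}"
              for f in frames if f.file and tree in f.file]
    return " <- ".join(picked[:depth])


# Excerpt of the backtrace from the report above (several outer frames omitted).
SAMPLE_BT = """\
Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x4034913f in _efree (ptr=0x403b4564) at /usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2  0x40369b83 in execute (op_array=0x8263344) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3  0x4036aa90 in execute (op_array=0x817cad4) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#6  0x4035b219 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web-server/php-4.3-cvs/Zend/zend.c:864
#11 0x08054360 in ap_invoke_handler (r=0x811047c) at http_config.c:518
#19 0x400d3bb4 in __libc_start_main () from /lib/libc.so.6
(gdb) frame 1
#1  0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c, variable_ptr_ptr=0x82509a0,
    value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at /usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
"""

if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BT)
    top = frames[0]
    print(f"faulting frame: {top.func} {top.args} at {top.file}:{top.line}")
    print("signature:", crash_signature(frames))
```

The signature deliberately stops at the engine frames: the Apache and libc frames vary with the host process, while `_efree` called from `zend_assign_to_variable_reference` at zend_execute.c:271 is what identifies this defect, regardless of how the script was reached.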
 [2003-03-02 17:30 UTC] php at codewhore dot org
Accidentally posted the non-crashing code snippet. Here's the one that crashes:

    function finalize()
    {
      $cl =& $this->commit_list;

      /* Note:
          These are references; we leave the value, $x, unused. */

      foreach ($cl as $k => $x)
      {
        if (!$cl[$k]->transaction_commit())
          return $this->throw(E_SYS);
      }

      return true;
    }
 [2003-06-01 11:38 UTC] php at codewhore dot org
A shorter crashing version of tests/lang/22510.phpt. 
Notice that removal of the silence operator (@) in 
method2() makes the crash go away.

<?php
  class foo
  {
    function &method1() {
      return $this->foo;
    }

    function &method2() {
      return @$this->foo;
    }
  }

  class bar
  {
    function run1() {
      $instance = new foo();
      $instance->method1();
    }

    function run2() {
      $instance = new foo();
      $instance->method2();
      $instance->method2();
    }
  }

  function ouch(&$bar) {
    $bar->run1();
  }

  function ok(&$bar) {
    $a = $a;
    $bar->run2();
  }

  $bar = new bar();
  ok($bar);
  ouch($bar);
?>
 [2003-06-02 10:56 UTC] sniper@php.net
Just tested your last script with PHP 5.0.0-dev (ZE2),
and it does not crash:

# sapi/cli/php /home/jani/t.php 

Notice: Undefined variable:  a in /home/jani/t.php on line 32
/usr/src/web/php/php5/Zend/zend_execute.c(2782) :  Freeing 0x089681F4 (16 bytes), script=/home/jani/t.php

And commenting out the line 32 (with $a=$a) makes it not crash in PHP 4.3.3-dev too:

$ php t.php 
/usr/src/web/php/php4/Zend/zend_execute.c(1702) :  Freeing 0x088A427C (12 bytes), script=t.php

 [2003-07-12 04:24 UTC] moriyoshi@php.net
The fix by Zeev will be in php5.


 