Bug #25289 PHP segmentation fault
Submitted: 2003-08-28 07:19 UTC Modified: 2003-08-30 01:57 UTC
From: skissane at ics dot mq dot edu dot au Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.3 OS: RedHat Linux 9
Private report: No CVE-ID: None
 [2003-08-28 07:19 UTC] skissane at ics dot mq dot edu dot au
Description:
------------
PHP segfaults.

Reproduce code:
---------------
Reproduce code can be found at:
http://www.iips.mq.edu.au/bugs/

File datamodel/cms-datamodel-php.php causes crash.
Through trial and error (insertion of "echo" and "exit" statements), I believe I have isolated the segfault to the function ObjectGenerator_PHP::_generateEnums() in the file appgen/ObjectGenerator_PHP.inc, but not 100% sure.

Segfault occurs both on command line php and through Apache.

PHP was compiled myself using: './configure' '--with-apxs2=/usr/sbin/apxs' '--with-mysql=/usr/' '--without-mssql' '--with-ldap' '--with-curl=/usr' 



Expected result:
----------------
No segfault

Actual result:
--------------
Starting program: /usr/local/bin/php cms-datamodel-php.php

Program received signal SIGSEGV, Segmentation fault.
0x42074760 in _int_free () from /lib/tls/libc.so.6
(gdb) bt
#0  0x42074760 in _int_free () from /lib/tls/libc.so.6
#1  0x42073786 in free () from /lib/tls/libc.so.6
#2  0x08104302 in _efree (ptr=0x82cd0bc) at /home/skissane/php-4.3.3/Zend/zend_alloc.c:265
#3  0x0810a85a in _zval_ptr_dtor (zval_ptr=0x8312c48) at zend_execute.h:44
#4  0x08115e70 in zend_hash_destroy (ht=0x832c41c) at /home/skissane/php-4.3.3/Zend/zend_hash.c:553
#5  0x08110aae in _zval_dtor (zvalue=0xbfffa9e0) at /home/skissane/php-4.3.3/Zend/zend_variables.c:51
#6  0x0811f611 in execute (op_array=0x81eaf7c) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1452
#7  0x0811e653 in execute (op_array=0x81eadd4) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1660
#8  0x0811e653 in execute (op_array=0x81a2004) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1660
#9  0x08111fd5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/php-4.3.3/Zend/zend.c:885
#10 0x080ecb87 in php_execute_script (primary_file=0xbfffddc0) at /home/skissane/php-4.3.3/main/main.c:1723
#11 0x081234bb in main (argc=2, argv=0xbfffde44) at /home/skissane/php-4.3.3/sapi/cli/php_cli.c:818
#12 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) frame 6
#6  0x0811f611 in execute (op_array=0x81eaf7c) at /home/skissane/php-4.3.3/Zend/zend_execute.c:1452
1452                                    zendi_zval_dtor(EX(Ts)[EX(opline)->op1.u.var].tmp_var);
(gdb)


 [2003-08-28 10:07 UTC] sniper@php.net
Please provide a short script (max 20 lines), without any external dependencies, such as database or includes().

(_one_ script, not dozens)

 [2003-08-28 10:31 UTC] skissane at ics dot mq dot edu dot au
I can't work out what exactly is causing it, and so can't come up with a 20 line test. I have reduced it down to a smaller set of files, at http://www.iips.mq.edu.au/bugs/testcase.tgz

If you have any suggestions of how I can trim this down to a smaller test case, I'll try.
 [2003-08-28 11:00 UTC] skissane at ics dot mq dot edu dot au
Okay, I tried a bit harder, and I have now reduced it down to a single 400 line .php file, plus three associated data files which the .php file unserializes. This results in a segmentation fault when run from the command line or Apache.

You can get the latest one from http://www.iips.mq.edu.au/bugs/testcase3.tgz
 [2003-08-28 18:10 UTC] skissane at ics dot mq dot edu dot au
Sorry about giving so many testcases (only just learning how to do this), but I finally have a 20-line reproduce script:

<?php
class obj_database { }
class obj_enum { }
class obj_enumvalue { }

// test.dat is the data file attached to the earlier test cases
$dm = unserialize(file_get_contents("test.dat"));
foreach ($dm->obj_enum as $enum) {
    foreach ($enum->obj_enumvalue as $enumvalue) {
    }
    $i = 0;
    // the loop key is assigned to a property of $enumvalue, which is
    // also the variable receiving the loop value
    foreach ($enum->obj_enumvalue as $enumvalue->name => $enumvalue) {
        $out = "                 " . $enum->prefix . "_" . $enumvalue->name . " => \"" . $enumvalue->name . "\"";
        if ($i++ < count($enum->obj_enumvalue)-1) {
        }
    }
}
?>

It depends on the test.dat data file I included with my earlier test cases.
 [2003-08-29 09:43 UTC] jay@php.net
A shorter script:

<?php
$foo->bar1 = "foobar1";
$foo->bar2 = "foobar2";
foreach ($foo as $b->name => $b) {
}
?>

The foreach loop is the problem. You're creating a new stdClass object with $b->name for the key, then using $b itself for the value, thus destroying the key used in stdClass.

Looks to me like a ZE1 issue. Doesn't occur in HEAD.

J
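The following is an added example, not code from the bug report or from the PHP project. It builds the same kind of `PREFIX_NAME => "name"` lines the submitter's 20-line script was producing, but keeps the loop key in its own variable instead of writing it into a property of the variable that the loop is about to overwrite, which is the pattern the comment above identifies as the trigger. The in-memory `$enum` object stands in for the unserialized test.dat data (an assumption about its shape), and the trailing comma on all but the last line is a guess at what the original script's empty counter comparison was meant to do.

```php
<?php
// Added example; the data below is constructed to mirror the shape the
// submitter's script expects ($enum->prefix, $enum->obj_enumvalue[]->name).
$enum = new stdClass();
$enum->prefix = "COLOR";
$enum->obj_enumvalue = [];
foreach (["red", "green", "blue"] as $name) {
    $v = new stdClass();
    $v->name = $name;
    $enum->obj_enumvalue[] = $v;
}

// Problematic form from the thread (not executed here): the key is written
// into $enumvalue->name, then $enumvalue itself is replaced by the value on
// the same iteration.
//   foreach ($enum->obj_enumvalue as $enumvalue->name => $enumvalue) { ... }

// Safe form: a dedicated key variable ($idx) and the value in $enumvalue.
function formatEnumValues(stdClass $enum): array
{
    $lines = [];
    $last = count($enum->obj_enumvalue) - 1;
    foreach ($enum->obj_enumvalue as $idx => $enumvalue) {
        $line = $enum->prefix . "_" . $enumvalue->name
              . " => \"" . $enumvalue->name . "\"";
        // The original script kept a separate counter for this comparison;
        // the array key already provides the position.
        $lines[] = ($idx < $last) ? $line . "," : $line;
    }
    return $lines;
}

print implode("\n", formatEnumValues($enum)) . "\n";
```

Running it prints `COLOR_red => "red",`, `COLOR_green => "green",` and `COLOR_blue => "blue"` on three lines. The point is only that the loop key and loop value never share a target: on ZE1 that sharing is what freed the key out from under the engine, and on later versions it is still an easy way to lose data silently.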
 [2003-08-30 01:57 UTC] sniper@php.net
Fixed in PHP 5. (won't fix in PHP 4)

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 17 21:01:27 2024 UTC