Bug #27876 list($a, $b) = $var = function() seg faults
Submitted: 2004-04-05 22:49 UTC Modified: 2004-04-29 11:47 UTC
From: aashley at optimiser dot com Assigned: andi (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2004-04-05 (dev) OS: Linux
Private report: No CVE-ID: None
 [2004-04-05 22:49 UTC] aashley at optimiser dot com
Description:
------------
When testing our site in PHP5 I came across a repeatable segmentation fault whenever the HTML_QuickForm_Controller::run() function was called. The problem was tracked to line 131 of Controller.php in HTML_QuickForm_Controller 1.0.2. The problem occurred in both PHP-5.0.0-RC1 and the php5-200404041830 snapshot. I have unfortunately been unable to create a simpler test case that causes the problem; however, it is readily repeatable in HTML_QuickForm_Controller.

Reproduce code:
---------------
Problem Line 131:

list($page, $action) = $this->_actionName = $this->getActionName();


Changing the line to this prevents the problem from occurring.

$this->_actionName = $this->getActionName();
list($page, $action) = $this->_actionName;


Expected result:
----------------
$page and $action are set to the first and second items in the array respectively

Actual result:
--------------
segmentation fault.

#0  0x40849f31 in zend_fetch_dim_r_handler (execute_data=0xbfffcdb0, opline=0x413d5814, op_array=0x413d35e4)
    at /root/php5-200404041830/Zend/zend_execute.c:58
#1  0x408485e8 in execute (op_array=0x413d35e4) at /root/php5-200404041830/Zend/zend_execute.c:1391
#2  0x4084be09 in zend_do_fcall_common_helper (execute_data=0xbfffd330, opline=0x413d28d0, op_array=0x413b8dbc)
    at /root/php5-200404041830/Zend/zend_execute.c:2728
#3  0x4084c113 in zend_do_fcall_by_name_handler (execute_data=0xbfffcc2c, opline=0x0, op_array=0x0)
    at /root/php5-200404041830/Zend/zend_execute.c:2810
#4  0x408485e8 in execute (op_array=0x413b8dbc) at /root/php5-200404041830/Zend/zend_execute.c:1391
#5  0x40829bff in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php5-200404041830/Zend/zend.c:1057
#6  0x407efc9f in php_execute_script (primary_file=0xbffff5e0) at /root/php5-200404041830/main/main.c:1630
#7  0x40853954 in php_handler (r=0x82510f8) at /root/php5-200404041830/sapi/apache2handler/sapi_apache2.c:556
#8  0x080692e1 in ap_invoke_handler ()
#9  0x080664bf in ap_process_request ()
#10 0x08060e27 in _start ()


 [2004-04-06 03:05 UTC] derick@php.net
Zend Engine 2 related, assigning to Andi.
 [2004-04-09 10:11 UTC] andi@php.net
Please try to create a shorter reproducing script. I can't debug this bug report otherwise.
 [2004-04-09 11:38 UTC] aashley at optimiser dot com
I haven't had much luck creating a simpler example so far. I'll have another try tomorrow... errr, later today.
 [2004-04-25 17:24 UTC] robinv at ecosse dot net
Simpler test case:

<?php
class TestClass
{
  var $bar;

  function TestClass()
  {  
    list($foo) = $this->bar = array(1);
    print $foo;
  }
}

$testObject = new TestClass;
?>

running gdb on core dump:
[...]
Core was generated by `/home/robin/bin/php -f ../bug.php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/i686/libpthread.so.0...done.
Loaded symbols for /lib/i686/libpthread.so.0
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  zend_mm_alloc (heap=0x81ec480, size=220) at /home/robin/src/php-5.0.0RC1/Zend/zend_mm.c:308
308                     if (p->size == true_size) {
(gdb) list
303                             }
304                     }
305             }
306
307             for (p = heap->free_buckets[0]; p; p = p->next_free_block) {
308                     if (p->size == true_size) {
309                             best_fit = p;
310                             break;
311                     }
312                     if ((p->size > true_size) && (!best_fit || (best_fit->size > p->size))) {       /* better fit */
(gdb) print p
$1 = (zend_mm_free_block *) 0x33146c00
(gdb) print p->size
Cannot access memory at address 0x33146c00
(gdb) print best_fit
$2 = (zend_mm_free_block *) 0x40332cab
(gdb) print best_fit->size
$3 = 972800
(gdb) print true_size
$4 = 232
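The construct in both the original report and the shorter test case above is list() fed directly by a chained assignment whose inner target is an object property. The following is an added regression-style script (not part of this report or PHP's own test suite) that exercises that construct and two related inner targets, and compares the results against the expected values; class and variable names are invented for the example.

```php
<?php
// Added check for the construct in this report (not PHP's own test):
// list() fed by a chained assignment whose inner target is an instance
// property, a nested array element or a static property. On a fixed
// engine every case prints "ok"; PHP 5.0.0RC1 segfaulted on the first.
class Holder
{
    public $bar;
    public static $shared;
    public $nested = array();
}

// Compare strictly and stop at the first mismatch.
function check($label, $expected, $actual)
{
    if ($expected !== $actual) {
        fwrite(STDERR, "$label: expected " . var_export($expected, true)
            . ", got " . var_export($actual, true) . "\n");
        exit(1);
    }
    echo "$label: ok\n";
}

$h = new Holder();

// Case from the report: inner target is an instance property.
list($page, $action) = $h->bar = array('index', 'submit');
check('property chain (list values)', array('index', 'submit'), array($page, $action));
check('property chain (property kept)', array('index', 'submit'), $h->bar);

// Inner target is a nested array element created on the fly.
list($x, $y) = $h->nested['coords'] = array(3, 4);
check('nested element chain', array(3, 4, array(3, 4)), array($x, $y, $h->nested['coords']));

// Inner target is a static property.
list($first) = Holder::$shared = array(42);
check('static property chain', array(42, array(42)), array($first, Holder::$shared));

// Workaround from the report: assign first, then destructure separately.
$h->bar = array('index', 'cancel');
list($page, $action) = $h->bar;
check('split assignment', array('index', 'cancel'), array($page, $action));
```

Run it with `php -f` against the engine under test; a non-zero exit code or a message on stderr marks the first construct whose result differs from plain assignment semantics.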
 [2004-04-25 18:37 UTC] derick@php.net
I just verified this with this simple script.

Derick
 [2004-04-29 11:47 UTC] stas@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

