PHP :: Bug #29566 :: foreach/string handling strangeness (crash)

Bug #29566	foreach/string handling strangeness (crash)
Submitted:	2004-08-08 00:01 UTC	Modified:	2004-09-22 09:16 UTC
From:	stefan at hotpaenz dot de	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.0.1	OS:	Linux 2.6.3
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	stefan at hotpaenz dot de
New email:
PHP Version:		OS:

New Comment:

[2004-08-08 00:01 UTC] stefan at hotpaenz dot de

Description:
------------
Consider the following code. Of course it isn't useful,  
but nevertheless it shouldn't crash PHP.  
 
Perhaps this is related to bug 28487 (another crash,  
affecting real-world scripts) because the same function  
zend_switch_free_handler is involved.  
 
Perhaps this is the same bug as 28574, which was closed as 
the problem went away. The crash I am reporting now occurs 
with a current snapshot (200408071830). 
 

Reproduce code:
---------------
<?
$var="This is a string";

$dummy="";
unset($dummy);

foreach($var['nosuchkey'] as $v) {
}


Expected result:
----------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
 
[no crash of course] 
 

Actual result:
--------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
Segmentation fault (core dumped) 
 
[backtrace follows] 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
285  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
 
#1  0x082424f8 in _zval_ptr_dtor (zval_ptr=0xbfffd698) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute_API.c:396 
 
#2  0x0827288b in zend_switch_free_handler 
(execute_data=0xbfffd710, opline=0x872749c, 
op_array=0x8722f24, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:210 
 
#3  0x0826ce85 in execute (op_array=0x8722f24, 
tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:1400 
 
#4  0x0824d971 in zend_execute_scripts (type=8, 
tsrm_ls=0x8431018, retval=0x0, file_count=3) 
at /root/php/200408071830/php5-5.0.0/Zend/zend.c:1068 
 
#5  0x08210ab4 in php_execute_script 
(primary_file=0xbffffae0, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/main/main.c:1631 
 
#6  0x08279bec in main (argc=2, argv=0xbffffba4) 
at /root/php/200408071830/php5-5.0.0/sapi/cgi/cgi_main.c:1568

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-08-08 23:03 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Works fine with latest CVS.

[2004-08-24 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2004-08-24 09:40 UTC] stefan at hotpaenz dot de

Indeed it works fine with the latest PHP4 snapshot  
(200408232230 tested), but this is a PHP5 bug. For the  
record: It still crashes with the 200408232230 PHP5  
snapshot (unstable)

[2004-08-24 09:46 UTC] tony2001@php.net

No crash with latest HEAD (Linux 2.6.8.1, glibc 2.3.2).

[2004-08-24 10:32 UTC] stefan at hotpaenz dot de

I use Linux 2.6.3 and glibc 2.3.2. 
 
PHP crashes _after_ printing the warning "Invalid argument 
supplied for foreach()" at the end of the script (perhaps 
when cleaning up?). I tested again with the 200408240630 
snapshots (stable and HEAD). This is the HEAD backtrace: 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285 
285             
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285 
 
#1  0x08178298 in _zval_ptr_dtor (zval_ptr=0xbfffd6a8) 
at /root/php/test/php5-200408240630/Zend/zend_execute_API.c:390 
 
#2  0x081a3407 in zend_switch_free_handler 
(execute_data=0xbfffd710) 
at /root/php/test/php5-200408240630/Zend/zend_execute.c:245 
 
#3  0x0819eb48 in execute (op_array=0x8274014) 
at /root/php/test/php5-200408240630/Zend/zend_execute.c:1498 
 
#4  0x08181f95 in zend_execute_scripts (type=8, 
retval=0x0, file_count=3) 
at /root/php/test/php5-200408240630/Zend/zend.c:1052 
 
#5  0x0814d5ad in php_execute_script 
(primary_file=0xbffffaa0) 
at /root/php/test/php5-200408240630/main/main.c:1633 
 
#6  0x081a9c81 in main (argc=2, argv=0xbffffb64) 
at /root/php/test/php5-200408240630/sapi/cgi/cgi_main.c:1568 
 
 
The backtrace of stable is slightly different: 
 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263 
263             
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263 
 
#1  0x081764b8 in _zval_ptr_dtor (zval_ptr=0xbfffd678) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute_API.c:391 
 
#2  0x081a0632 in zend_switch_free_handler 
(execute_data=0xbfffd6f0, opline=0x8272464, 
op_array=0x826deec) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:210 
 
#3  0x0819c0a9 in execute (op_array=0x826deec) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:1400 
 
#4  0x081802b5 in zend_execute_scripts (type=8, 
retval=0x0, file_count=3) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend.c:1061 
 
#5  0x0814b99d in php_execute_script 
(primary_file=0xbffffa80) 
at /root/php/test/php5-STABLE-200408240630/main/main.c:1629 
 
#6  0x081a68c7 in main (argc=2, argv=0xbffffb44) 
at /root/php/test/php5-STABLE-200408240630/sapi/cgi/cgi_main.c:1568

[2004-08-24 23:43 UTC] helly@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

[2004-08-25 09:13 UTC] stefan at hotpaenz dot de

It still crashes with stable PHP5 snapshot 200408250430 
and HEAD snapshot 200408250630. 
 
Is there anything else I could do beside testing again and 
again? I would like to help you making PHP better, and I 
have some C knowledge, but I don't really understand the 
inner workings of Zend/PHP. Is there anything I could add 
to the code to reveal what leads to the crash?

[2004-08-25 09:21 UTC] stefan at hotpaenz dot de

Okay, I just discovered PHP only crashes with a non-debug 
build. My configure line is: 
 
./configure --disable-cli --enable-cgi --without-pear

[2004-09-22 09:16 UTC] dmitry@php.net

Fixed in CVS HEAD and PHP_5_0.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 15:01:30 2024 UTC