php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #29707 When execute the global requisition bellow the thread crashes
Submitted: 2004-08-16 18:06 UTC Modified: 2006-01-01 01:00 UTC
Votes:3
Avg. Score:3.3 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: edernucci at hotmail dot com Assigned: andi (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: 4CVS-2005-06-19 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: edernucci at hotmail dot com
New email:
PHP Version: OS:

 

 [2004-08-16 18:06 UTC] edernucci at hotmail dot com 
Description:
------------
I know this is a erroneous code, but the thread hangs on the server (Apache 1.3.29 / Windows XP Professional SP1).
I don't know how to solve this.

Reproduce code:
---------------
<?php

/**
 * @return FatalError
 * @desc This function kills the PHP thread on the server.
 */
function boom()
{
	$foo = "one.simple.dot.tokenized.string";
	$bar = strtok($foo,'.');
	global $$bar[0]; //<--- The script dies here :P
}

boom(); //<--- Here you will tell the server to go sleep :D

?>

Expected result:
----------------
Just trying to hang the webserver.
Any user can do this in my shared enviroment.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-08-17 08:01 UTC] derick@php.net 
Confirmed with both PHP 4 and PHP 5:

valgrind:
==12558== Invalid read of size 4
==12558==    at 0x8305A91: zend_pzval_unlock_func (zend_execute.c:65)
==12558==    by 0x8305B94: _get_zval_ptr (zend_execute.c:100)
==12558==    by 0x82FBF85: zend_fetch_var_address (zend_execute.c:737)
==12558==    by 0x82FECBF: zend_fetch_w_handler (zend_execute.c:2004)
==12558==  Address 0x9 is not stack'd, malloc'd or (recently) free'd
==12558==
==12558== Process terminating with default action of signal 11 (SIGSEGV)
==12558==  Access not within mapped region at address 0x9
==12558==    at 0x8305A91: zend_pzval_unlock_func (zend_execute.c:65)
==12558==    by 0x8305B94: _get_zval_ptr (zend_execute.c:100)
==12558==    by 0x82FBF85: zend_fetch_var_address (zend_execute.c:737)
==12558==    by 0x82FECBF: zend_fetch_w_handler (zend_execute.c:2004)
==12558==

gdb trace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 12626)]
0x08305a91 in zend_pzval_unlock_func (z=0x1)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:65
65              z->refcount--;
(gdb) bt
#0  0x08305a91 in zend_pzval_unlock_func (z=0x1)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:65
#1  0x08305b95 in _get_zval_ptr (node=0x85bec78, Ts=0x85bd704,
    should_free=0xbfffd31c) at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:100
#2  0x082fbf86 in zend_fetch_var_address (opline=0x85bec60, Ts=0x85bd704,
    type=1) at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:737
#3  0x082fecc0 in zend_fetch_w_handler (execute_data=0xbfffd380,
    opline=0x85bec60, op_array=0x85bede8)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2004
#4  0x082fd8f1 in execute (op_array=0x85bede8)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#5  0x408c7318 in xdebug_execute (op_array=0x85bede8)
    at /dat/dev/php/xdebug/xdebug.c:1041
#6  0x08301078 in zend_do_fcall_common_helper (execute_data=0xbfffd4d0,
    opline=0x85bd254, op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2728
#7  0x083015fb in zend_do_fcall_handler (execute_data=0xbfffd4d0,
    opline=0x85bd254, op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2828
#8  0x082fd8f1 in execute (op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#9  0x408c7318 in xdebug_execute (op_array=0x85b8de4)
    at /dat/dev/php/xdebug/xdebug.c:1041

(And yes, it also segfaults without Xdebug at the same place)

Derick
 [2004-09-22 00:21 UTC] andi@php.net 
Please check latest version of PHP 5 CVS (Latest CVS (5.1.x-dev) at snaps.php.net).
Not sure about PHP 4.3.x and PHP 5.0.x yet because we might want to run this patch for a while before we merge into them.
 [2005-04-29 17:00 UTC] tony2001@php.net 
Still valid with 5.0.x and 4.3.x, but HEAD works fine.
 [2005-06-19 20:51 UTC] sniper@php.net 
This still crashes in PHP_4_4 branch, HEAD is fine.
 [2005-06-19 21:02 UTC] sniper@php.net 
This is what Andi did for HEAD:
http://www.php.net/~jani/patches/bug29707.HEAD.patch
 [2005-12-24 02:34 UTC] sniper@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
 [2006-01-01 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Dec 22 02:01:28 2024 UTC