Bug #32252 Segfault when offsetSet throws an Exception (only without debug)
Submitted: 2005-03-09 14:38 UTC Modified: 2005-06-07 10:23 UTC
From: shulmanb at il dot ibm dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.* OS: *
Private report: No CVE-ID: None

 [2005-03-09 14:38 UTC] shulmanb at il dot ibm dot com
Description:
------------
In some cases, when offsetSet throws an exception a segfault occurs.

This does not happen when compiled with --enable-debug.

Note that if the index passed to $list is positive or a string, no segfault occurs.

Reproduce code:
---------------
<?php
// Minimal ArrayAccess implementation whose offsetSet() always throws.
class a implements ArrayAccess
{
    function offsetExists ($offset) { return false; }
    function offsetGet ($offset) { return null; }
    function offsetSet ($offset, $value) { throw new Exception ("Ooops"); }
    function offsetUnset ($offset) {}
}
function test()
{
    $list = new a();
    try {
        // Negative index: the write that triggers the crash (positive or string keys do not).
        $list[-1] = 123;
    } catch (Exception $e) { }
    return true;
}
print test();


Expected result:
----------------
The output should be "1".

Actual result:
--------------
Segmentation fault.

The stack trace reported in Visual Studio, using the latest snapshot and debug pack is:

php5ts.dll!shutdown_memory_manager(int silent=0, int full_shutdown=0, void * * * tsrm_ls=0x00364b38)  Line 490 + 0xb	C
php5ts.dll!php_request_shutdown(void * dummy=0x00000000)  Line 1225 + 0x2f	C
msvcrt.dll!77c37bbe() 	
user32.dll!77d5f160() 	

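The report above notes that the crash depends on the key type (negative integer crashes, positive integer or string does not). The following script is an added regression check written for this page, not code from the bug thread or from the PHP project; it is written for PHP 8 (typed ArrayAccess signatures), and the class name ThrowingAccess, the helper probeWrite() and the key values are constructed for the example. It drives a throwing offsetSet() with every key kind PHP can hand to an ArrayAccess object, including the append form $list[] = ..., and checks that each write surfaces the exception cleanly and that the process reaches the last line.

```php
<?php
// Added regression check (not part of the original bug report): offsetSet()
// throws for every key; each write must propagate the exception normally and
// the script must finish without a crash or memory error at shutdown.
// Class, helper and key values are constructed for this example.

class ThrowingAccess implements ArrayAccess
{
    public function offsetExists(mixed $offset): bool { return false; }
    public function offsetGet(mixed $offset): mixed { return null; }
    public function offsetSet(mixed $offset, mixed $value): void
    {
        throw new RuntimeException('offsetSet rejected key ' . var_export($offset, true));
    }
    public function offsetUnset(mixed $offset): void {}
}

/**
 * Attempt one write and describe whether the exception propagated.
 * The 'append' case uses $list[] = ..., which calls offsetSet(null, ...).
 */
function probeWrite(ArrayAccess $list, mixed $key, string $label): string
{
    try {
        if ($label === 'append') {
            $list[] = 123;
        } else {
            $list[$key] = 123;
        }
        return "$label: NO exception (unexpected)";
    } catch (RuntimeException $e) {
        return "$label: caught -> " . $e->getMessage();
    }
}

$list = new ThrowingAccess();

// Constructed key set: the negative integer is the case from the original
// report; the others are the key kinds the report says did not crash, plus
// the remaining scalar types and the append form.
$cases = [
    'negative int' => -1,
    'zero'         => 0,
    'positive int' => 5,
    'string'       => 'name',
    'numeric str'  => '-1',
    'float'        => 1.5,
    'bool'         => true,
    'null'         => null,
    'append'       => null,
];

foreach ($cases as $label => $key) {
    echo probeWrite($list, $key, $label), PHP_EOL;
}

// Reaching this line with every case reporting "caught" is the pass condition;
// a segfault or a valgrind complaint at request shutdown is the failure mode
// this report describes.
echo 'reached end of script without a crash', PHP_EOL;
```

Run it under valgrind (or a debug build) as well as a plain release build, since the original crash only appeared without --enable-debug and the Linux findings in this thread came from valgrind output at request shutdown rather than from the failing write itself.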

 [2005-03-09 15:13 UTC] helly@php.net
The first problem here is that the negative key results in incomplete initialized zvals internally *before* even calling offsetSet().
 [2005-03-13 19:22 UTC] helly@php.net
Related to http://bugs.php.net/30346
 [2005-05-03 14:55 UTC] helly@php.net
Runs in php 5.1 now.
 [2005-05-11 11:44 UTC] shulmanb at il dot ibm dot com
Tested with the latest snapshot (200505110630) on Windows XP, and it is still crashing.
 [2005-05-14 12:40 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

Can't reproduce it on Linux with latest CVS of 5.0 & 5.1 without debug.
Make sure that you're trying the right binary.
 [2005-05-15 09:15 UTC] shulmanb at il dot ibm dot com
Works fine on Linux.

Still crashes on Windows, even using the snapshot you provided.
 [2005-05-18 14:38 UTC] tony2001@php.net
Reproducible on Windows.
 [2005-06-07 10:11 UTC] derick@php.net
Can't reproduce this on Linux; 4.4 and 5.1 all give no errors with valgrind.
PHP 5.0 gives the following valgrind errors:
==4039== Invalid free() / delete / delete[]
==4039==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==4039==    by 0x8248660: php_stdiop_close (plain_wrapper.c:396)
==4039==    by 0x82420AB: _php_stream_free (streams.c:331)
==4039==    by 0x8244032: stream_resource_regular_dtor (streams.c:1362)
==4039==    by 0x827D23A: list_entry_destructor (zend_list.c:178)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827CF75: _zend_list_delete (zend_list.c:58)
==4039==    by 0x827250A: _zval_dtor (zend_variables.c:69)
==4039==    by 0x82666F5: free_zend_constant (zend_constants.c:33)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827BAA6: zend_hash_reverse_apply (zend_hash.c:736)
==4039==    by 0x8266C05: clean_non_persistent_constants (zend_constants.c:158)
==4039==  Address 0x1C04644C is 36 bytes inside a block of size 160 alloc'd
==4039==    at 0x1B90459D: malloc (vg_replace_malloc.c:130)
==4039==    by 0x825BEE5: _emalloc (zend_alloc.c:182)
==4039==    by 0x8247E46: _php_stream_fopen_from_fd (plain_wrapper.c:179)
==4039==    by 0x8203D14: php_stream_url_wrap_php (php_fopen_wrapper.c:221)
==4039==    by 0x8244DA4: _php_stream_open_wrapper_ex (streams.c:1701)
==4039==    by 0x82A439E: cli_register_file_handles (php_cli.c:446)
==4039==    by 0x82A5124: main (php_cli.c:944)
==4039==
==4039== Invalid free() / delete / delete[]
==4039==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==4039==    by 0x82422F1: _php_stream_free (streams.c:394)
==4039==    by 0x8244032: stream_resource_regular_dtor (streams.c:1362)
==4039==    by 0x827D23A: list_entry_destructor (zend_list.c:178)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827CF75: _zend_list_delete (zend_list.c:58)
==4039==    by 0x827250A: _zval_dtor (zend_variables.c:69)
==4039==    by 0x82666F5: free_zend_constant (zend_constants.c:33)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827BAA6: zend_hash_reverse_apply (zend_hash.c:736)
==4039==    by 0x8266C05: clean_non_persistent_constants (zend_constants.c:158)
==4039==    by 0x8267AFF: shutdown_executor (zend_execute_API.c:285)
==4039==  Address 0x1C04651C is 36 bytes inside a block of size 168 alloc'd
==4039==    at 0x1B90459D: malloc (vg_replace_malloc.c:130)
==4039==    by 0x825BEE5: _emalloc (zend_alloc.c:182)
==4039==    by 0x8241E05: _php_stream_alloc (streams.c:216)
==4039==    by 0x8247F9C: _php_stream_fopen_from_fd (plain_wrapper.c:204)
==4039==    by 0x8203D14: php_stream_url_wrap_php (php_fopen_wrapper.c:221)
==4039==    by 0x8244DA4: _php_stream_open_wrapper_ex (streams.c:1701)
==4039==    by 0x82A439E: cli_register_file_handles (php_cli.c:446)
==4039==    by 0x82A5124: main (php_cli.c:944)
/dat/dev/php/php-5.0dev/main/streams/streams.c(216) :  Freeing 0x1C04651C (128 bytes), script=bug32252.php
/dat/dev/php/php-5.0dev/ext/standard/php_fopen_wrapper.c(221) : Actual location (location was relayed)
Last leak repeated 2 times
/dat/dev/php/php-5.0dev/main/streams/plain_wrapper.c(179) :  Freeing 0x1C04644C (116 bytes), script=bug32252.php
/dat/dev/php/php-5.0dev/ext/standard/php_fopen_wrapper.c(221) : Actual location (location was relayed)
Last leak repeated 2 times

 [2005-06-07 10:23 UTC] derick@php.net
Ok, those memory errors were caused by streams in non-zend alloc mode. Those are fixed in CVS now. Everything else works fine. Closing report.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 13:01:28 2025 UTC