Bug #36825 Exceptions thrown in ArrayObject::offsetGet cause segfault
Submitted: 2006-03-22 22:09 UTC Modified: 2006-03-22 22:57 UTC
From: small at cybertronic dot com Assigned: tony2001 (profile)
Status: Closed Package: SPL related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None
 [2006-03-22 22:09 UTC] small at cybertronic dot com
Description:
------------
Throwing exceptions in an overloaded offsetGet() function seems to cause segfaults in PHP 5.1.2.

Reproduce code:
---------------
<?php
    // Subclass of ArrayObject whose constructor is overridden without
    // calling parent::__construct(). $obj defaults to an empty array so
    // that new foo() below does not raise a "missing argument" warning.
    class foo extends ArrayObject {
        public function __construct($obj = array(), $flags = 0, $iterator_class = "ArrayIterator") {
        }

        // The overloaded hook throws instead of returning a value; this is
        // what the engine's dimension-read path fails to handle.
        public function offsetGet($key) {
            throw new Exception("hi");
        }
    }

    $test=new foo();
    try{
        // $test['bar'] is a dimension read, which dispatches to offsetGet().
        $a=$test['bar'];
    } catch (Exception $e) {
        echo "got exception";
    }
?>


Expected result:
----------------
I expect the output:

got exception

Actual result:
--------------
I get a segfault, with backtrace as follows:

#0  0x081cb2cd in spl_array_read_dimension_ex ()
#1  0x081cb35f in spl_array_read_dimension ()
#2  0x08309d27 in zend_fetch_dimension_address ()
#3  0x0833d89e in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER ()
#4  0x0830a386 in execute ()
#5  0x082ed585 in zend_execute_scripts ()
#6  0x082a917e in php_execute_script ()
#7  0x0835039d in main ()
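A regression check that goes a step beyond the reporter's script, added here as an example and not taken from the bug report or from the PHP test suite: it throws from each of the four ArrayAccess hooks that an ArrayObject subclass can override (offsetGet, offsetExists, offsetSet, offsetUnset), drives each one through the corresponding dimension operation, and records whether the exception reached the catch block. The class and function names are this example's own. On a build that still has this bug the offsetGet case does not return at all; on a fixed build every hook reports "caught". The `#[\ReturnTypeWillChange]` attributes only matter on PHP 8.1 and later (they silence the return-type deprecation) and are parsed as comments by older interpreters.

```php
<?php
// Added regression check for exceptions thrown from overridden ArrayAccess
// hooks on an ArrayObject subclass. Not part of the original bug report.

class ThrowingArrayObject extends ArrayObject
{
    #[\ReturnTypeWillChange]
    public function offsetGet($key)
    {
        throw new RuntimeException("offsetGet($key)");
    }

    #[\ReturnTypeWillChange]
    public function offsetExists($key)
    {
        throw new RuntimeException("offsetExists($key)");
    }

    #[\ReturnTypeWillChange]
    public function offsetSet($key, $value)
    {
        throw new RuntimeException("offsetSet($key)");
    }

    #[\ReturnTypeWillChange]
    public function offsetUnset($key)
    {
        throw new RuntimeException("offsetUnset($key)");
    }
}

// Perform the dimension operation that the engine routes to the named hook.
// Written as a switch rather than closures so it also runs on PHP < 5.3.
function run_dimension_op($obj, $hook)
{
    switch ($hook) {
        case 'offsetGet':    $x = $obj['bar'];        break; // FETCH_DIM_R
        case 'offsetExists': $x = isset($obj['bar']); break; // ISSET_ISEMPTY_DIM_OBJ
        case 'offsetSet':    $obj['bar'] = 2;         break; // ASSIGN_DIM
        case 'offsetUnset':  unset($obj['bar']);      break; // UNSET_DIM
    }
}

// Returns one entry per hook: "caught: <message>" when the exception
// propagated to the caller, "no exception" when the operation completed
// silently. A process crash, as in the report above, never returns here.
function check_array_access_exceptions()
{
    $obj = new ThrowingArrayObject(array('bar' => 1));
    $hooks = array('offsetGet', 'offsetExists', 'offsetSet', 'offsetUnset');

    $results = array();
    foreach ($hooks as $hook) {
        try {
            run_dimension_op($obj, $hook);
            $results[$hook] = 'no exception';
        } catch (RuntimeException $e) {
            // The message names the hook, so a wrong hook firing would show up.
            $results[$hook] = 'caught: ' . $e->getMessage();
        }
    }
    return $results;
}

foreach (check_array_access_exceptions() as $hook => $result) {
    echo str_pad($hook, 13), $result, "\n";
}
```

Run it with `php -d display_errors=1 check.php` against the interpreter under test; a non-zero exit status with no "offsetGet" line printed is the crash the reporter describes, while a fixed build prints four "caught" lines.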


 [2006-03-22 22:40 UTC] judas dot iscariote at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912511254464 (LWP 861)]
0x000000000050381f in spl_array_read_dimension_ex (check_inherited=1, object=0xa13c60, offset=0xa19310, type=0)
    at /local/local/bodegon/php-debug/ext/spl/spl_array.c:265
265        ZVAL_ZVAL(intern->retval, rv, 1, 1);
(gdb) bt full
#0  0x000000000050381f in spl_array_read_dimension_ex (check_inherited=1, object=0xa13c60, offset=0xa19310, type=0)
    at /local/local/bodegon/php-debug/ext/spl/spl_array.c:265
   is_ref = <value optimized out>
   refcount = <value optimized out>
   rv = (zval *) 0x0
   intern = (spl_array_object *) 0x9f17e0
#1  0x0000000000633c07 in zend_fetch_dimension_address (result=0x7fffffdaa660, container_ptr=0xa198d8, dim=0xa19310,
    dim_is_tmp_var=0, type=0) at /local/local/bodegon/php-debug/Zend/zend_execute.c:1164
   overloaded_result = <value optimized out>
   container = <value optimized out>
#2  0x0000000000642fe6 in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7fffffdaa6f0)
    at zend_vm_execute.h:20430
   opline = (zend_op *) 0xa192c0
   dim = (zval *) 0xa19310
#3  0x0000000000628a3e in execute (op_array=0xa14cc0) at zend_vm_execute.h:92
   execute_data = {opline = 0xa19518, function_state = {function_symbol_table = 0xa19790, function = 0xa14cc0,
    reserved = {0x7fffffdacda0, 0x8d7138, 0x2aaaab642e9c, 0xc}}, fbc = 0x0, op_array = 0xa14cc0, object = 0x0,
  Ts = 0x7fffffdaa570, CVs = 0x7fffffdaa550, original_in_execution = 0 '\0', symbol_table = 0x8d7368,
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#4  0x000000000060b784 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1109
   files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffdaa970, reg_save_area = 0x7fffffdaa880}}
   i = 1
   file_handle = (zend_file_handle *) 0x7fffffdacda0
   orig_op_array = (zend_op_array *) 0x0
   local_retval = (zval *) 0x0
#5  0x00000000005caa9b in php_execute_script (primary_file=0x7fffffdacda0)
    at /local/local/bodegon/php-debug/main/main.c:1726
   realfile = "/srv/www/htdocs/php-bugs/array-obejct.php\000a\000\000\000\000\000symlink\000&#65533;p\000\000\000\000\000`\006\000\000\000\000\000\0001\ta\000\000\000\000\000P&#65533;*\000\000\000\200]*\000\000`\006\000\000\000\000\000\000,\206\000\000\000\000\000 vj\000\000\000\000\000`&#65533;\177", '\0' <repeats 26 times>, "&#65533;*\000\000\001", '\0' <repeats 15 times>, "rawurldeP&#65533;*\000\000\000\000\000\000\000\000\000\0002O*\000\0000[j", '\0' <repeats 13 times>...
   prepend_file_p = (zend_file_handle *) 0x0
   append_file_p = <value optimized out>
   prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
   append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {


PHP 5.1.3RC2-dev (cli) (built: Mar 22 2006 15:29:32) (DEBUG)
 [2006-03-22 22:57 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 