Bug #43426
Submitted: 2007-11-27 13:45 UTC Modified: 2008-01-24 11:01 UTC
From: cweiske@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.5 OS: Gentoo Linux 2.6.23
Private report: No CVE-ID: None

 [2007-11-27 13:45 UTC] cweiske@php.net
Description:
------------
I get a reproducible crash when running a file in the pear-core test suite against a pear 1.7.0 installation.
The test is pear-core/tests/PEAR_DependencyDB/test_assertDepsDB_fail.phpt

The problem seems to be some nested call_user_func.
PEAR_ErrorStack::push calls
$context = call_user_func($this->_contextCallback, $code, $params, $backtrace);

which in turn calls push() again, which calls the same _contextCallback again. This time, PHP crashes.

The context callback is PEAR_ErrorStack::getFileLine() - it is reached the first time, but not the second.

Reproduce code:
---------------
1. check out pear-core from CVS
2. install pear, install xml_rpc
3. cd pear-core/tests
4. pear run-tests PEAR_DependencyDB/test_assertDepsDB_fail.phpt


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006e1491 in zend_call_function (fci=0x7fff35552e90, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
911                             (*fci->params[i])->refcount++;
(gdb)
(gdb) bt
#0  0x00000000006e1491 in zend_call_function (fci=0x7fff35552e90, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
#1  0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0xf874b8, retval_ptr_ptr=0x7fff35552f30,
    param_count=3, params=0xc2df00, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#2  0x00000000005fe639 in zif_call_user_func (ht=4, return_value=0x1862c08, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#3  0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35554030) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#4  0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff35554030)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#5  0x0000000000718cb9 in execute (op_array=0xf99ba0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#6  0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff355543d0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#7  0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff355543d0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#8  0x0000000000718cb9 in execute (op_array=0xf9c608) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#9  0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35554bc0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#10 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35554bc0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#11 0x0000000000718cb9 in execute (op_array=0xfb9ad8) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#12 0x00000000006e1888 in zend_call_function (fci=0x7fff35554f30, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:990
#13 0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0x1814fb0, retval_ptr_ptr=0x7fff35554fd8,
    param_count=2, params=0x1859308, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#14 0x00000000005ff092 in zif_call_user_func_array (ht=2, return_value=0x1858d08, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5153
#15 0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff355560e0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#16 0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff355560e0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#17 0x0000000000718cb9 in execute (op_array=0xf99ba0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#18 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35556480) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#19 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35556480)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#20 0x0000000000718cb9 in execute (op_array=0xf9c608) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#21 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35556750) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#22 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35556750)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#23 0x0000000000718cb9 in execute (op_array=0xcbaf00) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#24 0x00000000006e1888 in zend_call_function (fci=0x7fff35556ac0, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:990
#25 0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0xd00150, retval_ptr_ptr=0x7fff35556b60,
    param_count=1, params=0x17fef50, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#26 0x00000000005fe639 in zif_call_user_func (ht=2, return_value=0x18134d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#27 0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35557980) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#28 0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff35557980)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#29 0x0000000000718cb9 in execute (op_array=0xcf5f28) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#30 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35558670) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#31 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35558670)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#32 0x0000000000718cb9 in execute (op_array=0xcd8dd0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#33 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35558c60) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#34 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35558c60)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#35 0x0000000000718cb9 in execute (op_array=0xc7dcd8) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#36 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff3555b9c0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#37 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff3555b9c0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#38 0x0000000000718cb9 in execute (op_array=0xc2b740) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#39 0x00000000006f05bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cweiske/compilethings/php-5.2.5/Zend/zend.c:1134
#40 0x00000000006978cd in php_execute_script (primary_file=0x7fff3555e020) at /home/cweiske/compilethings/php-5.2.5/main/main.c:2004
#41 0x00000000007731ab in main (argc=2, argv=0x7fff3555e258) at /home/cweiske/compilethings/php-5.2.5/sapi/cli/php_cli.c:1140

 [2007-11-27 13:54 UTC] cweiske@php.net
Simple reproduce script:
<?php
$c = 1; // doesn't matter
call_user_func("foo2", $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c);
function foo2($d) {} // callee takes one parameter; the 259 arguments above force EG(argument_stack) to be resized mid-call
?>


backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006e1491 in zend_call_function (fci=0x7fff00628800, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
911                             (*fci->params[i])->refcount++;
(gdb) bt
#0  0x00000000006e1491 in zend_call_function (fci=0x7fff00628800, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
#1  0x00000000006e0024 in call_user_function_ex (function_table=0xacfb80, object_pp=0x0, function_name=0xc2a828, retval_ptr_ptr=0x7fff006288a0,
    param_count=259, params=0xc2de60, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#2  0x00000000005fe639 in zif_call_user_func (ht=260, return_value=0xc2a7b8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#3  0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff00628ab0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#4  0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff00628ab0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#5  0x0000000000718cb9 in execute (op_array=0xc2b5f0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#6  0x00000000006f05bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cweiske/compilethings/php-5.2.5/Zend/zend.c:1134
#7  0x00000000006978cd in php_execute_script (primary_file=0x7fff0062b110) at /home/cweiske/compilethings/php-5.2.5/main/main.c:2004
#8  0x00000000007731ab in main (argc=2, argv=0x7fff0062b348) at /home/cweiske/compilethings/php-5.2.5/sapi/cli/php_cli.c:1140
 [2007-11-27 14:02 UTC] tony2001@php.net
Dmitry, could you please take a look at this?

The problem is reproducible with a lot of nested function calls passing lots of parameters or with just one call_user_func() call passing 64+ parameters.

Each time EG(argument_stack) is resized, previously fetched argument pointers are left pointing to nowhere.

See Zend/zend_API.c:773 (in 5_3), this is the place where we fetch the pointers:
zval **p = (zval **) (EG(argument_stack).top_element - 2 - (arg_count - i));

but it becomes wild later.
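The following C program is an added illustration of the diagnosis above, not code from the PHP source, from this report, or from the fix that was committed. It models EG(argument_stack) as a growable pointer stack, hands out zval** pointers into it the way zend_get_parameters_array_ex does, and then forwards the arguments by pushing them onto the same stack, as zend_call_function does for call_user_func(). Once a push grows the stack, the cached pointers refer to a freed buffer. The initial capacity of 64, the simplified slot layout (no "- 2" header slots), the zval struct and the "snapshot the zval* before pushing" hardening are all assumptions made for the example; the toy grow routine always moves to a fresh buffer so the dangling pointers are deterministic rather than dependent on realloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_STACK_INITIAL 64   /* assumed initial capacity; report says 64+ args triggers a resize */

typedef struct { long refcount; long value; } zval;   /* toy stand-in for a Zend zval */

/* Toy stand-in for EG(argument_stack): a growable array of pointers. */
typedef struct { void **elements; void **top_element; size_t capacity; } ptr_stack;

static void ps_init(ptr_stack *s, size_t cap) {
    s->elements = calloc(cap, sizeof *s->elements);
    s->top_element = s->elements;
    s->capacity = cap;
}

/* Grow into a fresh buffer and free the old one, so pointers into the old
 * buffer dangle deterministically (a real erealloc may or may not move). */
static void ps_grow(ptr_stack *s) {
    size_t used = (size_t)(s->top_element - s->elements);
    void **fresh = calloc(s->capacity * 2, sizeof *fresh);
    memcpy(fresh, s->elements, used * sizeof *fresh);
    free(s->elements);
    s->elements = fresh;
    s->top_element = fresh + used;
    s->capacity *= 2;
}

static void ps_push(ptr_stack *s, void *p) {
    if ((size_t)(s->top_element - s->elements) == s->capacity) ps_grow(s);
    *s->top_element++ = p;
}

/* True if p still points inside the stack's current backing buffer. */
static int in_live_buffer(const ptr_stack *s, const void *p) {
    uintptr_t lo = (uintptr_t)s->elements, q = (uintptr_t)p;
    return q >= lo && q < lo + s->capacity * sizeof(void *);
}

/* Like zend_get_parameters_array_ex: hands out zval** that point INTO the
 * stack (toy layout: the call's arguments are the top argc slots). */
static void get_parameters_array(ptr_stack *s, size_t argc, zval ***out) {
    for (size_t i = 0; i < argc; i++)
        out[i] = (zval **)(s->top_element - (argc - i));
}

/* Push argc constructed arguments (value = index) as a caller would. */
static zval *push_arguments(ptr_stack *s, size_t argc) {
    zval *args = calloc(argc, sizeof *args);
    for (size_t i = 0; i < argc; i++) { args[i].value = (long)i; ps_push(s, &args[i]); }
    return args;
}

/* The pattern from the report: fetch zval** into the stack, then forward the
 * arguments by pushing onto the SAME stack. Each push may grow the stack, after
 * which the cached zval** are wild. Returns how many went stale; the engine
 * instead does (*params[i])->refcount++ on them and crashes. */
static size_t stale_after_forwarding(size_t argc) {
    ptr_stack st; ps_init(&st, ARG_STACK_INITIAL);
    zval *args = push_arguments(&st, argc);
    zval ***params = malloc(argc * sizeof *params);
    get_parameters_array(&st, argc, params);
    size_t stale = 0;
    for (size_t i = 0; i < argc; i++) {
        if (!in_live_buffer(&st, params[i])) stale++;   /* dereferencing here is use-after-free */
        ps_push(&st, &args[i]);   /* what *params[i] would yield if it were still valid */
    }
    free(params); free(args); free(st.elements);
    return stale;
}

/* Hardened variant (constructed, not the committed fix): copy the zval* out of
 * the stack before any push can grow it, so nothing pointing into the stack
 * outlives a push. Returns the sum of forwarded values as evidence they arrived. */
static long forward_with_snapshot(size_t argc) {
    ptr_stack st; ps_init(&st, ARG_STACK_INITIAL);
    zval *args = push_arguments(&st, argc);
    zval ***params = malloc(argc * sizeof *params);
    zval **snapshot = malloc(argc * sizeof *snapshot);
    get_parameters_array(&st, argc, params);
    for (size_t i = 0; i < argc; i++) snapshot[i] = *params[i];   /* safe: no push since the fetch */
    long sum = 0;
    for (size_t i = 0; i < argc; i++) {
        snapshot[i]->refcount++;   /* the engine's refcount++, now on a pointer the stack cannot invalidate */
        ps_push(&st, snapshot[i]);
        sum += snapshot[i]->value;
    }
    free(snapshot); free(params); free(args); free(st.elements);
    return sum;
}

int main(void) {
    printf("stale pointers: 8 args=%zu, 64 args=%zu, 259 args=%zu\n",
           stale_after_forwarding(8), stale_after_forwarding(64), stale_after_forwarding(259));
    printf("snapshot forwarding of 259 args sums to %ld\n", forward_with_snapshot(259));
    return 0;
}
```

With 8 arguments nothing is resized and no pointer goes stale; with exactly 64 the very first forwarding push grows the stack and the remaining 63 cached pointers dangle; with the 259 arguments of the reproduce script the stack has already grown to 512 slots, so only the last five pointers go wild, but one wild dereference is enough for the SIGSEGV in the report. The general rule the example shows is that a pointer into any growable buffer is only valid until the next operation that may grow it; store the value or an index instead, or re-derive the pointer after each push.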
 [2008-01-24 11:01 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 16 11:01:33 2025 UTC