Bug #55339 Segfault with allow_call_time_pass_reference = Off
Submitted: 2011-08-01 19:47 UTC
Modified: 2011-08-02 07:40 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tomas dot brastavicius at quantum dot lt
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.3SVN-2011-08-01 (SVN)
OS: Linux
Private report: No
CVE-ID: None
 [2011-08-01 19:47 UTC] tomas dot brastavicius at quantum dot lt
Description:
------------
The scripts that are provided below cause a segfault. The following configuration was used to compile PHP:
./configure --disable-all

Test script:
---------------
To reproduce the bug one needs 3 PHP files:

1. index.php
<?php

function error_handler($errno, $errstr, $errfile, $errline)
{
    require_once 'error_handler.php';
}
set_error_handler('error_handler');

require_once('inc.php');

echo 'Never prints';


2. error_handler.php
<?php

// The file may be empty. It's OK.


3. inc.php
<?php

function foo()
{
    $array = array();
    foreach ($array as $key => $value) {
        bar($key, &$value);
    }
}

function bar()
{

}

Before running index.php be sure allow_call_time_pass_reference is Off

Expected result:
----------------
Never prints

Actual result:
--------------
Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in ?? ()
(gdb) bt
#0  0x00000000006210e7 in ?? ()
#1  0x0000000100000000 in ?? ()
#2  0x00007f3a4a29d390 in ?? ()
#3  0x0000000000000000 in ?? ()


 [2011-08-01 20:09 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-08-01 20:31 UTC] pajoye@php.net
-Status: Assigned +Status: Feedback
 [2011-08-01 20:31 UTC] pajoye@php.net
The symbols are missing so the backtrace is rather useless. Compile php with
--enable-debug to get them.
 [2011-08-01 20:50 UTC] tomas dot brastavicius at quantum dot lt
@pajoye@php.net

I did. I have made a mistake in a bug report. The following configuration was used: ./configure --disable-all --enable-debug.
I was able to reproduce this issue on 3 separate servers.
 [2011-08-01 20:58 UTC] pajoye@php.net
Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in ?? ()
(gdb) bt
#0  0x00000000006210e7 in ?? ()


No, the debug mode was not used, sorry. The ?? are here to say that gdb has no
idea about the symbols.
 [2011-08-01 21:25 UTC] tomas dot brastavicius at quantum dot lt
Oops, here is the backtrace.

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006210e7 in zval_delref_p (T=0x7f91d9630390, extended_value=1)
    at /home/tomas/php-5.3/Zend/zend.h:385
385		return --pz->refcount__gc;
(gdb) bt
#0  0x00000000006210e7 in zval_delref_p (T=0x7f91d9630390, extended_value=1)
    at /home/tomas/php-5.3/Zend/zend.h:385
#1  zend_pzval_unlock_free_func (T=0x7f91d9630390, extended_value=1) at /home/tomas/php-5.3/Zend/zend_execute.c:86
#2  zend_switch_free (T=0x7f91d9630390, extended_value=1) at /home/tomas/php-5.3/Zend/zend_execute.c:382
#3  0x00000000006459b6 in ZEND_SWITCH_FREE_SPEC_VAR_HANDLER (execute_data=0x7f91d96302a8)
    at /home/tomas/php-5.3/Zend/zend_vm_execute.h:8453
#4  0x0000000000624a36 in execute (op_array=0x29be158) at /home/tomas/php-5.3/Zend/zend_vm_execute.h:107
#5  0x00000000005e16b7 in zend_call_function (fci=0x7fff63d50ae0, fci_cache=0x7fff63d50970)
    at /home/tomas/php-5.3/Zend/zend_execute_API.c:968
#6  0x00000000005e089c in call_user_function_ex (function_table=0x28b7bd0, object_pp=0x0, function_name=0x29ba828, 
    retval_ptr_ptr=0x7fff63d50be8, param_count=5, params=0x29bedb0, no_separation=1, symbol_table=0x0)
    at /home/tomas/php-5.3/Zend/zend_execute_API.c:758
#7  0x00000000005f0d2a in zend_error (type=8192, format=0x794ad8 "Call-time pass-by-reference has been deprecated")
    at /home/tomas/php-5.3/Zend/zend.c:1102
#8  0x00000000005d2f9d in zend_do_pass_param (param=0x7fff63d51110, op=67 'C', offset=2)
    at /home/tomas/php-5.3/Zend/zend_compile.c:2093
#9  0x00000000005aae3b in zendparse () at /home/tomas/php-5.3/Zend/zend_language_parser.y:483
#10 0x00000000005af8cb in compile_file (file_handle=0x7fff63d52bc0, type=8) at Zend/zend_language_scanner.l:364
#11 0x000000000062a236 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7f91d9630090)
    at /home/tomas/php-5.3/Zend/zend_vm_execute.h:1946
#12 0x0000000000624a36 in execute (op_array=0x29ba5b0) at /home/tomas/php-5.3/Zend/zend_vm_execute.h:107
#13 0x00000000005f11ec in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/tomas/php-5.3/Zend/zend.c:1195
#14 0x000000000057a60c in php_execute_script (primary_file=0x7fff63d552a0) at /home/tomas/php-5.3/main/main.c:2284
#15 0x00000000006d5061 in main (argc=4, argv=0x7fff63d55508) at /home/tomas/php-5.3/sapi/cli/php_cli.c:1184
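
An added triage example for the two backtraces in this report (Python, not part of the bug thread or of php-src): it separates a symbol-less trace from a usable one and flags the pattern visible in the symbolized trace, where `zend_error` enters the executor while `zendparse`/`compile_file` are still on the stack. The helper names are hypothetical, and the frames are abridged from the report.

```python
import re

# Frames abridged from the two backtraces in this report (some arguments and
# all source locations trimmed; function names and frame order unchanged).
STRIPPED_BT = """\
#0  0x00000000006210e7 in ?? ()
#1  0x0000000100000000 in ?? ()
#2  0x00007f3a4a29d390 in ?? ()
#3  0x0000000000000000 in ?? ()
"""
SYMBOLIZED_BT = """\
#0  0x00000000006210e7 in zval_delref_p (T=0x7f91d9630390, extended_value=1)
#1  zend_pzval_unlock_free_func (T=0x7f91d9630390, extended_value=1)
#2  zend_switch_free (T=0x7f91d9630390, extended_value=1)
#3  0x00000000006459b6 in ZEND_SWITCH_FREE_SPEC_VAR_HANDLER (execute_data=0x7f91d96302a8)
#4  0x0000000000624a36 in execute (op_array=0x29be158)
#5  0x00000000005e16b7 in zend_call_function (fci=0x7fff63d50ae0, fci_cache=0x7fff63d50970)
#6  0x00000000005e089c in call_user_function_ex (function_table=0x28b7bd0, object_pp=0x0)
#7  0x00000000005f0d2a in zend_error (type=8192)
#8  0x00000000005d2f9d in zend_do_pass_param (param=0x7fff63d51110, op=67 'C', offset=2)
#9  0x00000000005aae3b in zendparse ()
#10 0x00000000005af8cb in compile_file (file_handle=0x7fff63d52bc0, type=8)
#11 0x000000000062a236 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7f91d9630090)
#12 0x0000000000624a36 in execute (op_array=0x29ba5b0)
"""
COMPILER_FRAMES = {"zendparse", "compile_file"}  # compiler entry points seen in the trace
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(", re.M)

def parse_frames(bt):
    """Return function names in gdb order, innermost frame (#0) first."""
    return [m.group(2) for m in FRAME_RE.finditer(bt)]

def is_symbolized(frames):
    """False when gdb printed '??' for every frame, i.e. no symbols were found."""
    return any(name != "??" for name in frames)

def handler_ran_during_compile(frames):
    """True if execute() sits above zend_error() while a compiler frame is below it."""
    if "zend_error" not in frames:
        return False
    err = frames.index("zend_error")
    inner, outer = frames[:err], frames[err + 1:]
    return "execute" in inner and any(f in COMPILER_FRAMES for f in outer)

if __name__ == "__main__":
    for bt in (STRIPPED_BT, SYMBOLIZED_BT):
        frames = parse_frames(bt)
        print(is_symbolized(frames), handler_ran_during_compile(frames))
```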
 [2011-08-02 07:38 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=314086
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2011-08-02 07:40 UTC] dmitry@php.net
-Status: Feedback +Status: Closed
 [2011-08-02 07:40 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2012-07-24 23:40 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6803a389284d8ae29d3d8e00d3e62ba8106362f1
Log: Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
 