Bug #26698 Thrown exceptions while evaluating argument to pass as parameter crash PHP
Submitted: 2003-12-22 16:51 UTC
Modified: 2004-02-10 11:55 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: davidc at bLesys dot com
Assigned:
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS-2004-02-10
OS: *
Private report: No
CVE-ID:
 [2003-12-22 16:51 UTC] davidc at bLesys dot com
Description:
------------
(bug was not fixed in beta3 also)

While evaluating argument 3 to pass to method setProperties, an exception is thrown but any attempt to rethrow this exception/new exception or return from the method crashes PHP.
Strangely, no problem is encountered if this exception is thrown while evaluating the first two arguments.
The solution for now is to create a local variable that holds the contents of the argument. Then, we simply pass the local variable to the method, but this creates additional work for the programmer.

Reproduce code:
---------------
<?php
class x
{
    function getFirst()
    {
        throw (new Exception("No rows present"));
    }
}

class Proxy
{
    function setProperties($c) {}

    /* public void */ function setObject($b, $obj, $res)
    {
        try {
            $res = new x();
            // getFirst() throws while argument 3 is being evaluated
            $this->setProperties($a, $b, $res->getFirst());
        } catch (Exception $e) {
            throw new Exception("Failed to get it!");
        }
    }
}

$p = (new Proxy());
$p->setObject($this, $o, $ret);
?>

Expected result:
----------------
Thrown exception caught by PHP5's default handler (stack output, etc)

Actual result:
--------------
Apache2 dies
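
The workaround described in the report, written out as an added example (it is not part of the original report or of PHP's own code). The class name RowSource and the helper runWorkaround are hypothetical, and setProperties is declared with three parameters here so the call is well-formed.

```php
<?php
// Added example: hoist the expression that may throw into a local variable,
// so the exception is raised before the method call begins collecting arguments.
class RowSource // hypothetical stand-in for class x in the report
{
    public function getFirst()
    {
        throw new Exception("No rows present");
    }
}

class Proxy
{
    public function setProperties($a, $b, $c)
    {
        return array($a, $b, $c);
    }

    public function setObject($a, $b, RowSource $res)
    {
        try {
            // Evaluated on its own statement: if it throws, no call to
            // setProperties() is in progress yet.
            $first = $res->getFirst();
            return $this->setProperties($a, $b, $first);
        } catch (Exception $e) {
            throw new Exception("Failed to get it!");
        }
    }
}

// Hypothetical driver: returns the message of the exception that reaches the caller.
function runWorkaround()
{
    $p = new Proxy();
    try {
        $p->setObject(1, 2, new RowSource());
    } catch (Exception $e) {
        return $e->getMessage();
    }
    return null;
}

echo runWorkaround(), "\n";
```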

 [2003-12-25 01:04 UTC] magnus@php.net
Using CLI:
0x0832ba22 in _zval_ptr_dtor (zval_ptr=0x55e78c0c, __zend_filename=0x856c820 "/opt/dev/php/php5/Zend/zend_execute.h",
    __zend_lineno=114) at /opt/dev/php/php5/Zend/zend_execute_API.c:353
353             (*zval_ptr)->refcount--;

#0  0x0832ba22 in _zval_ptr_dtor (zval_ptr=0x55e78c0c, __zend_filename=0x856c820 "/opt/dev/php/php5/Zend/zend_execute.h",
    __zend_lineno=114) at /opt/dev/php/php5/Zend/zend_execute_API.c:353
No locals.
#1  0x08361ef9 in zend_ptr_stack_clear_multiple () at zend_execute.h:114
        p = (void **) 0x55e78c0c
        delete_count = 1441317091
#2  0x0835d7ed in zend_do_fcall_common_helper (execute_data=0xfeffd3c0, op_array=0x55e88f30)
    at /opt/dev/php/php5/Zend/zend_execute.c:2630
        original_return_value = (zval **) 0xfeffd4dc
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
#3  0x0835d8cc in zend_do_fcall_by_name_handler (execute_data=0xfeffd3c0, op_array=0x55e88f30)
    at /opt/dev/php/php5/Zend/zend_execute.c:2651
No locals.
#4  0x0835998d in execute (op_array=0x55e88f30) at /opt/dev/php/php5/Zend/zend_execute.c:1260
        execute_data = {opline = 0x55e89790, function_state = {function_symbol_table = 0x55e8be80, function = 0x55e88f30,
    reserved = {0x0, 0x0, 0x55e88f30, 0x0}}, fbc = 0x0, fbc_constructor = 0x0, op_array = 0x55e88f30, object = 0x0,
  Ts = 0xfeffd2a4, original_in_execution = 0 '\0', calling_scope = 0x9d, prev_execute_data = 0x0}
#5  0x08337624 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/dev/php/php5/Zend/zend.c:1049
        files = 0xfeffd514 ""
        i = 1
        file_handle = (zend_file_handle *) 0xfefff800
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0

 [2004-02-04 20:29 UTC] sniper@php.net
Crash still exists, but the backtrace has changed:

0x082c94b5 in zend_fetch_debug_backtrace (return_value=0x40e44a50, skip_last=0)
    at /usr/src/web/php/php5/Zend/zend_builtin_functions.c:1568
1568                    ptr = ptr->prev_execute_data;
(gdb) bt
#0  0x082c94b5 in zend_fetch_debug_backtrace (return_value=0x40e44a50, skip_last=0)
    at /usr/src/web/php/php5/Zend/zend_builtin_functions.c:1568
#1  0x082cee5d in zend_default_exception_new (class_type=0x8617e48)
    at /usr/src/web/php/php5/Zend/zend_default_classes.c:48
#2  0x082be361 in _object_and_properties_init (arg=0x40e446a8, class_type=0x8617e48, properties=0x0, 
    __zend_filename=0x84059a0 "/usr/src/web/php/php5/Zend/zend_execute.c", __zend_lineno=3107)
    at /usr/src/web/php/php5/Zend/zend_API.c:725
#3  0x082be38a in _object_init_ex (arg=0x40e446a8, class_type=0x8617e48, 
    __zend_filename=0x84059a0 "/usr/src/web/php/php5/Zend/zend_execute.c", __zend_lineno=3107)
    at /usr/src/web/php/php5/Zend/zend_API.c:732
#4  0x082deb96 in zend_new_handler (execute_data=0xbfffcd20, opline=0x40e451c0, op_array=0x40e4650c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:3107
#5  0x082da46c in execute (op_array=0x40e4650c) at /usr/src/web/php/php5/Zend/zend_execute.c:1272
#6  0x082dd779 in zend_do_fcall_common_helper (execute_data=0xbfffcfb0, opline=0x40e46df0, op_array=0x40e45bbc)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2587
#7  0x082ddb83 in zend_do_fcall_by_name_handler (execute_data=0xbfffcfb0, opline=0x40e46df0, op_array=0x40e45bbc)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2669
#8  0x082da46c in execute (op_array=0x40e45bbc) at /usr/src/web/php/php5/Zend/zend_execute.c:1272
#9  0x082dd779 in zend_do_fcall_common_helper (execute_data=0xbfffd1b0, opline=0x40e43f60, op_array=0x40e437a0)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2587
#10 0x082ddb83 in zend_do_fcall_by_name_handler (execute_data=0xbfffd1b0, opline=0x40e43f60, op_array=0x40e437a0)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2669
#11 0x082da46c in execute (op_array=0x40e437a0) at /usr/src/web/php/php5/Zend/zend_execute.c:1272
#12 0x082bcaa7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1051
#13 0x08285fd8 in php_execute_script (primary_file=0xbffff5b0) at /usr/src/web/php/php5/main/main.c:1641

 [2004-02-09 11:49 UTC] sniper@php.net
See also #27186
 [2004-02-10 11:55 UTC] zeev@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
Last updated: Fri Apr 25 07:02:14 2014 UTC