Bug #29566 foreach/string handling strangeness (crash)
Submitted: 2004-08-08 00:01 UTC Modified: 2004-09-22 09:16 UTC
From: stefan at hotpaenz dot de Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.0.1 OS: Linux 2.6.3
Private report: No CVE-ID: None
 [2004-08-08 00:01 UTC] stefan at hotpaenz dot de
Description:
------------
Consider the following code. Of course it isn't useful, but nevertheless it shouldn't crash PHP.

Perhaps this is related to bug 28487 (another crash, affecting real-world scripts) because the same function zend_switch_free_handler is involved.

Perhaps this is the same bug as 28574, which was closed as the problem went away. The crash I am reporting now occurs with a current snapshot (200408071830).

Reproduce code:
---------------
<?php
$var = "This is a string";          // a plain string, not an array

$dummy = "";
unset($dummy);                      // create a second variable and destroy it again

foreach ($var['nosuchkey'] as $v) { // line 7: string offset with a non-numeric key, then iterated
}


Expected result:
----------------
Warning:  Invalid argument supplied for foreach() in crash.php on line 7

[no crash of course]

Actual result:
--------------
Warning:  Invalid argument supplied for foreach() in crash.php on line 7
Segmentation fault (core dumped)

[backtrace follows]

#0  _efree (ptr=0x75736f6e)
    at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285
285  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);

(gdb) bt

#0  _efree (ptr=0x75736f6e)
    at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285
#1  0x082424f8 in _zval_ptr_dtor (zval_ptr=0xbfffd698)
    at /root/php/200408071830/php5-5.0.0/Zend/zend_execute_API.c:396
#2  0x0827288b in zend_switch_free_handler (execute_data=0xbfffd710, opline=0x872749c, op_array=0x8722f24, tsrm_ls=0x8431018)
    at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:210
#3  0x0826ce85 in execute (op_array=0x8722f24, tsrm_ls=0x8431018)
    at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:1400
#4  0x0824d971 in zend_execute_scripts (type=8, tsrm_ls=0x8431018, retval=0x0, file_count=3)
    at /root/php/200408071830/php5-5.0.0/Zend/zend.c:1068
#5  0x08210ab4 in php_execute_script (primary_file=0xbffffae0, tsrm_ls=0x8431018)
    at /root/php/200408071830/php5-5.0.0/main/main.c:1631
#6  0x08279bec in main (argc=2, argv=0xbffffba4)
    at /root/php/200408071830/php5-5.0.0/sapi/cgi/cgi_main.c:1568

History
 [2004-08-08 23:03 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Works fine with latest CVS. 
 [2004-08-24 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2004-08-24 09:40 UTC] stefan at hotpaenz dot de
Indeed it works fine with the latest PHP4 snapshot (200408232230 tested), but this is a PHP5 bug. For the record: it still crashes with the 200408232230 PHP5 snapshot (unstable).
 [2004-08-24 09:46 UTC] tony2001@php.net
No crash with latest HEAD (Linux 2.6.8.1, glibc 2.3.2).
 [2004-08-24 10:32 UTC] stefan at hotpaenz dot de
I use Linux 2.6.3 and glibc 2.3.2.

PHP crashes _after_ printing the warning "Invalid argument supplied for foreach()" at the end of the script (perhaps when cleaning up?). I tested again with the 200408240630 snapshots (stable and HEAD). This is the HEAD backtrace:
 
#0  _efree (ptr=0x75736f6e)
    at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285
285  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);

(gdb) bt

#0  _efree (ptr=0x75736f6e)
    at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285
#1  0x08178298 in _zval_ptr_dtor (zval_ptr=0xbfffd6a8)
    at /root/php/test/php5-200408240630/Zend/zend_execute_API.c:390
#2  0x081a3407 in zend_switch_free_handler (execute_data=0xbfffd710)
    at /root/php/test/php5-200408240630/Zend/zend_execute.c:245
#3  0x0819eb48 in execute (op_array=0x8274014)
    at /root/php/test/php5-200408240630/Zend/zend_execute.c:1498
#4  0x08181f95 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/php/test/php5-200408240630/Zend/zend.c:1052
#5  0x0814d5ad in php_execute_script (primary_file=0xbffffaa0)
    at /root/php/test/php5-200408240630/main/main.c:1633
#6  0x081a9c81 in main (argc=2, argv=0xbffffb64)
    at /root/php/test/php5-200408240630/sapi/cgi/cgi_main.c:1568

The backtrace of stable is slightly different:

#0  _efree (ptr=0x75736f6e)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263
263  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);

(gdb) bt

#0  _efree (ptr=0x75736f6e)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263
#1  0x081764b8 in _zval_ptr_dtor (zval_ptr=0xbfffd678)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute_API.c:391
#2  0x081a0632 in zend_switch_free_handler (execute_data=0xbfffd6f0, opline=0x8272464, op_array=0x826deec)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:210
#3  0x0819c0a9 in execute (op_array=0x826deec)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:1400
#4  0x081802b5 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /root/php/test/php5-STABLE-200408240630/Zend/zend.c:1061
#5  0x0814b99d in php_execute_script (primary_file=0xbffffa80)
    at /root/php/test/php5-STABLE-200408240630/main/main.c:1629
#6  0x081a68c7 in main (argc=2, argv=0xbffffb44)
    at /root/php/test/php5-STABLE-200408240630/sapi/cgi/cgi_main.c:1568
 [2004-08-24 23:43 UTC] helly@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip


 [2004-08-25 09:13 UTC] stefan at hotpaenz dot de
It still crashes with stable PHP5 snapshot 200408250430 and HEAD snapshot 200408250630.

Is there anything else I could do besides testing again and again? I would like to help you make PHP better, and I have some C knowledge, but I don't really understand the inner workings of Zend/PHP. Is there anything I could add to the code to reveal what leads to the crash?
 [2004-08-25 09:21 UTC] stefan at hotpaenz dot de
Okay, I just discovered PHP only crashes with a non-debug build. My configure line is:

./configure --disable-cli --enable-cgi --without-pear
 [2004-09-22 09:16 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0.