php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #29735 Segfault (11) / Possible stack corruption
Submitted: 2004-08-18 15:24 UTC Modified: 2004-09-06 01:00 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: sparkeh at btinternet dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.0.1 OS: Linux 2.6.7-gentoo-r9
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sparkeh at btinternet dot com
New email:
PHP Version: OS:

 

 [2004-08-18 15:24 UTC] sparkeh at btinternet dot com 
Description:
------------
I've tried to get the code to the minimum required to cause a crash. The combination of the local variable being defined and the global reference seems to be causing stack corruption (the script never returns successfully from the function call:

jelly can # php -f crash.php
About to segfault : Segmentation fault
jelly can # php -v
PHP 5.0.1 (cli) (built: Aug 18 2004 12:39:38)

Reproduce code:
---------------
<?
        switch($t)
        {
                default:
                        $rar = 0;
                        function segfault()
                        {
                                global $moo;
                                echo 'About to segfault : ';
                        }
                        segfault();
        }
?>


Expected result:
----------------
About to segfault : 

Actual result:
--------------
About to segfault : Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-08-18 15:47 UTC] derick@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is expected, PHP does not protect against infinite recursion.
 [2004-08-18 16:17 UTC] sparkeh at btinternet dot com 
There is no recursion. This is a function being called from within a switch block. Surely?
 [2004-08-18 17:05 UTC] derick@php.net 
?
You call the function segfault() in a never ending loop.
 [2004-08-18 17:18 UTC] sparkeh at btinternet dot com 
What loop??

Remove the "global $moo" and the $rar = 0 and it runs as expected:

<?
        switch($t)
        {
                default:
                        function segfault()
                        {
                                echo 'About to segfault : ';
                        }
                        segfault();
        }
        echo 'Or not. Look no loop.';
?>
 [2004-08-18 19:44 UTC] sparkeh at btinternet dot com 
There is no loop here. This is segfaulting because the function is failing to return correctly (stack corruption). Remove the "global" statement, and add an echo '' outside of the switch() braces to see normal (expected) program flow.
 [2004-08-18 20:36 UTC] sparkeh at btinternet dot com 
N.B. Original code tested and works as expected with PHP 4.3.3
 [2004-08-19 18:27 UTC] hip at cs dot okstate dot edu 
I getting a seg. fault on a simple little script that's worked for years and it sure smells like stack corruption.

<?
require_once("config.inc");
require_once("Database.inc");

$db = new Database(USER_ID, USER_PASSWORD);
$db->connect();

$sql  = "select from STUDENT_STATUS ";
$sql .= "where STATUS='APPROVED' ";
?>

On my solaris 9 x86 box this seq. faults. Change the last line it seq faults. Remove the last line it doesn't. After a
hour of playing, I've discovered that I can prevent a seg. fault by place echo statements (or some other random statment) in key positions in the file.  That sure smells
like stack corruption.

I ran gdb on the core dump and the last lines of the backtrace are:

#20 0x81b65da in zend_deactivate () at /usr/local/src/php-5.0.1/Zend/zend.c:819
#21 0x8182007 in php_request_shutdown (dummy=0x0)
    at /usr/local/src/php-5.0.1/main/main.c:1212
#22 0x81db50f in main (argc=2, argv=0x8047a18)
    at /usr/local/src/php-5.0.1/sapi/cli/php_cli.c:1046

and from what little I know of gdb it looks like it's happening when php is trying to shutdown.
 [2004-08-19 20:50 UTC] sparkeh at btinternet dot com 
gdb stack trace from the first script (Ref: 3:24pm CEST)

#0  0x081e74a2 in _zval_ptr_dtor ()
#1  0x08216d9f in zend_switch_free_handler ()
#2  0x08211dff in execute ()
#3  0x0821567d in zend_do_fcall_common_helper ()
#4  0x08215993 in zend_do_fcall_by_name_handler ()
#5  0x08211dff in execute ()
#6  0x081f2b17 in zend_execute_scripts ()
#7  0x081b4d31 in php_execute_script ()
#8  0x00000000 in ?? ()
#9  0x00000003 in ?? ()
#10 0x00000000 in ?? ()
...
#970 0x5f706870 in ?? ()
#971 0x69727473 in ?? ()
#972 0x68775f70 in ?? ()
#973 0x4083a6c4 in mallopt () from /lib/libc.so.6
Previous frame inner to this frame (corrupt stack?)
(gdb)

:o)
 [2004-08-21 03:56 UTC] sparkeh at btinternet dot com 
I've noticed that this is a duplicate of bug #28487
 [2004-08-29 12:59 UTC] tony2001@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

Seems to be fixed. Please, test it again.
 [2004-09-06 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-09-04 17:22 UTC] php at kanariepiet dot com 
This is the same as bug #29944, which is fixed as of 
2005-04-25 in CVS
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 17 04:01:34 2024 UTC