Bug #30142 switch() with function and call in it segfaults
Submitted: 2004-09-18 18:35 UTC Modified: 2010-12-20 11:45 UTC
From: toni dot viemero at iki dot fi Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.0.1 OS: FreeBSD 5.4-BETA4
Private report: No CVE-ID: None
 [2004-09-18 18:35 UTC] toni dot viemero at iki dot fi
Description:
------------
I was investigating why WordPress (www.wordpress.org) wp-login.php segfaults my Apache child and stripped the code down as far as possible to reproduce the segfault.

[toni@shaolin:~]$ php-5.0.1/sapi/cli/php -v
PHP 5.0.1 (cli) (built: Sep 18 2004 02:34:23) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.1, Copyright (c) 1998-2004 Zend Technologies

[toni@shaolin:~]$ php-5.0.1/sapi/cli/php -e segfault.php
Segmentation fault (core dumped)

Compiled with:
./configure --enable-versioning --enable-memory-limit --enable-debug --with-layout=GNU --with-config-file-scan-dir=/tmp --disable-all --enable-libxml --enable-spl --with-regex=php --with-apxs2=/usr/local/sbin/apxs --disable-ipv6 --prefix=/tmp --with-bz2=/usr --enable-ctype --with-curl=/usr/local --enable-dba --enable-dom --enable-exif --enable-ftp --with-gd --with-freetype-dir=/usr/local --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-gettext=/usr/local --with-iconv=/usr/local --with-imap=/usr/local --enable-mbstring --with-mcrypt=/usr/local --with-mhash=/usr/local --with-mysql=/usr/local --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=yes --with-pgsql=/usr/local --enable-posix --enable-session --enable-simplexml --with-snmp=/usr/local --enable-ucd-snmp-hack --enable-soap --with-libxml-dir=/usr/local --enable-sockets --with-sqlite --with-tidy=/usr/local --enable-tokenizer --enable-wddx --enable-xml --with-xmlrpc --with-expat-dir=/usr/local --with-iconv-dir=/usr/local --with-libxml-dir=/usr/local --with-xsl=/usr/local --with-zlib=/usr --with-zlib-dir=/usr

Reproduce code:
---------------
<?php
$action = '';

switch ($action) {
    default:
        // Function declared inside the switch body and called before the
        // switch is left; this is the pattern that triggers the crash.
        function this_will_segfault() {
            return true;
        }
        if ( (this_will_segfault()) ) {
            print "true\n";
        }
        break;
}
?>

Expected result:
----------------
"true" printed.

Actual result:
--------------
(gdb) bt
#0  0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
    __zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c", __zend_lineno=208)
    at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
#1  0x0833b202 in zend_switch_free (opline=0x85b0908, Ts=0xbfbfcec0) at /home/toni/php-5.0.1/Zend/zend_execute.c:208
#2  0x0833b44f in zend_switch_free_handler (execute_data=0xbfbfcef0, opline=0x85b0908, op_array=0x865eb00)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:3234
#3  0x08333ae1 in execute (op_array=0x865eb00) at /home/toni/php-5.0.1/Zend/zend_execute.c:1400
#4  0x083395e4 in zend_do_fcall_common_helper (execute_data=0xbfbfd060, opline=0x866644c, op_array=0x8658824)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:2737
#5  0x08339c9c in zend_do_fcall_by_name_handler (execute_data=0xbfbfd060, opline=0x866644c, op_array=0x8658824)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:2822
#6  0x08333ae1 in execute (op_array=0x8658824) at /home/toni/php-5.0.1/Zend/zend_execute.c:1400
#7  0x0830f5b0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/toni/php-5.0.1/Zend/zend.c:1061
#8  0x082c8b27 in php_execute_script (primary_file=0xbfbfe794) at /home/toni/php-5.0.1/main/main.c:1627
#9  0x0834038c in main (argc=3, argv=0xbfbfe7f4) at /home/toni/php-5.0.1/sapi/cli/php_cli.c:943
(gdb) frame 0
#0  0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
    __zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c", __zend_lineno=208)
    at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
389             (*zval_ptr)->refcount--;
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x865db64 "/home/toni/segfault.php"

 [2004-09-18 18:41 UTC] tony2001@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

Duplicate of #29944.
 [2010-12-20 11:45 UTC] jani@php.net
-Package: Tidy +Package: Reproducible crash