Bug #30142 switch() with function and call in it segfaults
Submitted: 2004-09-18 18:35 UTC Modified: 2010-12-20 11:45 UTC
From: toni dot viemero at iki dot fi Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.0.1 OS: FreeBSD 5.4-BETA4
Private report: No CVE-ID: None


 [2004-09-18 18:35 UTC] toni dot viemero at iki dot fi
I was investigating why Wordpress wp-login.php segfaults my apache child and stripped down the code as far as possible to reproduce the segfault.

[toni@shaolin:~]$ php-5.0.1/sapi/cli/php -v
PHP 5.0.1 (cli) (built: Sep 18 2004 02:34:23) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.1, Copyright (c) 1998-2004 Zend Technologies

[toni@shaolin:~]$ php-5.0.1/sapi/cli/php -e segfault.php
Segmentation fault (core dumped)

Compiled with:
./configure --enable-versioning --enable-memory-limit --enable-debug --with-layout=GNU --with-config-file-scan-dir=/tmp --disable-all --enable-libxml --enable-spl --with-regex=php --with-apxs2=/usr/local/sbin/apxs --disable-ipv6 --prefix=/tmp --with-bz2=/usr --enable-ctype --with-curl=/usr/local --enable-dba --enable-dom --enable-exif --enable-ftp --with-gd --with-freetype-dir=/usr/local --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-gettext=/usr/local --with-iconv=/usr/local --with-imap=/usr/local --enable-mbstring --with-mcrypt=/usr/local --with-mhash=/usr/local --with-mysql=/usr/local --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=yes --with-pgsql=/usr/local --enable-posix --enable-session --enable-simplexml --with-snmp=/usr/local --enable-ucd-snmp-hack --enable-soap --with-libxml-dir=/usr/local --enable-sockets --with-sqlite --with-tidy=/usr/local --enable-tokenizer --enable-wddx --enable-xml --with-xmlrpc --with-expat-dir=/usr/local --with-iconv-dir=/usr/local --with-libxml-dir=/usr/local --with-xsl=/usr/local --with-zlib=/usr --with-zlib-dir=/usr

Reproduce code:
<?php
$action = '';

switch ($action) {
    default: // case label assumed
        // Named function declared inside the switch body
        function this_will_segfault() {
            return true;
        }
        if ( (this_will_segfault()) ) {
            print "true\n";
        }
}

Expected result:
"true" printed.

Actual result:
(gdb) bt
#0  0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
    __zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c", __zend_lineno=208)
    at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
#1  0x0833b202 in zend_switch_free (opline=0x85b0908, Ts=0xbfbfcec0) at /home/toni/php-5.0.1/Zend/zend_execute.c:208
#2  0x0833b44f in zend_switch_free_handler (execute_data=0xbfbfcef0, opline=0x85b0908, op_array=0x865eb00)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:3234
#3  0x08333ae1 in execute (op_array=0x865eb00) at /home/toni/php-5.0.1/Zend/zend_execute.c:1400
#4  0x083395e4 in zend_do_fcall_common_helper (execute_data=0xbfbfd060, opline=0x866644c, op_array=0x8658824)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:2737
#5  0x08339c9c in zend_do_fcall_by_name_handler (execute_data=0xbfbfd060, opline=0x866644c, op_array=0x8658824)
    at /home/toni/php-5.0.1/Zend/zend_execute.c:2822
#6  0x08333ae1 in execute (op_array=0x8658824) at /home/toni/php-5.0.1/Zend/zend_execute.c:1400
#7  0x0830f5b0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/toni/php-5.0.1/Zend/zend.c:1061
#8  0x082c8b27 in php_execute_script (primary_file=0xbfbfe794) at /home/toni/php-5.0.1/main/main.c:1627
#9  0x0834038c in main (argc=3, argv=0xbfbfe7f4) at /home/toni/php-5.0.1/sapi/cli/php_cli.c:943
(gdb) frame 0
#0  0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
    __zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c", __zend_lineno=208)
    at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
389             (*zval_ptr)->refcount--;
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x865db64 "/home/toni/segfault.php"
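
To audit a code base for the construct in this report (a named function declared inside a switch body), the following added example uses the tokenizer extension's token_get_all() to list such declarations. It is not part of the original report or of PHP's own code. It handles only the brace form of switch, and the function name find_functions_in_switch and the sample source are constructed for illustration.

```php
<?php
// Added example: list named functions declared inside a brace-form switch body.
function find_functions_in_switch(string $source): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $stack = [];            // one entry per open brace: 'switch' or 'other'
    $pendingSwitch = false; // T_SWITCH seen, its "{" not yet reached
    $switchParens = 0;      // "(" depth at which that switch started
    $parens = 0;
    $hits = [];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        $id = is_array($tok) ? $tok[0] : null;
        if ($id === T_SWITCH) {
            $pendingSwitch = true;
            $switchParens = $parens;
        } elseif ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $stack[] = 'other'; // "{$x}" and "${x}" in strings close with "}"
        } elseif ($id === T_FUNCTION && in_array('switch', $stack, true)) {
            // Look past whitespace and "&"; a closure has no name token.
            for ($j = $i + 1; $j < $count; $j++) {
                $next = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
                if (trim($next) !== '' && $next !== '&') {
                    break;
                }
            }
            if ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                $hits[] = ['function' => $tokens[$j][1], 'line' => $tok[2]];
            }
        } elseif ($tok === '(') {
            $parens++;
        } elseif ($tok === ')') {
            $parens--;
        } elseif ($tok === '{') {
            // Braces inside the switch condition are deeper in parentheses.
            $isSwitch = $pendingSwitch && $parens === $switchParens;
            $stack[] = $isSwitch ? 'switch' : 'other';
            $pendingSwitch = $pendingSwitch && !$isSwitch;
        } elseif ($tok === '}') {
            array_pop($stack);
        }
    }
    return $hits;
}
// Constructed sample modelled on the report's reproduce code.
$sample = "<?php\nswitch (\$a) {\n default:\n  function this_will_segfault() { return true; }\n  \$g = function () {};\n}\n";
print_r(find_functions_in_switch($sample));
```

The closure assigned to $g in the sample is not reported, because only named declarations are matched.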


 [2004-09-18 18:41 UTC]
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

Duplicate of #29944.
 [2010-12-20 11:45 UTC]
-Package: Tidy
+Package: Reproducible crash
Last updated: Mon Feb 24 03:01:25 2020 UTC