php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32252 Segfault when offsetSet throws an Exception (only without debug)
Submitted: 2005-03-09 14:38 UTC Modified: 2005-06-07 10:23 UTC
From: shulmanb at il dot ibm dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.* OS: *
Private report: No CVE-ID: None
 [2005-03-09 14:38 UTC] shulmanb at il dot ibm dot com
Description:
------------
In some cases, when offsetSet throws an exception a segfault occurs.

This does not happen when compiled with --enable-debug.

Note that if the index passed to $list is positive or a string, not segfault occurs.

Reproduce code:
---------------
class a implements ArrayAccess
{
    function offsetExists ($offset) { return false; }
    function offsetGet ($offset) { return null; }
 	function offsetSet ($offset, $value) { throw new Exception ("Ooops"); }
 	function offsetUnset ($offset) {}
}
function test()
{
    $list = new a();
    try {
        $list[-1] = 123;
    } catch (Exception $e) { }
    return true;
}
print test();


Expected result:
----------------
The output should be "1".

Actual result:
--------------
Segmentation fault.

The stack trace reported in Visual Studio, using the latest snapshot and debug pack is:

php5ts.dll!shutdown_memory_manager(int silent=0, int full_shutdown=0, void * * * tsrm_ls=0x00364b38)  Line 490 + 0xb	C
php5ts.dll!php_request_shutdown(void * dummy=0x00000000)  Line 1225 + 0x2f	C
msvcrt.dll!77c37bbe() 	
user32.dll!77d5f160() 	


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-09 15:13 UTC] helly@php.net
The first problem here is that the negative key results in incomplete initialized zvals internally *before* even calling offsetSet().
 [2005-03-13 19:22 UTC] helly@php.net
Related to http://bugs.php.net/30346
 [2005-05-03 14:55 UTC] helly@php.net
Runs in php 5.1 now.
 [2005-05-11 11:44 UTC] shulmanb at il dot ibm dot com
Tested with the latest snapshot (200505110630) on Windows XP, and it is still crashing.
 [2005-05-14 12:40 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

Can't reproduce it on Linux with latest CVS of 5.0 & 5.1 without debug.
Make sure that you're trying the right binary.
 [2005-05-15 09:15 UTC] shulmanb at il dot ibm dot com
Works fine on Linux.

Still crashes on Windows, even using the snapshot you provided.
 [2005-05-18 14:38 UTC] tony2001@php.net
Reproducible on Windows.
 [2005-06-07 10:11 UTC] derick@php.net
Can't reproduce this on Linux with 4.4 and 5.1 give all no errors with valgrind.
PHP 5.0 gives the following valgrind errors:
==4039== Invalid free() / delete / delete[]
==4039==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==4039==    by 0x8248660: php_stdiop_close (plain_wrapper.c:396)
==4039==    by 0x82420AB: _php_stream_free (streams.c:331)
==4039==    by 0x8244032: stream_resource_regular_dtor (streams.c:1362)
==4039==    by 0x827D23A: list_entry_destructor (zend_list.c:178)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827CF75: _zend_list_delete (zend_list.c:58)
==4039==    by 0x827250A: _zval_dtor (zend_variables.c:69)
==4039==    by 0x82666F5: free_zend_constant (zend_constants.c:33)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827BAA6: zend_hash_reverse_apply (zend_hash.c:736)
==4039==    by 0x8266C05: clean_non_persistent_constants (zend_constants.c:158)
==4039==  Address 0x1C04644C is 36 bytes inside a block of size 160 alloc'd
==4039==    at 0x1B90459D: malloc (vg_replace_malloc.c:130)
==4039==    by 0x825BEE5: _emalloc (zend_alloc.c:182)
==4039==    by 0x8247E46: _php_stream_fopen_from_fd (plain_wrapper.c:179)
==4039==    by 0x8203D14: php_stream_url_wrap_php (php_fopen_wrapper.c:221)
==4039==    by 0x8244DA4: _php_stream_open_wrapper_ex (streams.c:1701)
==4039==    by 0x82A439E: cli_register_file_handles (php_cli.c:446)
==4039==    by 0x82A5124: main (php_cli.c:944)
==4039==
==4039== Invalid free() / delete / delete[]
==4039==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==4039==    by 0x82422F1: _php_stream_free (streams.c:394)
==4039==    by 0x8244032: stream_resource_regular_dtor (streams.c:1362)
==4039==    by 0x827D23A: list_entry_destructor (zend_list.c:178)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827CF75: _zend_list_delete (zend_list.c:58)
==4039==    by 0x827250A: _zval_dtor (zend_variables.c:69)
==4039==    by 0x82666F5: free_zend_constant (zend_constants.c:33)
==4039==    by 0x827B3C7: zend_hash_del_key_or_index (zend_hash.c:490)
==4039==    by 0x827BAA6: zend_hash_reverse_apply (zend_hash.c:736)
==4039==    by 0x8266C05: clean_non_persistent_constants (zend_constants.c:158)
==4039==    by 0x8267AFF: shutdown_executor (zend_execute_API.c:285)
==4039==  Address 0x1C04651C is 36 bytes inside a block of size 168 alloc'd
==4039==    at 0x1B90459D: malloc (vg_replace_malloc.c:130)
==4039==    by 0x825BEE5: _emalloc (zend_alloc.c:182)
==4039==    by 0x8241E05: _php_stream_alloc (streams.c:216)
==4039==    by 0x8247F9C: _php_stream_fopen_from_fd (plain_wrapper.c:204)
==4039==    by 0x8203D14: php_stream_url_wrap_php (php_fopen_wrapper.c:221)
==4039==    by 0x8244DA4: _php_stream_open_wrapper_ex (streams.c:1701)
==4039==    by 0x82A439E: cli_register_file_handles (php_cli.c:446)
==4039==    by 0x82A5124: main (php_cli.c:944)
/dat/dev/php/php-5.0dev/main/streams/streams.c(216) :  Freeing 0x1C04651C (128 bytes), script=bug32252.php
/dat/dev/php/php-5.0dev/ext/standard/php_fopen_wrapper.c(221) : Actual location (location was relayed)
Last leak repeated 2 times
/dat/dev/php/php-5.0dev/main/streams/plain_wrapper.c(179) :  Freeing 0x1C04644C (116 bytes), script=bug32252.php
/dat/dev/php/php-5.0dev/ext/standard/php_fopen_wrapper.c(221) : Actual location (location was relayed)
Last leak repeated 2 times

 [2005-06-07 10:23 UTC] derick@php.net
Ok, those memory errors where caused due to streams in non-zend alloc mode. Those are fixed in CVS now. Everything else works fine. Closing report.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sat Aug 13 17:03:33 2022 UTC