Bug #35017 PHP crashes Apache
Submitted: 2005-10-29 10:56 UTC Modified: 2005-10-31 20:40 UTC
Avg. Score:4.5 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: assen dot todorov at onvista dot de Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-10-29 (cvs) OS: Linux
Private report: No CVE-ID: None
 [2005-10-29 10:56 UTC] assen dot todorov at onvista dot de
The code below was tested on Windows XP + PHP (5.0.5) + Apache (1.3.33) and on Linux + PHP (5.0.5) + Apache (Apache/2.0.53). In both cases this code leads to a crash in Apache. The message is "Segmentation fault ......."

Reproduce code:
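<?php
// The follow-up comment says the error handler is called, so it must be registered.
set_error_handler('errorHandler');

$crashApache = new crashApache;
try {
	$a = array('test'); $result = array();
	foreach($a as $b) {
		$result[] = $b; $nullValue = null;
		// foreach over null raises a warning, which errorHandler turns into an exception
		foreach($nullValue as $c) {
			$result[] = $c;
		}
	}
	// Per the follow-up comment, this line still runs after the exception is thrown
	$crashApache->start($result);
}
catch(Exception $e) { echo 'This Exception should be catched'; }

class crashApache {
	public $someVar = array();
	public function start(&$crashParam) {
		$this->someVar = $crashParam;
	}
}

function errorHandler($errno, $errstr, $errfile, $errline, $vars) {
	throw new Exception('Some Exception');
}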

Expected result:
I expect to see the message "This Exception should be catched"

Actual result:
Apache crashes with "segmentation fault" message.


 [2005-10-29 11:07 UTC] assen dot todorov at onvista dot de
On the second "foreach" the error handler is called and an exception is thrown. In spite of this, the line "$crashApache->start($result);" is executed and the exception is never caught.
 [2005-10-29 12:57 UTC]
With PHP 5.1.0RC4-dev I get:

Fatal error: Invalid opcode 137/16/8. in - on line 18

And on PHP 5.0.6-dev I get:
Segmentation fault

And the following backtrace:
#0  0x00000000 in ?? ()
#1  0x08320690 in execute (op_array=0x860e42c)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
#2  0x08323ef0 in zend_do_fcall_common_helper (execute_data=0xbfffd4a0,
    opline=0x860bca4, op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2790
#3  0x0832439d in zend_do_fcall_by_name_handler (execute_data=0xbfffd4a0,
    opline=0x860bca4, op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2877
#4  0x08320690 in execute (op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
#5  0x082f7726 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.0dev/Zend/zend.c:1064
#6  0x082af0d5 in php_execute_script (primary_file=0xbffff8e0)
    at /dat/dev/php/php-5.0dev/main/main.c:1643
#7  0x0832dbc0 in main (argc=1, argv=0xbffff9a4)
    at /dat/dev/php/php-5.0dev/sapi/cli/php_cli.c:946

Some more info:
(gdb) frame 1
#1  0x08320690 in execute (op_array=0x860e42c)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
warning: Source file is more recent than executable.

1438                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) print executor_globals.current_execute_data.opline
$1 = (struct _zend_op *) 0x860d1cc
(gdb) print executor_globals.current_execute_data.opline.handler
$2 = 0
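
The backtrace above ends in a call through an opline whose `handler` pointer is 0. As an added illustration (not PHP source and not part of the original report; every name in it is hypothetical), this simplified C model shows a dispatch loop that reports such an opline as an invalid opcode instead of calling address 0:

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of an opline; not PHP's own structures. */
struct op;
typedef int (*op_handler)(struct op *op, int *acc);
struct op { unsigned char opcode; op_handler handler; int operand; };
enum { RUN_OK = 0, RUN_INVALID_OPCODE = -1 };

static int h_add(struct op *op, int *acc) { *acc += op->operand; return 0; }
static int h_ret(struct op *op, int *acc) { (void)op; (void)acc; return 1; }

/* Fallback used in place of NULL: report the opcode and stop the run. */
static int h_invalid(struct op *op, int *acc) {
    (void)acc;
    fprintf(stderr, "Invalid opcode %u\n", (unsigned)op->opcode);
    return RUN_INVALID_OPCODE;
}

/* Resolve every handler up front so no opline is left with a NULL pointer. */
static void resolve_handlers(struct op *ops, size_t n) {
    static const op_handler table[] = { h_add, h_ret }; /* opcodes 0, 1 */
    for (size_t i = 0; i < n; i++) {
        size_t c = ops[i].opcode;
        ops[i].handler = c < sizeof table / sizeof table[0] ? table[c] : h_invalid;
    }
}

/* Dispatch loop with a guard: an unresolved handler (the "$2 = 0" state in
 * the gdb session) becomes a reported error instead of a call to 0x0. */
int run(struct op *ops, size_t n, int *acc) {
    for (size_t pc = 0; pc < n; pc++) {
        if (ops[pc].handler == NULL)
            return RUN_INVALID_OPCODE;
        int rc = ops[pc].handler(&ops[pc], acc);
        if (rc != 0)
            return rc < 0 ? rc : RUN_OK; /* 1 means normal return */
    }
    return RUN_OK;
}

/* Constructed three-op program; resolve = 0 leaves all handlers NULL. */
int demo(int resolve, unsigned char middle_opcode, int *acc) {
    struct op prog[] = { {0, NULL, 2}, {middle_opcode, NULL, 5}, {1, NULL, 0} };
    *acc = 0;
    if (resolve) resolve_handlers(prog, 3);
    return run(prog, 3, acc);
}

int main(void) { int acc; int rc = demo(1, 137, &acc); printf("rc=%d acc=%d\n", rc, acc); return 0; }
```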

 [2005-10-31 20:40 UTC]
Fixed in CVS HEAD and PHP 5.1.

The reason for the memory leaks in the given test after the fix is bug #34065.