Bug #41130 PHP crashes in infinite loop (zend_vm_execute.h)
Submitted: 2007-04-18 12:42 UTC Modified: 2007-04-18 13:18 UTC
From: mumu at seznam dot cz Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5CVS-2007-04-18 (snap) OS: FreeBSD
Private report: No CVE-ID: None
 [2007-04-18 12:42 UTC] mumu at seznam dot cz
Description:
------------
The PHP Zend engine falls into an infinite loop and crashes. Moreover, the last stable version, PHP 5.2.1, is also affected by the crash.

Configure Command
'./configure' '--enable-versioning' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection' '--program-prefix=' '--disable-cgi' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--enable-debug' '--enable-zend-multibyte' '--disable-ipv6' '--prefix=/usr/local/php-dev' '--with-mysql' '--with-pcre-regex'

Reproduce code:
---------------
A simple reproduce code is not available; however, the following was discovered.

PHP crashes on the line where the value assignment is made. There was no crash in the previous version, even though both McSession and the current file, where the crash probably occurs, have not been changed since the previous version of the web site. Therefore, the code should be without problems.

Moreover, the following three circumstances have been debugged.

I. Original (crashes)
---
    $GLOBALS['McSession']->data['authorization']['user'] = $id;
---

II. Exit before (ok)
---
    echo 1;
    exit;
    $GLOBALS['McSession']->data['authorization']['user'] = $id;
---

III. Exit after (crashes)
---
    $GLOBALS['McSession']->data['authorization']['user'] = $id;
    echo 1;
    exit;
---


Expected result:
----------------
No crash ;)

Actual result:
--------------
The following backtrace has been retrieved using the php CLI interface; however, the crash also occurs while PHP is used as an Apache module. The first 10 and last 10 items of the backtrace are included in the list (the remaining approx. 230000 rows are the infinite cycle). The code lines are valid for the php5.2-200704180630 source snapshot.

Program received signal SIGSEGV, Segmentation fault.
0x081aac97 in execute (op_array=0x84a846c) at zend_vm_execute.h:53
53       memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);

(gdb) bt 10
#0  0x081aac97 in execute (op_array=0x84a846c) at zend_vm_execute.h:53
#1  0x081ab291 in zend_do_fcall_common_helper_SPEC (execute_data=0xbbc00e70) at zend_vm_execute.h:234
#2  0x081abb81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbbc00e70) at zend_vm_execute.h:322
#3  0x081aad6e in execute (op_array=0x84a0254) at zend_vm_execute.h:92
#4  0x081ab291 in zend_do_fcall_common_helper_SPEC (execute_data=0xbbc01390) at zend_vm_execute.h:234
#5  0x081abb81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbbc01390) at zend_vm_execute.h:322
#6  0x081aad6e in execute (op_array=0x84d6020) at zend_vm_execute.h:92
#7  0x081ab291 in zend_do_fcall_common_helper_SPEC (execute_data=0xbbc01530) at zend_vm_execute.h:234
#8  0x081abb81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbbc01530) at zend_vm_execute.h:322
#9  0x081aad6e in execute (op_array=0x8566e70) at zend_vm_execute.h:92
#10 0x081ab291 in zend_do_fcall_common_helper_SPEC (execute_data=0xbbc016b0) at zend_vm_execute.h:234

(gdb) bt -10
#234680 0x081abb81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfbfbe00) at zend_vm_execute.h:322
#234681 0x081aad6e in execute (op_array=0x855d874) at zend_vm_execute.h:92
#234682 0x081ab291 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfbfc870) at zend_vm_execute.h:234
#234683 0x081abb81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfbfc870) at zend_vm_execute.h:322
#234684 0x081aad6e in execute (op_array=0x82ac748) at zend_vm_execute.h:92
#234685 0x081b59b7 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0xbfbfd430) at zend_vm_execute.h:4600
#234686 0x081aad6e in execute (op_array=0x82aafd4) at zend_vm_execute.h:92
#234687 0x0818a515 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5.2-200704180630/Zend/zend.c:1134
#234688 0x0814154b in php_execute_script (primary_file=0xbfbfeb10)
    at /usr/local/src/php5.2-200704180630/main/main.c:1790
#234689 0x081f1c80 in main (argc=3, argv=0xbfbfebac)
    at /usr/local/src/php5.2-200704180630/sapi/cli/php_cli.c:1130


 [2007-04-18 12:47 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your code has infinite recursion...
 [2007-04-18 12:54 UTC] mumu at seznam dot cz
Please double-check the information provided in the Reproduce code section. From my point of view it does not seem to be an infinite loop in my code. The executed command shown is an assignment of a simple variable to another variable, without any loop.

Moreover, please provide me with information on how to find the place in my code where the infinite loop occurs. I could not find it in the manual or on the web. Thank you.
 [2007-04-18 12:59 UTC] tony2001@php.net
Infinite recursion in the code is expected to eat the stack and that might result in crash.
 [2007-04-18 13:13 UTC] mumu at seznam dot cz
I am still not convinced that I have an infinite loop in my very code.

Please follow the following with me. PHP crashes in an infinite loop; presume that I have an infinite loop in the code. Now, I am moving the "exit;" inside the same loop (you can see there is no loop on the command "$a = $b"). Therefore, the server would either crash every time or never, because whenever the interpreter reaches the "exit;" command it ends the whole script, regardless of the cycles. However, the server crashes after, but not before, the command. Therefore, the only line in my code which could cause the infinite loop is the "$a = $b;" line; unfortunately, this command does not make any cycle. This is a contradiction of the presumption.

Let me give you a summary of the contradiction:
The infinite loop is caused by an assignment command from one variable to another variable, which would not cause any cycle.
 [2007-04-18 13:18 UTC] tony2001@php.net
>I am still not convinced that I have an infinite loop in my very code.

It's obvious looking at the backtrace.

>The infinite loop is caused by an assignement command from a
>variable to another variable, which would not cause any cycle.

You showed us only 1 (one) line of your code and we have no idea how it is supposed to work without having all the missing code.
Though, looking at the backtrace I can guarantee that the cause is an infinite loop inside your code, whether you see it or not.

Please reopen the report when/if you have a short but complete reproduce case (without an infinite loop) which demonstrates the problem. Until then please keep this report closed. 
Thank you.
 [2010-10-12 12:05 UTC] mm at mxs dot de
That's no infinite recursion. There's a different op_array each time.

#0  0x081aac97 in execute (op_array=0x84a846c) at zend_vm_execute.h:53
#3  0x081aad6e in execute (op_array=0x84a0254) at zend_vm_execute.h:92
#6  0x081aad6e in execute (op_array=0x84d6020) at zend_vm_execute.h:92
#9  0x081aad6e in execute (op_array=0x8566e70) at zend_vm_execute.h:92
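The thread argues about two things: whether a plain assignment line can drive recursion, and whether a backtrace with a different op_array in each frame can still be unbounded recursion. The following added example (not code from the bug report, and not a diagnosis of the reporter's McSession class, whose source is not on the page) illustrates one mechanism that reconciles both observations: when the assignment target is an inaccessible object property, PHP invokes the magic __get() method before the write, so the "assignment" is itself a call site, and an exit placed after it is never reached. The class McSessionLike, the functions touch_session, refresh_user and set_user, and the MAX_DEPTH constant are all hypothetical names chosen for this illustration. The depth guard inside __get() is the practical answer to the reporter's question of how to locate the cycle, since PHP has no recursion limit of its own unless an extension such as xdebug (xdebug.max_nesting_level) supplies one.

```php
<?php
// Added example, not code from the bug report. Hypothetical names throughout.

define('MAX_DEPTH', 30);   // explicit guard: PHP itself never stops recursion

class McSessionLike {
    private $store = array();
    private $depth = 0;

    // Called whenever an inaccessible property is read, including for
    // $s->data['a']['b'] = $v. Returning by reference lets the write go through.
    public function &__get($name) {
        if (++$this->depth > MAX_DEPTH) {
            // Report the innermost frames so the cycle can be found in user code.
            $chain = array();
            foreach (array_slice(debug_backtrace(), 0, 6) as $f) {
                $chain[] = $f['function'] . ':' . (isset($f['line']) ? $f['line'] : '?');
            }
            throw new RuntimeException("recursion via __get('$name'): " . implode(' <- ', $chain));
        }
        if ($name === 'data') {
            touch_session($this);   // bug: re-enters user code from inside the property fetch
        }
        if (!isset($this->store[$name])) {
            $this->store[$name] = array();
        }
        return $this->store[$name];
    }
}

// Three separate functions form the cycle, so consecutive execute() frames
// carry different op_array pointers while the recursion is still unbounded.
function touch_session($s)      { refresh_user($s, 1); }
function refresh_user($s, $id)  { set_user($s, $id); }
function set_user($s, $id) {
    $s->data['authorization']['user'] = $id;   // looks like a plain assignment, but calls __get()
    echo 1; exit;                               // never reached: __get() runs before the write
}

$GLOBALS['McSession'] = new McSessionLike();
try {
    set_user($GLOBALS['McSession'], 42);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run under the CLI, the script prints the guard's message with the frame chain (__get, set_user, refresh_user, touch_session, __get, ...) instead of segfaulting; remove the guard and the same script exhausts the C stack exactly as the reporter's backtrace shows, with an "exit;" placed before the assignment terminating cleanly and one placed after it never being reached.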