PHP :: Bug #43136 :: possible crash on script execution timeout

Bug #43136	possible crash on script execution timeout
Submitted:	2007-10-30 08:45 UTC	Modified:	2007-11-20 09:57 UTC
From:	tony2001@php.net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	4.4.7	OS:	Linux 64bit
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-10-30 08:45 UTC] tony2001@php.net

Description:
------------
The crash is really rare, but seems to be possible.
According to the core, it happened when script execution timed out and active_opline pointer was NULL at that moment, so zend_get_executed_lineno() tried to dereference NULL ptr.
Even though the backtrace mentions Zend Opimizer, it doesn't seem to be required to reproduce the crash and it is not PHP4 specific.

Reproduce code:
---------------
.

Expected result:
----------------
.

Actual result:
--------------
(gdb) bt
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
#1  0x0000000000536c4b in zend_error (type=1, format=0x6ce4b8 "Maximum execution time of %d second%s exceeded")
    at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:760
#2  <signal handler called>
#3  0x0000002a97194f2b in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#4  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#5  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#6  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#7  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#8  0x00000000005365bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:939
#9  0x00000000004fe699 in php_execute_script (primary_file=0x7fbffffb20) at /shared/misc/standard/php.src/php-4.4.7/main/main.c:1784
#10 0x0000000000557bfd in main (argc=5, argv=0x7fbffffc78) at /shared/misc/standard/php.src/php-4.4.7/sapi/cgi/cgi_main.c:2236

Further investigation has shown that active_opline is NULL:
(gdb) f 0
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
269     /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c: No such file or directory.
        in /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c
(gdb) p executor_globals.opline_ptr
$3 = (zend_op **) 0x7fbfff9510
(gdb) p *executor_globals.opline_ptr
$4 = (zend_op *) 0x0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-10-30 08:47 UTC] tony2001@php.net

Assigning to Dmitry at his request.

[2007-11-08 12:54 UTC] dmitry@php.net

Probably the crash occurs because of wrong value in EG(opline_ptr).

In zend_do_fcall_common_helper() EG(opline_ptr) is inconsistent after call to zend_execute() and restoring it by EG(opline_ptr) = &EX(opline);

If the timeout occurs while EG(opline_ptr) is inconsistent, it may crash php.

EG(active_op_array) has exactly the same problem.

[2007-11-20 09:57 UTC] dmitry@php.net

Fixed in CVS HEAD and PHP_5_3.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 08:00:01 2025 UTC