Bug #43136 possible crash on script execution timeout
Submitted: 2007-10-30 08:45 UTC Modified: 2007-11-20 09:57 UTC
From: tony2001@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 4.4.7 OS: Linux 64bit
Private report: No CVE-ID: None
 [2007-10-30 08:45 UTC] tony2001@php.net
Description:
------------
The crash is really rare, but seems to be possible.
According to the core, it happened when script execution timed out and active_opline pointer was NULL at that moment, so zend_get_executed_lineno() tried to dereference NULL ptr.
Even though the backtrace mentions Zend Optimizer, it doesn't seem to be required to reproduce the crash and it is not PHP4 specific.

Reproduce code:
---------------
.

Expected result:
----------------
.

Actual result:
--------------
(gdb) bt
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
#1  0x0000000000536c4b in zend_error (type=1, format=0x6ce4b8 "Maximum execution time of %d second%s exceeded")
    at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:760
#2  <signal handler called>
#3  0x0000002a97194f2b in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#4  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#5  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#6  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#7  0x0000002a97194f16 in zend_optimizer_set_oe_ex () from /local/Zend/lib/php-4.4.x/ZendOptimizer.so
#8  0x00000000005365bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /shared/misc/standard/php.src/php-4.4.7/Zend/zend.c:939
#9  0x00000000004fe699 in php_execute_script (primary_file=0x7fbffffb20) at /shared/misc/standard/php.src/php-4.4.7/main/main.c:1784
#10 0x0000000000557bfd in main (argc=5, argv=0x7fbffffc78) at /shared/misc/standard/php.src/php-4.4.7/sapi/cgi/cgi_main.c:2236

Further investigation has shown that active_opline is NULL:
(gdb) f 0
#0  0x000000000052d7d1 in zend_get_executed_lineno () at /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c:269
269     /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c: No such file or directory.
        in /shared/misc/standard/php.src/php-4.4.7/Zend/zend_execute_API.c
(gdb) p executor_globals.opline_ptr
$3 = (zend_op **) 0x7fbfff9510
(gdb) p *executor_globals.opline_ptr
$4 = (zend_op *) 0x0


History

 [2007-10-30 08:47 UTC] tony2001@php.net
Assigning to Dmitry at his request.
 [2007-11-08 12:54 UTC] dmitry@php.net
Probably the crash occurs because of a wrong value in EG(opline_ptr).

In zend_do_fcall_common_helper(), EG(opline_ptr) is inconsistent after the call to zend_execute() and restoring it by EG(opline_ptr) = &EX(opline);

If the timeout occurs while EG(opline_ptr) is inconsistent, it may crash php.

EG(active_op_array) has exactly the same problem.

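A constructed C model of the window described in the comment above, added here as an illustration; it is not code from this report or from the PHP source, and the structure names, helpers and the deferred-flag handling are assumptions rather than the Zend implementation. It shows why an unguarded dereference of EG(opline_ptr) fails when the timeout lands between the nested zend_execute() returning and the restore, and two defensive options: a NULL check in the line-number lookup, and servicing the timeout only at a safe point where the executor state is consistent.

```c
#include <signal.h>
#include <stddef.h>

/* Constructed stand-in for the Zend executor state named in this report. */
typedef struct { int lineno; } op_t;
static op_t  *frame_opline;        /* models EX(opline) of the running frame */
static op_t **opline_ptr = NULL;   /* models EG(opline_ptr) */

/* Models zend_get_executed_lineno() with the check the crash site lacked:
 * return 0 instead of dereferencing when the executor state is unusable. */
static int executed_lineno_guarded(void) {
    if (opline_ptr == NULL || *opline_ptr == NULL)
        return 0;                  /* inconsistent window: no reliable line */
    return (*opline_ptr)->lineno;  /* the crashing code did only this */
}

/* Deferred handling: the asynchronous handler only records the event and
 * the VM acts on it at a safe point where opline_ptr is consistent. */
static volatile sig_atomic_t timeout_pending = 0;
static void on_timeout(int sig) { (void)sig; timeout_pending = 1; }
static int service_timeout_at_safe_point(void) {
    if (!timeout_pending) return -1;
    timeout_pending = 0;
    return executed_lineno_guarded();
}

/* Models the window in zend_do_fcall_common_helper(): the nested execute()
 * has returned and its frame is gone, but opline_ptr still points at that
 * slot until the helper restores it with EG(opline_ptr) = &EX(opline). */
static op_t *callee_slot;
static void enter_window(op_t *caller_op) {
    frame_opline = caller_op;
    callee_slot = NULL;
    opline_ptr = &callee_slot;
}

/* Timeout serviced immediately inside the window: guarded lookup gives 0. */
int lineno_if_timeout_in_window(void) {
    op_t op = { 42 };
    enter_window(&op);
    return executed_lineno_guarded();
}

/* Same timing, but the handler defers; serviced after the restore: 42. */
int lineno_if_timeout_deferred(void) {
    op_t op = { 42 };
    enter_window(&op);
    on_timeout(SIGALRM);           /* simulated delivery inside the window */
    opline_ptr = &frame_opline;    /* the helper's restore */
    return service_timeout_at_safe_point();
}
```
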
 [2007-11-20 09:57 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_3.