Bug #43426
Submitted: 2007-11-27 13:45 UTC Modified: 2008-01-24 11:01 UTC
From: cweiske@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.5 OS: Gentoo Linux 2.6.23
Private report: No CVE-ID: None
 [2007-11-27 13:45 UTC] cweiske@php.net
Description:
------------
I get a reproducible crash when running a file in the pear-core test suite against a pear 1.7.0 installation.
The test is pear-core/tests/PEAR_DependencyDB/test_assertDepsDB_fail.phpt

The problem seems to be some nested call_user_func.
PEAR_ErrorStack::push calls
$context = call_user_func($this->_contextCallback, $code, $params, $backtrace);

which in return calls push() again, which calls the same _contextCallback again. This time, php crashes.

The contextcallback is PEAR_ErrorStack::getFileLine() - it is reached the first time, but not the second.

Reproduce code:
---------------
1. checkout pear-core from cvs
2. install pear, install xml_rpc
3. cd pear-core/tests
4. pear run-tests PEAR_DependencyDB/test_assertDepsDB_fail.phpt


Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006e1491 in zend_call_function (fci=0x7fff35552e90, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
911                             (*fci->params[i])->refcount++;
(gdb)
(gdb) bt
#0  0x00000000006e1491 in zend_call_function (fci=0x7fff35552e90, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
#1  0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0xf874b8, retval_ptr_ptr=0x7fff35552f30,
    param_count=3, params=0xc2df00, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#2  0x00000000005fe639 in zif_call_user_func (ht=4, return_value=0x1862c08, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#3  0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35554030) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#4  0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff35554030)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#5  0x0000000000718cb9 in execute (op_array=0xf99ba0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#6  0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff355543d0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#7  0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff355543d0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#8  0x0000000000718cb9 in execute (op_array=0xf9c608) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#9  0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35554bc0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#10 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35554bc0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#11 0x0000000000718cb9 in execute (op_array=0xfb9ad8) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#12 0x00000000006e1888 in zend_call_function (fci=0x7fff35554f30, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:990
#13 0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0x1814fb0, retval_ptr_ptr=0x7fff35554fd8,
    param_count=2, params=0x1859308, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#14 0x00000000005ff092 in zif_call_user_func_array (ht=2, return_value=0x1858d08, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5153
#15 0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff355560e0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#16 0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff355560e0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#17 0x0000000000718cb9 in execute (op_array=0xf99ba0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#18 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35556480) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#19 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35556480)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#20 0x0000000000718cb9 in execute (op_array=0xf9c608) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#21 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35556750) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#22 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35556750)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#23 0x0000000000718cb9 in execute (op_array=0xcbaf00) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#24 0x00000000006e1888 in zend_call_function (fci=0x7fff35556ac0, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:990
#25 0x00000000006e0024 in call_user_function_ex (function_table=0xacfbc0, object_pp=0x0, function_name=0xd00150, retval_ptr_ptr=0x7fff35556b60,
    param_count=1, params=0x17fef50, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#26 0x00000000005fe639 in zif_call_user_func (ht=2, return_value=0x18134d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#27 0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35557980) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#28 0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff35557980)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#29 0x0000000000718cb9 in execute (op_array=0xcf5f28) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#30 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35558670) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#31 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35558670)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#32 0x0000000000718cb9 in execute (op_array=0xcd8dd0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#33 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff35558c60) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#34 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff35558c60)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#35 0x0000000000718cb9 in execute (op_array=0xc7dcd8) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#36 0x00000000007193a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff3555b9c0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:234
#37 0x0000000000719f81 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff3555b9c0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:322
#38 0x0000000000718cb9 in execute (op_array=0xc2b740) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#39 0x00000000006f05bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cweiske/compilethings/php-5.2.5/Zend/zend.c:1134
#40 0x00000000006978cd in php_execute_script (primary_file=0x7fff3555e020) at /home/cweiske/compilethings/php-5.2.5/main/main.c:2004
#41 0x00000000007731ab in main (argc=2, argv=0x7fff3555e258) at /home/cweiske/compilethings/php-5.2.5/sapi/cli/php_cli.c:1140

 [2007-11-27 13:54 UTC] cweiske@php.net
Simple reproduce script:
<?php
$c = 1; // doesn't matter
// 259 arguments in total (param_count=259 in the backtrace below)
call_user_func("foo2", $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c,
 $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c, $c);
function foo2($d) {} // callee; the segfault happens in zend_call_function before it is entered
?>


backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006e1491 in zend_call_function (fci=0x7fff00628800, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
911                             (*fci->params[i])->refcount++;
(gdb) bt
#0  0x00000000006e1491 in zend_call_function (fci=0x7fff00628800, fci_cache=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:911
#1  0x00000000006e0024 in call_user_function_ex (function_table=0xacfb80, object_pp=0x0, function_name=0xc2a828, retval_ptr_ptr=0x7fff006288a0,
    param_count=259, params=0xc2de60, no_separation=0, symbol_table=0x0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_execute_API.c:617
#2  0x00000000005fe639 in zif_call_user_func (ht=260, return_value=0xc2a7b8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cweiske/compilethings/php-5.2.5/ext/standard/basic_functions.c:5083
#3  0x0000000000719216 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff00628ab0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:200
#4  0x000000000071f35f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff00628ab0)
    at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:1681
#5  0x0000000000718cb9 in execute (op_array=0xc2b5f0) at /home/cweiske/compilethings/php-5.2.5/Zend/zend_vm_execute.h:92
#6  0x00000000006f05bf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cweiske/compilethings/php-5.2.5/Zend/zend.c:1134
#7  0x00000000006978cd in php_execute_script (primary_file=0x7fff0062b110) at /home/cweiske/compilethings/php-5.2.5/main/main.c:2004
#8  0x00000000007731ab in main (argc=2, argv=0x7fff0062b348) at /home/cweiske/compilethings/php-5.2.5/sapi/cli/php_cli.c:1140
 [2007-11-27 14:02 UTC] tony2001@php.net
Dmitry, could you plz take a look at this?

The problem is reproducible with a lot of nested function calls passing lots of parameters or with just one call_user_func() call passing 64+ parameters.

Each time EG(argument_stack) is resized, previously fetched argument pointers are left pointing to nowhere.

See Zend/zend_API.c:773 (in 5_3), this is the place where we fetch the pointers:
zval **p = (zval **) (EG(argument_stack).top_element - 2 - (arg_count - i));

but it becomes wild later.
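Tony's diagnosis above, illustrated by an added example that is not PHP's own code: a constructed model of a growable argument stack showing why a zval** fetched before a push goes stale when the stack is resized, next to the offset-based pattern that survives the resize. All names (arg_stack, stack_push, stale_after_push, bump_refcount_safely) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for EG(argument_stack): a growable array of zval pointers.
 * Illustrative only; it is not the Zend engine's implementation. */
typedef struct { int refcount; int value; } zval;
typedef struct { zval **elements; zval **top_element; size_t capacity; } arg_stack;

static void stack_init(arg_stack *s, size_t capacity) {
    s->elements = malloc(capacity * sizeof *s->elements);
    s->top_element = s->elements;
    s->capacity = capacity;
}

/* Growing always moves the buffer (new block, copy, free old) so stale pointers are
 * deterministically detectable here; a real realloc() may or may not move the block. */
static void stack_push(arg_stack *s, zval *z) {
    size_t used = (size_t)(s->top_element - s->elements);
    if (used == s->capacity) {
        zval **grown = malloc(2 * s->capacity * sizeof *grown);
        memcpy(grown, s->elements, used * sizeof *grown);
        free(s->elements);
        s->elements = grown;
        s->capacity *= 2;
        s->top_element = grown + used;
    }
    *s->top_element++ = z;
}

/* The report's pattern: fetch zval **p, then push (which may resize), then use p.
 * Returns 1 when p no longer lies inside the live buffer, i.e. dereferencing it
 * would be a use-after-free of the old stack. The pointer is only compared, never read. */
static int stale_after_push(arg_stack *s, zval *extra) {
    zval **p = s->top_element - 1;     /* "previously fetched argument pointer" */
    stack_push(s, extra);              /* resize leaves p "pointing to nowhere" */
    uintptr_t lo = (uintptr_t)s->elements;
    uintptr_t hi = (uintptr_t)(s->elements + s->capacity);
    return !((uintptr_t)p >= lo && (uintptr_t)p < hi);
}

/* Safe pattern: hold an offset from the base, not a pointer, and re-derive the
 * pointer from the live base after any operation that can grow the stack. */
static int bump_refcount_safely(arg_stack *s, zval *extra) {
    size_t off = (size_t)(s->top_element - s->elements) - 1;
    stack_push(s, extra);
    zval **p = s->elements + off;      /* recomputed against the current buffer */
    return ++(*p)->refcount;
}
```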
 [2008-01-24 11:01 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

