Bug #49000 PHP CLI in Interactive mode (php -a) crashes when including files from function
Submitted: 2009-07-21 11:30 UTC Modified: 2009-07-30 05:02 UTC
From: shahar dot e at zend dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.0 OS: Mac OS X 10.5
Private report: No CVE-ID:
 [2009-07-21 11:30 UTC] shahar dot e at zend dot com
Description:
------------
When running PHP 5.3 in CLI interactive mode (php -a), PHP will crash in certain situations. 

While I am not 100% clear about the cause, this seems to happen when including a file that defines a function that includes another file. The first function must have a return value, and something must be done (e.g. var_dump() or assignment) with that return value back in the interactive shell. 

Steps to reproduce:
1. Create a file 'a.php' which defines the function test()
2. Function test() should require another file, 'b.php', which must define another function. No need to actually do anything in that function in order to reproduce the crash. Function test() doesn't even have to call that second function.
3. Function test must return something
4. Run php -a
5. Run the following code: "require_once 'a.php'; $a = test();"
6. Crash!

See reproduction code below. 

Some situations in which no crash happens:

- When PHP is 5.2
- When PHP is not in interactive mode
- When the 1st function has no return value
- When nothing is done with the return value in the interactive shell
- When the require / include statement happens outside of the function


Reproduce code:
---------------
----- a.php -----

<?php
function test1() {
	require_once './b.php';
	// You don't even have to call test2();
	return 'a';
}

----- b.php -----

<?php 
function test2() {
	// This function doesn't need to do anything
}

----- In interactive mode (php -a) -----
php > require_once 'a.php';
php > $a = test1();



Expected result:
----------------
No crash, $a == 'a'


Actual result:
--------------
(gdb) r -a
Starting program: /Users/shahar/Build/php5.3/bin/php -a
Reading symbols for shared libraries +++++++... done
Interactive shell

php > require_once 'a.php';
php > $a = test1();

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000c
0x0023545e in _get_zval_ptr_var_string_offset (node=0x7376dc, Ts=0x78f094, should_free=0xbffff5b4, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:191
191             if (T->str_offset.str->type != IS_STRING
(gdb) bt
#0  0x0023545e in _get_zval_ptr_var_string_offset (node=0x7376dc, Ts=0x78f094, should_free=0xbffff5b4, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:191
#1  0x002e32bb in _get_zval_ptr_var [inlined] () at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:214
#2  0x002e32bb in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x78f044, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:27247
#3  0x00237d48 in execute (op_array=0x736a08, tsrm_ls=0x8002c0) at zend_vm_execute.h:104
#4  0x001f321a in zend_eval_stringl (str=0x734e80 "$a = test1();\n", str_len=14, retval_ptr=0x0, string_name=0x318fce "php shell code", tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute_API.c:1159
#5  0x002f5945 in main (argc=2, argv=0xbffff9d4) at /Users/shahar/Source/php-5.3.0RC4/sapi/cli/php_cli.c:1168


 [2009-07-21 13:01 UTC] jani@php.net
See also bug #48682
 [2009-07-27 22:58 UTC] stas@php.net
Analysis: this happens because execute_new_code() resets EG(return_value_ptr_ptr), which means that if, in interactive mode, an include happens inside a function, the parser will run execute_new_code(), which breaks EG(return_value_ptr_ptr); when that function then tries to use it on return, the crash happens. 
The fix would be to make include/require/eval to reset interactive mode flag (they are not interactive anyway).
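
A scripted version of the reporter's reproduction, usable as a regression check for the fix described in the analysis above. This is an added example, not part of the report or of php-src. It assumes a `php` binary on PATH built with the readline extension: without readline, `php -a` reads stdin as an ordinary script and never enters the interactive-shell path (execute_new_code()) that crashed, so the script reports "skip" in that case. A crash shows up as a signal exit (status 128 or above); a surviving shell that prints `RESULT=a` matches the report's expected result ($a == 'a').

```shell
#!/bin/sh
# Added regression check for bug #49000 (not from the original report or php-src).
# Assumption: `php` on PATH, built with readline so that `php -a` really runs
# the interactive shell rather than reading stdin as a plain script.
set -eu

# Recreate a.php and b.php from the report in a scratch directory; prints its path.
setup_repro() {
    dir=$(mktemp -d)
    printf '%s\n' '<?php' 'function test1() {' "    require_once './b.php';" \
        "    return 'a';" '}' > "$dir/a.php"
    printf '%s\n' '<?php' 'function test2() {' '}' > "$dir/b.php"
    # The reporter's two shell lines plus a marker line so we can see $a.
    printf '%s\n' "require_once 'a.php';" '$a = test1();' \
        'echo "RESULT=", $a, "\n";' > "$dir/input.txt"
    printf '%s\n' "$dir"
}

# True if this php build has the readline module (listed by `php -m`).
has_readline() {
    php -m 2>/dev/null | grep -qi '^readline$'
}

# Feed the report's lines into `php -a` and classify the outcome:
#   skip  - no readline, the crashing code path is not reachable this way
#   crash - php died from a signal (128+sig), the bug is present
#   ok    - shell survived and $a == 'a'
#   fail  - shell survived but $a was not 'a'
run_repro() {
    if ! has_readline; then
        echo skip
        return 0
    fi
    dir=$(setup_repro)
    out=$(cd "$dir" && php -a < input.txt 2>&1) && rc=0 || rc=$?
    rm -rf "$dir"
    if [ "$rc" -ge 128 ]; then
        echo crash
    elif printf '%s\n' "$out" | grep -q 'RESULT=a'; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone use: print the verdict and exit non-zero on crash/fail.
verdict=$(run_repro)
echo "bug #49000: $verdict"
case "$verdict" in ok|skip) exit 0 ;; *) exit 1 ;; esac
```

Because readline prints its `php > ` prompts even when stdin is not a terminal, the script searches the combined output for the marker rather than comparing it whole. On a fixed build (5.3.1 and later) the verdict is `ok`; on an affected 5.3.0 build with readline it is `crash`.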
 [2009-07-30 05:01 UTC] svn@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=286541
Log: fix for bug #49000
 [2009-07-30 05:02 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

should be fine now, thanks
 [2009-08-31 12:07 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=287915
Log: MF53: - Fixed bug #49000 (PHP CLI in Interactive mode (php -a) crashes when including files from function), see also bug #49405
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 09:02:28 2014 UTC