Bug #67497 eval with parse error causes segmentation fault in generator
Submitted: 2014-06-23 02:54 UTC Modified: 2014-06-26 05:42 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ryan dot brothers at gmail dot com Assigned: nikic
Status: Closed Package: Reproducible crash
PHP Version: 5.5.13 OS: Linux
Private report: No CVE-ID:
 [2014-06-23 02:54 UTC] ryan dot brothers at gmail dot com
Description:
------------
In the below script, the eval line has a parse error.  The script continues as expected, but exits with a segmentation fault in the generator.


Test script:
---------------
<?php
@eval('abc');

class t1
{
    public function test()
    {
        $values = array(1, 2);

        foreach ($values as $value)
        {
            yield $value;
        }
    }
}

$t1 = new t1;
$values = $t1->test();

foreach ($values as $value)
{

}


Expected result:
----------------
No output

Actual result:
--------------
Segmentation fault

 [2014-06-23 22:01 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2014-06-23 22:01 UTC] aharvey@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I'm unable to reproduce this at present.

We may also need some more details on your environment: what distribution are you running, what architecture, and how did you get PHP — did you compile it from source or install from a package?
 [2014-06-24 00:25 UTC] ryan dot brothers at gmail dot com
-Status: Feedback +Status: Open
 [2014-06-24 00:25 UTC] ryan dot brothers at gmail dot com
Thanks, I am running CentOS 6.5 64-bit.  I compiled PHP from source and I was able to reproduce the issue with an empty configure line of "./configure".

It seems this issue is only present when PHP is not compiled with --enable-debug.  When I compiled with --enable-debug, I cannot reproduce this issue.  Can you please try against a non-debug version of PHP to see if you can reproduce it?

Here is the backtrace when running against a non-debug version of PHP:

(gdb) run test.php
Starting program: /usr/local/src/php-5.5.13-nodebug/sapi/cli/php a.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c8371 in gc_zval_possible_root (zv=0x7ffff7fe0ec8) at /usr/local/src/php-5.5.13-nodebug/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00000000006c8371 in gc_zval_possible_root (zv=0x7ffff7fe0ec8)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_gc.c:143
#1  0x00000000006cac4c in zend_generator_close (generator=0x7ffff7fda5b0, finished_execution=0 '\000')
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_generators.c:122
#2  0x00000000006cae5b in zend_generator_free_storage (generator=0x7ffff7fda5b0)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_generators.c:208
#3  0x00000000006d1228 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<value optimized out>)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_objects_API.c:226
#4  0x00000000006d1243 in zend_objects_store_del_ref (zobject=0x7ffff7fe0b30)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_objects_API.c:178
#5  0x0000000000699570 in _zval_dtor (zval_ptr=<value optimized out>)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_variables.h:35
#6  i_zval_ptr_dtor (zval_ptr=<value optimized out>) at /usr/local/src/php-5.5.13-nodebug/Zend/zend_execute.h:81
#7  _zval_ptr_dtor (zval_ptr=<value optimized out>) at /usr/local/src/php-5.5.13-nodebug/Zend/zend_execute_API.c:426
#8  0x00000000006b50d5 in zend_hash_apply_deleter (ht=0xdb8188, p=0x7ffff7fda7e8)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_hash.c:650
#9  0x00000000006b51e9 in zend_hash_reverse_apply (ht=0xdb8188, apply_func=0x698810 <zval_call_destructor>)
    at /usr/local/src/php-5.5.13-nodebug/Zend/zend_hash.c:804
#10 0x000000000069c1f5 in shutdown_destructors () at /usr/local/src/php-5.5.13-nodebug/Zend/zend_execute_API.c:217
#11 0x00000000006a84f4 in zend_call_destructors () at /usr/local/src/php-5.5.13-nodebug/Zend/zend.c:919
#12 0x0000000000649cb5 in php_request_shutdown (dummy=<value optimized out>)
    at /usr/local/src/php-5.5.13-nodebug/main/main.c:1750
#13 0x000000000075724f in do_cli (argc=2, argv=0xdb9a80) at /usr/local/src/php-5.5.13-nodebug/sapi/cli/php_cli.c:1177
#14 0x00000000007586b8 in main (argc=2, argv=0xdb9a80) at /usr/local/src/php-5.5.13-nodebug/sapi/cli/php_cli.c:1378
 [2014-06-24 00:34 UTC] aharvey@php.net
-Status: Open +Status: Verified
 [2014-06-24 00:34 UTC] aharvey@php.net
Yep; good catch. I get the same segfault with a non-debug build.
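
An added example, not part of the original report or of php-src: a shell check that runs the report's test script under a given PHP CLI binary and classifies the exit status, so debug and non-debug builds can be compared. The function names and the temporary file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: regression check for the bug #67497 test script.
# Usage (script name is an assumption): ./check67497.sh /path/to/sapi/cli/php

# Write the test script from the report to the path given as $1.
write_repro() {
    cat > "$1" <<'PHP'
<?php
@eval('abc');
class t1 {
    public function test() {
        $values = array(1, 2);
        foreach ($values as $value) { yield $value; }
    }
}
$t1 = new t1;
$values = $t1->test();
foreach ($values as $value) { }
PHP
}

# Map an exit status to a verdict. A shell reports death by signal N as
# 128+N, so SIGSEGV (11) appears as 139. PHP itself exits with 255 on a
# fatal error, so 255 is treated as an ordinary error, not as a signal.
classify_status() {
    if [ "$1" -eq 0 ]; then echo "clean"
    elif [ "$1" -eq 139 ]; then echo "segfault"
    elif [ "$1" -gt 128 ] && [ "$1" -le 192 ]; then echo "signal-$(( $1 - 128 ))"
    else echo "error-$1"   # e.g. PHP 7+, where the eval parse error throws ParseError
    fi
}

# Run the test script under the PHP CLI binary in $1 and print the verdict.
check_php_build() {
    php_bin=$1
    tmp=$(mktemp -d) || return 2
    write_repro "$tmp/bug67497.php"
    status=0
    "$php_bin" "$tmp/bug67497.php" >/dev/null 2>&1 || status=$?
    rm -rf "$tmp"
    classify_status "$status"
}

if [ $# -gt 0 ]; then
    check_php_build "$1"
fi
```

A verdict of "clean" matches the expected result in the report; "segfault" matches the actual result seen on the non-debug 5.5.13 build.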
 [2014-06-24 05:34 UTC] laruence@php.net
-Assigned To: +Assigned To: nikic
 [2014-07-02 15:38 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9ebd0f3d696e42d7c7bd2b0176414534aed0ef1
Log: Fix bug #67497: eval with parse error causes segfault in generator
 [2014-07-02 15:38 UTC] nikic@php.net
-Status: Verified +Status: Closed
 [2014-07-07 15:22 UTC] dmitry@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9ebd0f3d696e42d7c7bd2b0176414534aed0ef1
Log: Fix bug #67497: eval with parse error causes segfault in generator
 [2014-07-21 09:31 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9ebd0f3d696e42d7c7bd2b0176414534aed0ef1
Log: Fix bug #67497: eval with parse error causes segfault in generator
 [2014-07-21 10:02 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9ebd0f3d696e42d7c7bd2b0176414534aed0ef1
Log: Fix bug #67497: eval with parse error causes segfault in generator
 [2014-07-30 09:52 UTC] tyrael@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9ebd0f3d696e42d7c7bd2b0176414534aed0ef1
Log: Fix bug #67497: eval with parse error causes segfault in generator
 
Last updated: Fri Jul 21 02:01:34 2017 UTC