php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67801 PHPNG: SIGSEGV in zend_hash_index_find_bucket (assigning values w/o key)
Submitted: 2014-08-06 21:32 UTC Modified: 2014-08-15 11:52 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: bugs dot php dot net at majkl578 dot cz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2014-08-06 (Git) OS: Debian
Private report: No CVE-ID: None
 [2014-08-06 21:32 UTC] bugs dot php dot net at majkl578 dot cz
Description:
------------
While trying PHPNG, I encountered a strange segmentation fault while appending entries to an array. I'm providing full reproduce case as I was unable to isolate it in a smaller script.

The crash occurs in file Tester/Runner/Runner.php on line 83:
$running[] = $job = array_shift($this->jobs);

PHPNG built from 414762fc12 using clang.

Test script:
---------------
$ git clone git://github.com/nette/tester.git
$ cd tester/
$ git checkout 5d7e2b4f4
$ gdb --args /path/to/sapi/cli/php -n tests/Runner.annotations.phpt
(gdb) run

Expected result:
----------------
No segmentation fault.

Actual result:
--------------
#0  0x0000000000cc0fed in zend_hash_index_find_bucket (ht=0x7fffed034a30, h=8) at Zend/zend_hash.c:239
#1  0x0000000000cbd700 in _zend_hash_index_update_or_next_insert_i (ht=0x7fffed034a30, h=8, pData=0x15c6db0 <executor_globals>, flag=4, __zend_filename=0x12259ce "/build/php/php-src/Zend/zend_execute.c", 
    __zend_lineno=1124) at Zend/zend_hash.c:479
#2  0x0000000000cbdb2b in _zend_hash_next_index_insert (ht=0x7fffed034a30, pData=0x15c6db0 <executor_globals>, __zend_filename=0x12259ce "/build/php/php-src/Zend/zend_execute.c", __zend_lineno=1124)
    at Zend/zend_hash.c:543
#3  0x0000000000d5d32b in zend_fetch_dimension_address (result=0x7ffff7e88be0, container_ptr=0x7ffff7e88860, dim=0x0, dim_type=8, type=1, is_ref=0) at Zend/zend_execute.c:1124
#4  0x0000000000d5c037 in zend_fetch_dimension_address_W (result=0x7ffff7e88be0, container_ptr=0x7ffff7e88860, dim=0x0, dim_type=8) at Zend/zend_execute.c:1253
#5  0x0000000000d4ac64 in ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7e887d0) at Zend/zend_vm_execute.h:38691
#6  0x0000000000cf659c in execute_ex (execute_data=0x7ffff7e887d0) at Zend/zend_vm_execute.h:354
#7  0x0000000000cf673b in zend_execute (op_array=0x7ffff7f83318, return_value=0x0) at Zend/zend_vm_execute.h:383
#8  0x0000000000ca7655 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1322
#9  0x0000000000bea53e in php_execute_script (primary_file=0x7fffffffe028) at main/main.c:2564
#10 0x0000000000d7f4f9 in do_cli (argc=2, argv=0x15cbce0) at sapi/cli/php_cli.c:980
#11 0x0000000000d7e369 in main (argc=2, argv=0x15cbce0) at sapi/cli/php_cli.c:1358

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-15 11:52 UTC] bugs dot php dot net at majkl578 dot cz
-Status: Open +Status: Closed
 [2014-08-15 11:52 UTC] bugs dot php dot net at majkl578 dot cz
Seems to be fixed.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Jan 22 17:01:25 2020 UTC