PHP :: Bug #29566 :: foreach/string handling strangeness (crash)

Bug #29566	foreach/string handling strangeness (crash)
Submitted:	2004-08-08 00:01 UTC	Modified:	2004-09-22 09:16 UTC
From:	stefan at hotpaenz dot de	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.0.1	OS:	Linux 2.6.3
Private report:	No	CVE-ID:	None

[2004-08-08 00:01 UTC] stefan at hotpaenz dot de

Description:
------------
Consider the following code. Of course it isn't useful,  
but nevertheless it shouldn't crash PHP.  
 
Perhaps this is related to bug 28487 (another crash,  
affecting real-world scripts) because the same function  
zend_switch_free_handler is involved.  
 
Perhaps this is the same bug as 28574, which was closed as 
the problem went away. The crash I am reporting now occurs 
with a current snapshot (200408071830). 
 

Reproduce code:
---------------
<?
$var="This is a string";

$dummy="";
unset($dummy);

foreach($var['nosuchkey'] as $v) {
}


Expected result:
----------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
 
[no crash of course] 
 

Actual result:
--------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
Segmentation fault (core dumped) 
 
[backtrace follows] 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
285  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
 
#1  0x082424f8 in _zval_ptr_dtor (zval_ptr=0xbfffd698) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute_API.c:396 
 
#2  0x0827288b in zend_switch_free_handler 
(execute_data=0xbfffd710, opline=0x872749c, 
op_array=0x8722f24, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:210 
 
#3  0x0826ce85 in execute (op_array=0x8722f24, 
tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:1400 
 
#4  0x0824d971 in zend_execute_scripts (type=8, 
tsrm_ls=0x8431018, retval=0x0, file_count=3) 
at /root/php/200408071830/php5-5.0.0/Zend/zend.c:1068 
 
#5  0x08210ab4 in php_execute_script 
(primary_file=0xbffffae0, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/main/main.c:1631 
 
#6  0x08279bec in main (argc=2, argv=0xbffffba4) 
at /root/php/200408071830/php5-5.0.0/sapi/cgi/cgi_main.c:1568

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-08-24 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2004-08-24 09:40 UTC] stefan at hotpaenz dot de

Indeed it works fine with the latest PHP4 snapshot  
(200408232230 tested), but this is a PHP5 bug. For the  
record: It still crashes with the 200408232230 PHP5  
snapshot (unstable)

[2004-08-24 09:46 UTC] tony2001@php.net

No crash with latest HEAD (Linux 2.6.8.1, glibc 2.3.2).

[2004-08-24 10:32 UTC] stefan at hotpaenz dot de

I use Linux 2.6.3 and glibc 2.3.2. 
 
PHP crashes _after_ printing the warning "Invalid argument 
supplied for foreach()" at the end of the script (perhaps 
when cleaning up?). I tested again with the 200408240630 
snapshots (stable and HEAD). This is the HEAD backtrace: 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285 
285             
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-200408240630/Zend/zend_alloc.c:285 
 
#1  0x08178298 in _zval_ptr_dtor (zval_ptr=0xbfffd6a8) 
at /root/php/test/php5-200408240630/Zend/zend_execute_API.c:390 
 
#2  0x081a3407 in zend_switch_free_handler 
(execute_data=0xbfffd710) 
at /root/php/test/php5-200408240630/Zend/zend_execute.c:245 
 
#3  0x0819eb48 in execute (op_array=0x8274014) 
at /root/php/test/php5-200408240630/Zend/zend_execute.c:1498 
 
#4  0x08181f95 in zend_execute_scripts (type=8, 
retval=0x0, file_count=3) 
at /root/php/test/php5-200408240630/Zend/zend.c:1052 
 
#5  0x0814d5ad in php_execute_script 
(primary_file=0xbffffaa0) 
at /root/php/test/php5-200408240630/main/main.c:1633 
 
#6  0x081a9c81 in main (argc=2, argv=0xbffffb64) 
at /root/php/test/php5-200408240630/sapi/cgi/cgi_main.c:1568 
 
 
The backtrace of stable is slightly different: 
 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263 
263             
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_alloc.c:263 
 
#1  0x081764b8 in _zval_ptr_dtor (zval_ptr=0xbfffd678) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute_API.c:391 
 
#2  0x081a0632 in zend_switch_free_handler 
(execute_data=0xbfffd6f0, opline=0x8272464, 
op_array=0x826deec) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:210 
 
#3  0x0819c0a9 in execute (op_array=0x826deec) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend_execute.c:1400 
 
#4  0x081802b5 in zend_execute_scripts (type=8, 
retval=0x0, file_count=3) 
at /root/php/test/php5-STABLE-200408240630/Zend/zend.c:1061 
 
#5  0x0814b99d in php_execute_script 
(primary_file=0xbffffa80) 
at /root/php/test/php5-STABLE-200408240630/main/main.c:1629 
 
#6  0x081a68c7 in main (argc=2, argv=0xbffffb44) 
at /root/php/test/php5-STABLE-200408240630/sapi/cgi/cgi_main.c:1568

[2004-08-25 09:13 UTC] stefan at hotpaenz dot de

It still crashes with stable PHP5 snapshot 200408250430 
and HEAD snapshot 200408250630. 
 
Is there anything else I could do beside testing again and 
again? I would like to help you making PHP better, and I 
have some C knowledge, but I don't really understand the 
inner workings of Zend/PHP. Is there anything I could add 
to the code to reveal what leads to the crash?

[2004-08-25 09:21 UTC] stefan at hotpaenz dot de

Okay, I just discovered PHP only crashes with a non-debug 
build. My configure line is: 
 
./configure --disable-cli --enable-cgi --without-pear