From: dmitry at dot php dot net
Operating system: *
PHP version: 5.2.5
PHP Bug Type: Scripting Engine problem
Bug description: Double free of loop-variable on exception
Description:
------------
See the following code.
Reproduce code:
---------------
<?php
function foo() {
    $x = array(1,2,3);
    foreach ($x as $a) {
        while (1) {
            throw new Exception();
        }
        return;
    }
}
try {
    foo();
} catch (Exception $ex) {
    echo "ok\n";
}
Expected result:
----------------
ok
Actual result:
--------------
==31644== Invalid read of size 4
==31644== at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644== by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644== by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644== by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644== by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644== by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644== by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644== by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644== by 0x835D8B6: php_execute_script (main.c:2006)
==31644== by 0x842CB94: main (php_cli.c:1140)
==31644== Address 0x4557F30 is 8 bytes inside a block of size 16 free'd
==31644== at 0x400513F: free (vg_replace_malloc.c:233)
==31644== by 0x8392725: _efree (zend_alloc.c:2290)
==31644== by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644== by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644== by 0x83D734D: zend_switch_free (zend_execute.c:370)
==31644== by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644== by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644== by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644== by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644== by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644== by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644== by 0x835D8B6: php_execute_script (main.c:2006)
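Added triage helper, not part of this bug report or of PHP: it parses a valgrind memcheck error of the shape shown above and pairs the faulting-access stack with the free stack, so a reviewer sees at once that the same function (zend_switch_free, lines 370 and 372) both freed the zval and then read it through _zval_ptr_dtor. The sample input is the top of the trace above, constructed here with valgrind's wrapped lines rejoined; the regexes assume memcheck's default "at/by 0xADDR: func (file:line)" frame layout.

```python
import re

# Constructed sample: first frames of the trace above, wrapped lines rejoined.
SAMPLE = """\
==31644== Invalid read of size 4
==31644==    at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644==    by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==  Address 0x4557F30 is 8 bytes inside a block of size 16 free'd
==31644==    at 0x400513F: free (vg_replace_malloc.c:233)
==31644==    by 0x8392725: _efree (zend_alloc.c:2290)
==31644==    by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644==    by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644==    by 0x83D734D: zend_switch_free (zend_execute.c:370)
"""

# A stack frame ("at/by 0xADDR: func (file:line)") and the two section headers.
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:]+):(\d+)\)")
HEADER = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+|Address 0x[0-9A-Fa-f]+ .*free'd)")

def parse_memcheck(text):
    """Split one memcheck error into its faulting-access stack and free stack."""
    report = {"error": None, "access": [], "freed": []}
    current = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            if h.group(1).startswith("Invalid"):
                report["error"] = h.group(1)
                current = "access"
            else:
                current = "freed"
            continue
        f = FRAME.match(line)
        if f and current:
            report[current].append((f.group(1), f.group(2), int(f.group(3))))
    return report

def pair_sites(report):
    """Map each function present on both stacks to (access line, free line);
    a function that freed the block and later touched it is the first place to look."""
    access = {}
    for fn, _, ln in report["access"]:
        access.setdefault(fn, ln)
    pairs = {}
    for fn, _, ln in report["freed"]:
        if fn in access and fn not in pairs:
            pairs[fn] = (access[fn], ln)
    return pairs
```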
--
Edit bug report at http://bugs.php.net/?id=44184&edit=1