ID: 49000
Updated by: s...@php.net
Reported By: shahar dot e at zend dot com
-Status: Open
+Status: Analyzed
Bug Type: Scripting Engine problem
Operating System: Mac OS X 10.5
PHP Version: 5.3.0

Previous Comments:
------------------------------------------------------------------------

[2009-07-27 22:58:11] s...@php.net

Analysis: this happens because execute_new_code() resets EG(return_value_ptr_ptr), which means that if, in interactive mode, an include happens inside a function, the parser will run execute_new_code() and that breaks EG(return_value_ptr_ptr); when the function then tries to use it on return, a crash happens.

The fix would be to make include/require/eval reset the interactive mode flag (they are not interactive anyway).

------------------------------------------------------------------------

[2009-07-21 13:01:25] j...@php.net

See also bug #48682

------------------------------------------------------------------------

[2009-07-21 11:30:09] shahar dot e at zend dot com

Description:
------------
When running PHP 5.3 in CLI interactive mode (php -a), PHP will crash in certain situations. While I am not 100% clear about the cause, this seems to happen when including a file that defines a function that includes another file. The first function must have a return value, and something must be done (e.g. var_dump() or assignment) with that return value back in the interactive shell.

Steps to reproduce:
1. Create a file 'a.php' which defines the function test()
2. Function test() should require another file, 'b.php', which must define another function. No need to actually do anything in that function in order to reproduce the crash. Function test() doesn't even have to call that second function.
3. Function test() must return something
4. Run php -a
5. Run the following code: "require_once 'a.php'; $a = test();"
6. Crash!

See reproduction code below.

Some situations in which no crash happens:
- When PHP is 5.2
- When PHP is not in interactive mode
- When the 1st function has no return value
- When nothing is done with the return value in the interactive shell
- When the require / include statement happens outside of the function

Reproduce code:
---------------
----- a.php -----
<?php
function test1() {
    require_once './b.php'; // You don't even have to call test2();
    return 'a';
}

----- b.php -----
<?php
function test2() {
    // This function doesn't need to do anything
}

----- In interactive mode (php -a) -----
php > require_once 'a.php';
php > $a = test1();

Expected result:
----------------
No crash, $a == 'a'

Actual result:
--------------
(gdb) r -a
Starting program: /Users/shahar/Build/php5.3/bin/php -a
Reading symbols for shared libraries +++++++... done
Interactive shell

php > require_once 'a.php';
php > $a = test1();

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000c
0x0023545e in _get_zval_ptr_var_string_offset (node=0x7376dc, Ts=0x78f094, should_free=0xbffff5b4, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:191
191         if (T->str_offset.str->type != IS_STRING
(gdb) bt
#0  0x0023545e in _get_zval_ptr_var_string_offset (node=0x7376dc, Ts=0x78f094, should_free=0xbffff5b4, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:191
#1  0x002e32bb in _get_zval_ptr_var [inlined] () at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:214
#2  0x002e32bb in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x78f044, tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute.c:27247
#3  0x00237d48 in execute (op_array=0x736a08, tsrm_ls=0x8002c0) at zend_vm_execute.h:104
#4  0x001f321a in zend_eval_stringl (str=0x734e80 "$a = test1();\n", str_len=14, retval_ptr=0x0, string_name=0x318fce "php shell code", tsrm_ls=0x8002c0) at /Users/shahar/Source/php-5.3.0RC4/Zend/zend_execute_API.c:1159
#5  0x002f5945 in main (argc=2, argv=0xbffff9d4) at /Users/shahar/Source/php-5.3.0RC4/sapi/cli/php_cli.c:1168

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=49000&edit=1