ID: 29944
Comment by: tingle at virtuanews dot co dot uk
Reported By: norxh at binnews dot com
Status: Assigned
Bug Type: Reproducible crash
Operating System: *
PHP Version: 5CVS-2005-03-07
Assigned To: andi
New Comment:
I have just tried this with the latest CVS (after spending 4 hours bug
finding!). This bug is still in CVS.
Exactly the same as is shown here, the following will crash apache:
<?php
$do = 1;
switch ($do) {
default:
function test_function()
{
return 'Hello World';
}
echo test_function();
}
?>
This crashes both apache 1 and apache 2 on windows xp, macosx and linux
based systems. I was testing on the CVS from 23/04/05.
Previous Comments:
------------------------------------------------------------------------
[2005-04-02 12:05:10] dmhouse at gmail dot com
I have a reduced test case for this bug.
<?php
$foo = 'bar';
switch ($foo) {
case 'bar':
function foobar() {
$variable = 1;
}
foobar();
break;
}
?>
Things necessary for Apache to segfault:
* The function must be defined inside a case statement that is
executed.
* A variable must be set to a value within the function.
* The function must be called.
I'm running PHP 5.0.3 (built from source, but I doubt that matters) on
Apache 2. Bug is reproducible through Apache and through CLI.
------------------------------------------------------------------------
[2005-03-04 15:17:24] kameshj at fastmail dot fm
Problem is in CG(switch_cond_stack) that is shared by two op_arrays(One
which has original switch and another one being the function declararion
inside a case).
Case 1
----------------
<?php
function foo()
{
echo "hi";
}
?>
op_array of foo
ZEND_ECHO
ZEND_FETCH_CONSTANT
ZEND_RETURN
ZEND_HANDLE_EXCEPTION
Case 2(Segfault case)
----------------
<?php
$a=1;
switch($a)
{
case 1:
function foo()
{
echo "hi";
}
}
?>
op_array of foo
ZEND_ECHO
ZEND_FETCH_CONSTANT
ZEND_SWITCH_FREE
ZEND_RETURN
ZEND_HANDLE_EXCEPTION
In Case 2
ZEND_SWITCH_FREE opcode is getting included in the function foo's
op_array.
This is done by zend_do_return in zend_compile.c with the following
code
zend_stack_apply(&CG(switch_cond_stack), ZEND_STACK_APPLY_TOPDOWN, (int
(*)(void *element)) generate_free_switch_expr);
In zend_do_return of foo of Case 2,
While executing zend_stack_apply,
CG(switch_cond_stack) has 2 entries as follows,
foo's seperator dummy switch_cond(at top)
main op_array's switch case(at bottom)
"main op_array's switch case(at bottom)" is generating ZEND_SWITCH_FREE
opcode.
I feel the switch_cond_stack to be op_array specific rather than
keeping it at compiler_globals as it is now.
------------------------------------------------------------------------
[2004-12-16 21:18:18] edwin at phpfreakz dot nl
I didn't have any problems with declaring functions in a switch
statement with Apache 2/PHP 5.0.1, but after installing PHP 5.0.3 php
crashes. You don't get any errors, it just doesn't work.
I'm using Windows XP Pro with SP2.
------------------------------------------------------------------------
[2004-11-10 15:53:24] sami at sipponen dot com
<?
switch ($_GET["test"]) {
default:
function testfunc() {
}
}
testfunc();
?>
This code crashes PHP 5.1.0-DEV Windows Version.
------------------------------------------------------------------------
[2004-09-02 08:36:55] [EMAIL PROTECTED]
This is only a problem in PHP 5.0.x (and not PHP 5.1.x-dev).
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/29944
--
Edit this bug report at http://bugs.php.net/?id=29944&edit=1
