ID: 39304
Updated by: [EMAIL PROTECTED]
Reported By: dave at ramenlabs dot com
-Status: Open
+Status: Assigned
-Bug Type: Reproducible crash
+Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5CVS-2006-10-30 (CVS)
-Assigned To:
+Assigned To: dmitry
Previous Comments:
------------------------------------------------------------------------

[2006-10-30 08:09:09] dave at ramenlabs dot com

I accidentally generated that backtrace using my system-installed version of PHP. Here's a correct backtrace:

[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) = $s[0]; ?>' | ./php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ gdb ./php ./core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/tls/libcrypt.so.1...done.
Loaded symbols for /lib/tls/libcrypt.so.1
Reading symbols from /lib/tls/librt.so.1...done.
Loaded symbols for /lib/tls/librt.so.1
Reading symbols from /lib/tls/libresolv.so.2...done.
Loaded symbols for /lib/tls/libresolv.so.2
Reading symbols from /lib/tls/libm.so.6...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /lib/tls/libdl.so.2...done.
Loaded symbols for /lib/tls/libdl.so.2
Reading symbols from /lib/tls/libnsl.so.1...done.
Loaded symbols for /lib/tls/libnsl.so.1
Reading symbols from /usr/lib/libicui18n.so.34...done.
Loaded symbols for /usr/lib/libicui18n.so.34
Reading symbols from /usr/lib/libicuuc.so.34...done.
Loaded symbols for /usr/lib/libicuuc.so.34
Reading symbols from /usr/lib/libicudata.so.34...
warning: Lowest section in /usr/lib/libicudata.so.34 is .hash at 00000094
done.
Loaded symbols for /usr/lib/libicudata.so.34
Reading symbols from /usr/lib/libicuio.so.34...done.
Loaded symbols for /usr/lib/libicuio.so.34
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/tls/libpthread.so.0...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Core was generated by `./php'.
Program terminated with signal 11, Segmentation fault.
#0  0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0xbfb6e090)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
9034            PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
(gdb) bt
#0  0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0xbfb6e090)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
#1  0x082b0308 in execute (op_array=0xb70904fc)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:92
#2  0x0828b5dc in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3)
    at /home/ramen/tmp/php5/Zend/zend.c:1616
#3  0x0823f4c0 in php_execute_script (primary_file=0xbfb704d0)
    at /home/ramen/tmp/php5/main/main.c:1922
#4  0x08312a95 in main (argc=1, argv=0xbfb705d4)
    at /home/ramen/tmp/php5/sapi/cli/php_cli.c:1119
(gdb)
------------------------------------------------------------------------

[2006-10-30 08:03:04] dave at ramenlabs dot com

Description:
------------
In a function expecting an array parameter, I accidentally passed in a string instead. For some reason related to the particular way I used list unpacking of an array offset, it caused PHP to crash with a segmentation fault.
I have observed this problem in PHP 4.4.2 as well as PHP 5, freshly downloaded and compiled from CVS.

Reproduce code:
---------------
<?php $s = ""; list($a, $b) = $s[0]; ?>

Expected result:
----------------
Fatal error: Cannot use string offset as an array

Actual result:
--------------
Segmentation fault

[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) = $s[0]; ?>' | php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ gdb ./php core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
11516           shift_right_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) bt
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
#1  0x082a1a98 in zif_each (ht=140604596, return_value=0x851b960, return_value_ptr=0x20, this_ptr=0xbfcf9370, return_value_used=4)
    at /home/ramen/tmp/php5/Zend/zend_builtin_functions.c:417
#2  0x082821ee in zend_u_str_tolower_dup (type=0 '\0', source={s = 0xbfcfb674 "\002", u = 0xbfcfb674, v = 0xbfcfb674}, length=139127824)
    at /home/ramen/tmp/php5/Zend/zend_operators.c:2384
#3  0x08240352 in php_module_startup (sf=0xbfcfb674, additional_modules=0x83112d0, num_additional_modules=139120832)
    at /home/ramen/tmp/php5/main/main.c:1554
#4  0x08311219 in ZEND_SL_SPEC_CONST_VAR_HANDLER (execute_data=0x0)
    at /home/ramen/tmp/php5/Zend/zend_execute.c:78
#5  0xb79ceea8 in ?? ()
#6  0x00000000 in ?? ()
(gdb)
------------------------------------------------------------------------
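The caller-side guard for the mistake the report describes (an array-expecting function handed a string, so list() ends up unpacking a string offset), as an added example that is not part of the bug report: an array parameter hint and an explicit is_array check both reject the argument before list() runs. The function names are assumed and the inputs are constructed.

```php
<?php
// Added example, not from the bug report. Two ways to keep a string
// from reaching list() inside a function that expects an array.

// 1. Parameter type hint (PHP 5.1+): the engine rejects a non-array
//    argument before the body runs (catchable fatal error in PHP 5,
//    TypeError in PHP 7 and later).
function unpackPairHinted(array $pair)
{
    list($a, $b) = $pair;
    return array($a, $b);
}

// 2. Explicit check, usable on any version: validate type and shape
//    first, then unpack. Returns the two elements as an indexed array.
function unpackPairChecked($pair)
{
    if (!is_array($pair)) {
        throw new InvalidArgumentException(
            'expected array, got ' . gettype($pair));
    }
    if (count($pair) < 2) {
        throw new InvalidArgumentException(
            'expected at least 2 elements, got ' . count($pair));
    }
    list($a, $b) = $pair;
    return array($a, $b);
}

// Constructed inputs: a valid pair and the reporter's empty string.
$good = array('x', 'y');
$s = "";

var_dump(unpackPairChecked($good));

try {
    unpackPairChecked($s);   // the wrong-typed argument from the report
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```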