ID: 39304
Updated by: [EMAIL PROTECTED]
Reported By: dave at ramenlabs dot com
-Status: Open
+Status: Assigned
-Bug Type: Reproducible crash
+Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5CVS-2006-10-30 (CVS)
-Assigned To:
+Assigned To: dmitry
Previous Comments:
------------------------------------------------------------------------
[2006-10-30 08:09:09] dave at ramenlabs dot com
I accidentally generated that backtrace using my system-installed
version of PHP. Here's a correct backtrace:
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) =
$s[0]; ?>' | ./php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ gdb ./php ./core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/tls/libcrypt.so.1...done.
Loaded symbols for /lib/tls/libcrypt.so.1
Reading symbols from /lib/tls/librt.so.1...done.
Loaded symbols for /lib/tls/librt.so.1
Reading symbols from /lib/tls/libresolv.so.2...done.
Loaded symbols for /lib/tls/libresolv.so.2
Reading symbols from /lib/tls/libm.so.6...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /lib/tls/libdl.so.2...done.
Loaded symbols for /lib/tls/libdl.so.2
Reading symbols from /lib/tls/libnsl.so.1...done.
Loaded symbols for /lib/tls/libnsl.so.1
Reading symbols from /usr/lib/libicui18n.so.34...done.
Loaded symbols for /usr/lib/libicui18n.so.34
Reading symbols from /usr/lib/libicuuc.so.34...done.
Loaded symbols for /usr/lib/libicuuc.so.34
Reading symbols from /usr/lib/libicudata.so.34...
warning: Lowest section in /usr/lib/libicudata.so.34 is .hash at
00000094
done.
Loaded symbols for /usr/lib/libicudata.so.34
Reading symbols from /usr/lib/libicuio.so.34...done.
Loaded symbols for /usr/lib/libicuio.so.34
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/tls/libpthread.so.0...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Core was generated by `./php'.
Program terminated with signal 11, Segmentation fault.
#0 0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
execute_data=0xbfb6e090)
at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
9034
PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
(gdb) bt
#0 0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
execute_data=0xbfb6e090)
at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
#1 0x082b0308 in execute (op_array=0xb70904fc)
at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:92
#2 0x0828b5dc in zend_execute_scripts (type=8, retval=<value optimized
out>,
file_count=3) at /home/ramen/tmp/php5/Zend/zend.c:1616
#3 0x0823f4c0 in php_execute_script (primary_file=0xbfb704d0)
at /home/ramen/tmp/php5/main/main.c:1922
#4 0x08312a95 in main (argc=1, argv=0xbfb705d4)
at /home/ramen/tmp/php5/sapi/cli/php_cli.c:1119
(gdb)
------------------------------------------------------------------------
[2006-10-30 08:03:04] dave at ramenlabs dot com
Description:
------------
In a function expecting an array parameter, I accidentally passed in a
string instead. For some reason related to the particular way I used
list unpacking of an array offset, it caused PHP to crash with a
segmentation fault.
I have observed this problem in PHP 4.4.2 as well as PHP 5, freshly
downloaded and compiled from CVS.
Reproduce code:
---------------
<?php $s = ""; list($a, $b) = $s[0]; ?>
Expected result:
----------------
Fatal error: Cannot use string offset as an array
Actual result:
--------------
Segmentation fault
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) =
$s[0]; ?>' | php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ gdb ./php core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".
Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
#0 0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER
(execute_data=0xbfcf925c)
at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
11516
shift_right_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) bt
#0 0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER
(execute_data=0xbfcf925c)
at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
#1 0x082a1a98 in zif_each (ht=140604596, return_value=0x851b960,
return_value_ptr=0x20, this_ptr=0xbfcf9370, return_value_used=4)
at /home/ramen/tmp/php5/Zend/zend_builtin_functions.c:417
#2 0x082821ee in zend_u_str_tolower_dup (type=0 '\0', source=
{s = 0xbfcfb674 "\002", u = 0xbfcfb674, v = 0xbfcfb674},
length=139127824) at
/home/ramen/tmp/php5/Zend/zend_operators.c:2384
#3 0x08240352 in php_module_startup (sf=0xbfcfb674,
additional_modules=0x83112d0, num_additional_modules=139120832)
at /home/ramen/tmp/php5/main/main.c:1554
#4 0x08311219 in ZEND_SL_SPEC_CONST_VAR_HANDLER (execute_data=0x0)
at /home/ramen/tmp/php5/Zend/zend_execute.c:78
#5 0xb79ceea8 in ?? ()
#6 0x00000000 in ?? ()
(gdb)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=39304&edit=1
