#40185 [NEW]: PHP Crashes with a SegFault trying to zend_execute() some simple PHP scripts

2007-01-21 Thread darkwinter at tiscali dot es
From: darkwinter at tiscali dot es
Operating system: Linux - Ubuntu Dapper 6.06 LTS
PHP version:  5.2.0
PHP Bug Type: Reproducible crash
Bug description:  PHP Crashes with a SegFault trying to zend_execute() some simple PHP scripts

Description:

Let's see... I'm trying to write an extension module for PHP (shared
extension, ie: myext.so) that compiles and executes some PHP code that I
will pass to it.

Extension is working already but crashes on zend_execute() call depending
on what PHP code I give to it.

Trying to pin down the problem, I've found that it crashes trying to
execute ANY code that declares a variable (ie $a=1;) BEFORE any function
declaration. Weird.

I can reproduce the crash (Segmentation Fault (11) in Apache error.log)
anytime. See the Reproduce Code for tips. 

Also, I could fix the problem in lab somewhat: I have to create and call
a function (even a dummy one works) BEFORE the first variable use, ON EVERY
PHP CODE SNIPPET/SCRIPT I want to use, which will (might?) overflow the
global function table over time (I guess :m), as every function has to
have different names (so I don't try to redeclare a function twice,
AFAIK). 

As you can see, this is not a long term solution I guess... :( but it
works for testing and may give you a clue to what's going on. 

Tested with the Following Env.

Ubuntu Dapper 6.06 LTS (Linux)
Apache 2.2.3
PHP 5.2.0
- myext.so



Reproduce code:
---
--- PHP CODE ---
<?php
  $a=1;
?>
--- END OF PHP CODE ---


--- EXTENSION CODE THAT I'M TRYING TO USE: ---
myext.so

/* FAULTY CODE */

char faulty_code[] = "echo 'Hi all<br>';?><?php $a = 5; echo $a; ?>"; // this code crashes.

char faulty_code2[] = "?><?php $a = 5; echo $a; ?>"; // this code crashes.

char working_code[] = "function foo() {}; foo(); echo 'Hi all<br>';?><?php $a = 5; echo $a; ?>"; // this code works. Prepending a function declaration AND a function call works (¿?)...

zend_op_array *op_array = NULL;
zval *new_string;

char *buf = (char *)emalloc(20 * 1024); // have plenty of space for this test.
strcpy(buf, faulty_code);               // replace faulty_code with working_code to see the difference.

MAKE_STD_ZVAL(new_string);
ZVAL_STRING(new_string, buf, 0);

op_array = zend_compile_string(new_string, "test" TSRMLS_CC);

if (op_array != NULL)
{
    zend_execute(op_array TSRMLS_CC); // this crashes.
}

/* END OF FAULTY CODE */
--- END OF EXTENSION CODE THAT I'M TRYING TO USE: ---


Expected result:

It is expected for the PHP code to be executed: faulty_code[] arrays
contain valid PHP code and should execute, not give a segfault.

char faulty_code[] = "echo 'Hi all<br>';?><?php $a = 5; echo $a; ?>"; // this code crashes.



Actual result:
--
faulty_code[] crashes with a SegFault #11 in apache logs.
working_code[] fix works flawlessly but requires creating a function on every
snippet of code.

Of course, that would be a different problem and requires different names
each time, but that is not the real problem here.

// this code crashes and should work. Works in php -r
char faulty_code2[] = "?><?php $a = 5; echo $a; ?>";

Note that I *require* to close and open PHP tags as I might have in
between some HTML code, for example:

// this code crashes and should work. Works in php -r
char faulty_code3[] = "?><center>Hello World from HTML</center><?php $a = 5; echo $a; ?>";

In a few words:

A. Trying to execute faulty_code[] below from my PHP extension (or loading
the PHP CODE snippet (without the --- PHP CODE --- lines) from a .php
file) crashes on zend_execute().

B. Trying to execute working_code[] or adding a function foo() {}; foo();
line before the line $a = 1 in the PHP CODE script works too.

C. Might be useful to know, so I remark it: I've tried also to execute
this code through the PHP CLI successfully:

# php -r '$a = 1; echo $a;'

and it works.

Even with tags left on it:

# php -r '?><? $a = 1; echo $a; ?>'

also works.

Hope all of this helps. Please contact me for any issue you might have.
Thank you.


-- 
Edit bug report at http://bugs.php.net/?id=40185&edit=1

#40185 [Bgs]: PHP Crashes with a SegFault trying to zend_execute() some simple PHP scripts

2007-01-21 Thread darkwinter at tiscali dot es
 ID:   40185
 User updated by:  darkwinter at tiscali dot es
 Reported By:  darkwinter at tiscali dot es
 Status:   Bogus
 Bug Type: Reproducible crash
 Operating System: Linux - Ubuntu Dapper 6.06 LTS
 PHP Version:  5.2.0
 New Comment:

Thank you for your quick reply.

I will report this issue to pecl or internals mailing list and see what
they tell me. Will leave this open for now just in case they ask me to
continue here.

About the backtrace, I've tried to compile PHP 5.2.0 with debugging
information, and also Latest CVS (as of 21-Jan-07) with no success.
Sorry, but I keep getting compilation errors so I can't put the debug
apache2 module and therefore can't get a core dump and a back trace. 

I've tried it but I guess I have not enough knowledge to do it without
further help.


Previous Comments:


[2007-01-21 12:13:40] [EMAIL PROTECTED]

.



[2007-01-21 12:13:16] [EMAIL PROTECTED]

This is no forum for questions about API usage, if you need help
contact pecl-dev (or internals) mailing list. I didn't check your code
in detail but I guess you missed initializing some variables.
Therefore you should use zend_eval_string() instead of calling
zend_compile_string() and zend_execute() directly. For any further help
one would also need a backtrace...



[2007-01-21 11:10:19] darkwinter at tiscali dot es
