From:             stefan at hotpaenz dot de
Operating system: Linux 2.6.3
PHP version:      5CVS-2004-08-07 (dev)
PHP Bug Type:     Reproducible crash
Bug description:  foreach/string handling strangeness (crash)

Description:
------------
Consider the following code. Of course it isn't useful,  
but nevertheless it shouldn't crash PHP.  
 
Perhaps this is related to bug 28487 (another crash,  
affecting real-world scripts) because the same function  
zend_switch_free_handler is involved.  
 
Perhaps this is the same bug as 28574, which was closed as 
the problem went away. The crash I am reporting now occurs 
with a current snapshot (200408071830). 
 

Reproduce code:
---------------
<?
$var="This is a string";

$dummy="";
unset($dummy);

foreach($var['nosuchkey'] as $v) {
}


Expected result:
----------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
 
[no crash of course] 
 

Actual result:
--------------
Warning:  Invalid argument supplied for foreach() in 
crash.php on line 7 
Segmentation fault (core dumped) 
 
[backtrace follows] 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
285  CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size); 
 
(gdb) bt 
 
#0  _efree (ptr=0x75736f6e) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_alloc.c:285 
 
#1  0x082424f8 in _zval_ptr_dtor (zval_ptr=0xbfffd698) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute_API.c:396 
 
#2  0x0827288b in zend_switch_free_handler 
(execute_data=0xbfffd710, opline=0x872749c, 
op_array=0x8722f24, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:210 
 
#3  0x0826ce85 in execute (op_array=0x8722f24, 
tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/Zend/zend_execute.c:1400 
 
#4  0x0824d971 in zend_execute_scripts (type=8, 
tsrm_ls=0x8431018, retval=0x0, file_count=3) 
at /root/php/200408071830/php5-5.0.0/Zend/zend.c:1068 
 
#5  0x08210ab4 in php_execute_script 
(primary_file=0xbffffae0, tsrm_ls=0x8431018) 
at /root/php/200408071830/php5-5.0.0/main/main.c:1631 
 
#6  0x08279bec in main (argc=2, argv=0xbffffba4) 
at /root/php/200408071830/php5-5.0.0/sapi/cgi/cgi_main.c:1568 
 

-- 
Edit bug report at http://bugs.php.net/?id=29566&edit=1
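
A triage check on the backtrace above, added here as an example and not part of the original report or of PHP's own code: it decodes the pointer arguments in the gdb frames as in-memory bytes and flags any that read as printable ASCII occurring in the reproduce script's string literals. The little-endian 32-bit layout is an assumption based on the x86-style addresses in the trace, and the function names are hypothetical.

```python
import re
import struct

# Frames copied from the gdb backtrace in the report (frame #2 spans lines).
BACKTRACE = """\
#0  _efree (ptr=0x75736f6e)
#1  0x082424f8 in _zval_ptr_dtor (zval_ptr=0xbfffd698)
#2  0x0827288b in zend_switch_free_handler
(execute_data=0xbfffd710, opline=0x872749c,
op_array=0x8722f24, tsrm_ls=0x8431018)
"""
# String literals from the report's reproduce script.
SCRIPT_LITERALS = ["This is a string", "nosuchkey"]

FRAME_RE = re.compile(r"#(\d+)\s")
ARG_RE = re.compile(r"(\w+)=0x([0-9a-fA-F]{1,8})\b")


def pointer_as_text(value):
    """Return the pointer's in-memory bytes as text if all four are
    printable ASCII, else None. Assumption: little-endian 32-bit target."""
    raw = struct.pack("<I", value)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(backtrace, literals):
    """List (frame, arg, value, text, literal) for every pointer argument
    whose bytes read as ASCII found inside one of the script's literals."""
    findings = []
    frame = None
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frame = int(m.group(1))  # continuation lines keep this frame
        for name, hexval in ARG_RE.findall(line):
            value = int(hexval, 16)
            text = pointer_as_text(value)
            if text is None:
                continue
            source = next((s for s in literals if text in s), None)
            if source is not None:
                findings.append((frame, name, value, text, source))
    return findings


if __name__ == "__main__":
    for frame, name, value, text, source in triage(BACKTRACE, SCRIPT_LITERALS):
        print(f"frame #{frame}: {name}=0x{value:08x} is {text!r}, found in {source!r}")
```

The only finding is frame #0: the value handed to _efree decodes to "nosu", which matches the first four characters of the 'nosuchkey' offset in the script. That suggests the freed value is script string data rather than a heap address, so the crash should be triaged as memory corruption and not as a benign null dereference.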