#44184 [Opn->Asn]: Double free of loop-variable on exception

dmitry Wed, 20 Feb 2008 03:53:37 -0800

 ID:               44184
 Updated by:       [EMAIL PROTECTED]
 Reported By:      dmitry at  dot php dot net
-Status:           Open
+Status:           Assigned
 Bug Type:         Scripting Engine problem
 Operating System: *
 PHP Version:      5.2.5
-Assigned To:      
+Assigned To:      dmitry



Previous Comments:
------------------------------------------------------------------------

[2008-02-20 11:51:48] dmitry at  dot php dot net

Description:
------------
See the following code

Reproduce code:
---------------
<?php
function foo() {
        $x = array(1,2,3);
        foreach ($x as $a) {
                while (1) {
                        throw new Exception();
                }
            return;
        }
}
try {
        foo();
} catch (Exception $ex) {
        echo "ok\n";
}


Expected result:
----------------
ok

Actual result:
--------------
==31644== Invalid read of size 4
==31644==    at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644==    by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER
(zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER
(zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)
==31644==    by 0x842CB94: main (php_cli.c:1140)
==31644==  Address 0x4557F30 is 8 bytes inside a block of size 16
free'd
==31644==    at 0x400513F: free (vg_replace_malloc.c:233)
==31644==    by 0x8392725: _efree (zend_alloc.c:2290)
==31644==    by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644==    by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644==    by 0x83D734D: zend_switch_free (zend_execute.c:370)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER
(zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER
(zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=44184&edit=1

#44184 [Opn->Asn]: Double free of loop-variable on exception

Reply via email to