ID: 45751 Comment by: basant dot kukreja at sun dot com Reported By: basant dot kukreja at sun dot com Status: Open Bug Type: Reproducible crash Operating System: Solaris 10 PHP Version: 5.2.6 New Comment:
Here is the test plugin :

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "php.h"
#include "php_ini.h"
#include "ext/standard/info.h"
#include "zend_execute.h"

/* {{{ test_functions[] */
/* the extension exports no userland functions; it only hooks the executor */
function_entry test_functions[] = {
	{NULL, NULL, NULL}
};
/* }}} */

/* the engine's original zend_execute, saved so the hook can chain to it */
static void (*ye_olde_execute)(zend_op_array *op_array TSRMLS_DC);

/* replacement executor: ask the engine for the current line, then run the
 * op array through the original executor */
void php_test_execute(zend_op_array *op_array TSRMLS_DC)
{
	zend_get_executed_lineno(TSRMLS_C);
	ye_olde_execute(op_array TSRMLS_CC);
}

/* {{{ PHP_MINIT_FUNCTION */
/* install the hook at module startup */
PHP_MINIT_FUNCTION(test)
{
	ye_olde_execute = zend_execute;
	zend_execute = php_test_execute;
	return SUCCESS;
}
/* }}} */

/* {{{ PHP_MSHUTDOWN_FUNCTION */
/* put the original executor back at module shutdown */
PHP_MSHUTDOWN_FUNCTION(test)
{
	zend_execute = ye_olde_execute;
	return SUCCESS;
}
/* }}} */

/* {{{ PHP_MINFO_FUNCTION */
PHP_MINFO_FUNCTION(test)
{
	php_info_print_table_start();
	php_info_print_table_header(2, "test support", "enabled");
	php_info_print_table_end();
}
/* }}} */

/* {{{ test_module_entry */
zend_module_entry test_module_entry = {
#if ZEND_MODULE_API_NO >= 20010901
	STANDARD_MODULE_HEADER,
#endif
	"test",
	test_functions,
	PHP_MINIT(test),
	PHP_MSHUTDOWN(test),
	NULL,
	NULL,
	PHP_MINFO(test),
	"1.0.3",
	STANDARD_MODULE_PROPERTIES
};
/* }}} */

#ifdef COMPILE_DL_TEST
ZEND_GET_MODULE(test)
#endif

Previous Comments:
------------------------------------------------------------------------

[2008-08-08 04:36:46] basant dot kukreja at sun dot com

The issue was that we are saving stack address execute_data.opline into EG(opline_ptr) in execute function in zend_vm_execute.h (line 74).

	EG(opline_ptr) = &EX(opline);

After function execute is finished, EG(opline_ptr) is not reset to NULL. This points to previously used stack.

Fix is that before we return we should set EG(opline_ptr) to NULL.

Suggested Patch :

--- Zend/zend_vm_execute_ORIG.h 2008-08-07 18:42:47.876727000 -0700
+++ Zend/zend_vm_execute.h 2008-08-07 18:44:40.481725000 -0700
@@ -90,6 +90,7 @@ #endif if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) { + EG(opline_ptr) = NULL; return; }

------------------------------------------------------------------------

[2008-08-08 04:35:06] basant dot kukreja at sun dot com

Description:
------------
Stack pointer &execute_data.opline (&EG(opline)) is used beyond the scope and hence crashes php with auto_prepend_file.

I wrote a small test plugin : test.c and then loaded the plugin into php using php.ini extension=test.so

$ ./sapi/cli/php -d "auto_prepend_file=inc.inc" -d "include_path=/opt2/coolstackbld/svn/CoolStackDev/src/php5/php-5.2.6/tests/lang" -f /tmp/test.php
Included!
Segmentation Fault (core dumped)

Reproduce code:
---------------
Test plugin location : (skydrive) : http://yqaghq.blu.livefilestore.com/y1phzvjT69U9PiUNjW9NjakZZ5It3VOAEhADJusnkoorLiwGfeVlK6zTz-8AprvloPplXlNkaHUYD9sS9idFWZhcg/test.c?download

Expected result:
----------------
Normal behaviour

Actual result:
--------------
php crashes

$ pstack core
core 'core' of 23827: ./sapi/cli/php -d auto_prepend_file=inc.inc -d include_path=/opt2/cool
 003b8e4c zend_get_executed_lineno (5be8a0, 5897c, ffe39448, 55570c, ff1531c0, 57400) + 3c
 003d9f78 zend_execute_scripts (8, 0, 3, 1, 2, 5763c) + 11c
 0032d9bc php_execute_script (ffffffff, ffbff2cd, 5be3e0, ffbfefe0, 0, 5ae3a0) + 2b0
 0048e5e4 main (10000, 5addc8, 2d, 2f, 48cac0, 1ac0) + 1ae4
 000a8f28 _start (0, 0, 0, 0, 0, 0) + 108

Debugger showed that it was crashing in line 394 of zend_execute_API.c :

391 ZEND_API uint zend_get_executed_lineno(TSRMLS_D)
392 {
393 	if (EG(opline_ptr)) {
394 		return active_opline->lineno;

EG(opline_ptr) points to arbitrary value ( a pointer value in stack) and it crashes in active_opline->lineno.
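Review bot: the `+ EG(opline_ptr) = NULL;` line clears the pointer only on the one `return` inside the handler loop, and it clears it unconditionally, so a nested execute() (the one a function call or include recurses into) hands control back with EG(opline_ptr) NULL instead of pointing at the caller's EX(opline); that is only correct if every such call site re-sets `EG(opline_ptr) = &EX(opline);` after the nested call returns, which this hunk does not show. Pairing the assignment at line 74 with a save/restore (`zend_op **saved_opline_ptr = EG(opline_ptr);` on entry, `EG(opline_ptr) = saved_opline_ptr;` before `return;`) yields NULL at the top level, which is where the crash in this report happens, and the caller's own opline at every nested level without depending on each call site. Also worth checking that the change is made in the template zend_vm_execute.h is generated from and not only in the generated file, or it will not survive the next regeneration.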
active_opline->lineno is *EG(opline_ptr)

We found this issue when php was crashing while dtrace plugin was loaded :

$ ./sapi/cli/php -d "auto_prepend_file=inc.inc" -d "include_path=/opt2/coolstackbld/svn/CoolStackDev/src/php5/php-5.2.6/tests/lang" -f /tmp/test.php

To simplify things, I wrote my test plugin and reproduced the crash.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=45751&edit=1
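The lifetime rule at the heart of this report, as an added C model that is not code from the bug report or from PHP: a global pointer (standing in for EG(opline_ptr)) is aimed at a stack-local execute_data by the executor, a guarded lookup (standing in for zend_get_executed_lineno()) reads through it, and a hooked executor like the reporter's plugin asks for the line between two scripts. The op format, the OP_PROBE instruction, the two exit policies and the scenario are assumptions made for the example; the engine's own handlers, call sites and the exact way they re-publish the pointer are not modelled. It contrasts the patch as posted (reset to NULL on return) with a save/restore, and shows why the NULL-only version makes a caller lose its own line after a nested call unless the call site puts the pointer back.

```c
/* Added illustration for bug #45751: a toy model, not PHP's source.  Names
 * mirror the engine (EX(opline), EG(opline_ptr)); everything else is assumed. */
#include <stddef.h>
#include <stdio.h>

enum op_kind { OP_NOP, OP_CALL, OP_PROBE };

typedef struct op_array op_array;
typedef struct {
    enum op_kind kind;
    unsigned lineno;
    const op_array *callee;    /* OP_CALL: op array run by a nested execute() */
} zend_op;
struct op_array { const zend_op *ops; size_t count; };

typedef struct { const zend_op *opline; } execute_data;   /* EX(opline) */

/* What execute() does to EG(opline_ptr) before it returns. */
enum exit_policy {
    RESET_TO_NULL,   /* the patch posted in this report */
    SAVE_RESTORE     /* put back whatever the pointer held on entry */
};

static const zend_op **eg_opline_ptr;   /* EG(opline_ptr) */

#define MAX_PROBES 8
static unsigned probe_log[MAX_PROBES];  /* OP_PROBE results, in order */
static size_t probe_count;

/* zend_get_executed_lineno(): guarded by the NULL check quoted in the report */
unsigned get_executed_lineno(void)
{
    return eg_opline_ptr ? (*eg_opline_ptr)->lineno : 0;
}

/* execute(): publishes the address of a stack-local execute_data, the pattern
 * at zend_vm_execute.h line 74, then runs the ops.  Nested calls recurse and
 * the caller does NOT re-publish its own opline afterwards, so the exit policy
 * alone decides what the caller sees when control comes back. */
static void vm_execute(const op_array *a, enum exit_policy policy)
{
    execute_data ed;
    const zend_op **saved = eg_opline_ptr;
    size_t i;

    eg_opline_ptr = &ed.opline;
    for (i = 0; i < a->count; i++) {
        ed.opline = &a->ops[i];
        if (ed.opline->kind == OP_CALL) {
            vm_execute(ed.opline->callee, policy);
        } else if (ed.opline->kind == OP_PROBE && probe_count < MAX_PROBES) {
            probe_log[probe_count++] = get_executed_lineno();
        }
    }
    /* the unpatched engine did neither: ed dies here while the global keeps
     * its address, which is the dangling pointer in this report */
    eg_opline_ptr = (policy == SAVE_RESTORE) ? saved : NULL;
}

typedef struct { unsigned after_prepend; unsigned probes[MAX_PROBES]; size_t nprobes; } scenario_result;

/* Constructed scenario shaped like the report: a prepended script runs to
 * completion, a hooked execute (like the test plugin) asks for the current
 * line before the main script starts, and the main script makes one call. */
scenario_result run_scenario(enum exit_policy policy)
{
    static const zend_op callee_ops[] = { { OP_PROBE, 3, NULL } };
    static const op_array callee = { callee_ops, 1 };
    static const zend_op main_ops[] = {
        { OP_NOP,   5, NULL },
        { OP_CALL,  7, &callee },
        { OP_PROBE, 8, NULL },    /* first op after the nested call returns */
    };
    static const op_array main_script = { main_ops, 3 };
    static const zend_op prepend_ops[] = { { OP_NOP, 1, NULL } };
    static const op_array prepend = { prepend_ops, 1 };
    scenario_result r;
    size_t i;

    eg_opline_ptr = NULL;
    probe_count = 0;
    vm_execute(&prepend, policy);
    r.after_prepend = get_executed_lineno();   /* the hook's question */
    vm_execute(&main_script, policy);
    r.nprobes = probe_count;
    for (i = 0; i < probe_count; i++) r.probes[i] = probe_log[i];
    return r;
}

/* Line the hook sees between the two scripts: 0 under both policies. */
unsigned lineno_seen_by_hook(enum exit_policy p) { return run_scenario(p).after_prepend; }

/* Line reported by the probe inside the callee: 3 under both policies. */
unsigned lineno_inside_callee(enum exit_policy p)
{
    scenario_result r = run_scenario(p);
    return r.nprobes == 2 ? r.probes[0] : (unsigned)-1;
}

/* Line reported in the caller right after its nested call returns:
 * 0 with RESET_TO_NULL (the caller's location is lost), 8 with SAVE_RESTORE. */
unsigned lineno_after_nested_call(enum exit_policy p)
{
    scenario_result r = run_scenario(p);
    return r.nprobes == 2 ? r.probes[1] : (unsigned)-1;
}

int main(void)
{
    printf("reset-to-NULL: hook=%u caller-after-call=%u\n",
           lineno_seen_by_hook(RESET_TO_NULL), lineno_after_nested_call(RESET_TO_NULL));
    printf("save/restore:  hook=%u caller-after-call=%u\n",
           lineno_seen_by_hook(SAVE_RESTORE), lineno_after_nested_call(SAVE_RESTORE));
    return 0;
}
```

Both policies make the hook's lookup between scripts safe, which is all the reported crash needs; the save/restore additionally keeps the caller's line correct across a nested execute() without every call site having to re-point EG(opline_ptr) at its own EX(opline).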