From:             phpbugs at colin dot guthr dot ie
Operating system: Linux
PHP version:      5.2.7RC3
PHP Bug Type:     Reproducible crash
Bug description:  Segfault on 64bit when chaining function calls that generate exceptions

Description:
------------
I seem to have uncovered a bug that has been affecting me for a while
(e.g. it affects 5.2.6 as well) but that, until now, I have been able to
work around.

I have confirmed this bug on both 5.2.6 and 5.2.7RC3 on x86_64. I have
confirmed this bug does *not* occur on i586 with these same versions.

The reproduce code has two examples. It should be obvious which is which
;)

I compiled up a fresh 5.2.7RC3 to produce the below backtrace.

Please remember that this bug affects x86_64 only.

I discovered this when using code in the Zend Framework in which this
scenario crops up in the natural flow of code.

Reproduce code:
---------------
<?php
class foo
{
  private function bar($x)
  {
    echo $x;
  }
  private function wibble()
  {
    throw new Exception("Wibble");
  }
  // Crashing variant: wibble() throws while its return value is still
  // being evaluated as an argument to bar().
  public function bug()
  {
    $this->bar($this->wibble());
  }
  // Working variant: the same calls, but the inner result is stored in a
  // variable first, so no call is pending when the exception is thrown.
  public function nobug()
  {
    $wibble = $this->wibble();
    $this->bar($wibble);
  }
}
$foo = new foo;
$foo->bug();
//$foo->nobug();


Expected result:
----------------
PHP Fatal error:  Uncaught exception 'Exception' with message 'Wibble' in
/home/colin/bug.php:10
Stack trace:
#0 /home/colin/bug.php(14): foo->wibble()
#1 /home/colin/bug.php(23): foo->bug()
#2 {main}
  thrown in /home/colin/bug.php on line 10


Actual result:
--------------
[EMAIL PROTECTED] pfx]$ gdb bin/php
GNU gdb 6.8-2mdv2009.0 (Mandriva Linux release 2009.0)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mandriva-linux-gnu"...
(gdb) set args bug.php
(gdb) run
Starting program: /home/colin/php/pfx/bin/php bug.php
[Thread debugging using libthread_db enabled]
[New Thread 0x7f75d9a056f0 (LWP 18074)]

Program received signal SIGSEGV, Segmentation fault.
zend_do_fcall_common_helper_SPEC (execute_data=0x7fffe1a4fbd0) at
/home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:289
289                             if (RETURN_VALUE_USED(ctor_opline)) {

Missing debug package(s), you should install: glibc-debug libxml2-debug
zlib-debug
(gdb) thread apply all bt full

Thread 1 (Thread 0x7f75d9a056f0 (LWP 18074)):
#0  zend_do_fcall_common_helper_SPEC (execute_data=0x7fffe1a4fbd0) at
/home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:289
        opline = (zend_op *) 0x7f75d9a2a770
        original_return_value = (zval **) 0x7fffe1a4fcd0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
#1  0x000000000064b8a4 in execute (op_array=0x7f75d9a2a108) at
/home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:92        
        execute_data = {opline = 0x7f75d9a2a770, function_state =
{function_symbol_table = 0x7f75d9a2d470,                   
    function = 0x7f75d9a2a108, reserved = {0x0, 0x7f75d9a2a200, 0x0,
0x7f75d9a2a210}}, fbc = 0x7f75d9a2cb90,                 
  op_array = 0x7f75d9a2a108, object = 0x7f75d9a29928, Ts = 0x7fffe1a4fa80,
CVs = 0x7fffe1a4fa60, original_in_execution = 0 '\0', 
  symbol_table = 0x9db608, prev_execute_data = 0x0, old_error_reporting =
0x0}                                                   
#2  0x00000000006290d1 in zend_execute_scripts (type=8, retval=0x51,
file_count=3)
    at /home/colin/php/php-5.2.7RC3/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area =
0x7fffe1a4fdd0, reg_save_area = 0x7fffe1a4fce0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffe1a52240
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#3  0x00000000005e741f in php_execute_script (primary_file=0x7fffe1a52240)
at /home/colin/php/php-5.2.7RC3/main/main.c:2023      
        realfile =
"/home/colin/php/pfx/bug.php\000\000\000\000\0000�%�u\177\000\000\000p��u\177\000\000\000\000\000\000\000\000\000\000����",
'\0' <repeats 12 times>,
"�U\232\000\000\000\000\000gister_an\000\000\000\000\000\000\000html_errH>\235",
'\0' <repeats 13 times>, "�P\204�u\177\000\000\001", '\0'
<repeats 15 times>,
"�\001&�u\177\000\000\020�5\000\000\000\000\0000�%�u\177",
'\0' <repeats 18 times>, "r�\204�u\177\000\000�\227i",
'\0' <repeats 13 times>, "\t:r\000\000\000\000\000�2c\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fffe1a52000
        __bailout = {{__jmpbuf = {140736979084336, -6156957097008169452,
140736979086864, 0, 140736979086864, 0,                   
      -6156957080977539564, 6156943864853954068}, __mask_was_saved = 0,
__saved_mask = {__val = {206158430215, 140736979082960,    
        0, 140736979082960, 22266960, 0, 140144139213016, 140144139214560,
6402516, 140144139213376, 140144139213096,
        140144139213056, 140144139213968, 140144139213016, 6921410, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = <value optimized out>
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      reader = 0, closer = 0, fteller = 0, interactive = 0}},
free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
      reader = 0, closer = 0, fteller = 0, interactive = 0}},
free_filename = 0 '\0'}
        retval = 0
#4  0x000000000069b0ce in main (argc=2, argv=0x7fffe1a52428) at
/home/colin/php/php-5.2.7RC3/sapi/cli/php_cli.c:1134
        __bailout = {{__jmpbuf = {0, -5642054132341337382,
7016452524537506151, 110, 8246765328184210536, 10305096,
      -6156957097001877996, 6156943771903458836}, __mask_was_saved = 0,
__saved_mask = {__val = {140144137211684,
        140144114257068, 23, 46448516, 140736979083392, 140736979083784,
140144114264912, 0, 140144139068736, 140144139071488,
        140144112053138, 140144114315624, 140144112046240, 4294967296,
4294967449, 140144114744752}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x7fffe1a52e10
"bug.php", opened_path = 0x0, handle = {fd = 22265984,
    fp = 0x153c080, stream = {handle = 0x153c080, reader = 0x63d0f0
<zend_stream_stdio_reader>,
      closer = 0x63d0d0 <zend_stream_stdio_closer>, fteller = 0x63d0c0
<zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = <value optimized out>
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffe1a52e10 "bug.php"
        arg_excp = (char **) 0x7fffe1a52430
        script_file = 0x7fffe1a52e10 "bug.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0
        ini_entries_len = <value optimized out>
(gdb)
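A triage-side helper, added here as an example and not part of this bug report or of PHP itself: a small Python parser that pulls the frame list out of a gdb `bt full` dump like the one above (tolerating the line wrapping the mail client introduced), strips the build-tree prefix the frames share so locations compare across reporters' machines, and derives a crash-bucket signature from the innermost frames. The sample backtrace is constructed from the frames in this report; the helper names (`parse_backtrace`, `normalize_paths`, `crash_signature`) are this example's own.

```python
import os
import re
from typing import List, NamedTuple


class Frame(NamedTuple):
    index: int
    function: str
    path: str
    line: int


# Constructed sample: the frame headers and a few locals from the report's
# backtrace, wrapped across lines the way the mailed report wraps them.
SAMPLE_BACKTRACE = """\
Thread 1 (Thread 0x7f75d9a056f0 (LWP 18074)):
#0  zend_do_fcall_common_helper_SPEC (execute_data=0x7fffe1a4fbd0) at
/home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:289
        opline = (zend_op *) 0x7f75d9a2a770
        current_scope = (zend_class_entry *) 0x0
#1  0x000000000064b8a4 in execute (op_array=0x7f75d9a2a108) at
/home/colin/php/php-5.2.7RC3/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x7f75d9a2a770, function_state =
{function_symbol_table = 0x7f75d9a2d470,
    function = 0x7f75d9a2a108}}
#2  0x00000000006290d1 in zend_execute_scripts (type=8, retval=0x51,
file_count=3)
    at /home/colin/php/php-5.2.7RC3/Zend/zend.c:1134
        i = 1
#3  0x00000000005e741f in php_execute_script (primary_file=0x7fffe1a52240)
at /home/colin/php/php-5.2.7RC3/main/main.c:2023
        retval = 0
#4  0x000000000069b0ce in main (argc=2, argv=0x7fffe1a52428) at
/home/colin/php/php-5.2.7RC3/sapi/cli/php_cli.c:1134
        exit_status = 0
"""

# One frame header: "#N  [0xADDR in ]func (args) at path:line".
# The mail client may break the line anywhere after the function name, so
# every whitespace in the pattern also matches a newline plus indentation.
FRAME_RE = re.compile(
    r"^#(?P<index>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<function>[A-Za-z_]\w*)\s*\((?P<args>.*?)\)\s+"
    r"at\s+(?P<path>\S+?):(?P<line>\d+)",
    re.MULTILINE | re.DOTALL,
)


def parse_backtrace(text: str) -> List[Frame]:
    """Extract (index, function, path, line) for every frame in a gdb 'bt' dump.

    Locals printed by 'bt full' are ignored: only lines starting with '#N' open
    a frame, and the non-greedy argument match stops at the first ') at'.
    """
    frames = [
        Frame(int(m["index"]), m["function"], m["path"], int(m["line"]))
        for m in FRAME_RE.finditer(text)
    ]
    return sorted(frames, key=lambda f: f.index)


def normalize_paths(frames: List[Frame]) -> List[Frame]:
    """Drop the directory prefix common to all frames (the reporter's build
    tree, /home/colin/php/php-5.2.7RC3 in the sample) so two reports built in
    different locations produce comparable locations."""
    if not frames:
        return []
    root = os.path.commonpath([os.path.dirname(f.path) for f in frames])
    return [f._replace(path=os.path.relpath(f.path, root)) for f in frames]


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key for grouping duplicate crash reports: the innermost
    `depth` function names, innermost first."""
    return "|".join(f.function for f in frames[:depth])


if __name__ == "__main__":
    frames = normalize_paths(parse_backtrace(SAMPLE_BACKTRACE))
    print("signature:", crash_signature(frames))
    for f in frames:
        print(f"#{f.index} {f.function} {f.path}:{f.line}")
```

Two reports with the same signature (here `zend_do_fcall_common_helper_SPEC|execute|zend_execute_scripts`) can be filed together, which is how a triager would recognise the reporter's 5.2.6 and 5.2.7RC3 crashes as one bug before reading either script.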



-- 
Edit bug report at http://bugs.php.net/?id=46568&edit=1