ID:               48668
 Updated by:       d...@php.net
 Reported By:      dmda at yandex dot ru
-Status:           Critical
+Status:           Verified
 Bug Type:         Reproducible crash
-Operating System: solaris 8
+Operating System: Solaris
 PHP Version:      5.3.0RC4
-Assigned To:      dmitry
+Assigned To:      dsp
 New Comment:

It looks like this is a memalign issue. PHP 5.3.0 is now built with
flags to avoid the crash. I assign the bug to myself to provide a proper
fix for the issue for 5.3.1


Previous Comments:
------------------------------------------------------------------------

[2009-06-24 12:21:10] johan...@php.net

When using --enable-debug the code works, without --enable-debug the
code fails, maybe that's the reason why I didn't see this before.

uname -a
SunOS techra46 5.8 Generic_117350-54 sun4u sparc SUNW,Sun-Fire-V210

The issue seems to be independent from the compiler but in some way
system dependent, another similar box worked for me.

------------------------------------------------------------------------

[2009-06-24 06:49:42] dmda at yandex dot ru

To me it looks like a bogus pointer appeared in the heap's cache first,
then it was returned by the allocator, called by ALLOC_ZVAL(). I see no
other reasons for the tmp pointer to have this strange value.

------------------------------------------------------------------------

[2009-06-24 00:32:54] scott...@php.net

Don't think it's endian specific, PPC chip works.

Will test with another sparc box shortly.

------------------------------------------------------------------------

[2009-06-23 22:16:22] dmda at yandex dot ru

Description:
------------
$ uname -a
SunOS qu1 5.8 Generic_108528-11 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
$ sapi/cli/php ./1.php
Bus Error (core dumped)
$ gdb --core core sapi/cli/php
....
Core was generated by `./php 1.php'.
Program terminated with signal 10, Bus error.
#0  0x002e7d80 in ZEND_FE_RESET_SPEC_TMP_HANDLER (execute_data=0x861cc0)
    at /export/home/jvlad/php/php5.3-200906221030/Zend/zend_vm_execute.h:5371
5371                            INIT_PZVAL_COPY(tmp, array_ptr);
(gdb) bt
#0  0x002e7d80 in ZEND_FE_RESET_SPEC_TMP_HANDLER (execute_data=0x861cc0)
    at /export/home/jvlad/php/php5.3-200906221030/Zend/zend_vm_execute.h:5371
#1  0x002d92a0 in execute (op_array=0x70bd90)
    at /export/home/jvlad/php/php5.3-200906221030/Zend/zend_vm_execute.h:104
#2  0x002b8d48 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /export/home/jvlad/php/php5.3-200906221030/Zend/zend.c:1188
#3  0x00266444 in php_execute_script (primary_file=0xffbefbf0)
    at /export/home/jvlad/php/php5.3-200906221030/main/main.c:2196
#4  0x003447d4 in main (argc=2, argv=0xffbefcac)
    at /export/home/jvlad/php/php5.3-200906221030/sapi/cli/php_cli.c:1188
(gdb) p array_ptr
$1 = (zval *) 0x861d14
(gdb) p *array_ptr
$2 = {value = {lval = 7458416, dval = 1.5848218932638939e-306, str = {val = 0x71ce70 "",
      len = 0}, ht = 0x71ce70, obj = {handle = 7458416, handlers = 0x0}}, refcount__gc = 0,
  type = 4 '\004', is_ref__gc = 0 '\0'}
(gdb) p tmp
Cannot access memory at address 0xfffffff0
(gdb) dump_bt executor_globals.current_execute_data
[0x00861cc0] ??? /export/home/jvlad/php/php5.3-200906221030/sapi/cli/1.php:2



Reproduce code:
---------------
$ cat 1.php
<?php
foreach (array("SPL", "Reflection", "Phar") as $ext) {
    if (!extension_loaded($ext)) {
        echo "$argv[0] requires PHP extension $ext.\n";
        exit(1);
    }
}
?> 




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=48668&edit=1
