From: dave at codewhore dot org
Operating system: Linux 2.4
PHP version: 5CVS-2003-05-31 (dev)
PHP Bug Type: Zend Engine 2 problem
Bug description: ZE2 crashes when switch() is used on the result of an assignment
Hi:
When switching on the result of an assignment to a member variable, and
the switch statement has more than one non-default case, ZE2 crashes in
compare_function. Here's a test script:
<?php
class grim_reaper
{
    function slaughter($val)
    {
        switch ($this->foo = $val)
        {
            case 'foo':
                break;
            case "Remove this case and I don't crash":
                break;
        }
    }
}

$r = new grim_reaper();
$r->slaughter('ze2');
?>
Here's some valgrind output:
==3548== Conditional jump or move depends on uninitialised value(s)
==3548==    at 0x8175234: zend_case_handler (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:3101)
==3548==    by 0x816EC54: execute (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:1247)
==3548==    by 0x8173AE8: zend_do_fcall_common_helper (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:2654)
==3548==    by 0x8173F3E: zend_do_fcall_by_name_handler (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:2725)
==3548==
==3548== Conditional jump or move depends on uninitialised value(s)
==3548==    at 0x8178DF8: _get_zval_ptr (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:73)
==3548==    by 0x8175295: zend_case_handler (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:3106)
==3548==    by 0x816EC54: execute (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:1247)
==3548==    by 0x8173AE8: zend_do_fcall_common_helper (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:2654)
==3548==
==3548== Invalid read of size 1
==3548==    at 0x81557BD: compare_function (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_operators.c:1189)
==3548==    by 0x8156173: is_equal_function (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_operators.c:1346)
==3548==    by 0x81752AD: zend_case_handler (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:3106)
==3548==    by 0x816EC54: execute (/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:1247)
==3548== Address 0xC is not stack'd, malloc'd or free'd
Here's a gdb backtrace:
#0 0x081557bd in compare_function (result=0xbfffd47c, op1=0x0,
op2=0x821d398) at
/archive/Sources/web-server/php-5.0-cvs/Zend/zend_operators.c:1189
#1 0x08156174 in is_equal_function (result=0xbfffd47c, op1=0x0,
op2=0x821d398) at
/archive/Sources/web-server/php-5.0-cvs/Zend/zend_operators.c:1346
#2 0x081752ae in zend_case_handler (execute_data=0xbfffd4a0,
op_array=0x821e67c) at
/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:3106
#3 0x0816ec55 in execute (op_array=0x821e67c) at
/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:1247
#4 0x08173ae9 in zend_do_fcall_common_helper (execute_data=0xbfffd6b0,
op_array=0x82172fc)
at /archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:2654
#5 0x08173f3f in zend_do_fcall_by_name_handler (execute_data=0xbfffd6b0,
op_array=0x82172fc)
at /archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:2725
#6 0x0816ec55 in execute (op_array=0x82172fc) at
/archive/Sources/web-server/php-5.0-cvs/Zend/zend_execute.c:1247
#7 0x08159c1d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /archive/Sources/web-server/php-5.0-cvs/Zend/zend.c:1008
#8 0x0811a3de in php_execute_script (primary_file=0xbffffab0) at
/archive/Sources/web-server/php-5.0-cvs/main/main.c:1678
#9 0x0817d574 in main (argc=2, argv=0xbffffb54) at
/archive/Sources/web-server/php-5.0-cvs/sapi/cli/php_cli.c:909
#10 0x401aabb4 in __libc_start_main () from /lib/libc.so.6
Let me know if there's anything else I can do.
Thanks,
- Dave
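The report above isolates the trigger to a switch whose subject is the temporary produced by a property assignment, with the backtrace showing compare_function receiving op1=0x0 on the second case. The following script is an added example, not part of the bug report: it restructures the same test case so the assignment happens first and the switch reads an ordinary variable, which is the usual way to keep a reproducer like this out of production code while the engine fix is pending. The public property declaration and the return values are assumptions added for illustration.

```php
<?php
// Added example (not from the bug report): the reporter's test case with the
// property assignment separated from the switch subject. The switch now
// compares a plain variable instead of the assignment's temporary result,
// which is the construct the report identifies as crashing ZE2 when more than
// one non-default case is present.
class grim_reaper
{
    public $foo;   // assumed: declared so the property is not created dynamically

    function slaughter($val)
    {
        // Step 1: perform the assignment on its own statement.
        $this->foo = $val;

        // Step 2: switch on the variable, not on the assignment expression.
        // Both non-default cases from the original script are kept so the
        // shape of the test case is unchanged apart from the subject.
        switch ($val)
        {
            case 'foo':
                return 'matched foo';
            case "Remove this case and I don't crash":
                return 'matched second case';
            default:
                return 'no match';
        }
    }
}

// Same call as the original script; with the subject moved into a variable
// this runs through compare_function with a valid operand on every case.
$r = new grim_reaper();
var_dump($r->slaughter('ze2'));
var_dump($r->foo);
?>
```

The original script remains the right minimal reproducer to attach to the bug; this variant only shows which part of the statement needs to change to sidestep the engine path in the backtrace.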
--
Edit bug report at http://bugs.php.net/?id=23925&edit=1