From: toni dot viemero at iki dot fi
Operating system: FreeBSD 5.4-BETA4
PHP version: 5.0.1
PHP Bug Type: Reproducible crash
Bug description: switch() with function and call in it segfaults
Description:
------------
I was investigating why Wordpress (www.wordpress.org) wp-login.php
segfaults my apache child and stripped the code down as far as possible to
reproduce the segfault.
[EMAIL PROTECTED]:~]$ php-5.0.1/sapi/cli/php -v
PHP 5.0.1 (cli) (built: Sep 18 2004 02:34:23) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.1, Copyright (c) 1998-2004 Zend Technologies
[EMAIL PROTECTED]:~]$ php-5.0.1/sapi/cli/php -e segfault.php
Segmentation fault (core dumped)
Compiled with:
./configure --enable-versioning --enable-memory-limit --enable-debug
--with-layout=GNU --with-config-file-scan-dir=/tmp --disable-all
--enable-libxml --enable-spl --with-regex=php
--with-apxs2=/usr/local/sbin/apxs --disable-ipv6 --prefix=/tmp
--with-bz2=/usr --enable-ctype --with-curl=/usr/local --enable-dba
--enable-dom --enable-exif --enable-ftp --with-gd
--with-freetype-dir=/usr/local --with-jpeg-dir=/usr/local
--with-png-dir=/usr/local --with-gettext=/usr/local
--with-iconv=/usr/local --with-imap=/usr/local --enable-mbstring
--with-mcrypt=/usr/local --with-mhash=/usr/local --with-mysql=/usr/local
--with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=yes
--with-pgsql=/usr/local --enable-posix --enable-session --enable-simplexml
--with-snmp=/usr/local --enable-ucd-snmp-hack --enable-soap
--with-libxml-dir=/usr/local --enable-sockets --with-sqlite
--with-tidy=/usr/local --enable-tokenizer --enable-wddx --enable-xml
--with-xmlrpc --with-expat-dir=/usr/local --with-iconv-dir=/usr/local
--with-libxml-dir=/usr/local --with-xsl=/usr/local --with-zlib=/usr
--with-zlib-dir=/usr
Reproduce code:
---------------
<?php
$action = '';
switch ($action) {
    default:
        function this_will_segfault() {
            return true;
        }
        if ( (this_will_segfault()) ) {
            print "true\n";
        }
        break;
}
?>
Expected result:
----------------
"true" printed.
Actual result:
--------------
(gdb) bt
#0 0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
__zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c",
__zend_lineno=208)
at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
#1 0x0833b202 in zend_switch_free (opline=0x85b0908, Ts=0xbfbfcec0) at
/home/toni/php-5.0.1/Zend/zend_execute.c:208
#2 0x0833b44f in zend_switch_free_handler (execute_data=0xbfbfcef0,
opline=0x85b0908, op_array=0x865eb00)
at /home/toni/php-5.0.1/Zend/zend_execute.c:3234
#3 0x08333ae1 in execute (op_array=0x865eb00) at
/home/toni/php-5.0.1/Zend/zend_execute.c:1400
#4 0x083395e4 in zend_do_fcall_common_helper (execute_data=0xbfbfd060,
opline=0x866644c, op_array=0x8658824)
at /home/toni/php-5.0.1/Zend/zend_execute.c:2737
#5 0x08339c9c in zend_do_fcall_by_name_handler (execute_data=0xbfbfd060,
opline=0x866644c, op_array=0x8658824)
at /home/toni/php-5.0.1/Zend/zend_execute.c:2822
#6 0x08333ae1 in execute (op_array=0x8658824) at
/home/toni/php-5.0.1/Zend/zend_execute.c:1400
#7 0x0830f5b0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/toni/php-5.0.1/Zend/zend.c:1061
#8 0x082c8b27 in php_execute_script (primary_file=0xbfbfe794) at
/home/toni/php-5.0.1/main/main.c:1627
#9 0x0834038c in main (argc=3, argv=0xbfbfe7f4) at
/home/toni/php-5.0.1/sapi/cli/php_cli.c:943
(gdb) frame 0
#0 0x08301b9c in _zval_ptr_dtor (zval_ptr=0xbfbfcef4,
__zend_filename=0x84d5990 "/home/toni/php-5.0.1/Zend/zend_execute.c",
__zend_lineno=208)
at /home/toni/php-5.0.1/Zend/zend_execute_API.c:389
389 (*zval_ptr)->refcount--;
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x865dba4 "this_will_segfault"
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x865db64 "/home/toni/segfault.php"
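As an added regression check (not part of the bug report or of PHP's own test suite), the following POSIX shell harness writes the reproducer above to a temporary file, runs it under the PHP binary given as its first argument, and reports PASS when "true" is printed, SEGFAULT when the child dies from signal 11 (exit status 128+11 = 139), and FAIL otherwise. The PHP binary path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added regression harness for the switch()/function-declaration crash.
# Assumption: $1 is the path of the PHP CLI binary to test.

# Write the report's reproducer script to the file named in $1.
write_repro() {
    cat > "$1" <<'EOF'
<?php
$action = '';
switch ($action) {
    default:
        function this_will_segfault() {
            return true;
        }
        if ( (this_will_segfault()) ) {
            print "true\n";
        }
        break;
}
?>
EOF
}

# Map an exit status ($1) and captured stdout ($2) to a verdict.
# 139 = 128 + SIGSEGV(11): the interpreter was killed by a segfault.
classify() {
    status=$1; output=$2
    if [ "$status" -eq 139 ]; then
        echo SEGFAULT
    elif [ "$status" -eq 0 ] && [ "$output" = "true" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# Run the reproducer under interpreter $1 and print the verdict.
check_repro() {
    php_bin=$1
    tmp=$(mktemp) || return 1
    write_repro "$tmp"
    status=0
    out=$("$php_bin" "$tmp" 2>/dev/null) || status=$?
    rm -f "$tmp"
    classify "$status" "$out"
}

if [ "$#" -gt 0 ]; then
    check_repro "$1"
fi
```

Invoke it as `sh check_repro.sh /path/to/php`; a fixed build prints PASS, a build affected by this bug prints SEGFAULT.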
--
Edit bug report at http://bugs.php.net/?id=30142&edit=1