From: feldgendler at mail dot ru
Operating system: Debian GNU/Linux
PHP version: 5.0.4
PHP Bug Type: Reproducible crash
Bug description: Crash in catch block when many arguments are used
Description:
------------
PHP crashes in a catch block. It happened in a real program, and I've
gradually reduced its complexity until I came to the simple testcase I'm
posting below. Both mod_php5 for Apache 2 and php5-cli crash on this
testcase.
Here is what I found during research:
In the beginning, I had multiple functions calling each other, like this:
catch (Exception $e) {
    function f2() { f3(0, 0); }
}
function f3() { f4(0, 0, 0); }
function f4() { f5(0, 0); }
...up to a quite deep nesting. I found that I can keep PHP crashing if I
carry the zeros from one function call to another, as long as their total
number does not decrease. I could even carry the zeros between the catch
block and the try block. Also I could exchange one level of nesting for
two additional zeros. So I collapsed them all into the argument list of
max(). The max() function was chosen arbitrarily; any function that takes
an unlimited number of arguments will do. The zeros can also be replaced
with values of any type. The crash can also be reproduced using
set_exception_handler() instead of a catch block.
Reproduce code:
---------------
<?php
// f1() throws while its return value is still pending as the last
// argument of the max() call below
function f1() { throw new Exception; }
function f2() { echo "here\n"; }
try {
// Currently it's the minimum required number of zeros
// If you remove one, it won't crash
max(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, f1());
} catch (Exception $e) {
echo "(((\n";
f2(0, 0, 0); // Won't crash if less than 3 zeros here
echo ")))\n";
}
?>
Expected result:
----------------
(((
here
)))
Actual result:
--------------
(((
here
Segmentation fault
Here is the stack dump (obtained from php-cli):
#0 0x081fb0b6 in _zval_ptr_dtor ()
#1 0x0822b47c in zend_do_fcall_common_helper ()
#2 0x0823bb73 in zend_do_fcall_handler ()
#3 0x08228c39 in execute ()
#4 0x08208414 in zend_execute_scripts ()
#5 0x081ce03d in php_execute_script ()
#6 0x0824c284 in main ()
--
Edit bug report at http://bugs.php.net/?id=34062&edit=1