From:             marc dot dassonneville at gmail dot com
Operating system: linux
PHP version:      5.1.4
PHP Bug Type:     Reproducible crash
Bug description:  zend_hash_find segfault 

Description:
------------
zend_hash_find segfault when calling property of null object

I can reproduce the SEGFAULT, but can't reduce the code (it is about 7K
lines).

It seems that the bug occurs when an object A returns null instead of an
object B, and I then try to access a property of B.

Example:
$foo->give_me_A()->property_of_B = $bar; // crash when give_me_A() returns
null.

If I test that $foo->give_me_A() doesn't return null before doing this call,
it doesn't segfault.

BUT... I can't manage to reproduce this bug in smaller code :/


I have included some GDB output below.

Segfault tested on: PHP 5.1.4 (cli) (built: Jul 19 2006 12:36:47) on an
old Linux box (2.4.20)
It also segfaults on: PHP 5.1.2 (cgi-fcgi) (built: Jul 19 2006 00:02:34)
on the latest KUbuntu (2.6.15)



Actual result:
--------------
GDB result on the old Linux box:

0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98,
method_name=0x8374b64 "get_client", method_len=10) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
738             if (zend_hash_find(&zobj->ce->function_table,
lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
(gdb) where
#0  0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98,
method_name=0x8374b64 "get_client", method_len=10) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
#1  0x08218f6a in ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER
(execute_data=0xbfffc9e0) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:20875
#2  0x081e28f8 in execute (op_array=0x83701b4) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:92
#3  0x081ca270 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/marc/tmp/PHP/php-5.1.4/Zend/zend.c:1109
#4  0x08190dc3 in php_execute_script (primary_file=0xbfffee10) at
/home/marc/tmp/PHP/php-5.1.4/main/main.c:1732
#5  0x0822eea3 in main (argc=3, argv=0xbfffeec4) at
/home/marc/tmp/PHP/php-5.1.4/sapi/cli/php_cli.c:1092
#6  0x400a45d9 in __libc_start_main () from /lib/libc.so.6



Some valgrind info on KUbuntu:

==32660==
==32660== Invalid read of size 4
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
==32660==  Address 0xA is not stack'd, malloc'd or (recently) free'd
==32660==
==32660== Process terminating with default action of signal 11 (SIGSEGV)
==32660==  Access not within mapped region at address 0xA
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)

-- 
Edit bug report at http://bugs.php.net/?id=38268&edit=1