ID: 11970
Updated by: yohgaki
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Scripting Engine problem
Old Operating System: SuSE7.0
Operating System: Linux 2.4.4/glibc 2.2.2
Old PHP Version: 4.0.6
PHP Version: 4.1.0
New Comment:

Problem does exist in 4.1.0 :(

Previous Comments:
------------------------------------------------------------------------

[2001-07-19 14:33:12] [EMAIL PROTECTED]

The fixes so far were bad; they were reverted, and this bug is now reopened.

------------------------------------------------------------------------

[2001-07-19 12:05:04] [EMAIL PROTECTED]

My initial fix was bogus, as I misdiagnosed what was going on.  The current fix is to 
allow returning of plain variables only (i.e., you can return $arr[$key], but you 
can't return @$arr[$key]).  This means that your script will not work (it'll error 
out), but won't crash either...

------------------------------------------------------------------------

[2001-07-15 12:48:52] [EMAIL PROTECTED]

Fixed in CVS - thanks for the tiny reproducing script!

------------------------------------------------------------------------

[2001-07-09 06:27:49] [EMAIL PROTECTED]

function &erm($key) { 
  return @$arr[$key];
}

$foo = erm('foo');
$bar = erm('bar');

(gdb) run bug3.php
Starting program: /usr/local/bin/php bug3.php

Program received signal SIGSEGV, Segmentation fault.
0x80a29e9 in execute (op_array=0x81d3348) at ./zend_execute.c:1592
1592     SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
(gdb) p retval_ptr_ptr
$1 = (zval **) 0x0
(gdb) bt
#0  0x80a29e9 in execute (op_array=0x81d3348) at ./zend_execute.c:1592
#1  0x80a26a8 in execute (op_array=0x81cdf5c) at ./zend_execute.c:1544
#2  0x8097234 in zend_execute_scripts (type=8, file_count=3) at zend.c:752
#3  0x8065b4f in php_execute_script (primary_file=0xbffff694) at main.c:1206
#4  0x8061173 in main (argc=2, argv=0xbffff724) at cgi_main.c:718
(gdb) list
1587    (opline->op1.op_type != IS_CONST) && 
1588    (opline->op1.op_type != IS_TMP_VAR)) {
1589              
1590    retval_ptr_ptr = get_zval_ptr_ptr(&opline->op1, Ts, BP_VAR_W);
1591    
1592    SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
1593                                                    
1594    (*retval_ptr_ptr)->refcount++;
1595    (*EG(return_value_ptr_ptr)) = (*retval_ptr_ptr);
1596     } else {

Notice that the second call [erm('bar')] actually triggers the segfault.

patch: I dunno, Zeev somebody? :)



------------------------------------------------------------------------
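The crash above is a NULL `zval **` being dereferenced on the return-by-reference path, and the 2001-07-19 comment describes erroring out for anything that is not a plain variable. The following C sketch is an added example, not Zend engine code and not the committed fix: it models that guard with hypothetical names (`val_t`, `operand_t`, `lookup_ptr_ptr`, `return_by_ref`) and assumes the lookup returns NULL whenever the operand has no addressable variable slot.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for engine structures (hypothetical, not Zend's own). */
typedef struct { int refcount; int is_ref; long value; } val_t;
typedef enum { OP_PLAIN_VAR, OP_EXPR_RESULT } op_kind;
typedef struct { op_kind kind; val_t **slot; } operand_t;
enum { RET_OK = 0, RET_ERR_NOT_A_VARIABLE = -1, RET_ERR_NOMEM = -2 };

/* Models a write-mode operand lookup. Assumption: only a plain variable has
 * an addressable slot; any other operand yields NULL (the 0x0 seen in gdb). */
static val_t **lookup_ptr_ptr(const operand_t *op) {
    return op->kind == OP_PLAIN_VAR ? op->slot : NULL;
}

/* Split a shared value off into its own copy, then flag it as a reference.
 * The caller must guarantee pp and *pp are non-NULL. */
static int separate_and_make_ref(val_t **pp) {
    if ((*pp)->is_ref) return RET_OK;
    if ((*pp)->refcount > 1) {
        val_t *copy = malloc(sizeof *copy);
        if (!copy) return RET_ERR_NOMEM;
        *copy = **pp;
        copy->refcount = 1;
        (*pp)->refcount--;
        *pp = copy;
    }
    (*pp)->is_ref = 1;
    return RET_OK;
}

/* Guarded return-by-reference: reject operands without a slot before any
 * dereference, so the script gets an error instead of the process a SIGSEGV. */
int return_by_ref(const operand_t *op, val_t **return_slot) {
    val_t **pp = lookup_ptr_ptr(op);
    if (pp == NULL || *pp == NULL)
        return RET_ERR_NOT_A_VARIABLE;
    int rc = separate_and_make_ref(pp);
    if (rc != RET_OK) return rc;
    (*pp)->refcount++;
    *return_slot = *pp;
    return RET_OK;
}
```

The caller is expected to turn `RET_ERR_NOT_A_VARIABLE` into a script-level error, which matches the "will error out, but won't crash" behaviour described in the thread.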