#38268 [NEW]: zend_hash_find segfault
by Marc Dot Dassonneville At Gmail Dot Com other posts by this author
Jul 31 2006 9:11AM messages near this date
From:             marc dot dassonneville at gmail dot com
Operating system: linux
PHP version:      5.1.4
PHP Bug Type:     Reproducible crash
Bug description:  zend_hash_find segfault 

Description:
------------
zend_hash_find segfault when calling property of null object

I can reproduce the SEGFAULT, but can't reduce the code (the code is
7K lines).

It seems that the bug occurs when an object A returns null instead of an
object B, and I then try to access a property of B.

Example:
$foo->give_me_A()->property_of_B = $bar; // crash when give_me_A() returns null.

If I test that $foo->give_me_A() doesn't return null before doing this call,
it doesn't segfault.

BUT... I can't manage to reproduce this bug in smaller code :/


I give some GDB output below.

Segfault tested on: PHP 5.1.4 (cli) (built: Jul 19 2006 12:36:47) on an
old linux box (2.4.20)
It also segfaults on: PHP 5.1.2 (cgi-fcgi) (built: Jul 19 2006 00:02:34)
on the latest KUbuntu (2.6.15)



Actual result:
--------------
GDB result on the old linux box:

0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98,
method_name=0x8374b64 "get_client", method_len=10) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
738             if (zend_hash_find(&zobj->ce->function_table,
lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
(gdb) where
#0  0x081e0098 in zend_std_get_method (object_ptr=0xbfffbe98,
method_name=0x8374b64 "get_client", method_len=10) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_object_handlers.c:738
#1  0x08218f6a in ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER
(execute_data=0xbfffc9e0) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:20875
#2  0x081e28f8 in execute (op_array=0x83701b4) at
/home/marc/tmp/PHP/php-5.1.4/Zend/zend_vm_execute.h:92
#3  0x081ca270 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/marc/tmp/PHP/php-5.1.4/Zend/zend.c:1109
#4  0x08190dc3 in php_execute_script (primary_file=0xbfffee10) at
/home/marc/tmp/PHP/php-5.1.4/main/main.c:1732
#5  0x0822eea3 in main (argc=3, argv=0xbfffeec4) at
/home/marc/tmp/PHP/php-5.1.4/sapi/cli/php_cli.c:1092
#6  0x400a45d9 in __libc_start_main () from /lib/libc.so.6



Some valgrind info on KUbuntu:

==32660==
==32660== Invalid read of size 4
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
==32660==  Address 0xA is not stack'd, malloc'd or (recently) free'd
==32660==
==32660== Process terminating with default action of signal 11 (SIGSEGV)
==32660==  Access not within mapped region at address 0xA
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)

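As an added triage example (not part of the original report), a small Python script that parses the valgrind block above and classifies the fault: the faulting address 0xA lies inside the first page, which is what a field read through a NULL pointer looks like, matching the "property of a null object" description. The sample text is copied from the report; the 4096-byte page-size threshold is an assumption.

```python
import re

# Excerpt copied from the valgrind output in the bug report (constructed sample input).
VALGRIND_SAMPLE = """\
==32660== Invalid read of size 4
==32660==    at 0x8282B54: (within /usr/bin/php5-cgi)
==32660==    by 0x82B5896: (within /usr/bin/php5-cgi)
==32660==    by 0x8286381: execute (in /usr/bin/php5-cgi)
==32660==    by 0x826B814: zend_execute_scripts (in /usr/bin/php5-cgi)
==32660==    by 0x822D2F7: php_execute_script (in /usr/bin/php5-cgi)
==32660==    by 0x8300285: main (in /usr/bin/php5-cgi)
==32660==  Address 0xA is not stack'd, malloc'd or (recently) free'd
==32660== Process terminating with default action of signal 11 (SIGSEGV)
"""

PAGE_SIZE = 4096  # assumption: the first page is unmapped, so faults there are NULL-relative

FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+(0x[0-9A-Fa-f]+):\s+(.*)$")
ERROR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (.*)$")
SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\)")

def parse_valgrind(text):
    """Extract the first memory error: kind, access size, faulting address, frames, signal."""
    report = {"kind": None, "size": None, "address": None, "frames": [], "signal": None}
    for line in text.splitlines():
        if report["kind"] is None and (m := ERROR_RE.match(line)):
            report["kind"], report["size"] = m.group(1), int(m.group(2))
        elif report["kind"] and report["address"] is None and (m := FRAME_RE.match(line)):
            # frames are listed between the error line and its "Address ..." line
            report["frames"].append((int(m.group(1), 16), m.group(2).strip()))
        elif report["address"] is None and (m := ADDR_RE.match(line)):
            report["address"] = int(m.group(1), 16)
        elif m := SIGNAL_RE.search(line):
            report["signal"] = m.group(2)
    return report

def classify(report):
    """Coarse triage: a fault inside the first page is a field read through a NULL pointer."""
    addr = report["address"]
    if addr is None:
        return "no faulting address"
    if addr < PAGE_SIZE:
        return "null-deref (offset 0x%x)" % addr
    return "wild/invalid pointer"

def symbolized_frames(report):
    """Frame names valgrind could resolve; stripped binaries show up as '(within ...)'."""
    return [desc.split(" ")[0] for _, desc in report["frames"] if not desc.startswith("(within")]
```

The unresolved top two frames are why the gdb backtrace from the unstripped 5.1.4 build (zend_std_get_method reading zobj->ce) is the more useful of the two traces.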