Bug #17486 Updated: Segfault with using &= with empty string and references

mfischer Tue, 28 May 2002 10:07:20 -0700

 ID:               17486
 Updated by:       [EMAIL PROTECTED]
-Summary:          Seg Fault
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
-Bug Type:         Class/Object related
+Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      4.2.0
 New Comment:


Here simlper example:

<?

$foo = '';

function bar() {
    global $foo;
    $baz = '';
    $baz &= $foo;
}

bar();

?>

It's important that $baz is an empty string and $foo is any kind of
string.


Previous Comments:
------------------------------------------------------------------------

[2002-05-28 13:06:12] [EMAIL PROTECTED]

<?
$testvar = 'TEST';

class foo {
var $x = '';
    function foo() {
        global $testvar;
        $this->x &= $testvar;
        echo $this->x."<br>";
        $testvar = 'asd';
        echo $this->x."<br>";
    }
}

$c &= new foo();
?>

After building with --enable-debug
#0  0x400cc013 in memcpy () at ../sysdeps/generic/memcpy.c:64
No locals.
#1  0x40373223 in buf.108 () at fopen_wrappers.c:289
        fopen_url_wrappers_hash = {nTableSize = 7, nTableMask =
1078735665, nNumOfElements = 23, 
  nNextFreeElement = 1077541536, pInternalPointer = 0x68, pListHead =
0x4052df80, pListTail = 0x0, arBuckets = 0x404c332c, 
  pDestructor = 0x4, persistent = 0 '\000', nApplyCount = 0 '\000',
bApplyProtection = 0 '\000', inconsistent = 0}
#2  0x403731de in buf.108 () at fopen_wrappers.c:289
        fopen_url_wrappers_hash = {nTableSize = 7, nTableMask =
1078735665, nNumOfElements = 23, 
  nNextFreeElement = 1077541536, pInternalPointer = 0x68, pListHead =
0x4052df80, pListTail = 0x0, arBuckets = 0x404c332c, 
  pDestructor = 0x4, persistent = 0 '\000', nApplyCount = 0 '\000',
bApplyProtection = 0 '\000', inconsistent = 0}
#3  0x40371e0c in buf.108 () at main.c:1313
        ini_entries = 0x4049e87c
        module_initialized = -941861495
        short_track_vars_names = 0x4049e848
        short_track_vars_names_length = 0x4049e864
#4  0x4038c468 in buf.108 () at output.c:212
        ref_str = "\000\000\000\000\213\205p���\200x\016\000tD\203"
#5  0x4037d500 in p_ere_exp (p=0x81e0ca4) at regcomp.c:254
        p = (struct parse *) 0xd05cd
        c = -65 '�'
        pos = 4
        count = 0
        count2 = 0
        subno = 183193859
        wascaret = 1078686977
#6  0x4038002f in smatcher (g=0x81da55c, string=0x2 <Address 0x2 out of
bounds>, nmatch=1747936628, pmatch=0x40391c7d, 
    eflags=1078970900) at engine.c:91
        endp = 0x40387e21 "\203� \213E\b�H\f�\024\215t&"
        i = 0
        mv = {g = 0x81da69c, eflags = 136187044, pmatch = 0x81de9b4,
offp = 0x81e03b4 "\b", 
  beginp = 0x81e0ca4 "\002�\035\b", endp = 0x40368690
"U\211�\213E\b\213U\f\212", coldp = 0x403686ec "[\201�(C\031", 
  lastpos = 0x404fca14, dummy = 0, st = 136187044, fresh = 0, tmp =
3221218020, empty = 0}
        m = (struct smat *) 0x403688b0
        dp = 0x4052d7c8 "\200"
        gf = 131331
        gl = 3
        start = 0x81e0420 "\\\016\036\bl\004\036\b"
        stop = 0x960 <Address 0x960 out of bounds>
#7  0x40391d44 in buf.108 () at jewish.c:476
        monthsPerYear = {2105775221, -2079391732, 138, -8616449,
-1115422721, -132, -1960479487, 1300832329, -1672115280, 
  -1994112373, 474622913, -1951642231, 1241755725, -1202878184,
-340507255, 7769433, 11042179, 1435177333, -1673163856}
        yearOffset = {958153259, 58633285, -1951644279, 1300998213,
541131676, 957890819, 58570821, -2085075575, 
  1962976381, -1269462255, 1000097163, 108864592, -1994110837,
1166783565, 675318684, -2136455935, -2062614469, -854, 
  818563}
#8  0x403a5b57 in buf.108 () at gd.c:2420
        le_gd = 0
---Type <return> to continue, or q <return> to quit--- 
        le_gd_font = 0
        le_ps_enc = 0
        le_ps_font = 0
        php_sig_gd2 = "8pu"
#9  0x4039ffd0 in buf.108 () at gd.c:1453
        le_gd = 0
        le_gd_font = 0
        le_ps_enc = 0
        le_ps_font = 0
        php_sig_gd2 = "8pu"
#10 0x403a0f68 in buf.108 () at gd.c:1453
        le_gd = 0
        le_gd_font = 0
        le_ps_enc = 0
        le_ps_font = 0
        php_sig_gd2 = "8pu"
#11 0x403a0ff3 in buf.108 () at gd.c:1453
        le_gd = 0
        le_gd_font = 0
        le_ps_enc = 0
        le_ps_font = 0
        php_sig_gd2 = "8pu"
#12 0x8055ae9 in ap_invoke_handler ()
No symbol table info available.
#13 0x806c1df in process_request_internal ()
No symbol table info available.
#14 0x806c252 in ap_process_request ()
No symbol table info available.
#15 0x8062ae6 in child_main ()
No symbol table info available.
#16 0x8062cc5 in make_child ()
No symbol table info available.
#17 0x8062e46 in startup_children ()
No symbol table info available.
#18 0x80634ed in standalone_main ()
No symbol table info available.
#19 0x8063d6c in main ()
No symbol table info available.
#20 0x4008ca8e in __libc_start_main () at
../sysdeps/generic/libc-start.c:93
No locals.

------------------------------------------------------------------------

[2002-05-28 12:51:52] [EMAIL PROTECTED]

Backtrace without ZendOptimizer:

Program received signal SIGSEGV, Segmentation fault.
0x4036bea7 in buf.108 () at php_variables.c:192
192     }
(gdb) bt
#0  0x4036bea7 in buf.108 () at php_variables.c:192
#1  0x404b0ad4 in pam_strerror () from /lib/libpam.so.0
#2  0x403868d9 in buf.108 () at gd.c:271
#3  0x4037671c in buf.108 () at zlib.c:1050
#4  0x4037a8f5 in buf.108 () at doaddsub.c:231
#5  0x4038adb3 in buf.108 () at gd.c:1453
#6  0x403997a6 in buf.108 () at php_imap.c:864
#7  0x40394d6e in buf.108 () at php_imap.c:864
#8  0x40395930 in buf.108 () at php_imap.c:864
#9  0x403959a5 in buf.108 () at php_imap.c:864
#10 0x8055ae9 in ap_invoke_handler ()
#11 0x806c1df in process_request_internal ()
#12 0x806c252 in ap_process_request ()
#13 0x8062ae6 in child_main ()
#14 0x8062cc5 in make_child ()
#15 0x8062e46 in startup_children ()
#16 0x80634ed in standalone_main ()
#17 0x8063d6c in main ()
#18 0x4008ca8e in __libc_start_main () at
../sysdeps/generic/libc-start.c:93

------------------------------------------------------------------------

[2002-05-28 12:51:40] [EMAIL PROTECTED]

Please post a script whcih makes PHP crash and try without
ZendOptimizer first.

Derick

------------------------------------------------------------------------

[2002-05-28 12:49:50] [EMAIL PROTECTED]

http://bate.de/bug/class.php
http://bate.de/bug/class_source.php


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x4036bea7 in buf.108 () at php_variables.c:192
192     }
(gdb) bt
#0  0x4036bea7 in buf.108 () at php_variables.c:192
#1  0x404b0ad4 in pam_strerror () from /lib/libpam.so.0
#2  0x403868d9 in buf.108 () at gd.c:271
#3  0x407d0895 in zend_assign_to_variable_reference () from
/usr/local/Zend/lib/ZendOptimizer.so
#4  0x407d6908 in zend_assign_to_variable_reference () from
/usr/local/Zend/lib/ZendOptimizer.so
#5  0x407e0325 in zend_oe () from /usr/local/Zend/lib/ZendOptimizer.so
#6  0x4038adb3 in buf.108 () at gd.c:1453
#7  0x403997a6 in buf.108 () at php_imap.c:864
#8  0x40394d6e in buf.108 () at php_imap.c:864
#9  0x40395930 in buf.108 () at php_imap.c:864
#10 0x403959a5 in buf.108 () at php_imap.c:864
#11 0x8055ae9 in ap_invoke_handler ()
#12 0x806c1df in process_request_internal ()
#13 0x806c252 in ap_process_request ()
#14 0x8062ae6 in child_main ()
#15 0x8062cc5 in make_child ()
#16 0x8062e46 in startup_children ()
#17 0x80634ed in standalone_main ()
#18 0x8063d6c in main ()
#19 0x4008ca8e in __libc_start_main () at
../sysdeps/generic/libc-start.c:93

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=17486&edit=1

Bug #17486 Updated: Segfault with using &= with empty string and references

Reply via email to