ID: 26053
Updated by: [email][/email]
Reported By: ikaraszi at prim dot hu
-Status: Open
+Status: Wont fix
Bug Type: Scripting Engine problem
Operating System: Debian GNU/Linux unstable
PHP Version: 4.3.3
New Comment:

Related to bug #22836, bug #22510, or whatever.
Do not return a scalar that is not a variable by reference.

Previous Comments:

[2003-10-31 07:04:35] ikaraszi at prim dot hu

Our scripts (both mod_php and CGI/command line version) segfaulted.
Tracing the problem showed that the errors occured after a return()
statement. (The program ran ok until the return statement, but it never
did return into the function calling it.)

We have been able to reproduce the possible basis of the problem, see
the attached code. This code doesn't segfault, but does display an
error. We think that more complex usage leads to segfaults.

The following backtrace has been produced with one of our complex
scripts, not the one attached, so it's only provided for reference.
Program received signal SIGSEGV, Segmentation fault.
0x081455c9 in _mem_block_check (ptr=0x81ceaa4, silent=0,
__zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c",
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
675 memcpy(&end_magic, (((char *)
p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) bt
#0 0x081455c9 in _mem_block_check (ptr=0x81ceaa4, silent=0,
__zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c",
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
#1 0x081456ce in _mem_block_check (ptr=0x81ceaa4, silent=1,
__zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c",
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
#2 0x08144b42 in _efree (ptr=0x81ceaa4,
__zend_filename=0x3ffff038 <Address 0x3ffff038 out of bounds>,
__zend_orig_filename=0x3ffff038 <Address 0x3ffff038 out of
__zend_orig_lineno=1073737784) at
#3 0x081609f0 in zend_assign_to_variable_reference (result=0x83cfa18,
value_ptr_ptr=0x83d95e0, Ts=0xbfffe6cc) at
#4 0x08162845 in execute (op_array=0x83cdfa8) at
#5 0x0814c72f in call_user_function_ex (function_table=0x0,
object_pp=0x0, function_name=0x0,
retval_ptr_ptr=0xbffff038, param_count=0, params=0x8344c7c,
no_separation=1, symbol_table=0x0)
at /root/php4-4.3.3/Zend/zend_execute_API.c:567
#6 0x0814c152 in call_user_function (function_table=0x3ffff038,
function_name=0x3ffff038, retval_ptr=0xbffff070, param_count=0,
at /root/php4-4.3.3/Zend/zend_execute_API.c:409
#7 0x080bd610 in user_shutdown_function_call
at /root/php4-4.3.3/ext/standard/basic_functions.c:2007
#8 0x08159c88 in zend_hash_apply (ht=0x833be3c, apply_func=0x80bd5d0
at /root/php4-4.3.3/Zend/zend_hash.c:698
#9 0x080bd929 in php_call_shutdown_functions ()
at /root/php4-4.3.3/ext/standard/basic_functions.c:2088
#10 0x08124da2 in php_request_shutdown (dummy=0x0) at
#11 0x08168bf0 in main (argc=4, argv=0xbffff804) at

Reproduce code:
class Test {
var $testarray = array();

function testCase() {
$x =& $this->getNull();
if (is_object($x['element'])) {

function &getNull() {
* uncomment following (two) lines to work around the
//if (isset($testarray['test']))


$t = new Test();

Expected result:

Actual result:
/root/php4-4.3.3/Zend/zend_execute.c(1711) : Freeing 0x0820E0C4 (12
bytes), script=test-case2.php


Edit this bug report at [url][/url]