Bug #63830 Segfault on undefined function call in nested generator
Submitted: 2012-12-21 17:23 UTC
Modified: 2013-01-05 05:38 UTC
From: [email protected]
Assigned: nikic
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.5.0alpha2
OS:
Private report: No
CVE-ID: None
 [2012-12-21 17:23 UTC] [email protected]
Description:
------------
In the given test script PHP will crash during destruction of the outer generator:

#0  0x08251d6f in zval_delref_p (pz=0x4)
    at /home/nikic/dev/php-src/Zend/zend.h:406
#1  i_zval_ptr_dtor (__zend_lineno=132, 
    __zend_filename=0x84ad810 "/home/nikic/dev/php-src/Zend/zend_generators.c", zval_ptr=0x4) at /home/nikic/dev/php-src/Zend/zend_execute.h:76
#2  _zval_ptr_dtor (zval_ptr=0xb7fc4cd4, 
    __zend_filename=0x84ad810 "/home/nikic/dev/php-src/Zend/zend_generators.c", __zend_lineno=132) at /home/nikic/dev/php-src/Zend/zend_execute_API.c:428
#3  0x082924a4 in zend_generator_close (generator=0xb7fc41d0, 
    finished_execution=0 '\000', tsrm_ls=0x850a050)
    at /home/nikic/dev/php-src/Zend/zend_generators.c:132
#4  0x0829265c in zend_generator_free_storage (generator=0xb7fc41d0, 
    tsrm_ls=0x850a050) at /home/nikic/dev/php-src/Zend/zend_generators.c:180
#5  0x0829e57b in zend_objects_store_free_object_storage (objects=0x850bcb8, 
    tsrm_ls=0x850a050) at /home/nikic/dev/php-src/Zend/zend_objects_API.c:92
#6  0x082515d2 in shutdown_executor (tsrm_ls=0x850a050)
    at /home/nikic/dev/php-src/Zend/zend_execute_API.c:295
#7  0x082669cd in zend_deactivate (tsrm_ls=0x850a050)
    at /home/nikic/dev/php-src/Zend/zend.c:938
#8  0x081c7755 in php_request_shutdown (dummy=0x0)
    at /home/nikic/dev/php-src/main/main.c:1789
#9  0x083c8384 in do_cli (argc=2, argv=0xbffff394, tsrm_ls=0x850a050)
    at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1171

The reason is that the argument stack has the argument number pushed at the end, so the code tries to zval_ptr_dtor the pointer 0x4.

I'm not yet sure how to best fix this. One would need some way to know whether the last argument is actually the argument count.

Test script:
---------------
<?php

function gen() {
    i_totally_dont_exist();
    yield; // force generator
}

function function_with_4_args() {
    $gen = gen();
    $gen->rewind();
}

function outerGen() {
    function_with_4_args(0, 1, 2, 3);
    yield; // force generator
}

$outerGen = outerGen();
$outerGen->rewind();
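
The failure mode described in the report, as an added example that is not part of the original report and is not Zend Engine code: a simplified C model of an argument stack whose last slot holds the argument count. `value`, `arg_stack`, `cleanup_naive` and `cleanup_framed` are hypothetical names, and the frame-aware unwinding is one illustrative way to tell a count from a value, assuming every frame on the stack is complete; it is not the fix that was committed.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { int refcount; } value;      /* stand-in for a zval */
typedef struct { void *slot[16]; size_t top; } arg_stack;
static value pool[8];                        /* every real value lives here */
static int is_value(const void *p) {         /* model-only oracle: is p inside pool? */
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool;
    return a >= lo && a < lo + sizeof pool && (a - lo) % sizeof(value) == 0;
}
/* Push argc arguments, then argc itself as a bare integer in the last slot. */
static void push_call(arg_stack *s, size_t first, size_t argc) {
    for (size_t i = 0; i < argc; i++) {
        pool[first + i].refcount++;
        s->slot[s->top++] = &pool[first + i];
    }
    s->slot[s->top++] = (void *)(uintptr_t)argc;
}
/* Flawed cleanup: every slot is assumed to be a value; returns the bad slot it would dereference. */
static void *cleanup_naive(arg_stack *s) {
    for (size_t i = 0; i < s->top; i++) {
        if (!is_value(s->slot[i])) return s->slot[i];
        ((value *)s->slot[i])->refcount--;
    }
    return NULL;
}
/* Frame-aware cleanup: the top slot is a count; release that many values. -1 on a bad count. */
static int cleanup_framed(arg_stack *s) {
    while (s->top > 0) {
        size_t argc = (size_t)(uintptr_t)s->slot[--s->top];
        if (argc > s->top) return -1;
        while (argc--) ((value *)s->slot[--s->top])->refcount--;
    }
    return 0;
}
uintptr_t demo_naive_bad_slot(void) {
    arg_stack s = {{0}, 0};
    push_call(&s, 0, 4);                     /* constructed: the report's 4-argument call */
    return (uintptr_t)cleanup_naive(&s);     /* the count, read as a pointer */
}
/* Constructed input: two stacked calls (4 and 2 arguments); sums the refcounts left over. */
int demo_framed_leaked(void) {
    arg_stack s = {{0}, 0};
    int leaked = 0;
    push_call(&s, 0, 4); push_call(&s, 4, 2);
    if (cleanup_framed(&s) != 0) return -1;
    for (size_t i = 0; i < 8; i++) leaked += pool[i].refcount;
    return leaked;
}
int main(void) { return !(demo_naive_bad_slot() == 4 && demo_framed_leaked() == 0); }
```

In the model the naive pass hands back the value 4, the same 0x4 that appears as `zval_ptr` in frame #1 of the backtrace.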


 [2013-01-05 05:38 UTC] [email protected]
assign to you, in case we forget it
 [2013-01-05 05:38 UTC] [email protected]
-Assigned To: +Assigned To: nikic
 [2013-02-01 18:54 UTC] [email protected]
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=114245c1b9cf153583c918e130faccc1f61d3ba5
Log: Fix bug #63830: Segfault on undefined function call in nested generator
 [2013-02-01 18:54 UTC] [email protected]
-Status: Assigned +Status: Closed
 [2013-11-17 09:31 UTC] [email protected]
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=114245c1b9cf153583c918e130faccc1f61d3ba5
Log: Fix bug #63830: Segfault on undefined function call in nested generator