PHP :: Bug #24394 :: Serializing xref'd objects segfaults.

Bug #24394

Serializing xref'd objects segfaults.

Submitted:

2003-06-29 19:37 UTC

Modified:

2003-11-04 11:08 UTC

Votes:	7
Avg. Score:	4.4 ± 1.4
Reproduced:	2 of 3 (66.7%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

hoesh at dorsum dot hu

Assigned:

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

5.0.0 Beta 2

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2003-06-29 19:37 UTC] hoesh at dorsum dot hu

Description:
------------
On request shutdown session file is created, but stay locked with zero size. CPU have no load, and nothing happens. No crash. I've tried older 5CVS bins, and it seems to be an older bug. Serialization and anything else works well for me. 5.0.0-Beta1 also contains this bug. Leaving out session_start & session_register. :)

Reproduce code:
---------------
<?
session_start();
if (!isset($HTTP_SESSION_VARS["count"]))
{
    session_register("count");
    $count = &$HTTP_SESSION_VARS["count"];
    $count = 1;
} else
    $count = &$HTTP_SESSION_VARS["count"];
echo $count++;
?>


Expected result:
----------------
1, 2, 3... by refreshing the page.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-07-06 06:56 UTC] hos dot endre at axelero dot hu

Okay: The subjected problem was solved by un-double-quoting the session.save_path and remove the backslash from the end of line. Anyway, until this the engine was able to create the file. After that I had to get familiar with the new php_dom exension, which I think is great, but not documented yet. So then comes a serialization problem: objects in my project held reference to each other, and the last-time-workin-good serialization crashed on this extra. Right now I solved the problem by unbuilding theese references before serialization, and rebuilding them on wakeup. Now I can test the ZE2 editions new features, thank you for the help!

Also, here is a sample script that doesn't work for me:

<?

class a
{
	var $b;

	function a()
	{
		$this->b = new b;
	}

	function setupb()
	{
		$this->b->setupa($this);
	}
}

class b
{
	var $a;

	function setupa($a)
	{
		$this->a = $a;
	}
}

$a = new a;
$a->setupb();
echo "<pre>This workx!\r\n";
echo serialize($a);

?>

[2003-07-07 08:24 UTC] sniper@php.net

Works 'fine' in PHP_4_3 branch, segfaults with PHP 5:

#0  0x813de25 in fast_call_user_function (function_table=0x81c3338, object_pp=0x4029b688, function_name=0xbfe021a8, 
    retval_ptr_ptr=0xbfe02178, param_count=0, params=0x0, no_separation=1, symbol_table=0x0, 
    function_pointer=0xbfe020b4) at /usr/src/web/php/php5/Zend/zend_execute_API.c:477
#1  0x813de10 in call_user_function_ex (function_table=0x81c3338, object_pp=0x4029b688, function_name=0xbfe021a8, 
    retval_ptr_ptr=0xbfe02178, param_count=0, params=0x0, no_separation=1, symbol_table=0x0)
    at /usr/src/web/php/php5/Zend/zend_execute_API.c:476
#2  0x80fdd63 in php_var_serialize_intern (buf=0xbfffd024, struc=0x4029b688, var_hash=0xbfffd030)
    at /usr/src/web/php/php5/ext/standard/var.c:555
#3  0x80fe90e in php_var_serialize_intern (buf=0xbfffd024, struc=0x4029b5a0, var_hash=0xbfffd030)
    at /usr/src/web/php/php5/ext/standard/var.c:620
#4  0x80fe90e in php_var_serialize_intern (buf=0xbfffd024, struc=0x4029b688, var_hash=0xbfffd030)
    at /usr/src/web/php/php5/ext/standard/var.c:620
#5  0x80fe90e in php_var_serialize_intern (buf=0xbfffd024, struc=0x4029b5a0, var_hash=0xbfffd030)
    at /usr/src/web/php/php5/ext/standard/var.c:620
#6  0x80fe90e in php_var_serialize_intern (buf=0xbfffd024, struc=0x4029b688, var_hash=0xbfffd030)
    at /usr/src/web/php/php5/ext/standard/var.c:620
.
.
.
.
Frame #6 is repeated couple of thousand times.. :)

[2003-11-03 18:35 UTC] sniper@php.net

In addition to the crash, when the serialize call is commented out, these leaks are reported:

/usr/src/web/php/php5/Zend/zend_hash.c(236) :  Freeing 0x40E46D10 (37 bytes), script=t.php
Last leak repeated 1 time
/usr/src/web/php/php5/Zend/zend_execute.c(3098) :  Freeing 0x40E46CAC (44 bytes), script=t.php
/usr/src/web/php/php5/Zend/zend_API.c(713) : Actual location (location was relayed)
Last leak repeated 1 time
/usr/src/web/php/php5/Zend/zend_objects.c(106) :  Freeing 0x40E46C68 (12 bytes), script=t.php
Last leak repeated 1 time
/usr/src/web/php/php5/Zend/zend_execute.c(3097) :  Freeing 0x40E46C24 (16 bytes), script=t.php
Last leak repeated 1 time
/usr/src/web/php/php5/Zend/zend_API.c(714) :  Freeing 0x40E469B8 (32 bytes), script=t.php
/usr/src/web/php/php5/Zend/zend_hash.c(157) : Actual location (location was relayed)
Last leak repeated 1 time

[2003-11-04 09:42 UTC] moriyoshi@php.net

The leaks have nothing to do with the serialization function. That's due to circular references between two objects.

[2003-11-04 11:08 UTC] moriyoshi@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 04 06:01:27 2025 UTC