php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34712 zend.ze1_compatibility_mode = on segfault
Submitted: 2005-10-03 10:05 UTC Modified: 2005-10-20 10:56 UTC
From: jason at jasonjustman dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2005-10-03 (snap) OS: *
Private report: No CVE-ID: None
 [2005-10-03 10:05 UTC] jason at jasonjustman dot com
Description:
------------
segfault in solaris 10, using php-5.0.6-dev - php5-STABLE-200510030637


Program received signal SIGSEGV, Segmentation fault.
0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
181             new_obj_val = zend_objects_new(&new_object, old_object->ce TSRMLS_CC);

(gdb) backtrace
#0  0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
#1  0xff019970 in zval_add_ref_or_clone (p=0x0) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:127


Reproduce code:
---------------
can't exactly pin down reproduceable code, but it seems to be something similar to the following:

class aggrevator {
 function aggrevator(&$obj) {
   $this->obj = &$obj;
   $this->_call();
 }
 function _call()
 {
  $this->obj->callback();
 }
}

class helper {
function helper(&$obj)
 {
  $this->obj_ref = &$obj;
 }
}

class parent { }
class child extends parent {
 function callback() {
   $this->_helper = new helper($this);
 }
}
  
$c = new child;
$h = new helper($c);


Expected result:
----------------
not to crash...


Actual result:
--------------
f'd in the a, segfault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-03 10:29 UTC] jason at jasonjustman dot com
last two lines of sample code should be:

$c = new child;
$a = new aggrevator($c);
 [2005-10-03 12:13 UTC] dmitry@php.net
This test case must not work at all.

$ php -d "zend.ze1_compatibility_mode=1" bug34712.php

Fatal error: Cannot use 'parent' as class name as it is reserved in /home/dmitry/php/test/bug34712.php on line 20

Without "parent" it works fine on Linux/i386.

Try to make full rebuild.
 [2005-10-03 18:02 UTC] jason at jasonjustman dot com
Like i said before, i can't track down the exact sequence (stacktrace of the .php script code shows its in the 12-14th depth), and for full debug - only after parsing about 15kloc of code. 

When adding in debugging php source code in the new call ( $this->_helper = new helper($this);), it prevents the crash but in one case a print_r($this) in the aggrevator:: scope resulted in an empty object. 

This testcase is more pseudocode of the segfault pattern than actual instance.  If you'd like I can privately attach the application source - but again, its not an application problem - as turning off ze1_compat doesn't cause a segfault , but is required for implicit clone.

This happens in the same spot for the 5.0.5, 5.0.6-dev and 5.0.6-latest - even after building in seperate directories with no caching enabled.
 [2005-10-03 22:23 UTC] sniper@php.net
We really need a reproducing script. Please try come up with one.

 [2005-10-04 08:44 UTC] jason at jasonjustman dot com
http://www.jasonjustman.com/crash.phps

line 114 is what causes the segfault:

$this->_transform_actions = new base_object_meta_transform_actions($this);

its not clean nor tight, but an example of the pattern that causes it to crash
 [2005-10-04 09:18 UTC] sniper@php.net
Dmitry, with the provided script I can reproduce this.

 [2005-10-18 22:16 UTC] jason at jasonjustman dot com
still present in:

PHP 5.1.0RC3 (cli) (built: Oct 18 2005 08:28:41)
Copyright (c) 1997-2005 The PHP Group
Zend Engine v2.1.0-dev, Copyright (c) 1998-2005 Zend Technologies
 [2005-10-20 10:56 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_1 together with bug #34767
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC