php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39297 Bus Error during shutdown
Submitted: 2006-10-29 13:50 UTC Modified: 2006-11-16 01:00 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 3 (33.3%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: jeff at procata dot com Assigned: dmitry (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.1.6 OS: Mac OS X 10.3.9
Private report: No CVE-ID: None
 [2006-10-29 13:50 UTC] jeff at procata dot com
Description:
------------
I'm getting a reproducable Bus Error / Segfault with PHP 
CLI.  The same occurs in 5.1.2, 5.1.6 and 5.2.0rc4.

The error is reproducible, but difficult to isolate into 
a small example.

Reproduce code:
---------------
The code that triggers the segfault is similiar to

ByRef($this->obj['test'], $this->obj);

Where

function byRef(&$first, &$second)

and obj implements ArrayAccess with a method

public function offsetGet($offset) {
    $cannonicalName = strtolower($offset);
    return $this->children[$cannonicalName];
}



Expected result:
----------------
PHP Fatal error:  Objects used as arrays in post/pre 
increment/decrement must return values by reference

Actual result:
--------------
Program received signal EXC_BAD_ACCESS, Could not access 
memory.
_zend_is_inconsistent (ht=0xffffffff, file=0x1 <Address 
0x1 out of bounds>, line=112) at /Users/jeff/Downloads/
php-5.1.6/Zend/zend_hash.c:53
53              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  _zend_is_inconsistent (ht=0xffffffff, file=0x1 
<Address 0x1 out of bounds>, line=112) at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_hash.c:53
#1  0x001b7f68 in zend_hash_destroy (ht=0xffffffff) at /
Users/jeff/Downloads/php-5.1.6/Zend/zend_hash.c:512
#2  0x001c7130 in zend_object_std_dtor 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:40
#3  0x001c73c8 in zend_objects_free_object_storage 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:111
#4  0x001ca5d8 in zend_objects_store_free_object_storage 
(objects=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects_API.c:86
#5  0x0019fa74 in shutdown_executor () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_execute_API.c:281
#6  0x001add74 in zend_deactivate () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend.c:854
#7  0x00169c5c in php_request_shutdown 
(dummy=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
main/main.c:1292
#8  0x00232284 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php-5.1.6/sapi/cli/php_cli.c:1246


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-10-29 13:54 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-10-29 16:28 UTC] jeff at procata dot com
From php5.2-200610291330:

Program received signal EXC_BAD_ACCESS, Could not access 
memory.
0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
412             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
#1  0x0032dcf8 in _zval_ptr_dtor_wrapper 
(zval_ptr=0x16a46f3) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c:175
#2  0x0033fa44 in zend_hash_destroy (ht=0x1654118) at /
Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_hash.c:521
#3  0x0035789c in zend_object_std_dtor 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:45
#4  0x00357d70 in zend_objects_free_object_storage 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:122
#5  0x0035c9a4 in zend_objects_store_free_object_storage 
(objects=0x49e148) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects_API.c:86
#6  0x0031a474 in shutdown_executor () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend_execute_API.c:
299
#7  0x0032fd34 in zend_deactivate () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend.c:840
#8  0x002c1b9c in php_request_shutdown (dummy=0x0) at /
Users/jeff/Downloads/php5.2-200610291330/main/main.c:
1300
#9  0x003d0cb8 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php5.2-200610291330/sapi/cli/
php_cli.c:1259
 [2006-10-29 20:21 UTC] jeff at procata dot com
Trying to isolate this further, I now get:

[Sun Oct 29 15:14:13 2006]  Script:  'bootstrap.php'
/Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_vm_execute.h(7451) :  Freeing 0x0158FB60 (16 
bytes), script=bootstrap.php
Last leak repeated 1 time
=== Total 2 memory leaks detected ===
 [2006-10-29 22:13 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2006-10-29 23:09 UTC] jeff at procata dot com
Got it.  :)

<?php

function compareByRef(&$first, &$second) {
    return $first === $second;
}

class MyTree implements ArrayAccess {
    public $parent;
    public $children = array();

    public function offsetExists($offset) {}

    public function offsetUnset($offset) {}

    public function offsetSet($offset, $value) {
        $cannonicalName = strtolower($offset);
        $this->children[$cannonicalName] = $value;
        $value->parent = $this;
    }    
    
    public function offsetGet($offset) {
        $cannonicalName = strtolower($offset);
        return $this->children[$cannonicalName];
    }

}

$id = 'Test';

$root = new MyTree();
$child = new MyTree();
$root[$id] = $child;

var_dump(compareByRef($root[$id], $child));

?>
 [2006-11-08 21:09 UTC] tony2001@php.net
This code works just fine with PHP 5.2.0.
 [2006-11-16 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC