PHP :: Bug #39297 :: Bus Error during shutdown

Bug #39297

Bus Error during shutdown

Submitted:

2006-10-29 13:50 UTC

Modified:

2006-11-16 01:00 UTC

Votes:	3
Avg. Score:	4.3 ± 0.9
Reproduced:	1 of 3 (33.3%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

jeff at procata dot com

Assigned:

dmitry (profile)

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

5.1.6

OS:

Mac OS X 10.3.9

Private report:

CVE-ID:

None

View Developer Edit

[2006-10-29 13:50 UTC] jeff at procata dot com

Description:
------------
I'm getting a reproducable Bus Error / Segfault with PHP 
CLI.  The same occurs in 5.1.2, 5.1.6 and 5.2.0rc4.

The error is reproducible, but difficult to isolate into 
a small example.

Reproduce code:
---------------
The code that triggers the segfault is similiar to

ByRef($this->obj['test'], $this->obj);

Where

function byRef(&$first, &$second)

and obj implements ArrayAccess with a method

public function offsetGet($offset) {
    $cannonicalName = strtolower($offset);
    return $this->children[$cannonicalName];
}



Expected result:
----------------
PHP Fatal error:  Objects used as arrays in post/pre 
increment/decrement must return values by reference

Actual result:
--------------
Program received signal EXC_BAD_ACCESS, Could not access 
memory.
_zend_is_inconsistent (ht=0xffffffff, file=0x1 <Address 
0x1 out of bounds>, line=112) at /Users/jeff/Downloads/
php-5.1.6/Zend/zend_hash.c:53
53              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  _zend_is_inconsistent (ht=0xffffffff, file=0x1 
<Address 0x1 out of bounds>, line=112) at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_hash.c:53
#1  0x001b7f68 in zend_hash_destroy (ht=0xffffffff) at /
Users/jeff/Downloads/php-5.1.6/Zend/zend_hash.c:512
#2  0x001c7130 in zend_object_std_dtor 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:40
#3  0x001c73c8 in zend_objects_free_object_storage 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:111
#4  0x001ca5d8 in zend_objects_store_free_object_storage 
(objects=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects_API.c:86
#5  0x0019fa74 in shutdown_executor () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_execute_API.c:281
#6  0x001add74 in zend_deactivate () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend.c:854
#7  0x00169c5c in php_request_shutdown 
(dummy=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
main/main.c:1292
#8  0x00232284 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php-5.1.6/sapi/cli/php_cli.c:1246

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-10-29 13:54 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

[2006-10-29 16:28 UTC] jeff at procata dot com

From php5.2-200610291330:

Program received signal EXC_BAD_ACCESS, Could not access 
memory.
0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
412             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
#1  0x0032dcf8 in _zval_ptr_dtor_wrapper 
(zval_ptr=0x16a46f3) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c:175
#2  0x0033fa44 in zend_hash_destroy (ht=0x1654118) at /
Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_hash.c:521
#3  0x0035789c in zend_object_std_dtor 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:45
#4  0x00357d70 in zend_objects_free_object_storage 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:122
#5  0x0035c9a4 in zend_objects_store_free_object_storage 
(objects=0x49e148) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects_API.c:86
#6  0x0031a474 in shutdown_executor () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend_execute_API.c:
299
#7  0x0032fd34 in zend_deactivate () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend.c:840
#8  0x002c1b9c in php_request_shutdown (dummy=0x0) at /
Users/jeff/Downloads/php5.2-200610291330/main/main.c:
1300
#9  0x003d0cb8 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php5.2-200610291330/sapi/cli/
php_cli.c:1259

[2006-10-29 20:21 UTC] jeff at procata dot com

Trying to isolate this further, I now get:

[Sun Oct 29 15:14:13 2006]  Script:  'bootstrap.php'
/Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_vm_execute.h(7451) :  Freeing 0x0158FB60 (16 
bytes), script=bootstrap.php
Last leak repeated 1 time
=== Total 2 memory leaks detected ===

[2006-10-29 22:13 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2006-10-29 23:09 UTC] jeff at procata dot com

Got it.  :)

<?php

function compareByRef(&$first, &$second) {
    return $first === $second;
}

class MyTree implements ArrayAccess {
    public $parent;
    public $children = array();

    public function offsetExists($offset) {}

    public function offsetUnset($offset) {}

    public function offsetSet($offset, $value) {
        $cannonicalName = strtolower($offset);
        $this->children[$cannonicalName] = $value;
        $value->parent = $this;
    }    
    
    public function offsetGet($offset) {
        $cannonicalName = strtolower($offset);
        return $this->children[$cannonicalName];
    }

}

$id = 'Test';

$root = new MyTree();
$child = new MyTree();
$root[$id] = $child;

var_dump(compareByRef($root[$id], $child));

?>

[2006-11-08 21:09 UTC] tony2001@php.net

This code works just fine with PHP 5.2.0.

[2006-11-16 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC