Bug #9016 PHP/Apache seg fault when serializing complex objects
Submitted: 2001-01-30 18:40 UTC
Modified: 2001-04-28 14:51 UTC
From: dave dot bonora at frogwerk dot com
Assigned:
Status: Closed
Package: Reproducible Crash
PHP Version: 4.0.4pl1
OS: RedHat 6.1
Private report: No
CVE-ID: None
 [2001-01-30 18:40 UTC] dave dot bonora at frogwerk dot com
I'm getting segmentation faults whenever I use the serialize function to serialize a tree of objects.

Consider the following (these are similar structures to what I'm actually using that are causing the crash):

class TreeNode {
   var $subNodes;
   function &getSubNodes() { return $this->subNodes; }
   function &addSubNode($newSubNode) {
       $this->subNodes[] = $newSubNode;
       return $this->subNodes[count($this->subNodes) - 1];
   }
   function deleteSubNode($pos) {
       array_splice($this->subNodes, $pos, 1);
   }
}

class Data extends TreeNode {
   var $var1;
   var $var2;
   var $var3;
   var $var4;
   var $var5;
   var $var6;
   var $var7;
 
   var $varArray1 = array();  // array of objects
   var $varArray2 = array();  // assoc. array
   var $varArray3 = array();  // assoc. array
   var $varArray4 = array();  // assoc. array
   var $varArray5 = array();  // assoc. array

   // multiple get/set functions for properties
   function getVar1() { return $this->var1; }
   function setVar1($newVal) { $this->var1 = $newVal; }
   ...
   ...
}

Now, imagine starting with a base Data object...
   $base = new Data();
and adding other sub nodes to it...
   $sub1 = &$base->addSubNode(new Data());
   $sub2 = &$base->addSubNode(new Data());
   $sub3 = &$base->addSubNode(new Data());
and adding sub nodes to sub nodes...
   $sub1->addSubNode(new Data());
   $sub1->addSubNode(new Data());
   $sub1->addSubNode(new Data());
   $sub2->addSubNode(new Data());
   $sub3->addSubNode(new Data());
etc, etc... to where you end up with a tree structure.

The segmentation fault is occurring when I'm trying to serialize the tree structure using the 'serialize' function.
   serialize($base);

Here's the error I get while running ./httpd -X in gdb:
Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x54) at malloc.c:3005
3005   malloc.c: No such file or directory

After I get that error, the script continues to execute.  But, sometimes I get the following in different areas where serialize($base) is being used multiple times:

Program received signal SIGSEGV, Segmentation fault.
_efree (ptr=0x0) at zend_alloc.c:211
211         CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);

Here's the gdb backtrace:
#0  _efree (ptr=0x0) at zend_alloc.c:211
#1  0x80c667d in php_var_serialize (buf=0x82ecaf4, struc=0x8314e30,
    var_hash=0xbfff5c5c) at var.c:311
#2  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x8314e70,
    var_hash=0xbfff5c5c) at var.c:349
#3  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x8314ea8,
    var_hash=0xbfff5c5c) at var.c:349
#4  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x8314ee8,
    var_hash=0xbfff5c5c) at var.c:349
#5  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x82ec0f0,
    var_hash=0xbfff5c5c) at var.c:349
#6  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x83181a0,
    var_hash=0xbfff5c5c) at var.c:349
#7  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x8315720,
    var_hash=0xbfff5c5c) at var.c:349
#8  0x80c68ba in php_var_serialize (buf=0x82ecaf4, struc=0x81fd404,
    var_hash=0xbfff5c5c) at var.c:349
#9  0x80c71ec in php_if_serialize (ht=1, return_value=0x82ecaf4, this_ptr=0x0,
    return_value_used=1) at var.c:631
#10 0x81048bc in execute (op_array=0x82d39c4) at ./zend_execute.c:1519
#11 0x8104aa1 in execute (op_array=0x8208650) at ./zend_execute.c:1559
#12 0x8104aa1 in execute (op_array=0x81ff41c) at ./zend_execute.c:1559
#13 0x80dee38 in zend_execute_scripts (type=8, file_count=3) at zend.c:729
#14 0x807d2d8 in php_execute_script (primary_file=0xbffffa24) at main.c:1221
#15 0x80ea08e in apache_php_module_main (r=0x81e8144, display_source_mode=0)
    at sapi_apache.c:89
#16 0x807aed6 in send_php ()
#17 0x807af08 in send_parsed_php ()
#18 0x810ea03 in ap_invoke_handler ()
#19 0x8121f39 in process_request_internal ()
#20 0x8121f9c in ap_process_request ()
#21 0x811983e in child_main ()
#22 0x81199cc in make_child ()
#23 0x8119b29 in startup_children ()
#24 0x811a156 in standalone_main ()
#25 0x811a8e3 in main ()
#26 0x400ad9cb in __libc_start_main (main=0x811a59c <main>, argc=2,
    argv=0xbffffbd4, init=0x8061e04 <_init>, fini=0x8147e7c <_fini>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffbcc)
    at ../sysdeps/generic/libc-start.c:92


I'm using RedHat 6.1 / Apache 1.3.12 / PHP 4.0.4pl1
PHP is configured as a DSO
configure options for PHP are "--with-apxs=/usr/local/apache/bin/apxs --with-mysql --with-ftp --with-xml --enable-track-vars"

Hope that helps.  I can try to create a script that can recreate the problem, but I've been unsuccessful in the couple of times I've already tried.  Let me know what else you need of me.

 [2001-04-28 14:51 UTC] derick@php.net
I could not reproduce this with the latest CVS version. Reopen if you can reproduce this with PHP 4.0.5 when it's released next week. And then please include the script that segfaults for you.
 
Last updated: Fri Oct 24 12:00:01 2025 UTC