Bug #12049 Crash in Zend Engine
Submitted: 2001-07-11 09:28 UTC Modified: 2001-10-02 18:25 UTC
From: nassar at wpi dot edu Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0.6 OS: Debian GNU/Linux
Private report: No CVE-ID: None
 [2001-07-11 09:28 UTC] nassar at wpi dot edu
PHP is crashing on a call to an object method.  Currently,
the code is too complex to paste here. Will try to create
simpler example. Here's a gdb backtrace:

# gdb /usr/sbin/apache.dbg
GNU gdb 19990928
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public
License, and you are
welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show
warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) run -X
Starting program: /usr/sbin/apache.dbg -X

Program received signal SIGSEGV, Segmentation fault.
0x40267713 in execute (op_array=0x8237f04) at
../../Zend/zend_execute.c:1140
1140
				zend_fetch_var_address(&opline->result, &opline->op1,
&opline->op2, Ts, BP_VAR_W ELS_CC);
(gdb) bt
#0  0x40267713 in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1140
#1  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#2  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#3  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#4  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#5  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#6  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#7  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#8  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#9  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#10 0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#11 0x40269f0f in execute (op_array=0x8237f04)
---Type <return> to continue, or q <return> to quit---q
 at ../../Zend/zend_execute.c:1544Quit
(gdb) p opline
$1 = (zend_op *) 0x823de5c
(gdb) p *optline
$2 = {opcode = 83 'S', result = {op_type = 4, u = {constant
= {value = {
          lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht
= 0x0, obj = {
            ce = 0x0, properties = 0x0}}, type = 0 '\000',
is_ref = 0 '\000', 
        refcount = 0}, var = 0, opline_num = 0, fetch_type = 0, 
      op_array = 0x0, EA = {var = 0, type = 0}}}, op1 =
{op_type = 1, u = {
      constant = {value = {lval = 136544148, dval =
1.0677440727493824e-313, 
          str = {val = 0x8237f94 "other", len = 5}, ht =
0x8237f94, obj = {
            ce = 0x8237f94, properties = 0x5}}, type = 3
'\003', 
        is_ref = 1 '\001', refcount = 2}, var = 136544148, 
      opline_num = 136544148, fetch_type = 136544148,
op_array = 0x8237f94, 
      EA = {var = 136544148, type = 5}}}, op2 = {op_type =
8, u = {constant = {
        value = {lval = 1, dval = 4.9406564584124654e-324,
str = {
            val = 0x1 <Address 0x1 out of bounds>, len = 0},
ht = 0x1, obj = {
            ce = 0x1, properties = 0x0}}, type = 0 '\000',
is_ref = 0 '\000', 
        refcount = 0}, var = 1, opline_num = 1, fetch_type = 1, 
      op_array = 0x1, EA = {var = 1, type = 0}}},
extended_value = 0, 
  lineno = 1056}
(gdb) 

 [2001-07-11 10:32 UTC] nassar at wpi dot edu
This code reproduces the crash:

<?php
// The order of the class definitions and the empty classes matter:
// reordering them or removing the empty class definitions stops the
// crash (see the follow-up comments in this report).
class A {}
class B extends A {}
class D extends C
{
    function zoom()
    {
        // A::zoom() was left out of the reproducer to save space; when
        // the crash does not occur, PHP reports
        // "Call to undefined function: zoom()" on this line.
        return (parent::zoom());
    }
}
class E extends D {}
class C extends B
{
    function C()          // PHP 4 constructor
    {
        $this->x = 5;
    }
}

class Storage
{
    var $items;
    function Storage()    // PHP 4 constructor
    {
        $this->items = array();
    }
    function add()
    {
        $foo = new E();
        $this->items[] = $foo;
        end($this->items);
        return key($this->items);
    }
    function get($who)
    {
        return $this->items[$who];
    }
}

$Store = new Storage();
$ID = $Store->add();
$Obj = $Store->get($ID);

// Segfaults here
$Obj->zoom();
?>

 [2001-07-11 13:56 UTC] zeev@php.net
The code snippet you supplied doesn't work - it dies with 
<b>Fatal error</b>:  Call to undefined function:  zoom() in <b>test.php</b> on line <b>9</b><br>
test.php(9) : Fatal error - Call to undefined function:  zoom()

At any rate - the backtrace appears to suggest you have some endless recursive call.  This is most probably the problem.
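Zeev's reading of the trace (the same execute frame repeated at zend_execute.c:1544) can be checked mechanically when triaging crash reports. The helper below is an added example, not part of this report or of PHP: it parses gdb `bt` output of the kind posted above, joining wrapped frame lines and skipping the pager prompt, and reports the longest run of identical consecutive frames. Its sample input is a constructed excerpt of the reporter's trace.

```python
import re

# Constructed excerpt of the gdb "bt" output posted in the report (frames #0-#3),
# with the pager prompt and the "Quit" echo the parser has to tolerate.
SAMPLE_BT = """\
#0  0x40267713 in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1140
#1  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#2  0x40269f0f in execute (op_array=0x8237f04)
    at ../../Zend/zend_execute.c:1544
#3  0x40269f0f in execute (op_array=0x8237f04)
---Type <return> to continue, or q <return> to quit---q
 at ../../Zend/zend_execute.c:1544Quit
"""

# "#N  0xADDR in func (args) at file:line"; the line group stops at the digits,
# so gdb's trailing "Quit" echo is ignored.
FRAME_RE = re.compile(r"#\d+\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\w+)\s*\((?P<args>[^)]*)\)"
                      r"\s+at\s+(?P<file>\S+?):(?P<line>\d+)")

def parse_backtrace(text):
    """Return (func, args, file, line) tuples, joining wrapped frame lines."""
    frames, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---Type <return>"):
            continue  # blank line or gdb pager prompt
        if line.startswith("#"):
            if cur is not None:
                frames.append(cur)
            cur = line
        elif cur is not None:
            cur += " " + line  # "at file:line" wrapped onto the next line
    if cur is not None:
        frames.append(cur)
    parsed = [FRAME_RE.search(f) for f in frames]
    return [(m["func"], m["args"], m["file"], int(m["line"])) for m in parsed if m]

def longest_repeat(frames):
    """Longest run of identical consecutive frames (same function, args and
    source line), the pattern that suggests runaway recursion."""
    best, best_sig, run, prev = 0, None, 0, None
    for sig in frames:
        run = run + 1 if sig == prev else 1
        if run > best:
            best, best_sig = run, sig
        prev = sig
    return best, best_sig
```

A long run of identical frames with the same op_array argument is what the recursion reading rests on; the count is bounded by the frames actually captured, and the reporter quit the pager at frame #11.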
 [2001-07-11 14:38 UTC] nassar at wpi dot edu
Hmmmm...

That code snippet crashes on my system before it has even
given the error message.

It's a very strange bug. Things that shouldn't make a
difference, such as taking out empty class definitions or
changing the order of the class definitions, will stop the
code from crashing. I'm sure that there isn't an endless
recursive call anywhere because just changing the order of
the class definitions prevents it from crashing.

Generating the error messages that you received is the
correct behavior for the code I gave. :)

Originally, I had a zoom() function in the A class, so that
the code would actually work if there was not a segfault,
but I found that the code segfaulted with or without it, so
I just left it out to save space.

I'd be glad to give you any other information that might
help you reproduce the crash.

I'm using a Debian GNU/Linux i386 2.2 (potato) system with
Ximian Gnome packages and the PHP 4.0.6 packages and apache
1.3.20 packages from Debian woody.
 [2001-08-19 04:48 UTC] sniper@php.net
Does this happen with latest CVS snapshot:

http://snaps.php.net/


 [2001-10-02 18:25 UTC] sniper@php.net
No feedback.
