Bug #46753 crash when calling is_subclass_of () (works with PHP 5.3 and above!)
Submitted: 2008-12-05 00:23 UTC Modified: 2009-04-09 01:00 UTC
Votes:5
Avg. Score:4.2 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (20.0%)
From: essen at dev-extend dot eu Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.2CVS-2009-02-15 OS: Linux Ubuntu 8.10
Private report: No CVE-ID: None
 [2008-12-05 00:23 UTC] essen at dev-extend dot eu
Description:
------------
I encountered a strange crash. I can reproduce it, it always happens, but only under very specific conditions. It first happened when I changed a completely unrelated part of my code in a different file of the project.

PHP crashes on an is_subclass_of call. This call worked correctly before my changes, and still works correctly on the other pages. Other is_subclass_of calls work fine too. I'm not sure what triggers this, as I've only changed a few methods, nothing changing the outcome of the script...

Another thing. If I add a require_once before the is_subclass_of call, there is no crash. The crash only happens when the class isn't defined in the current script, which should and does trigger the autoload callback to load the class. The class is successfully loaded by the callback, the crash happens only after.

I'm not sure what more I can say. If you need further details, feel free to ask.

Actual result:
--------------
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
[New process 19175]
#0  0xb72c372a in is_a_impl (ht=-47466807, return_value=0xb9a602b0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    only_subclass=1 '\001')
    at /build/buildd/php5-5.2.6/Zend/zend_builtin_functions.c:657
657	/build/buildd/php5-5.2.6/Zend/zend_builtin_functions.c: No such file or directory.
	in /build/buildd/php5-5.2.6/Zend/zend_builtin_functions.c
(gdb) bt
#0  0xb72c372a in is_a_impl (ht=-47466807, return_value=0xb9a602b0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    only_subclass=1 '\001')
    at /build/buildd/php5-5.2.6/Zend/zend_builtin_functions.c:657
#1  0xb72ecba3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf854fd8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:200
#2  0xb72d803b in execute (op_array=0xb9a5c364)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#3  0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf8552b8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#4  0xb72d803b in execute (op_array=0xb9a5bb8c)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#5  0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf8555c8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#6  0xb72d803b in execute (op_array=0xb99d71b0)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#7  0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf855e18)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#8  0xb72d803b in execute (op_array=0xb9a17614)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#9  0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf856248)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#10 0xb72d803b in execute (op_array=0xb9a17d94)
---Type <return> to continue, or q <return> to quit---
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#11 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf8565d8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#12 0xb72d803b in execute (op_array=0xb9a06ca0)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#13 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf856a08)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#14 0xb72d803b in execute (op_array=0xb9a0d344)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#15 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf856cf8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#16 0xb72d803b in execute (op_array=0xb99f1c8c)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#17 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf856ef8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#18 0xb72d803b in execute (op_array=0xb99f2968)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#19 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf857328)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#20 0xb72d803b in execute (op_array=0xb9a04ab4)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#21 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf857568)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
---Type <return> to continue, or q <return> to quit---
#22 0xb72d803b in execute (op_array=0xb99e5de0)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#23 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf857998)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#24 0xb72d803b in execute (op_array=0xb99e60b0)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#25 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf857bb8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#26 0xb72d803b in execute (op_array=0xb9974038)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#27 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf8581e8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#28 0xb72d803b in execute (op_array=0xb97c5384)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#29 0xb72ec466 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf858468)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:234
#30 0xb72d803b in execute (op_array=0xb97abbe8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
#31 0xb72b26e0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /build/buildd/php5-5.2.6/Zend/zend.c:1215
#32 0xb726704a in php_execute_script (primary_file=0xbf85a728)
    at /build/buildd/php5-5.2.6/main/main.c:2026
#33 0xb732a7f0 in php_handler (r=0xb98dd238)
---Type <return> to continue, or q <return> to quit---
    at /build/buildd/php5-5.2.6/sapi/apache2handler/sapi_apache2.c:648
#34 0xb803730d in ap_run_handler () from /usr/sbin/apache2
#35 0xb803af2f in ap_invoke_handler () from /usr/sbin/apache2
#36 0xb804a190 in ap_internal_redirect () from /usr/sbin/apache2
#37 0xb6ff6743 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#38 0xb803730d in ap_run_handler () from /usr/sbin/apache2
#39 0xb803af2f in ap_invoke_handler () from /usr/sbin/apache2
#40 0xb804a361 in ap_process_request () from /usr/sbin/apache2
#41 0xb8046f78 in ?? () from /usr/sbin/apache2
#42 0xb803f6fd in ap_run_process_connection () from /usr/sbin/apache2
#43 0xb804f781 in ?? () from /usr/sbin/apache2
#44 0xb804fb23 in ?? () from /usr/sbin/apache2
#45 0xb8050442 in ap_mpm_run () from /usr/sbin/apache2
#46 0xb80220e9 in main () from /usr/sbin/apache2
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0xb74f294f "is_subclass_of"
(gdb) frame 30
#30 0xb72d803b in execute (op_array=0xb97abbe8)
    at /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h:92
92	/build/buildd/php5-5.2.6/Zend/zend_vm_execute.h: No such file or directory.
	in /build/buildd/php5-5.2.6/Zend/zend_vm_execute.h
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$2 = 0xb74f294f "is_subclass_of"

(All the execute frames return is_subclass_of.)

 [2008-12-08 17:31 UTC] essen at dev-extend dot eu
Exactly the same problem using the snapshot. The problem also occurs from the command line (both on 5.2.6 and using the snapshot).

The "bt full" made using this snapshot is available at the following address:
http://blog.extend.ws/~essen/bug46753btfull.txt

I can try to isolate the code leading to the segfault if you need it, but it's not going to be an easy task as it crashes inside classes querying metadata information from a MySQL database, and also because the same code works without problem for a different page.
 [2008-12-08 22:35 UTC] jani@php.net
Please try to isolate the code. As short a script as possible. You should 
also try the PHP 5.3 snapshot: http://snaps.php.net/php5.3-latest.tar.gz 
just in case this same issue is already fixed there.
 [2008-12-17 01:12 UTC] essen at dev-extend dot eu
Okay I've narrowed down the bug a bit.

First, the crash does not happen in PHP 5.3 using the latest snapshot.

Second, I've tried to make a small example and failed. So I made all the files involved available here: http://blog.extend.ws/~essen/bug46753.tar.gz

I've changed a few things in the code to make it more friendly to an environment without some specific extensions, all you need is mysql and xsl. You need however to create a database (a script is available in app/sql). The configuration for the database can be changed in app/conf/wee.cnf.

There is a hack in the index.php file to make it usable from the command line. If you want to use it from a browser, remove the line and point your browser to index.php/toppage/add instead.

If everything goes well, you should have an error message instead of nothing and a segfault.

One last thing. I've left the .svn directory in wee/db/meta/mysql in the archive. The crash doesn't happen if you remove this specific directory. Other directories were removed for this archive.
 [2008-12-17 01:19 UTC] essen at dev-extend dot eu
It also crashes on NetBSD running PHP 5.2.4.
 [2009-02-15 15:30 UTC] essen at dev-extend dot eu
Still crashing, with a similar output pasted below.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb79dc6b0 (LWP 7735)]
0x0829fc6a in is_a_impl (ht=<value optimized out>, return_value=0x9b841d0, 
    return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1, 
    only_subclass=1 '\001')
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_builtin_functions.c:645
645		if (Z_TYPE_PP(obj) == IS_OBJECT && !HAS_CLASS_ENTRY(**obj)) {
(gdb) bt
#0  0x0829fc6a in is_a_impl (ht=<value optimized out>, return_value=0x9b841d0, 
    return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1, 
    only_subclass=1 '\001')
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_builtin_functions.c:645
#1  0x082c3d79 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf80527c)
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_vm_execute.h:200
#2  0x082b18a0 in execute (op_array=0x9b7e18c)
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_vm_execute.h:92
#3  0x082c36e6 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf80552c)
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_vm_execute.h:234
#4  0x082b18a0 in execute (op_array=0x9b84418)
    at /home/essen/tmp/php5.2-200902151330/Zend/zend_vm_execute.h:92

It continues repeating the last 2 for a while just like before.
 [2009-04-01 11:17 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

And it HAS to be a self-contained single file, not some huge package 
downloadable somewhere (the one you provided earlier is no longer 
there!)
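As an added illustration (not code from the reporter or from the PHP project), the following single-file script has the shape requested above and exercises the path named in the original description: is_subclass_of() called with the name of a class that is not yet defined, so the engine has to run the autoload callback before it can answer. It needs no database or extension, uses PHP 5.2 syntax (named callback, no closures), and the class names, the autoload log and the commented require_once path are all hypothetical.

```php
<?php
// Added example, not the reporter's project code. It demonstrates the
// autoload-on-string-argument path that is_subclass_of() takes when the
// named class has not been loaded yet, in the self-contained form the
// bug tracker asks for. Class names and log variable are hypothetical.

$GLOBALS['autoload_log'] = array();

function example_autoload($class)
{
    // Record every class the engine asks this callback for. In a real
    // project this is where the class file would be required.
    $GLOBALS['autoload_log'][] = $class;

    // Define the classes inline so the script depends on no other file.
    // Declaring ExampleChild with "extends ExampleBase" makes the engine
    // call this callback a second time, for ExampleBase.
    if ($class === 'ExampleBase') {
        eval('class ExampleBase {}');
    } elseif ($class === 'ExampleChild') {
        eval('class ExampleChild extends ExampleBase {}');
    }
}
spl_autoload_register('example_autoload');

// Case 1: string class name, class not yet loaded. class_exists() is
// asked not to autoload, so it reports the state before the check;
// is_subclass_of() then triggers the autoloader itself.
var_dump(class_exists('ExampleChild', false));
var_dump(is_subclass_of('ExampleChild', 'ExampleBase'));
print_r($GLOBALS['autoload_log']);

// Case 2: the same check on an object instance. Both classes are loaded
// by now, so the autoload callback is not invoked again.
$obj = new ExampleChild();
var_dump(is_subclass_of($obj, 'ExampleBase'));
print_r($GLOBALS['autoload_log']);

// Case 3: the workaround mentioned in the report. Loading the class up
// front means is_subclass_of() never has to enter the autoloader.
// require_once 'ExampleChild.php';   // hypothetical path
?>
```

Run it from the command line and compare the autoload log printed after case 1 with the one printed after case 2: the first shows which class names the engine requested and in which order, the second shows that an already-loaded class does not re-enter the callback. When a crash like the one in this report appears, that log (or the equivalent require trace in the project's own autoloader) is the first thing to capture, because it tells you which class was being resolved at the moment is_a_impl ran.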
 [2009-04-09 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC