Bug #34712 zend.ze1_compatibility_mode = on segfault
Submitted: 2005-10-03 10:05 UTC
Modified: 2005-10-20 10:56 UTC
From: jason at jasonjustman dot com
Assigned: dmitry
Status: Closed
Package: Reproducible crash
PHP Version: 5CVS-2005-10-03 (snap)
OS: *
Private report: No
CVE-ID: None

 [2005-10-03 10:05 UTC] jason at jasonjustman dot com
Description:
------------
segfault in solaris 10, using php-5.0.6-dev - php5-STABLE-200510030637


Program received signal SIGSEGV, Segmentation fault.
0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
181             new_obj_val = zend_objects_new(&new_object, old_object->ce TSRMLS_CC);

(gdb) backtrace
#0  0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
#1  0xff019970 in zval_add_ref_or_clone (p=0x0) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:127


Reproduce code:
---------------
can't exactly pin down reproducible code, but it seems to be something similar to the following:

class aggrevator {
 function aggrevator(&$obj) {
   $this->obj = &$obj;
   $this->_call();
 }
 function _call()
 {
  $this->obj->callback();
 }
}

class helper {
function helper(&$obj)
 {
  $this->obj_ref = &$obj;
 }
}

class parent { }
class child extends parent {
 function callback() {
   $this->_helper = new helper($this);
 }
}
  
$c = new child;
$h = new helper($c);


Expected result:
----------------
not to crash...


Actual result:
--------------
f'd in the a, segfault

 [2005-10-03 10:29 UTC] jason at jasonjustman dot com
last two lines of sample code should be:

$c = new child;
$a = new aggrevator($c);
 [2005-10-03 12:13 UTC] dmitry@php.net
This test case must not work at all.

$ php -d "zend.ze1_compatibility_mode=1" bug34712.php

Fatal error: Cannot use 'parent' as class name as it is reserved in /home/dmitry/php/test/bug34712.php on line 20

Without "parent" it works fine on Linux/i386.

Try to make a full rebuild.
 [2005-10-03 18:02 UTC] jason at jasonjustman dot com
Like I said before, I can't track down the exact sequence (stacktrace of the .php script code shows it's in the 12-14th depth), and for full debug - only after parsing about 15kloc of code.

When adding in debugging php source code in the new call ( $this->_helper = new helper($this);), it prevents the crash but in one case a print_r($this) in the aggrevator:: scope resulted in an empty object. 

This testcase is more pseudocode of the segfault pattern than actual instance.  If you'd like I can privately attach the application source - but again, it's not an application problem - as turning off ze1_compat doesn't cause a segfault, but is required for implicit clone.

This happens in the same spot for the 5.0.5, 5.0.6-dev and 5.0.6-latest - even after building in separate directories with no caching enabled.
 [2005-10-03 22:23 UTC] sniper@php.net
We really need a reproducing script. Please try to come up with one.

 [2005-10-04 08:44 UTC] jason at jasonjustman dot com
http://www.jasonjustman.com/crash.phps

line 114 is what causes the segfault:

$this->_transform_actions = new base_object_meta_transform_actions($this);

it's not clean nor tight, but an example of the pattern that causes it to crash
 [2005-10-04 09:18 UTC] sniper@php.net
Dmitry, with the provided script I can reproduce this.

 [2005-10-18 22:16 UTC] jason at jasonjustman dot com
still present in:

PHP 5.1.0RC3 (cli) (built: Oct 18 2005 08:28:41)
Copyright (c) 1997-2005 The PHP Group
Zend Engine v2.1.0-dev, Copyright (c) 1998-2005 Zend Technologies
 [2005-10-20 10:56 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_1 together with bug #34767
 
Last updated: Fri Jan 31 08:01:30 2025 UTC