Bug #36071 Engine Crash related with 'clone'
Submitted: 2006-01-18 19:33 UTC
Modified: 2006-01-19 08:28 UTC
From: kaien at sparcs dot org
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS-2006-01-18 (snap)
OS: Linux
Private report: No
CVE-ID: None
 [2006-01-18 19:33 UTC] kaien at sparcs dot org
Description:
------------
2 lines of PHP code crash the latest engine.
configure --disable-all

/*
We want immediate fix.
We are scheduled for migration of our service from
php4 to php5 next week.
*/

Reproduce code:
---------------
<?
$a = clone 0;
$a[0]->b = 0;
?>


Expected result:
----------------
NO seg fault.

Actual result:
--------------
Warning: __clone method called on non-object in - on line 2

Segmentation fault (core dumped)


 [2006-01-18 19:47 UTC] kaien at sparcs dot org
Sorry. The comment part (/* */) was just an attempt at humor, which I thought I had omitted.

Same problem with 5.1.1, 5.1.2.
No crash with 5.0.3.
 [2006-01-18 20:08 UTC] tony2001@php.net
Dmitry, please take a look at it.
 [2006-01-18 23:38 UTC] kaien at sparcs dot org
make_real_object() in ZEND_ASSIGN_OBJ separates EG(error_zval_ptr).
Thanks to the SEGV, or the modification of EG(error_zval_ptr) could have been harder to figure out.
<?
$a = clone 0;
$a[0]->b = 0;
print_r(clone 1);
?>
Warning: __clone method called on non-object in - on line 2

Warning: __clone method called on non-object in - on line 4
stdClass Object
(
    [b] => 0
)
Segmentation fault (core dumped)
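
The diagnosis in the comment above, shown as an added example that is not part of the original report and is not Zend engine code: a simplified C model in which a property write separates and converts a shared error sentinel, next to a variant that refuses to write through it. All names (`error_ptr`, `make_object`, `assign_prop_guarded` and the rest) are hypothetical, and the guard is one possible mitigation, not the change that was committed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the bug class; hypothetical names, not Zend engine code. */
typedef struct { int is_object; int refcount; int prop_b; } value;
static value error_storage = { 0, 1, 0 };  /* static sentinel, never heap-allocated */
static value *error_ptr = &error_storage;  /* stands in for EG(error_zval_ptr) */

/* A failed fetch hands back the address of the shared error slot. */
static value **failed_fetch(void) { error_ptr->refcount++; return &error_ptr; }
/* Copy-on-write separation, then conversion to an object. */
static void make_object(value **slot) {
    if ((*slot)->refcount > 1) {           /* shared: separate before writing */
        value *copy = malloc(sizeof *copy);
        if (!copy) abort();
        *copy = **slot;
        (*slot)->refcount--;
        copy->refcount = 1;
        *slot = copy;                      /* replaces what the slot points to */
    }
    (*slot)->is_object = 1;
}
/* Unguarded: the error slot is treated like any writable variable. */
static int assign_prop_unguarded(value **slot, int v) {
    make_object(slot);
    (*slot)->prop_b = v;
    return 0;
}
/* Guarded: refuse to write through the shared error slot. */
static int assign_prop_guarded(value **slot, int v) {
    return slot == &error_ptr ? -1 : assign_prop_unguarded(slot, v);
}
/* Invariant a test or debug build can check: the sentinel is untouched. */
static int error_slot_intact(void) { return error_ptr == &error_storage && !error_storage.is_object; }
/* Restore the sentinel and free any stray heap copy left in the slot. */
static void reset_error_slot(void) {
    if (error_ptr != &error_storage) free(error_ptr);
    error_ptr = &error_storage;
    error_storage = (value){ 0, 1, 0 };
}

int main(void) {
    int rc = assign_prop_guarded(failed_fetch(), 0);
    printf("guarded:   rc=%d intact=%d\n", rc, error_slot_intact());
    assign_prop_unguarded(failed_fetch(), 0);
    printf("unguarded: intact=%d\n", error_slot_intact());
    reset_error_slot();
    return 0;
}
```

In the model, the unguarded path leaves the global slot pointing at a heap object that carries the written property, which corresponds to the `stdClass Object ( [b] => 0 )` printed for the second failed `clone` above.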
 [2006-01-19 00:40 UTC] judas dot iscariote at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912513283232 (LWP 19283)]
0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
303             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
#1  0x000000000053c9ca in zend_hash_apply_deleter (ht=0x7ae388, p=0x8f15d8)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:574
#2  0x000000000053cb48 in zend_hash_graceful_reverse_destroy (ht=0x7ae388)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:640
#3  0x00000000005276e9 in shutdown_executor () at /usr/src/debug/php-5.1.2/Zend/zend_execute_API.c:217
#4  0x0000000000534437 in zend_deactivate () at /usr/src/debug/php-5.1.2/Zend/zend.c:846
#5  0x00000000004f631a in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.1.2/main/main.c:1282
#6  0x00000000005c3446 in main (argc=2, argv=0x7fffffd7fdc8) at /usr/src/debug/php-5.1.2/sapi/cli/php_cli.c:1234

php -v 
PHP 5.1.3-dev (cli) (built: Jan 18 2006 13:45:20)
 [2006-01-19 08:28 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_1 and PHP_5_0.
 
Last updated: Sat Nov 23 08:01:28 2024 UTC