PHP :: Bug #39297 :: Bus Error during shutdown

Bug #39297

Bus Error during shutdown

Submitted:

2006-10-29 13:50 UTC

Modified:

2006-11-16 01:00 UTC

Votes:	3
Avg. Score:	4.3 ± 0.9
Reproduced:	1 of 3 (33.3%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

jeff at procata dot com

Assigned:

dmitry (profile)

Status:

No Feedback

Package:

Reproducible crash

PHP Version:

5.1.6

OS:

Mac OS X 10.3.9

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jeff at procata dot com
New email:
PHP Version:		OS:

New Comment:

[2006-10-29 13:50 UTC] jeff at procata dot com

Description:
------------
I'm getting a reproducable Bus Error / Segfault with PHP 
CLI.  The same occurs in 5.1.2, 5.1.6 and 5.2.0rc4.

The error is reproducible, but difficult to isolate into 
a small example.

Reproduce code:
---------------
The code that triggers the segfault is similiar to

ByRef($this->obj['test'], $this->obj);

Where

function byRef(&$first, &$second)

and obj implements ArrayAccess with a method

public function offsetGet($offset) {
    $cannonicalName = strtolower($offset);
    return $this->children[$cannonicalName];
}



Expected result:
----------------
PHP Fatal error:  Objects used as arrays in post/pre 
increment/decrement must return values by reference

Actual result:
--------------
Program received signal EXC_BAD_ACCESS, Could not access 
memory.
_zend_is_inconsistent (ht=0xffffffff, file=0x1 <Address 
0x1 out of bounds>, line=112) at /Users/jeff/Downloads/
php-5.1.6/Zend/zend_hash.c:53
53              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  _zend_is_inconsistent (ht=0xffffffff, file=0x1 
<Address 0x1 out of bounds>, line=112) at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_hash.c:53
#1  0x001b7f68 in zend_hash_destroy (ht=0xffffffff) at /
Users/jeff/Downloads/php-5.1.6/Zend/zend_hash.c:512
#2  0x001c7130 in zend_object_std_dtor 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:40
#3  0x001c73c8 in zend_objects_free_object_storage 
(object=0x2134c98) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects.c:111
#4  0x001ca5d8 in zend_objects_store_free_object_storage 
(objects=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
Zend/zend_objects_API.c:86
#5  0x0019fa74 in shutdown_executor () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend_execute_API.c:281
#6  0x001add74 in zend_deactivate () at /Users/jeff/
Downloads/php-5.1.6/Zend/zend.c:854
#7  0x00169c5c in php_request_shutdown 
(dummy=0xffffffff) at /Users/jeff/Downloads/php-5.1.6/
main/main.c:1292
#8  0x00232284 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php-5.1.6/sapi/cli/php_cli.c:1246

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-10-29 13:54 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

[2006-10-29 16:28 UTC] jeff at procata dot com

From php5.2-200610291330:

Program received signal EXC_BAD_ACCESS, Could not access 
memory.
0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
412             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x0031a998 in _zval_ptr_dtor (zval_ptr=0x16a46f3, 
__zend_filename=0x407530 "/Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c", __zend_lineno=175) 
at /Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_execute_API.c:412
#1  0x0032dcf8 in _zval_ptr_dtor_wrapper 
(zval_ptr=0x16a46f3) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_variables.c:175
#2  0x0033fa44 in zend_hash_destroy (ht=0x1654118) at /
Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_hash.c:521
#3  0x0035789c in zend_object_std_dtor 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:45
#4  0x00357d70 in zend_objects_free_object_storage 
(object=0x1692628) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects.c:122
#5  0x0035c9a4 in zend_objects_store_free_object_storage 
(objects=0x49e148) at /Users/jeff/Downloads/php5.2
-200610291330/Zend/zend_objects_API.c:86
#6  0x0031a474 in shutdown_executor () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend_execute_API.c:
299
#7  0x0032fd34 in zend_deactivate () at /Users/jeff/
Downloads/php5.2-200610291330/Zend/zend.c:840
#8  0x002c1b9c in php_request_shutdown (dummy=0x0) at /
Users/jeff/Downloads/php5.2-200610291330/main/main.c:
1300
#9  0x003d0cb8 in main (argc=4, argv=0xbffffde0) at /
Users/jeff/Downloads/php5.2-200610291330/sapi/cli/
php_cli.c:1259

[2006-10-29 20:21 UTC] jeff at procata dot com

Trying to isolate this further, I now get:

[Sun Oct 29 15:14:13 2006]  Script:  'bootstrap.php'
/Users/jeff/Downloads/php5.2-200610291330/Zend/
zend_vm_execute.h(7451) :  Freeing 0x0158FB60 (16 
bytes), script=bootstrap.php
Last leak repeated 1 time
=== Total 2 memory leaks detected ===

[2006-10-29 22:13 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2006-10-29 23:09 UTC] jeff at procata dot com

Got it.  :)

<?php

function compareByRef(&$first, &$second) {
    return $first === $second;
}

class MyTree implements ArrayAccess {
    public $parent;
    public $children = array();

    public function offsetExists($offset) {}

    public function offsetUnset($offset) {}

    public function offsetSet($offset, $value) {
        $cannonicalName = strtolower($offset);
        $this->children[$cannonicalName] = $value;
        $value->parent = $this;
    }    
    
    public function offsetGet($offset) {
        $cannonicalName = strtolower($offset);
        return $this->children[$cannonicalName];
    }

}

$id = 'Test';

$root = new MyTree();
$child = new MyTree();
$root[$id] = $child;

var_dump(compareByRef($root[$id], $child));

?>

[2006-11-08 21:09 UTC] tony2001@php.net

This code works just fine with PHP 5.2.0.

[2006-11-16 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 10:01:28 2024 UTC