Bug #46749 Crash when repeatedly attempting to assign to property of non-object.
Submitted: 2008-12-04 15:26 UTC
Modified: 2008-12-04 15:51 UTC
From: robin_fernandes at uk dot ibm dot com
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 6CVS-2008-12-04 (snap)
OS: *
Private report: No
CVE-ID: None

 [2008-12-04 15:26 UTC] robin_fernandes at uk dot ibm dot com
Description:
------------
The script below crashes consistently on Windows and Linux on the latest php6 snap.

This seems to be specific to HEAD: I could NOT recreate the crash on the latest 5_2 and 5_3 snaps.

Reproduce code:
---------------
<?php
Class C {
	public $nonEmptyString = 'hello';
}

$c = new C;
$i=0;
while ($i++<10) {
	echo "$i...";
	@$c->nonEmptyString->prop = "Will eventually cause crash";
}
echo "Done."
?>

Expected result:
----------------
1...2...3...4...5...6...7...8...9...10...Done.

Actual result:
--------------
1...2...[crash]

 [2008-12-04 15:30 UTC] robin_fernandes at uk dot ibm dot com
In fact, the class C above is not necessary to get the crash; here is a shorter reproduce script. Expected and actual output as above.

<?php
$nonEmptyString = 'hello';
$i=0;
while ($i++<10) {
	echo "$i...";
	@$nonEmptyString->prop = 'Will eventually cause crash';
}
echo "Done."
?>
 [2008-12-04 15:32 UTC] felipe@php.net
I can reproduce it.

1...2...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1225472304 (LWP 8923)]
0x0846bc91 in gc_remove_zval_from_buffer (zv=0x895149c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_gc.h:189
189             root->next->prev = root->prev;
(gdb) bt
#0  0x0846bc91 in gc_remove_zval_from_buffer (zv=0x895149c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_gc.h:189
#1  0x0841beaf in _zval_ptr_dtor (zval_ptr=0xbfcf97e8, __zend_filename=0x878582c "/home/felipe/dev/php6/Zend/zend_execute.c", __zend_lineno=604)
    at /home/felipe/dev/php6/Zend/zend_execute_API.c:455
#2  0x0849ca24 in zend_assign_to_object (result=0x8951438, object_ptr=0x8951720, property_name=0x8951464, value_op=0x8951498, Ts=0x8984188, opcode=136, tsrm_ls=0x87a9050)
    at /home/felipe/dev/php6/Zend/zend_execute.c:604
#3  0x0849c652 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_HANDLER (execute_data=0x8984134, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_vm_execute.h:10561
#4  0x08477033 in execute (op_array=0x8950c9c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_vm_execute.h:104
#5  0x084372bf in zend_execute_scripts (type=8, tsrm_ls=0x87a9050, retval=0x0, file_count=3) at /home/felipe/dev/php6/Zend/zend.c:1723
#6  0x083935e8 in php_execute_script (primary_file=0xbfcfbc98, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/main/main.c:2216
#7  0x084edc28 in main (argc=2, argv=0xbfcfbe14) at /home/felipe/dev/php6/sapi/cli/php_cli.c:1141

 [2008-12-04 15:51 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Tue Jul 01 19:01:37 2025 UTC