Bug #31106 4.3.10 - crashes with overloaded objects
Submitted: 2004-12-16 01:36 UTC Modified: 2004-12-24 07:29 UTC
Votes:10
Avg. Score:5.0 ± 0.0
Reproduced:10 of 10 (100.0%)
Same Version:8 (80.0%)
Same OS:7 (70.0%)
From: alan at akbkhome dot com Assigned: stas (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.3.10 OS: linux
Private report: No CVE-ID: None
 [2004-12-16 01:36 UTC] alan at akbkhome dot com
Description:
------------
config with apache2 fork
I need to isolate the code causing this, but it appears to be a common segfault, on more than just one page.

php 4.3.7 runs fine - exactly the same config.

  './configure' '--with-apxs2=/usr/bin/apxs2' '--prefix=/usr' '--with-regex=php' '--with-config-file-path=/etc/php4/apache' '--disable-rpath' '--disable-debug' '--enable-memory-limit' '--with-layout=GNU' '--enable-calendar' '--enable-sysvsem' '--enable-sysvshm' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--with-bz2' '--with-db4' '--with-iconv' '--enable-exif' '--enable-filepro' '--enable-ftp' '--with-gettext' '--enable-mbstring' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' '--with-expat-dir=/usr' '--enable-yp' '--with-zlib' '--without-pgsql' '--with-openssl=/usr' '--disable-static' '--with-zlib-dir=/usr' '--with-mysql=/usr' '--with-ming=/usr'

full backtrace:

#0  0x4040a264 in mallopt () from /lib/libc.so.6
#1  0x4040907f in free () from /lib/libc.so.6
#2  0x40726d7f in _efree (ptr=0x84726ac) at /usr/src/php-4.3.10/Zend/zend_alloc.c:265
#3  0x4073b3df in zend_hash_destroy (ht=0x843b0cc) at /usr/src/php-4.3.10/Zend/zend_hash.c:566
#4  0x40735084 in _zval_dtor (zvalue=0x8437774) at /usr/src/php-4.3.10/Zend/zend_variables.c:60
#5  0x4072e23c in _zval_ptr_dtor (zval_ptr=0x408e0df0) at /usr/src/php-4.3.10/Zend/zend_execute_API.c:289
#6  0x40744748 in execute (op_array=0x82f3a7c) at zend_execute_locks.h:26
#7  0x407468c4 in execute (op_array=0x82f3a14) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#8  0x407468c4 in execute (op_array=0x824799c) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#9  0x407468c4 in execute (op_array=0x8247344) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#10 0x407468c4 in execute (op_array=0x82419e4) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#11 0x40736971 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-4.3.10/Zend/zend.c:900
#12 0x40708a1f in php_execute_script (primary_file=0xbffffa50) at /usr/src/php-4.3.10/main/main.c:1736
#13 0x4074bb8c in php_handler (r=0x8235478) at /usr/src/php-4.3.10/sapi/apache2handler/sapi_apache2.c:542
#14 0x080782b5 in ap_run_handler ()
#15 0x08189a68 in ?? ()
(gdb) bt full
#0  0x4040a264 in mallopt () from /lib/libc.so.6
No symbol table info available.
#1  0x4040907f in free () from /lib/libc.so.6
No symbol table info available.
#2  0x40726d7f in _efree (ptr=0x84726ac) at /usr/src/php-4.3.10/Zend/zend_alloc.c:265
        p = (zend_mem_header *) 0x8472698
        real_size = 138880672
        cache_index = 138880664
#3  0x4073b3df in zend_hash_destroy (ht=0x843b0cc) at /usr/src/php-4.3.10/Zend/zend_hash.c:566
        p = (Bucket *) 0x0
        q = (Bucket *) 0x84727bc
#4  0x40735084 in _zval_dtor (zvalue=0x8437774) at /usr/src/php-4.3.10/Zend/zend_variables.c:60
No locals.
#5  0x4072e23c in _zval_ptr_dtor (zval_ptr=0x408e0df0) at /usr/src/php-4.3.10/Zend/zend_execute_API.c:289
No locals.
#6  0x40744748 in execute (op_array=0x82f3a7c) at zend_execute_locks.h:26
        execute_data = {opline = 0x8307708, function_state = {function_symbol_table = 0x82481fc, function = 0x82f3a7c,
    reserved = {0x408d8678, 0x408a085b, 0x82432f4, 0xbfffb358}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0},
  Ts = 0xbfff914c, original_in_execution = 1 '\001', op_array = 0x82f3a7c, prev_execute_data = 0xbfffb760}
#7  0x407468c4 in execute (op_array=0x82f3a14) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x82c2644
        original_return_value = (zval **) 0xbfffc554
        execute_data = {opline = 0x827d480, function_state = {function_symbol_table = 0x82432f4, function = 0x82f3a7c,
    reserved = {0x408d8678, 0x408a085b, 0x82c2644, 0xbfffb7b8}}, fbc = 0x82f3a7c, ce = 0x0, object = {
    ptr = 0x82fcf5c}, Ts = 0xbfffb37c, original_in_execution = 1 '\001', op_array = 0x82f3a14,
  prev_execute_data = 0xbfffcdb0}
#8  0x407468c4 in execute (op_array=0x824799c) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x8247df4
        original_return_value = (zval **) 0xbfffd204
        execute_data = {opline = 0x824df60, function_state = {function_symbol_table = 0x82c2644, function = 0x82f3a14,
    reserved = {0x408d8678, 0x408a085b, 0x8247df4, 0xbfffce08}}, fbc = 0x82f3a14, ce = 0x0, object = {
    ptr = 0x82fcf5c}, Ts = 0xbfffb7dc, original_in_execution = 1 '\001', op_array = 0x824799c,
  prev_execute_data = 0xbfffd3e0}
#9  0x407468c4 in execute (op_array=0x8247344) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x82d86a4
        original_return_value = (zval **) 0xbfffd5cc
        execute_data = {opline = 0x8249734, function_state = {function_symbol_table = 0x8247df4, function = 0x824799c,
    reserved = {0x40726df3, 0x82a1584, 0x0, 0x20}}, fbc = 0x824799c, ce = 0x0, object = {ptr = 0x82d877c},
  Ts = 0xbfffce2c, original_in_execution = 1 '\001', op_array = 0x8247344, prev_execute_data = 0xbfffd7b0}
#10 0x407468c4 in execute (op_array=0x82419e4) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x408e0c6c
        original_return_value = (zval **) 0xbfffd828
        execute_data = {opline = 0x8246300, function_state = {function_symbol_table = 0x82d86a4, function = 0x8247344,
    reserved = {0x408d8678, 0x8241b24, 0x0, 0xbfffd7e8}}, fbc = 0x8247344, ce = 0x827b9f8, object = {ptr = 0x0},
  Ts = 0xbfffd45c, original_in_execution = 0 '\0', op_array = 0x82419e4, prev_execute_data = 0x0}
#11 0x40736971 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-4.3.10/Zend/zend.c:900
        files = 0xbfffd854 ""
        i = 1
        file_handle = (zend_file_handle *) 0xbffffa50
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#12 0x40708a1f in php_execute_script (primary_file=0xbffffa50) at /usr/src/php-4.3.10/main/main.c:1736
        orig_bailout = {{__jmpbuf = {1083016824, 1083051352, -1073743060, -1073743032, -1073743488, 1081391400},
    __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0},
  free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0},
  free_filename = 0 '\0'}
        old_cwd = 0xbfffd85c "/usr/src/php-4.3.10"
        old_primary_file_path = 0x0
        retval = 0
#13 0x4074bb8c in php_handler (r=0x8235478) at /usr/src/php-4.3.10/sapi/apache2handler/sapi_apache2.c:542
        zfd = {type = 1 '\001', filename = 0x8236690 "/mnt/svn_live/FlexyWiki/spam.php",
  opened_path = 0x8241aec "??x|\004", handle = {fd = 20, fp = 0x14}, free_filename = 0 '\0'}
        ctx = (php_struct *) 0x823d8e8
        conf = <value optimized out>
        brigade = (apr_bucket_brigade *) 0x823d960
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec *) 0x0
#14 0x080782b5 in ap_run_handler ()


Reproduce code:
---------------
To follow later.


 [2004-12-16 08:04 UTC] alan at akbkhome dot com
This fixes it.

--- zend_execute.c      2004-12-16 15:18:16.000000000 +0800
+++ zend_execute.c.fixed        2004-12-16 15:18:28.000000000 +0800
@@ -996,7 +996,6 @@
        }
        zend_llist_destroy(T->EA.data.overloaded_element.elements_list);
        efree(T->EA.data.overloaded_element.elements_list);
-       PZVAL_UNLOCK(T->EA.data.overloaded_element.object);
 }
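Review bot: Deleting the PZVAL_UNLOCK on `T->EA.data.overloaded_element.object` at the end of the cleanup, without touching the site that took the corresponding lock, leaves the reference count unbalanced: the object is never released, so the crash is traded for a memory leak (the maintainer says the same further down). The unlock is the release half of a lock/unlock pair; the double release that crashes in free() must be coming from the other site that drops this object, and that is where the fix belongs. Also note the quoted hunk is truncated: the header `@@ -996,7 +996,6 @@` announces seven original lines but only five are shown, so the leading context is missing.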
 [2004-12-16 08:12 UTC] alan_k@php.net
change title to be more precise..
 [2004-12-16 09:57 UTC] alan_k@php.net
Actually both changes in this commit cause big problems with overloaded objects

http://cvs.php.net/diff.php/Zend/Attic/zend_execute.c?sa=1&r1=1.316.2.41&r2=1.316.2.42&ty=u

Removing the 1st fixes the crashes;
removing the 2nd fixes object properties getting destroyed/lost(?) when calling methods of overloaded objects.
 [2004-12-17 11:23 UTC] stas@php.net
Can you provide some example of the code that crashes? Of course I'd prefer the code that I could run, so that I can check what's the problem.

Removing unlock won't do good - it would just cause a memory leak.
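The crash-versus-leak trade-off in this thread comes down to the balance between a lock (extra reference) and its unlock on the overloaded object. The following is an added example, not code from PHP or from this report: a small hypothetical refcount model (not Zend's zval) in which a release of an already-released value is recorded instead of crashing in free(), so the three cases can be compared: balanced lock/unlock, one unlock too many (the crash pattern), and the unlock removed (the leak the maintainer describes).

```c
#include <stdio.h>

/* Constructed model of a refcounted engine value (hypothetical, not Zend's zval).
 * Release marks the value instead of calling free(), so a second release is observable. */
typedef struct { int refcount; int freed; } rc_value;
typedef struct { int live; int double_free; } rc_stats;  /* live: not yet released */

static void rc_init(rc_stats *st, rc_value *v) {
    v->refcount = 1; v->freed = 0; st->live = 1; st->double_free = 0;
}

/* Equivalent of taking an extra reference on behalf of a temporary (a lock). */
static void rc_lock(rc_value *v) { v->refcount++; }

/* Equivalent of PZVAL_UNLOCK: drop one reference, release at zero.
 * Releasing an already-released value is what crashed inside free() in the report. */
static void rc_unlock(rc_stats *st, rc_value *v) {
    if (v->freed) { st->double_free++; return; }
    if (--v->refcount == 0) { v->freed = 1; st->live = 0; }
}

/* Balanced: the temporary locks and unlocks, the owning variable releases last. */
int scenario_balanced(void) {
    rc_stats st; rc_value obj; rc_init(&st, &obj);
    rc_lock(&obj);           /* temporary takes a reference */
    rc_unlock(&st, &obj);    /* temporary cleanup gives it back */
    rc_unlock(&st, &obj);    /* owner goes away: released exactly once */
    return st.live == 0 && st.double_free == 0;
}

/* One unlock too many: cleanup releases a reference the temporary never took,
 * so the owner's later release hits already-released memory. */
int scenario_extra_unlock(void) {
    rc_stats st; rc_value obj; rc_init(&st, &obj);
    rc_unlock(&st, &obj);    /* unbalanced unlock from cleanup */
    rc_unlock(&st, &obj);    /* owner releases: second free */
    return st.double_free == 1;
}

/* Unlock removed (the first patch in the report): no crash, but the reference
 * taken by the lock is never given back, so the object is never released. */
int scenario_missing_unlock(void) {
    rc_stats st; rc_value obj; rc_init(&st, &obj);
    rc_lock(&obj);
    rc_unlock(&st, &obj);    /* only the owner releases; refcount stays at 1 */
    return st.live == 1 && st.double_free == 0;
}

int main(void) {
    printf("balanced=%d extra_unlock=%d missing_unlock=%d\n",
           scenario_balanced(), scenario_extra_unlock(), scenario_missing_unlock());
    return 0;
}
```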
 [2004-12-17 13:00 UTC] alan_k@php.net
I'll try and get a test case done over the weekend..

Should be quite simple: create an overloaded object (with __call), assign some vars, then set it to something else (based on a rough guess).

The real code is a bit too complex for a simple test case - but it broke both my devel servers. ;)
 [2004-12-17 17:58 UTC] alan at akbkhome dot com
Nice simple test case - causes segfault:

<?php
class DBO {
   function factory() {
        $x = new DBO;
        return $x;
   }
   var $x;
   function w($s) {
        $this->x = $s;
   }
   // PHP 4 overload() handler: $a is the method name, $b the argument
   // array, $c receives the return value by reference
   function __call($a,$b,&$c) {
        echo "$a";
        return FALSE;
   }
}
overload('DBO');   // mark DBO as an overloaded class (PHP 4 overload extension)

$a = DBO::factory();
$a->w('test');     // normal method call on the overloaded object
$a->bbb = 0;       // property assignment on the overloaded object; the script segfaults on 4.3.10
 [2004-12-18 03:10 UTC] alan_k@php.net
nope - it affects cgi/cli/apache/apache2 all the same - segfault..
'connection lost' is the end user experience of the apache process segfaulting.
 [2004-12-21 11:38 UTC] stas@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the test case. I believe I have fixed it.
 [2004-12-24 07:29 UTC] alan_k@php.net
Yeap - confirmed - this is fixed
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Sep 19 23:01:27 2019 UTC