Bug #31106 4.3.10 - crashes with overloaded objects
Submitted: 2004-12-16 01:36 UTC Modified: 2004-12-24 07:29 UTC
Votes:10
Avg. Score:5.0 ± 0.0
Reproduced:10 of 10 (100.0%)
Same Version:8 (80.0%)
Same OS:7 (70.0%)
From: alan at akbkhome dot com Assigned: stas
Status: Closed Package: Reproducible crash
PHP Version: 4.3.10 OS: linux
Private report: No CVE-ID: None
 [2004-12-16 01:36 UTC] alan at akbkhome dot com
Description:
------------
config with apache2 fork
I need to isolate the code causing this, but it appears to be a common segfault, on more than just one page.

PHP 4.3.7 runs fine - exactly the same config.

  './configure' '--with-apxs2=/usr/bin/apxs2' '--prefix=/usr' '--with-regex=php' '--with-config-file-path=/etc/php4/apache' '--disable-rpath' '--disable-debug' '--enable-memory-limit' '--with-layout=GNU' '--enable-calendar' '--enable-sysvsem' '--enable-sysvshm' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--with-bz2' '--with-db4' '--with-iconv' '--enable-exif' '--enable-filepro' '--enable-ftp' '--with-gettext' '--enable-mbstring' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' '--with-expat-dir=/usr' '--enable-yp' '--with-zlib' '--without-pgsql' '--with-openssl=/usr' '--disable-static' '--with-zlib-dir=/usr' '--with-mysql=/usr' '--with-ming=/usr'

full backtrace:

#0  0x4040a264 in mallopt () from /lib/libc.so.6
#1  0x4040907f in free () from /lib/libc.so.6
#2  0x40726d7f in _efree (ptr=0x84726ac) at /usr/src/php-4.3.10/Zend/zend_alloc.c:265
#3  0x4073b3df in zend_hash_destroy (ht=0x843b0cc) at /usr/src/php-4.3.10/Zend/zend_hash.c:566
#4  0x40735084 in _zval_dtor (zvalue=0x8437774) at /usr/src/php-4.3.10/Zend/zend_variables.c:60
#5  0x4072e23c in _zval_ptr_dtor (zval_ptr=0x408e0df0) at /usr/src/php-4.3.10/Zend/zend_execute_API.c:289
#6  0x40744748 in execute (op_array=0x82f3a7c) at zend_execute_locks.h:26
#7  0x407468c4 in execute (op_array=0x82f3a14) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#8  0x407468c4 in execute (op_array=0x824799c) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#9  0x407468c4 in execute (op_array=0x8247344) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#10 0x407468c4 in execute (op_array=0x82419e4) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
#11 0x40736971 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-4.3.10/Zend/zend.c:900
#12 0x40708a1f in php_execute_script (primary_file=0xbffffa50) at /usr/src/php-4.3.10/main/main.c:1736
#13 0x4074bb8c in php_handler (r=0x8235478) at /usr/src/php-4.3.10/sapi/apache2handler/sapi_apache2.c:542
#14 0x080782b5 in ap_run_handler ()
#15 0x08189a68 in ?? ()
(gdb) bt full
#0  0x4040a264 in mallopt () from /lib/libc.so.6
No symbol table info available.
#1  0x4040907f in free () from /lib/libc.so.6
No symbol table info available.
#2  0x40726d7f in _efree (ptr=0x84726ac) at /usr/src/php-4.3.10/Zend/zend_alloc.c:265
        p = (zend_mem_header *) 0x8472698
        real_size = 138880672
        cache_index = 138880664
#3  0x4073b3df in zend_hash_destroy (ht=0x843b0cc) at /usr/src/php-4.3.10/Zend/zend_hash.c:566
        p = (Bucket *) 0x0
        q = (Bucket *) 0x84727bc
#4  0x40735084 in _zval_dtor (zvalue=0x8437774) at /usr/src/php-4.3.10/Zend/zend_variables.c:60
No locals.
#5  0x4072e23c in _zval_ptr_dtor (zval_ptr=0x408e0df0) at /usr/src/php-4.3.10/Zend/zend_execute_API.c:289
No locals.
#6  0x40744748 in execute (op_array=0x82f3a7c) at zend_execute_locks.h:26
        execute_data = {opline = 0x8307708, function_state = {function_symbol_table = 0x82481fc, function = 0x82f3a7c,
    reserved = {0x408d8678, 0x408a085b, 0x82432f4, 0xbfffb358}}, fbc = 0x0, ce = 0x0, object = {ptr = 0x0},
  Ts = 0xbfff914c, original_in_execution = 1 '\001', op_array = 0x82f3a7c, prev_execute_data = 0xbfffb760}
#7  0x407468c4 in execute (op_array=0x82f3a14) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x82c2644
        original_return_value = (zval **) 0xbfffc554
        execute_data = {opline = 0x827d480, function_state = {function_symbol_table = 0x82432f4, function = 0x82f3a7c,
    reserved = {0x408d8678, 0x408a085b, 0x82c2644, 0xbfffb7b8}}, fbc = 0x82f3a7c, ce = 0x0, object = {
    ptr = 0x82fcf5c}, Ts = 0xbfffb37c, original_in_execution = 1 '\001', op_array = 0x82f3a14,
  prev_execute_data = 0xbfffcdb0}
#8  0x407468c4 in execute (op_array=0x824799c) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x8247df4
        original_return_value = (zval **) 0xbfffd204
        execute_data = {opline = 0x824df60, function_state = {function_symbol_table = 0x82c2644, function = 0x82f3a14,
    reserved = {0x408d8678, 0x408a085b, 0x8247df4, 0xbfffce08}}, fbc = 0x82f3a14, ce = 0x0, object = {
    ptr = 0x82fcf5c}, Ts = 0xbfffb7dc, original_in_execution = 1 '\001', op_array = 0x824799c,
  prev_execute_data = 0xbfffd3e0}
#9  0x407468c4 in execute (op_array=0x8247344) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x82d86a4
        original_return_value = (zval **) 0xbfffd5cc
        execute_data = {opline = 0x8249734, function_state = {function_symbol_table = 0x8247df4, function = 0x824799c,
    reserved = {0x40726df3, 0x82a1584, 0x0, 0x20}}, fbc = 0x824799c, ce = 0x0, object = {ptr = 0x82d877c},
  Ts = 0xbfffce2c, original_in_execution = 1 '\001', op_array = 0x8247344, prev_execute_data = 0xbfffd7b0}
#10 0x407468c4 in execute (op_array=0x82419e4) at /usr/src/php-4.3.10/Zend/zend_execute.c:1686
        calling_symbol_table = (HashTable *) 0x408e0c6c
        original_return_value = (zval **) 0xbfffd828
        execute_data = {opline = 0x8246300, function_state = {function_symbol_table = 0x82d86a4, function = 0x8247344,
    reserved = {0x408d8678, 0x8241b24, 0x0, 0xbfffd7e8}}, fbc = 0x8247344, ce = 0x827b9f8, object = {ptr = 0x0},
  Ts = 0xbfffd45c, original_in_execution = 0 '\0', op_array = 0x82419e4, prev_execute_data = 0x0}
#11 0x40736971 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-4.3.10/Zend/zend.c:900
        files = 0xbfffd854 ""
        i = 1
        file_handle = (zend_file_handle *) 0xbffffa50
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#12 0x40708a1f in php_execute_script (primary_file=0xbffffa50) at /usr/src/php-4.3.10/main/main.c:1736
        orig_bailout = {{__jmpbuf = {1083016824, 1083051352, -1073743060, -1073743032, -1073743488, 1081391400},
    __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0},
  free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0},
  free_filename = 0 '\0'}
        old_cwd = 0xbfffd85c "/usr/src/php-4.3.10"
        old_primary_file_path = 0x0
        retval = 0
#13 0x4074bb8c in php_handler (r=0x8235478) at /usr/src/php-4.3.10/sapi/apache2handler/sapi_apache2.c:542
        zfd = {type = 1 '\001', filename = 0x8236690 "/mnt/svn_live/FlexyWiki/spam.php",
  opened_path = 0x8241aec "??x|\004", handle = {fd = 20, fp = 0x14}, free_filename = 0 '\0'}
        ctx = (php_struct *) 0x823d8e8
        conf = <value optimized out>
        brigade = (apr_bucket_brigade *) 0x823d960
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec *) 0x0
#14 0x080782b5 in ap_run_handler ()


Reproduce code:
---------------
To follow later.


 [2004-12-16 08:04 UTC] alan at akbkhome dot com
This fixes it.

--- zend_execute.c      2004-12-16 15:18:16.000000000 +0800
+++ zend_execute.c.fixed        2004-12-16 15:18:28.000000000 +0800
@@ -996,7 +996,6 @@
        }
        zend_llist_destroy(T->EA.data.overloaded_element.elements_list);
        efree(T->EA.data.overloaded_element.elements_list);
-       PZVAL_UNLOCK(T->EA.data.overloaded_element.object);
 }
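Review bot: deleting the PZVAL_UNLOCK of T->EA.data.overloaded_element.object outright leaves whatever reference was taken on the object when the overloaded element was set up unreleased, so each property write on an overloaded object would keep the object alive for the rest of the request (the leak stas points out further down). The backtrace reaches free() through _zval_ptr_dtor -> _zval_dtor -> zend_hash_destroy, which is the object's properties table being destroyed while a variable still referenced it; that points at one unlock too many relative to the locks on this path, so the fix should rebalance the lock/unlock pair introduced by the commit linked below rather than drop this release. If the unlock does have to go, the hunk needs a comment naming the lock it was paired with and why that lock is no longer taken.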
 [2004-12-16 08:12 UTC] alan_k@php.net
Changed title to be more precise.
 [2004-12-16 09:57 UTC] alan_k@php.net
Actually both changes in this commit cause big problems with overloaded objects

http://cvs.php.net/diff.php/Zend/Attic/zend_execute.c?sa=1&r1=1.316.2.41&r2=1.316.2.42&ty=u

Removing the 1st fixes the crashes.
Removing the 2nd fixes object properties getting destroyed/lost(?) when calling methods of overloaded objects.
 [2004-12-17 11:23 UTC] stas@php.net
Can you provide an example of the code that crashes? Of course I'd prefer code that I could run, so that I can check what the problem is.

Removing unlock won't do good - it would just cause a memory leak.
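The two outcomes argued over in this thread, the patch that removes the unlock (stas: a leak) and the crash it makes go away, as an added C illustration written for this page; it is not code from the bug report or from the Zend engine. It models PZVAL_LOCK/PZVAL_UNLOCK as a refcount increment and a decrement-that-destroys-at-zero. The request wiring (run_request, lock_on_setup, unlock_on_cleanup) is an assumption for the example: whether the real 4.3.10 path took or skipped a lock on the object is not visible on this page, so the flags let you run every combination. The model keeps the struct alive after destruction and records any later refcount operation, instead of dereferencing freed memory the way the engine does.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a Zend object zval (assumed shape for this example). */
typedef struct {
    int   refcount;            /* holders that reference the object */
    int   destroy_count;       /* times the destructor has run (0 or 1 when healthy) */
    int   use_after_destroy;   /* refcount operations seen after destruction */
    char *props;               /* stands in for the properties HashTable */
} model_zval;

enum outcome {
    OUTCOME_OK = 0,             /* destroyed exactly once, when the last holder let go */
    OUTCOME_USE_AFTER_FREE = 1, /* destroyed while a holder still referenced it */
    OUTCOME_LEAK = 2            /* every holder let go but it was never destroyed */
};

static model_zval *zval_new(void)
{
    model_zval *z = calloc(1, sizeof *z);
    if (z == NULL)
        abort();
    z->refcount = 1;                       /* held by the variable it was assigned to */
    z->props = malloc(64);
    if (z->props == NULL)
        abort();
    return z;
}

/* The zval destructor: frees the properties table. In the engine this is the
 * _zval_dtor -> zend_hash_destroy -> efree chain in the backtrace above. */
static void zval_dtor(model_zval *z)
{
    z->destroy_count++;
    free(z->props);
    z->props = NULL;
}

static void pzval_lock(model_zval *z)
{
    z->refcount++;
}

static void pzval_unlock(model_zval *z)
{
    if (z->destroy_count > 0) {
        /* The engine would already have freed this zval; decrementing here
         * writes into freed memory and can re-run the destructor on a freed
         * table, which is the free() crash the report shows. Record it. */
        z->use_after_destroy++;
        return;
    }
    if (--z->refcount == 0)
        zval_dtor(z);
}

/*
 * One request in miniature, following the test case later in the thread:
 *   $a = DBO::factory();   object created, refcount 1 (held by $a)
 *   $a->bbb = 0;           engine builds an overloaded element for the
 *                          assignment; it may lock $a's object while doing so
 *                          (lock_on_setup) and release it when the element is
 *                          cleaned up (unlock_on_cleanup)
 *   end of request         symbol table drops $a
 */
static enum outcome run_request(int lock_on_setup, int unlock_on_cleanup)
{
    model_zval *obj = zval_new();
    enum outcome result;

    if (lock_on_setup)
        pzval_lock(obj);
    if (unlock_on_cleanup)
        pzval_unlock(obj);

    pzval_unlock(obj);                     /* symbol table releases $a */

    if (obj->use_after_destroy > 0)
        result = OUTCOME_USE_AFTER_FREE;
    else if (obj->refcount > 0)
        result = OUTCOME_LEAK;
    else
        result = OUTCOME_OK;

    free(obj->props);                      /* NULL unless the object leaked */
    free(obj);
    return result;
}

int main(void)
{
    static const char *names[] = { "ok", "use-after-free", "leak" };
    printf("lock + unlock (balanced): %s\n", names[run_request(1, 1)]);
    printf("unlock without lock:      %s\n", names[run_request(0, 1)]);
    printf("lock without unlock:      %s\n", names[run_request(1, 0)]);
    return 0;
}
```

run_request(0, 1) has the shape of the backtrace: the properties table is destroyed once by the cleanup and then touched again when the symbol table drops $a. run_request(1, 0) is what the patch in the first comment produces if the matching lock is still taken: nothing crashes, but the object is never freed. Only the balanced pair gives a clean request, which is why the fix has to be made at whichever side of the pair is wrong rather than by deleting one side.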
 [2004-12-17 13:00 UTC] alan_k@php.net
I'll try and get a test case done over the weekend.

It should be quite simple: create an overloaded object (with __call), assign some vars, then set it to something else (based on a rough guess).

The real code is a bit too complex for a simple test case - but it broke both my devel servers. ;)
 [2004-12-17 17:58 UTC] alan at akbkhome dot com
Nice simple test case - causes a segfault:

<?php
// PHP 4 repro: overload() (the PHP 4 overload extension) routes access to
// undefined properties/methods of DBO through __get/__set/__call.
class DBO {
   function factory() {
        $x = new DBO;
        return $x;
   }
   var $x;
   function w($s) {
        $this->x = $s;
   }
   // PHP 4 __call signature: ($method, $args, &$return); returns TRUE if
   // the call was handled, FALSE otherwise.
   function __call($a,$b,&$c) {
        echo "$a";
        return FALSE;
   }
}
overload('DBO');

$a = DBO::factory();
$a->w('test');
$a->bbb = 0;   // write to an undeclared property of the overloaded object: segfaults on 4.3.10
 [2004-12-18 03:10 UTC] alan_k@php.net
Nope - it affects cgi/cli/apache/apache2 all the same: segfault.
'connection lost' is the end-user experience of the apache process segfaulting.
 [2004-12-21 11:38 UTC] stas@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the test case. I believe I have fixed it.
 [2004-12-24 07:29 UTC] alan_k@php.net
Yep - confirmed, this is fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 02 21:01:28 2024 UTC