PHP :: Bug #36071 :: Engine Crash related with 'clone'

Bug #36071	Engine Crash related with 'clone'
Submitted:	2006-01-18 19:33 UTC	Modified:	2006-01-19 08:28 UTC
From:	kaien at sparcs dot org	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5CVS-2006-01-18 (snap)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-01-18 19:33 UTC] kaien at sparcs dot org

Description:
------------
2 line of php code crash latest engine.
configure --disable-all

/*
We want immediate fix.
We are scheduled for migration of our service from
php4 to php5 next week.
*/

Reproduce code:
---------------
<?
$a = clone 0;
$a[0]->b = 0;
?>


Expected result:
----------------
NO seg fault.

Actual result:
--------------
Warning: __clone method called on non-object in - on line 2

Segmentation fault (core dumped)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-01-18 19:47 UTC] kaien at sparcs dot org

Sorry. The comment part (/* */) was just an attempt at humor, which I thought I had omitted.

Same problem with 5.1.1, 5.1.2.
No crash with 5.0.3.

[2006-01-18 20:08 UTC] tony2001@php.net

Dmitry, please take a look at it.

[2006-01-18 23:38 UTC] kaien at sparcs dot org

make_real_object() in ZEND_ASSIGN_OBJ separates EG(error_zval_ptr)
Thanks to SEGV, or modification on EG(error_zval_ptr) could be harder to figure out.
<?
$a = clone 0;
$a[0]->b = 0;
print_r(clone 1);
?>
Warning: __clone method called on non-object in - on line 2

Warning: __clone method called on non-object in - on line 4
stdClass Object
(
    [b] => 0
)
Segmentation fault (core dumped)

[2006-01-19 00:40 UTC] judas dot iscariote at gmail dot com

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912513283232 (LWP 19283)]
0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
303             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
#1  0x000000000053c9ca in zend_hash_apply_deleter (ht=0x7ae388, p=0x8f15d8)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:574
#2  0x000000000053cb48 in zend_hash_graceful_reverse_destroy (ht=0x7ae388)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:640
#3  0x00000000005276e9 in shutdown_executor () at /usr/src/debug/php-5.1.2/Zend/zend_execute_API.c:217
#4  0x0000000000534437 in zend_deactivate () at /usr/src/debug/php-5.1.2/Zend/zend.c:846
#5  0x00000000004f631a in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.1.2/main/main.c:1282
#6  0x00000000005c3446 in main (argc=2, argv=0x7fffffd7fdc8) at /usr/src/debug/php-5.1.2/sapi/cli/php_cli.c:1234

php -v 
PHP 5.1.3-dev (cli) (built: Jan 18 2006 13:45:20)

[2006-01-19 08:28 UTC] dmitry@php.net

Fixed in CVS HEAD, PHP_5_1 and PHP_5_0.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC