Bug #36071 Engine Crash related with 'clone'
Submitted: 2006-01-18 19:33 UTC Modified: 2006-01-19 08:28 UTC
From: kaien at sparcs dot org Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2006-01-18 (snap) OS: Linux
Private report: No CVE-ID:
 [2006-01-18 19:33 UTC] kaien at sparcs dot org
Description:
------------
Two lines of PHP code crash the latest engine.
configure --disable-all

/*
We want immediate fix.
We are scheduled for migration of our service from
php4 to php5 next week.
*/

Reproduce code:
---------------
<?
$a = clone 0;
$a[0]->b = 0;
?>


Expected result:
----------------
NO seg fault.

Actual result:
--------------
Warning: __clone method called on non-object in - on line 2

Segmentation fault (core dumped)


 [2006-01-18 19:47 UTC] kaien at sparcs dot org
Sorry. The comment part (/* */) was just an attempt at humor, which I thought I had omitted.

Same problem with 5.1.1, 5.1.2.
No crash with 5.0.3.
 [2006-01-18 20:08 UTC] tony2001@php.net
Dmitry, please take a look at it.
 [2006-01-18 23:38 UTC] kaien at sparcs dot org
make_real_object() in ZEND_ASSIGN_OBJ separates EG(error_zval_ptr).
Thanks to the SEGV, or the modification of EG(error_zval_ptr) could be harder to figure out.
<?
$a = clone 0;
$a[0]->b = 0;
print_r(clone 1);
?>
Warning: __clone method called on non-object in - on line 2

Warning: __clone method called on non-object in - on line 4
stdClass Object
(
    [b] => 0
)
Segmentation fault (core dumped)
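The reproduce case above applies `clone` to an integer and then writes through the result. For application code that is being migrated and may pass values of uncertain type to `clone`, an added example (not from the bug report or the PHP project) of a guard that rejects non-object operands before the engine's error path is ever entered; `safe_clone` and the sample inputs are constructed for illustration:

```php
<?php
// Added example, not part of the original report: validate the operand
// before cloning so that a non-object never reaches the engine's
// "__clone method called on non-object" path.
function safe_clone($value)
{
    if (!is_object($value)) {
        throw new InvalidArgumentException(
            'clone requires an object, got ' . gettype($value)
        );
    }
    return clone $value;
}

// Constructed inputs: a real object and the report's operand (the integer 0).
$obj = new stdClass;
$obj->b = 1;

$copy = safe_clone($obj);
$copy->b = 2;
var_dump($obj->b === 1 && $copy->b === 2); // the clone is a distinct copy

try {
    safe_clone(0);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The guard converts the silent warning-plus-sentinel behaviour of the affected engine versions into an ordinary exception that the calling code can handle, which is the behaviour the reporter's "NO seg fault" expectation amounts to at the application layer.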
 [2006-01-19 00:40 UTC] judas dot iscariote at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912513283232 (LWP 19283)]
0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
303             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x000000000051b72b in _efree (ptr=0x7ae228) at /usr/src/debug/php-5.1.2/Zend/zend_alloc.c:303
#1  0x000000000053c9ca in zend_hash_apply_deleter (ht=0x7ae388, p=0x8f15d8)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:574
#2  0x000000000053cb48 in zend_hash_graceful_reverse_destroy (ht=0x7ae388)
    at /usr/src/debug/php-5.1.2/Zend/zend_hash.c:640
#3  0x00000000005276e9 in shutdown_executor () at /usr/src/debug/php-5.1.2/Zend/zend_execute_API.c:217
#4  0x0000000000534437 in zend_deactivate () at /usr/src/debug/php-5.1.2/Zend/zend.c:846
#5  0x00000000004f631a in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.1.2/main/main.c:1282
#6  0x00000000005c3446 in main (argc=2, argv=0x7fffffd7fdc8) at /usr/src/debug/php-5.1.2/sapi/cli/php_cli.c:1234

php -v 
PHP 5.1.3-dev (cli) (built: Jan 18 2006 13:45:20)
 [2006-01-19 08:28 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_1 and PHP_5_0.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 07:02:14 2014 UTC