Bug #36376 Segfault when using clone '$this>test2' notation in __clone method
Submitted: 2006-02-13 11:01 UTC Modified: 2006-02-13 16:59 UTC
From: jaco at welnet dot nl Assigned: dmitry (profile)
Status: Not a bug Package: Reproducible crash
PHP Version: 5.1.2 OS: CentOS 4.2
Private report: No CVE-ID: None
 [2006-02-13 11:01 UTC] jaco at welnet dot nl
Description:
------------
PHP segfaults when there is code like '$this->object = clone $this>object' in the __clone method. Note the '>' syntax, which is faulty of course but produces the segfault.

tested with latest cvs:
PHP 5.1.3-dev (cli) (built: Feb 13 2006 10:52:02)


Reproduce code:
---------------
class test2 {}

class test {
	public $test2;
	
	public function __construct() {
		$this->test2 = new test2();
	}
	
	public function __clone() {
		$test2 = clone $this>test2;
	}
}

$test = new test();
$test2 = clone $test; 

Expected result:
----------------
Notice: Use of undefined constant test2 - assumed 'test2' in FILE on line XX

Notice: Object of class test could not be converted to int in FILE on line XX


Actual result:
--------------
[Mon Feb 13 10:38:40 2006] [notice] child pid 12798 exit signal Segmentation fault (11)


 [2006-02-13 11:11 UTC] derick@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2006-02-13 11:52 UTC] jaco at welnet dot nl
backtrace from latest cvs cli version:

(gdb) bt
#0  0x00979f1f in _int_malloc () from /lib/tls/libc.so.6
#1  0x0097bf81 in malloc () from /lib/tls/libc.so.6
#2  0x08204a69 in _emalloc (size=10745888, __zend_filename=0xfffffff0 <Address 0xfffffff0 out of bounds>,
    __zend_lineno=904, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php5.1-200602130930/Zend/zend_alloc.c:182
#3  0x0820f848 in zend_call_function (fci=0xbf4001d0, fci_cache=0xbf4001b0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:904
#4  0x0822aa1b in zend_call_method (object_pp=0xbf400250, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#5  0x0822ed8e in zend_objects_clone_members (new_object=0xa30dadc, new_obj_val={handle = 0, handlers = 0xbf400250},
    old_object=0xa30d804, handle=13367) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#6  0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#7  0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER (execute_data=0xbf4003a0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#8  0x08234785 in execute (op_array=0x99d096c) at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#9  0x0820f1fc in zend_call_function (fci=0xbf4004f0, fci_cache=0xbf4004d0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#10 0x0822aa1b in zend_call_method (object_pp=0xbf400570, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#11 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d804, new_obj_val={handle = 0, handlers = 0xbf400570},
    old_object=0xa30d52c, handle=13366) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#12 0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#13 0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER (execute_data=0xbf4006c0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#14 0x08234785 in execute (op_array=0x99d096c) at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#15 0x0820f1fc in zend_call_function (fci=0xbf400810, fci_cache=0xbf4007f0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#16 0x0822aa1b in zend_call_method (object_pp=0xbf400890, obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7, retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#17 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d52c, new_obj_val={handle = 0, handlers = 0xbf400890},
    old_object=0xa30d254, handle=13365) at /usr/src/php5.1-200602130930/Zend/zend_objects.c:152

---
These are the last 17 frames (?) of the backtrace. Is this enough or do you need more?
 [2006-02-13 13:51 UTC] tony2001@php.net
Assigned to Dmitry, he'll take a look at it.
 [2006-02-13 16:59 UTC] dmitry@php.net
This is not a bug.

Note that you have a typo inside the __clone() method. You wrote "clone $this>test2", but probably meant "clone $this->test2". So you do recursive calls to clone, and PHP crashes because of a stack overflow.

You can do the same with a simpler script, without clone :)

<?php
function foo() {
  foo();
}
foo();
?>
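
The recursion described in the reply above, as an added example that is not part of the original report or of PHP's own code: it tokenises the faulty and the intended statement to show that `clone $this>test2` is `clone $this` followed by a comparison, flags that pattern, and shows a corrected `__clone`. The helper names `significantTokens` and `cloneThisCompared` and the classes `Inner` and `Outer` are hypothetical.

```php
<?php
// Added example; helper and class names below are hypothetical.

// Non-whitespace tokens of one PHP statement, as readable strings.
function significantTokens(string $code): array
{
    $out = [];
    foreach (token_get_all('<?php ' . $code) as $tok) {
        if (!is_array($tok)) {
            $out[] = $tok;                 // single-character token: '>', '=', ';'
        } elseif ($tok[0] !== T_WHITESPACE && $tok[0] !== T_OPEN_TAG) {
            $out[] = token_name($tok[0]) . '(' . $tok[1] . ')';
        }
    }
    return $out;
}

// True when `clone $this` is directly followed by a bare '>' or '<': clone
// binds tighter than comparison, so the operand is the whole object.
function cloneThisCompared(string $code): bool
{
    $t = significantTokens($code);
    for ($i = 0; $i + 2 < count($t); $i++) {
        if (strpos($t[$i], 'T_CLONE(') === 0 && $t[$i + 1] === 'T_VARIABLE($this)'
            && in_array($t[$i + 2], ['>', '<'], true)) {
            return true;
        }
    }
    return false;
}

foreach (['$test2 = clone $this>test2;', '$test2 = clone $this->test2;'] as $stmt) {
    echo $stmt, "\n  ", implode(' ', significantTokens($stmt)), "\n  ",
        cloneThisCompared($stmt) ? 'FLAG: clones $this, then compares' : 'ok', "\n";
}

// Corrected __clone: `->` fetches the member, so only the member is cloned
// and __clone is not re-entered.
class Inner {}
class Outer
{
    public $inner;
    public function __construct() { $this->inner = new Inner(); }
    public function __clone() { $this->inner = clone $this->inner; }
}
$a = new Outer();
$b = clone $a;
var_dump($a->inner !== $b->inner); // the copy owns its own Inner
```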
 