Bug #41691 ArrayObject::exchangeArray hangs Apache
Submitted: 2007-06-14 14:57 UTC Modified: 2007-07-20 10:54 UTC
From: killgec at gmail dot com Assigned: tony2001
Status: Closed Package: SPL related
PHP Version: 5.2.3 OS: winXP
Private report: No CVE-ID:
 [2007-06-14 14:57 UTC] killgec at gmail dot com
Description:
------------
I use a descendant of ArrayObject to have public properties quickly transformed to an array and back. So this object is an ArrayObject initiated with itself. Then Apache hangs when I try to load an array into the props by exchangeArray().

Apache says "child process exited with status 3221225477 -- Restarting."

Maybe I'm misusing ArrayObject, but I think it shouldn't hang Apache in any case. (Anyway, is there any howto or sg for ArrayObject beyond the reference?)

THX!

Reproduce code:
---------------
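<?php
class A extends ArrayObject {
	public function __construct($dummy, $flags) {
		// The object passes itself as its own storage.
		parent::__construct($this, $flags);
	}
	public $a;
	public $b;
	public $c;
}

$a = new A(null, ArrayObject::ARRAY_AS_PROPS);
// Replacing the storage of the self-referencing object triggers the crash.
$a->exchangeArray(array('a' => 1, 'b' => 1, 'c' => 1));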


Expected result:
----------------
Array loaded or error or exception.

Actual result:
--------------
Apache restarts.
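
An added triage example, not part of the original report or of PHP: the exit status in the Apache message above, 3221225477, is 0xC0000005 (STATUS_ACCESS_VIOLATION), so the child process crashed on a bad memory access rather than hanging. The script below scans Apache error-log lines for such child exits and counts them per status code; the sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen when a Windows process dies from a memory fault.
NTSTATUS_CRASH = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Message format quoted in the report above.
CHILD_EXIT = re.compile(r"child process exited with status (\d+) -- Restarting")


def classify_exit(status):
    """Return (hex code, name, is_crash) for a child exit status."""
    status &= 0xFFFFFFFF
    name = NTSTATUS_CRASH.get(status)
    # NTSTATUS severity lives in the top two bits; 0b11 means "error".
    is_crash = name is not None or (status >> 30) == 0b11
    return "0x%08X" % status, name or "unknown", is_crash


def scan_error_log(lines):
    """Count crash-type child exits per status code in Apache error-log lines."""
    crashes = Counter()
    for line in lines:
        match = CHILD_EXIT.search(line)
        if not match:
            continue
        hex_code, name, is_crash = classify_exit(int(match.group(1)))
        if is_crash:
            crashes[(hex_code, name)] += 1
    return crashes


# Constructed sample lines (timestamps and the PID are made up for illustration).
SAMPLE_LOG = [
    "[Thu Jun 14 16:57:01 2007] [notice] Parent: child process exited with status 3221225477 -- Restarting.",
    "[Thu Jun 14 16:57:02 2007] [notice] Child 1234: Child process is running",
    "[Thu Jun 14 16:58:10 2007] [notice] Parent: child process exited with status 3221225477 -- Restarting.",
    "[Thu Jun 14 17:03:44 2007] [notice] Parent: child process exited with status 0 -- Restarting.",
]

if __name__ == "__main__":
    for (hex_code, name), count in scan_error_log(SAMPLE_LOG).items():
        print(f"{count} child crash(es): {hex_code} {name}")
```

Repeated access-violation exits tied to one request path point to a crashing script or extension and are worth correlating with the access log.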

 [2007-06-16 11:01 UTC] judas dot iscariote at gmail dot com
Yup, it crashes

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47885183253760 (LWP 9176)]
0x000000000072c50c in zend_object_store_get_object (zobject=0xc81970) at /home/cristian/php5/Zend/zend_objects_API.c:255
255             return EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt full
#0  0x000000000072c50c in zend_object_store_get_object (zobject=0xc81970) at /home/cristian/php5/Zend/zend_objects_API.c:255
        handle = 13113824
#1  0x0000000000581522 in spl_array_get_hash_table (intern=0xc80bf0, check_std_props=0) at /home/cristian/php5/ext/spl/spl_array.c:76
        other = (spl_array_object *) 0x800000048
#2  0x0000000000584035 in spl_array_rewind (intern=0xc80bf0) at /home/cristian/php5/ext/spl/spl_array.c:829
        aht = (HashTable *) 0xc80c08
#3  0x00000000005849b7 in zim_spl_Array_exchangeArray (ht=1, return_value=0xc820c8, return_value_ptr=0x0, this_ptr=0xc7fdf8, return_value_used=0)
    at /home/cristian/php5/ext/spl/spl_array.c:1063
        object = (zval *) 0xc7fdf8
        tmp = (zval *) 0x0
        array = (zval **) 0xc67a80
        intern = (spl_array_object *) 0xc80bf0
#4  0x000000000072ea64 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff88edf210) at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0xc814c0
        original_return_value = (zval **) 0xc81970
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x111088edefb0
#5  0x000000000072f931 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff88edf210) at /home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#6  0x000000000072e4ac in execute (op_array=0xc80ab0) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xc814c0, function_state = {function_symbol_table = 0xc81bf8, function = 0xc86d98, reserved = {0x63006d4ae9, 0x836ec0, 0xc80bf0,
      0x7fff88edf280}}, fbc = 0xc86d98, op_array = 0xc80ab0, object = 0xc7fdf8, Ts = 0x7fff88edf020, CVs = 0x7fff88edf000, original_in_execution = 0 '\0',
  symbol_table = 0xad7c68, prev_execute_data = 0x0, old_error_reporting = 0x0}
#7  0x0000000000704794 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1134
---Type <return> to continue, or q <return> to quit---
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff88edf420, reg_save_area = 0x7fff88edf360}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff88ee1840
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#8  0x00000000006a45aa in php_execute_script (primary_file=0x7fff88ee1840) at /home/cristian/php5/main/main.c:1852
        realfile = "/home/cristian/arr.php\000\000g&#65533;p\000\000\000\000\000rpl_query_type\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000rpl_probe\000\203\000\000\000\000\000&#65533;\006\000\000\000\000\000\000&#65533;\006&#65533;\210\017\000\000\000rpl_parse_enabled\000\000\000\000\000\000\000\b{\203\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000rollback\000{\203\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000real_query\000\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff88ee16f0
        __bailout = {{__jmpbuf = {47885158587360, -68790275682680777, 0, 140735490693760, 0, 0, -68790275682786761, -68710249578982193}, __mask_was_saved = 0, __saved_mask = {
      __val = {0, 0, 47885156425589, 1, 0, 140733193389738, 7388775, 47885177639976, 47885158587360, 140735490688352, 47885156447202, 47885181017424, 8496384, 11427264,
        7406588, 47885181015904}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0,
      interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0,
      interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff88edf440 ""
        retval = 0
#9  0x000000000078b7e6 in main (argc=2, argv=0x7fff88ee1a88) at /home/cristian/php5/sapi/cli/php_cli.c:1151
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47885158587360, -68790275682676809, 0, 140735490693760, 0, 0, -68790275682680793, -68710249578071107}, __mask_was_saved = 0, __saved_mask = {
      __val = {47885156409919, 0, 47885183250696, 1, 0, 1, 0, 0, 0, 47885183253760, 47885158590016, 140735490693144, 4294967296, 47885181039472, 140735490693248,
        47885181038592}}}}
        exit_status = 0
---Type <return> to continue, or q <return> to quit---
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff88ee2fcc "arr.php", opened_path = 0x0, handle = {fd = 13256160, fp = 0xca45e0, stream = {handle = 0xca45e0,
      reader = 0x71e994 <zend_stream_stdio_reader>, closer = 0x71e9c0 <zend_stream_stdio_closer>, fteller = 0x71e9ea <zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff88ee2fcc "arr.php"
        arg_excp = (char **) 0x7fff88ee1a90
        script_file = 0x7fff88ee2fcc "arr.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
 [2007-06-25 19:33 UTC] tony2001@php.net
Marcus, please take a look at it.
It seems to be easy to fix, but I don't quite understand the code, so I can only guess.
The patch should look either like this:
http://dev.daylessday.org/diff/bug41691_1.diff
or like this:
http://dev.daylessday.org/diff/bug41691_2.diff
and I tend to think the latter is better.
 [2007-07-20 10:54 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 23:01:58 2014 UTC