php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49664 Clone causes Segmentation fault
Submitted: 2009-09-25 07:46 UTC Modified: 2015-03-19 20:59 UTC
Votes:7
Avg. Score:4.3 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:3 (75.0%)
From: patrik dot lermon at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.*, 6 (2009-09-20) OS: Linux
Private report: No CVE-ID:
 [2009-09-25 07:46 UTC] patrik dot lermon at gmail dot com
Description:
------------
Under certain circumstances the clone keyword causes a Segmentation fault. This code is reproducible and tested with the same result on:
  - Ubuntu 9.04 / PHP 5.2.10 (cli) (built: Jun 22 2009 12:32:02)
  - Slackware 13.0.0.0.0 / PHP 5.3.0 (cli) (built: Sep 25 2009 08:58:26) (DEBUG)
  - Mac OS X 10.5.8 / PHP 5.2.10 (cli) (built: Aug 24 2009 12:47:12) 
  - Mac OS X 10.6.1 / PHP 5.3.0 (cli) (built: Jul 19 2009 00:34:29)

The Ubuntu and Mac OS X versions are standard builds from Zend, and the Slackware is built by me like this:

EXTENSION_DIR=/usr/lib/php/extensions \
CFLAGS="-O2 -march=i486 -mtune=i686" \
./configure \
--enable-force-cgi-redirect \
--enable-pcntl \
--enable-sigchild \
--prefix=/usr \
--libdir=/usr/lib \
--with-libdir=lib \
--sysconfdir=/etc \
--disable-safe-mode \
--disable-magic-quotes \
--enable-zend-multibyte \
--enable-mbregex \
--enable-tokenizer=shared \
--with-config-file-scan-dir=/etc/php \
--with-config-file-path=/etc/httpd \
--enable-mod_charset \
--with-layout=PHP \
--enable-sigchild \
--enable-xml \
--with-libxml-dir=/usr \
--enable-simplexml \
--enable-spl \
--enable-filter \
--enable-debug \
--with-openssl=shared \
--with-pcre-regex=/usr \
--with-zlib=shared,/usr \
--enable-bcmath=shared \
--with-bz2=shared,/usr \
--enable-calendar=shared \
--enable-ctype=shared \
--with-curl=shared \
--with-curlwrappers \
--with-mcrypt=/usr \
--enable-dba=shared \
--with-gdbm=/usr \
--with-db4=/usr \
--enable-exif=shared \
--enable-ftp=shared \
--with-gd=shared \
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-zlib-dir=/usr \
--with-xpm-dir=/usr \
--with-freetype-dir=/usr \
--with-t1lib=/usr \
--enable-gd-native-ttf \
--enable-gd-jis-conv \
--with-gettext=shared,/usr \
--with-gmp=shared,/usr \
--with-iconv=shared \
--with-imap-ssl=/usr \
--with-imap=/usr/local/lib/c-client \
--with-ldap=shared \
--enable-mbstring=shared \
--enable-hash \
--with-mysql=shared,/usr \
--with-mysqli=shared,/usr/bin/mysql_config \
--enable-pdo=shared \
--with-pdo-mysql=shared,/usr \
--with-pdo-sqlite=shared \
--with-pspell=shared,/usr \
--with-mm=/usr \
--enable-shmop=shared \
--with-snmp=shared,/usr \
--enable-soap=shared \
--enable-sockets \
--with-sqlite=shared \
--enable-sqlite-utf8 \
--with-regex=php \
--enable-sysvmsg \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx=shared \
--with-xsl=shared,/usr \
--enable-zip=shared \
--with-tsrm-pthreads \
--enable-shared=yes \
--enable-static=no \
--with-gnu-ld \
--with-pic \
--build=i486-slackware-linux


Reproduce code:
---------------
<?php
date_default_timezone_set('America/Los_Angeles');
class Test {
    public $previous, $next = NULL;
    public function __clone() {
        $this->previous != NULL ? $this->previous = clone $this->previous : $this->previous = NULL;
        $this->next != NULL ? $this->next = clone $this->next : $this->next = NULL;
    }
    public function __toString() {
        return '[' . ($this->previous != NULL ? '<' : '-') . ' ' . ($this->next != NULL ? '>' : '-') . ']';
    }
}

// Create some test objects
$a = new Test(); $b = new Test();

// Link them together
$a->next =& $b; $b->previous =& $a;

// Clone and print
echo "a before cloning:\na: " . $a . "\n";
$b = clone $a;
echo "These two should not look the same:\na: " . $a . "\nb: " . $clone . "\n";


Expected result:
----------------
a before cloning:
a: [- >]
These two should not look the same:
a: [- >]
b: [- -]


Actual result:
--------------
a before cloning:
a: [- >]
Segmentation fault


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-25 07:50 UTC] patrik dot lermon at gmail dot com
I am aware that the cloning will be recursive in some circumstances, but PHP should not segfault because of this.
 [2009-09-28 12:06 UTC] patrik dot lermon at gmail dot com
I get the same result with http://snaps.php.net/php5.3-latest.tar.gz
on Slackware.
 [2009-10-19 15:10 UTC] jani@php.net
Infinite recursion crashes. There's no fix for that.
 [2009-10-19 15:31 UTC] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.

My understanding is that segfault is never ok - that means the code is faulty.
 [2012-12-18 23:53 UTC] kurt at kurtrose dot com
Python handles this kind of recursion fine:

class F(object):
   def __repr__(self): return self.__repr__()

>>> repr(F())
  File "<stdin>", line 2, in __repr__
  File "<stdin>", line 2, in __repr__
  ...
  File "<stdin>", line 2, in __repr__
  File "<stdin>", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded

No segfault.
 [2013-01-23 11:27 UTC] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.

Err, what?

$ php -r 'function a(){ a(); } a();'
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to 
allocate 130968 bytes) in Command line code on line 1

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 
130968 bytes) in Command line code on line 1

This is the intended behaviour on infinite recursion, not a segmentation fault. 
I wouldn't be surprised this could lead a security problem rather just a simple 
crash.
 [2013-01-23 12:07 UTC] patrik dot lermon at gmail dot com
And what do you get when you try with the reproduce code?
 [2013-01-28 13:43 UTC] cf0hay at gmail dot com
Same az OP (with PHP 5.4.8):

$ php a.php
a before cloning:
a: [- >]
Segmentation fault
 [2013-02-23 22:58 UTC] cataphract@php.net
-Status: Not a bug +Status: Re-Opened
 [2013-02-23 22:58 UTC] cataphract@php.net
Still present in trunk; reopening.
 [2013-04-06 17:45 UTC] dinesh dot joshi at yahoo dot com
This segmentation fault / coredump behavior is consistent with what lower level 
languages like C. So IMHO this should not be considered a PHP bug. Just don't get 
into infinite recursions. The language can't stop you from doing something stupid.

Here's a C program that demos the same behavior:

------------------------------
#include<stdio.h>

void fn() {
    char buff[16*1024]; 
    fn();
}

int main(void) {
    fn();
}
------------------------------
 [2013-08-07 20:19 UTC] initrd dot gz at gmail dot com
C lets you do a lot of stuff you aren't supposed to do. Just because C allows it 
doesn't mean higher level languages like PHP should. An out of memory error is 
much more helpful than a segfault, which could come from anything. Also, segfaults 
have historically lead to exploits.
 [2014-04-03 12:15 UTC] mike@php.net
-Status: Re-Opened +Status: Not a bug
 [2014-04-03 12:15 UTC] mike@php.net
@cataphract, why was this re-opened?
AFAICT there won't be a recursion counter.
 [2015-03-19 19:52 UTC] omars@php.net
I'd say the best way to handle this, could be using an ini directive.
 [2015-03-19 20:44 UTC] patrik dot lermon at gmail dot com
The error is for instance handled in a civilised manner by hhvm (Fatal error: Stack overflow in /in/aMjnT on line 6). So I guess infinite recursion crashes, and there is a way to realise this without segfaulting.
I withstand if a high level programming language segfaults its design is broken, and thus this the bug should remain open IMHO.
I'm not familiar with the underlaying design in php, but I guess that it just tries to reference memory and hope for the best instead of actually perform some checks, which hhvm manages to do. Again, I'm just guessing.

Segfault or stack overflow, does it matter?
Someone correct me if I'm wrong here, but as I understand it a stack overflow is realised and reported by the interpreter itself, while a segfault is the actual OS realising that the process tries to reference memory that it's not allowed to access and kills it. And if that is the case the actual use case for fixing this would be to give the user a proper error message (what happened, what file and line). Or if a proper exception handling was implemented in php (not mixing errors and exceptions) I presume the programmer could even wrap his code in a try-catch and make his own decision what to do in case of a stack overflow.


See http://3v4l.org/aMjnT


hhvm-3.3.1 - 3.5.1
    a before cloning:
    a: [- >]
    
    Fatal error: Stack overflow in /in/aMjnT on line 6
    
    Process exited with code 255.
 [2015-03-19 20:59 UTC] yohgaki@php.net
@patrik Open new feature request for recursion limit if it's not exist.

IIRC, perl segfault (well at least old one). Ruby/Python has limit like 1000.
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Fri May 22 13:02:13 2015 UTC