php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49664 Clone causes Segmentation fault
Submitted: 2009-09-25 07:46 UTC Modified: 2014-04-03 12:15 UTC
Votes:7
Avg. Score:4.3 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:3 (75.0%)
From: patrik dot lermon at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.*, 6 (2009-09-20) OS: Linux
Private report: No CVE-ID:
 [2009-09-25 07:46 UTC] patrik dot lermon at gmail dot com
Description:
------------
Under certain circumstances the clone keyword causes a Segmentation fault. This code is reproducible and tested with the same result on:
  - Ubuntu 9.04 / PHP 5.2.10 (cli) (built: Jun 22 2009 12:32:02)
  - Slackware 13.0.0.0.0 / PHP 5.3.0 (cli) (built: Sep 25 2009 08:58:26) (DEBUG)
  - Mac OS X 10.5.8 / PHP 5.2.10 (cli) (built: Aug 24 2009 12:47:12) 
  - Mac OS X 10.6.1 / PHP 5.3.0 (cli) (built: Jul 19 2009 00:34:29)

The Ubuntu and Mac OS X versions are standard builds from Zend, and the Slackware is built by me like this:

EXTENSION_DIR=/usr/lib/php/extensions \
CFLAGS="-O2 -march=i486 -mtune=i686" \
./configure \
--enable-force-cgi-redirect \
--enable-pcntl \
--enable-sigchild \
--prefix=/usr \
--libdir=/usr/lib \
--with-libdir=lib \
--sysconfdir=/etc \
--disable-safe-mode \
--disable-magic-quotes \
--enable-zend-multibyte \
--enable-mbregex \
--enable-tokenizer=shared \
--with-config-file-scan-dir=/etc/php \
--with-config-file-path=/etc/httpd \
--enable-mod_charset \
--with-layout=PHP \
--enable-sigchild \
--enable-xml \
--with-libxml-dir=/usr \
--enable-simplexml \
--enable-spl \
--enable-filter \
--enable-debug \
--with-openssl=shared \
--with-pcre-regex=/usr \
--with-zlib=shared,/usr \
--enable-bcmath=shared \
--with-bz2=shared,/usr \
--enable-calendar=shared \
--enable-ctype=shared \
--with-curl=shared \
--with-curlwrappers \
--with-mcrypt=/usr \
--enable-dba=shared \
--with-gdbm=/usr \
--with-db4=/usr \
--enable-exif=shared \
--enable-ftp=shared \
--with-gd=shared \
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-zlib-dir=/usr \
--with-xpm-dir=/usr \
--with-freetype-dir=/usr \
--with-t1lib=/usr \
--enable-gd-native-ttf \
--enable-gd-jis-conv \
--with-gettext=shared,/usr \
--with-gmp=shared,/usr \
--with-iconv=shared \
--with-imap-ssl=/usr \
--with-imap=/usr/local/lib/c-client \
--with-ldap=shared \
--enable-mbstring=shared \
--enable-hash \
--with-mysql=shared,/usr \
--with-mysqli=shared,/usr/bin/mysql_config \
--enable-pdo=shared \
--with-pdo-mysql=shared,/usr \
--with-pdo-sqlite=shared \
--with-pspell=shared,/usr \
--with-mm=/usr \
--enable-shmop=shared \
--with-snmp=shared,/usr \
--enable-soap=shared \
--enable-sockets \
--with-sqlite=shared \
--enable-sqlite-utf8 \
--with-regex=php \
--enable-sysvmsg \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx=shared \
--with-xsl=shared,/usr \
--enable-zip=shared \
--with-tsrm-pthreads \
--enable-shared=yes \
--enable-static=no \
--with-gnu-ld \
--with-pic \
--build=i486-slackware-linux


Reproduce code:
---------------
<?php
date_default_timezone_set('America/Los_Angeles');
class Test {
    public $previous, $next = NULL;
    public function __clone() {
        $this->previous != NULL ? $this->previous = clone $this->previous : $this->previous = NULL;
        $this->next != NULL ? $this->next = clone $this->next : $this->next = NULL;
    }
    public function __toString() {
        return '[' . ($this->previous != NULL ? '<' : '-') . ' ' . ($this->next != NULL ? '>' : '-') . ']';
    }
}

// Create some test objects
$a = new Test(); $b = new Test();

// Link them together
$a->next =& $b; $b->previous =& $a;

// Clone and print
echo "a before cloning:\na: " . $a . "\n";
$b = clone $a;
echo "These two should not look the same:\na: " . $a . "\nb: " . $clone . "\n";


Expected result:
----------------
a before cloning:
a: [- >]
These two should not look the same:
a: [- >]
b: [- -]


Actual result:
--------------
a before cloning:
a: [- >]
Segmentation fault


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-25 07:50 UTC] patrik dot lermon at gmail dot com
I am aware that the cloning will be recursive in some circumstances, but PHP should not segfault because of this.
 [2009-09-28 12:06 UTC] patrik dot lermon at gmail dot com
I get the same result with http://snaps.php.net/php5.3-latest.tar.gz
on Slackware.
 [2009-10-19 15:10 UTC] jani@php.net
Infinite recursion crashes. There's no fix for that.
 [2009-10-19 15:31 UTC] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.

My understanding is that segfault is never ok - that means the code is faulty.
 [2012-12-18 23:53 UTC] kurt at kurtrose dot com
Python handles this kind of recursion fine:

class F(object):
   def __repr__(self): return self.__repr__()

>>> repr(F())
  File "<stdin>", line 2, in __repr__
  File "<stdin>", line 2, in __repr__
  ...
  File "<stdin>", line 2, in __repr__
  File "<stdin>", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded

No segfault.
 [2013-01-23 11:27 UTC] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.

Err, what?

$ php -r 'function a(){ a(); } a();'
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to 
allocate 130968 bytes) in Command line code on line 1

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 
130968 bytes) in Command line code on line 1

This is the intended behaviour on infinite recursion, not a segmentation fault. 
I wouldn't be surprised this could lead a security problem rather just a simple 
crash.
 [2013-01-23 12:07 UTC] patrik dot lermon at gmail dot com
And what do you get when you try with the reproduce code?
 [2013-01-28 13:43 UTC] cf0hay at gmail dot com
Same az OP (with PHP 5.4.8):

$ php a.php
a before cloning:
a: [- >]
Segmentation fault
 [2013-02-23 22:58 UTC] cataphract@php.net
-Status: Not a bug +Status: Re-Opened
 [2013-02-23 22:58 UTC] cataphract@php.net
Still present in trunk; reopening.
 [2013-04-06 17:45 UTC] dinesh dot joshi at yahoo dot com
This segmentation fault / coredump behavior is consistent with what lower level 
languages like C. So IMHO this should not be considered a PHP bug. Just don't get 
into infinite recursions. The language can't stop you from doing something stupid.

Here's a C program that demos the same behavior:

------------------------------
#include<stdio.h>

void fn() {
    char buff[16*1024]; 
    fn();
}

int main(void) {
    fn();
}
------------------------------
 [2013-08-07 20:19 UTC] initrd dot gz at gmail dot com
C lets you do a lot of stuff you aren't supposed to do. Just because C allows it 
doesn't mean higher level languages like PHP should. An out of memory error is 
much more helpful than a segfault, which could come from anything. Also, segfaults 
have historically lead to exploits.
 [2014-04-03 12:15 UTC] mike@php.net
-Status: Re-Opened +Status: Not a bug
 [2014-04-03 12:15 UTC] mike@php.net
@cataphract, why was this re-opened?
AFAICT there won't be a recursion counter.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 14:02:33 2014 UTC