Bug #51187 Segmentation fault with Zend_Form/Zend_View
Submitted: 2010-03-03 00:32 UTC Modified: 2010-03-25 13:24 UTC
From: bostjan at a2o dot si Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2010-03-03 00:32 UTC] bostjan at a2o dot si
Description:
------------
If I accidentally pass a wrong parameter to Zend_Form when creating a new element (common mistake during development) and I pass an element itself, it causes a segmentation fault.

I don't have time to investigate this issue further to pinpoint the exact location of the segfault in Zend Framework, therefore I am attaching only proof of concept code below, which uses Zend Framework classes.


Test script:
---------------
// Enable Zend Autoloader
require_once "Zend/Loader/Autoloader.php";
$autoloader = Zend_Loader_Autoloader::getInstance();


// Get form object
$domain = 'a2o.si';
$Form   = _getForm($domain);
echo $Form->render();



// Function that creates form object
function _getForm ($domain)
{
    $View = new Zend_View();

    // Create form
    $Form = new Zend_Form();
    $Form->setView($View);
    $Form->setAction('/domain/createrr')
         ->setMethod('post')
         ->setName('form_createrr');

    // Add an element - NOTE A BUGGY WAY TO ADD IT 
    // ($domain is not 'a2o.si' anymore after this line)
    $domain = $Form->createElement('hidden', 'domain');
    $domain->setValue($domain);
    $Form->addElement($domain);

    return $Form;
}


Expected result:
----------------
Form in HTML notation.

Actual result:
--------------
Segmentation fault (tested with CLI and Apache Handler)


 [2010-03-03 00:37 UTC] johannes@php.net
-Status: Open +Status: Feedback
 [2010-03-03 00:37 UTC] johannes@php.net
I assume this is an endless recursion, can you please provide a stack trace?
 [2010-03-03 04:33 UTC] bostjan at a2o dot si
It most certainly is an endless recursion, though it should only lead to a memory limit error.

How do I acquire a stack trace?
 [2010-03-03 04:54 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2010-03-03 04:54 UTC] aharvey@php.net
You can find instructions on generating a backtrace at http://bugs.php.net/bugs-generating-backtrace.php.
 [2010-03-03 13:32 UTC] weierophinney@php.net
I understand completely what's happening -- you set the value of the object to 
the object itself; when rendering, it then attempts to cast the value to a 
string, which means casting the object to a string... which means rendering the 
element, which will in turn need to cast the value to a string. It's indeed 
recursion.

I can potentially put in some recursion detection in ZF; I'm not sure if the PHP 
team wants to investigate the segfault, however.

Personally, though, I'd consider fixing the code instead, to ensure you're not 
overwriting the value passed to the function (which is the real error here).
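
The recursion described in the comment above, together with one form of the recursion detection it mentions, as an added example that is not part of the original report and is not Zend Framework code. `GuardedElement` is a hypothetical stand-in class and the re-entrancy flag is an assumed approach; it returns an empty string on re-entry rather than throwing, since `__toString()` could not throw in the PHP versions of that time.

```php
<?php
// Hypothetical stand-in for a form element; not Zend Framework code.
class GuardedElement
{
    private $name;
    private $value;
    private $rendering = false; // true while render() is on the call stack

    public function __construct($name)
    {
        $this->name = $name;
    }

    public function setValue($value)
    {
        $this->value = $value;
        return $this;
    }

    public function render()
    {
        if ($this->rendering) {
            // Re-entered through our own value (directly or via a cycle of
            // elements): stop here instead of recursing until the stack overflows.
            trigger_error("Element '{$this->name}' contains itself as its value", E_USER_WARNING);
            return '';
        }
        $this->rendering = true;
        try {
            // The string cast is where an object value invokes __toString().
            $value = htmlspecialchars((string) $this->value, ENT_QUOTES, 'UTF-8');
        } finally {
            $this->rendering = false;
        }
        return sprintf('<input type="hidden" name="%s" value="%s">', htmlspecialchars($this->name, ENT_QUOTES, 'UTF-8'), $value);
    }

    public function __toString()
    {
        return $this->render();
    }
}

// Constructed input reproducing the mistake from the report.
$domain = 'a2o.si';
$domain = new GuardedElement('domain'); // overwrites the string
$domain->setValue($domain);             // the element is now its own value
echo $domain->render(), "\n";
```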
 [2010-03-03 13:58 UTC] bostjan at a2o dot si
:) Code was fixed immediately because segfaults were persistent and thus development stopped.

It still is a PHP crashing bug though (and a ZF inconvenience bug if there is such a thing).
 [2010-03-25 13:23 UTC] kalle@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: kalle
 [2010-03-25 13:23 UTC] kalle@php.net
Can you check if the crash is either one of those described in #46156 and its comments? If it's not then please add a comment with how to reproduce it so we have one report with all possible cases we can find.
 [2010-03-25 13:24 UTC] kalle@php.net
-Status: Closed +Status: Duplicate -Assigned To: kalle +Assigned To:
 
Last updated: Mon Oct 25 17:03:33 2021 UTC