Bug #51822 Segfault with strange __destruct() for static class variables
Submitted: 2010-05-14 14:38 UTC
Modified: 2010-06-10 13:46 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: daan at react dot com
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.2.13
OS: Debian Etch
Private report: No
CVE-ID:
 [2010-05-14 14:38 UTC] daan at react dot com
Description:
------------
When a static class variable is assigned a nested destructable object, it behaves differently when assigned before or after the instantiation of an object of the class to which the static property belongs.

When the variable is assigned after object instantiation, the process segfaults.

(tested: PHP 5.3.1 behaves correctly)


Test script:
---------------
<?php
class DestructableObject
{
	public function __destruct()
	{
	}	
}

class DestructorCreator
{
	public function __destruct()
	{
		$this->test = new DestructableObject;	
	}
}

class Test
{
	public static $mystatic;
}

// Uncomment this to avoid segfault
//Test::$mystatic = new DestructorCreator();

$x = new Test();

if (!isset(Test::$mystatic))
	Test::$mystatic = new DestructorCreator();

echo 'bla';

Expected result:
----------------
bla

Actual result:
--------------
Segfault

History

 [2010-05-14 14:58 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-05-14 14:58 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I cannot reproduce it on 5_2 SVN.
 [2010-05-14 15:00 UTC] felipe@php.net
-Status: Feedback +Status: Verified
 [2010-05-14 15:00 UTC] felipe@php.net
In fact I got something on Valgrind log:

Invalid write & read and:
==5285==  Address 0x65f0ba4 is 4 bytes inside a block of size 256 free'd
==5285==    at 0x4024866: free (vg_replace_malloc.c:325)
==5285==    by 0x83ACBD6: _efree (zend_alloc.c:2308)
==5285==    by 0x83CD787: zend_ptr_stack_destroy (zend_ptr_stack.c:74)
==5285==    by 0x83BE48B: shutdown_executor (zend_execute_API.c:283)
==5285==    by 0x83D05D9: zend_deactivate (zend.c:860)
==5285==    by 0x836D12B: php_request_shutdown (main.c:1504)
==5285==    by 0x8459950: main (php_cli.c:1346)
 [2010-05-14 15:04 UTC] daan at react dot com
JIC you still need it - a trace:

#0  0x0837f473 in zend_hash_find (ht=0x9ce0398, arKey=0xb73babed "", nKeyLength=5, pData=0xbfc0ea7c)
    at /usr/src/php-5.2.13/Zend/zend_hash.c:880
#1  0xb739e2f2 in xdebug_execute (op_array=0x9ce5214) at /tmp/pear/temp/xdebug/xdebug.c:1392
#2  0x08368c20 in zend_call_function (fci=0xbfc0ebec, fci_cache=0xbfc0ec10)
    at /usr/src/php-5.2.13/Zend/zend_execute_API.c:1039
#3  0x08387b2c in zend_call_method (object_pp=0xbfc0ec94, obj_ce=0x9ce3c0c, fn_proxy=0xbfc0ec98, 
    function_name=0x8638cb8 "__destruct", function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, 
    arg2=0x0) at /usr/src/php-5.2.13/Zend/zend_interfaces.c:88
#4  0x0838da67 in zend_objects_destroy_object (object=0x9ce4898, handle=1)
    at /usr/src/php-5.2.13/Zend/zend_objects.c:101
#5  0x08390d30 in zend_objects_store_del_ref_by_handle (handle=1)
    at /usr/src/php-5.2.13/Zend/zend_objects_API.c:198
#6  0x08390d75 in zend_objects_store_del_ref (zobject=0x9ce22c4)
    at /usr/src/php-5.2.13/Zend/zend_objects_API.c:169
#7  0x08367ee9 in _zval_ptr_dtor (zval_ptr=0x9ce4928) at /usr/src/php-5.2.13/Zend/zend_variables.h:35
#8  0x0837e245 in zend_hash_destroy (ht=0x9ce48ec) at /usr/src/php-5.2.13/Zend/zend_hash.c:526
#9  0x0838dc07 in zend_object_std_dtor (object=0x9ce3284) at /usr/src/php-5.2.13/Zend/zend_objects.c:45
#10 0x0838dc40 in zend_objects_free_object_storage (object=0x9ce3284)
    at /usr/src/php-5.2.13/Zend/zend_objects.c:122
#11 0x08390d52 in zend_objects_store_del_ref_by_handle (handle=2)
    at /usr/src/php-5.2.13/Zend/zend_objects_API.c:211
#12 0x08390d75 in zend_objects_store_del_ref (zobject=0x9ce48d4)
    at /usr/src/php-5.2.13/Zend/zend_objects_API.c:169
#13 0x08367ee9 in _zval_ptr_dtor (zval_ptr=0x9ce46f8) at /usr/src/php-5.2.13/Zend/zend_variables.h:35
#14 0x0837e245 in zend_hash_destroy (ht=0x9ce4548) at /usr/src/php-5.2.13/Zend/zend_hash.c:526
#15 0x0836c123 in destroy_zend_class (pce=0x9d1a78c) at /usr/src/php-5.2.13/Zend/zend_opcode.c:184
#16 0x0837de9c in zend_hash_apply_deleter (ht=0x9b136a0, p=0x9d1a780)
    at /usr/src/php-5.2.13/Zend/zend_hash.c:611
#17 0x0837dfcb in zend_hash_reverse_apply (ht=0x9b136a0, apply_func=0x83675b0 <clean_non_persistent_class>)
    at /usr/src/php-5.2.13/Zend/zend_hash.c:760
#18 0x0836a8b6 in shutdown_executor () at /usr/src/php-5.2.13/Zend/zend_execute_API.c:291
#19 0x083752e4 in zend_deactivate () at /usr/src/php-5.2.13/Zend/zend.c:860
#20 0x083356eb in php_request_shutdown (dummy=0x0) at /usr/src/php-5.2.13/main/main.c:1504
#21 0x083e0872 in main (argc=2, argv=0xbfc0f4f4) at /usr/src/php-5.2.13/sapi/cli/php_cli.c:1346
 [2010-05-14 15:14 UTC] daan at react dot com
Hmm looks like it might be xdebug related.. 
"#1  0xb739e2f2 in xdebug_execute (op_array=0x9ce5214) at /tmp/pear/temp/xdebug/xdebug.c:1392"

I tried it on a non-xdebug php 5.2.10, and that had no problems - the 5.3.1 I tested with did not have xdebug installed either.

Will throw the bug that way then.. apologies for the misdirected bug report!
 [2010-05-14 15:20 UTC] daan at react dot com
Reference to bugreport at xdebug:
http://bugs.xdebug.org/view.php?id=580
 [2010-06-08 13:22 UTC] tony2001@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2010-06-10 13:45 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=300350
Log: Fixed bug #51822i (Segfault with strange __destruct() for static class variables)
 [2010-06-10 13:46 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2010-06-10 13:46 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 