php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55219 Segmentation fault with Serializable Object on self-reference
Submitted: 2011-07-16 23:46 UTC Modified: 2013-08-30 09:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: garic dot suess+php at gmail dot com Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 5.3.6 OS: Ubuntu Linux 10.10 x64
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: garic dot suess+php at gmail dot com
New email:
PHP Version: OS:

 

 [2011-07-16 23:46 UTC] garic dot suess+php at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/class.serializable
---

When a Serializable object contains a reference to it self a Segmentation fault 
is caused.

I first encountered this in 5.3.3, then found a binary package for 5.3.5 for my 
distribution. Finally I compiled my own 5.3.6. The segmentation fault persists in 
all three versions.

If the Serializable interface is removed the code works fine. 

Although the fault is reproducible, I found encountered other self-reference 
scenarios where it is not triggered, making this very unpredictable.

Test script:
---------------
class Test implements Serializable {
	public $member, $message;
	
	function __construct($message) {
		$this->message = $message;
	}

	function serialize() {
		return serialize(array($this->message, $this->member));
	}
	
	function unserialize($serialized) {
		list($this->message, $this->member) = unserialize($serialized); 
	}
}

$constructed = new Test("original");
$constructed->member = $constructed; //References to self (in this example pointless, but technically legal)
var_dump($constructed);
$transported = unserialize(serialize($constructed)); // Segmentation fault.

Expected result:
----------------
Clean exit..

Actual result:
--------------
object(Test)#1 (2) {
  ["member"]=>
  *RECURSION*
  ["message"]=>
  string(8) "original"
}
Segmentation fault


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-17 07:48 UTC] felipe@php.net
-Status: Open +Status: Verified
 [2011-07-17 07:48 UTC] felipe@php.net
I can reproduce it only in 5.3 branch. It's due a stack call overflow.
 [2011-07-17 08:23 UTC] felipe@php.net
On 5.4 and trunk works because the r299770 change (Added support for object references in recursive serialize() calls. FR #36424)
 [2011-11-14 14:53 UTC] errebi at gmail dot com
I can reproduce it on PHP 5.2.11, but the result is quite different. (one more 
itaration)


object(Test)#1 (2) {
  ["member"]=>
  object(Test)#1 (2) {
    ["member"]=>
    *RECURSION*
    ["message"]=>
    string(8) "original"
  }
  ["message"]=>
  string(8) "original"
}
Segmentation fault



Hope could help
 [2013-08-30 09:43 UTC] maarten@php.net
-Status: Verified +Status: Wont fix
 [2013-08-30 09:43 UTC] maarten@php.net
Fixed in 5.4.0, see http://3v4l.org/XuJmX

PHP 5.3 is end of life per March 2013 ( http://php.net/releases/5_3_20.php ), so you should upgrade to 5.4. Given that the issue is 2 years old, you might just as well already have. ;)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 18:01:30 2024 UTC