php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60134 SIGSEGV in zend_std_write_property
Submitted: 2011-10-25 22:35 UTC Modified: 2013-02-18 00:35 UTC
From: fbaligant at synalabs dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.4.0beta2 OS: Debian Squeeze
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fbaligant at synalabs dot com
New email:
PHP Version: OS:

 

 [2011-10-25 22:35 UTC] fbaligant at synalabs dot com
Description:
------------
PHP5.4beta2 from SVN, up to this revision: http://svn.php.net/viewvc?
view=revision&revision=318411

Repeatable crash in Symfony 1.4.14's Doctrine 1.2.4 Doctrine_Record constructor.

PHP environment is FastCGI with lighttpd.

No APC or Xcache active.

This code runs fine with PHP 5.3.8.


Test script:
---------------
Didn't manage to reproduce it in a simple script yet

Expected result:
----------------
Should not crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, 
member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend_object_handlers.c:244
244		if (key && (property_info = CACHED_POLYMORPHIC_PTR(key-
>cache_slot, ce)) != NULL) {
(gdb) print key
$1 = (zend_literal *) 0x2964040
(gdb) print key->cache_slot
$2 = 4
(gdb) print ce
$3 = (zend_class_entry *) 0x4
(gdb) bt full
#0  0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, 
member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend_object_handlers.c:244
        property_info = 0x85
        scope_property_info = 0x6c85a3
        denied_access = 184 '\270'
        h = 64829024
        zobj = 0x3cc4690
        tmp_member = 0x13c21c8
        variable_ptr = 0x13c42f0
        property_info = 0x0
#1  0x000000000071f5b3 in zend_assign_to_object (retval=0x0, 
object_ptr=0x3cc01e0, property_name=0x7f18dc45d5e8, value_type=4, 
value_op=0x29612e0, Ts=0x1, opcode=7471229, key=0x2964040) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend_execute.c:738
        object = 0x3cb69e0
        value = 0x3cc01e0
        opcode = 136
        key = 0x2964040
#2  0x000000000072007d in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER 
(execute_data=0x7f18dc45cb58) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend_vm_execute.h:21975
        opline = 0x29612e0
#3  0x0000000000711fb8 in execute (op_array=0x3dba620) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend_vm_execute.h:410
        ret = 0
        execute_data = 0x7f18dc45cb58
        nested = 0 '\000'
        original_in_execution = 0 '\000'
#4  0x00000000006a03ad in zend_execute_scripts (type=32767, 
retval=0x7ffffbb685f0, file_count=3) at /tmp/buildd/php5-
5.3.99+5.4.0/Zend/zend.c:1272
        files = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x28, 
reg_save_area = 0x7ffffbb68680}}
        i = 1
        file_handle = <incomplete type>
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0xd23518
#5  0x0000000000643268 in php_execute_script (primary_file=0x0) at 
/tmp/buildd/php5-5.3.99+5.4.0/main/main.c:2414
        __orig_bailout = 0x7ffffbb67db0
        __bailout = {{__jmpbuf = {4223038732, 32767, 4223038736, 32767, 
4223040800, 32767, 4223038688, 32767}, __mask_was_saved = 7041200, __saved_mask 
= {__val = {6910217, 0, 76, 0, 4223038784, 32767, 64586544, 0, 64623000, 0, 
4223038912, 32767, 0, 1, 4223039008, 
                32767}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = 3695567936, filename = 0x7f1800000001 <Address 
0x7f1800000001 out of bounds>, opened_path = 0x27348c8 "\370Hs\002", handle = 
{fd = -599399504, fp = 0x7f18dc45e3b0, stream = {handle = 0x7f18dc45e3b0, isatty 
= 13775168, mmap = {
                len = 10411208, pos = 4223041392, map = 0x1, buf = 0x2 <Address 
0x2 out of bounds>, old_handle = 0x7ffffbb67710, old_closer = 0x20}, reader = 
0x648bb2 <xbuf_format_converter+802>, fsizer = 0, 
              closer = 0x6dfc89 <zend_fetch_dimension_address_read+1097>}}, 
free_filename = 172 '\254'}
        append_file = {type = 6, filename = 0x0, opened_path = 0x3 <Address 0x3 
out of bounds>, handle = {fd = 7012488, fp = 0x6b0088, stream = {handle = 
0x6b0088, isatty = 8, mmap = {len = 0, pos = 3695567936, map = 0x7f18dc45e458, 
                buf = 0x6444e0 "H\201", <incomplete sequence \354\230>, 
old_handle = 0x7f18dc45e3b0, old_closer = 0xd23140 <executor_globals>}, reader = 
0, fsizer = 0, closer = 0x25eb400}}, free_filename = 176 '\260'}
        retval = 0
#6  0x000000000074d03f in main (argc=32767, argv=0x20) at /tmp/buildd/php5-
5.3.99+5.4.0/sapi/cgi/cgi_main.c:2420
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 1871636702, 1462165169, 13779936, 
0}, __mask_was_saved = -1744377634, __saved_mask = {__val = {0, 32536, 
3695797080, 32536, 4223052864, 32767, 3695786312, 32536, 4223052904, 32767, 
3695796224, 32536, 20233565, 0, 
                3693680738, 32536}}}}
        free_query_string = 0
        exit_status = 16178208
        cgi = 0
        c = 0
        i = 16195251
        len = 16195251
        file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x7f1800000004 
<Address 0x7f1800000004 out of bounds>, opened_path = 0x7f18dc451118 
"/var/www/project-sprint/web/index.php", handle = {fd = 0, fp = 0x0, stream = 
{handle = 0x0, isatty = -599254176, 
              mmap = {len = 0, pos = 511, map = 0x0, buf = 0x0, old_handle = 
0x7f18dc2fe000, old_closer = 0}, reader = 0, fsizer = 0x65c090 
<_php_stream_read>, closer = 0x6444e0 <php_zend_stream_fsizer>}}, free_filename 
= 208 '\320'}
        s = 0xf719bf "/association/autres/4198/photos-videos/ajout-video"
        behavior = 0
        no_headers = 0
        orig_optind = 0
        orig_optarg = 0x0
        script_file = 0xf719aa "/index.php"
        max_requests = 1
---Type <return> to continue, or q <return> to quit---
        requests = 82
        fastcgi = 1
        bindpath = 0x1dc492108 <Address 0x1dc492108 out of bounds>
        fcgi_fd = 16195251
        request = 0x0
        repeats = 0
        benchmark = 0
        start = {tv_sec = 7674064, tv_usec = 0}
        end = {tv_sec = 3651069080, tv_usec = 4223053072}
        status = 32536

(gdb) zbacktrace
[0xdc45cb58] __construct() /home/www/project-
sprint/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctr
ine/Record.php:219 
[0xdc45c2d0] __construct() /home/www/project-
sprint/apps/frontend/modules/associationGallery/actions/actions.class.php:336 

Doctrine_Record __construct line 219:

    public function __construct($table = null, $isNewEntry = false)
    {
        if (isset($table) && $table instanceof Doctrine_Table) {
            $this->_table = $table;
            $exists = ( ! $isNewEntry);
        } else {
            // get the table of this class
            $class = get_class($this);
            $this->_table = Doctrine_Core::getTable($class);  <--------

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-10-28 14:20 UTC] fbaligant at synalabs dot com
-Package: Class/Object related +Package: Scripting Engine problem
 [2011-10-28 14:20 UTC] fbaligant at synalabs dot com
Wrong package
 [2011-10-30 01:33 UTC] cataphract@php.net
This is going to be difficult without a script. If you can't get a short one, a big one is better than nothing.
 [2011-10-30 01:33 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2013-02-18 00:35 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Feb 16 20:01:25 2020 UTC