Bug #62358 Segfault when using traits a lot
Submitted: 2012-06-18 20:23 UTC Modified: 2012-08-31 14:10 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: maciej dot sz at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 5.4.4 OS: Linux 3.2.0-25-generic Ubuntu
Private report: No CVE-ID:
 [2012-06-18 20:23 UTC] maciej dot sz at gmail dot com
Description:
------------
While using traits PHP crashes a lot. This does not seem to be related to any 
certain piece of code, because I just have to add a dummy declaration like
$tmp = '';
and the script runs normally.


For example I just wrote code similar to this:

<?php

trait T1
{
   public function t1()
   {
      return 't1';
   }
}

class Foo
{
   use T1;
}

$f = new Foo();
$f->t1();
?>

and segfault occurred. But all I have to do is add the dummy declaration within 
the trait method and the script runs normally:

<?php

trait T1
{
   public function t1()
   {
      $tmp = '';
      return 't1';
   }
}

class Foo
{
   use T1;
}

$f = new Foo();
$f->t1();
?>

Sometimes the segfault error disappears by just running the script again.

All scripts are run from command line, my compile configuration is as follows:
'./configure'  '--with-mysql' '--with-pgsql' '--with-zlib' '--enable-calendar' 
'--with-curl' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-gd' 
'--enable-bcmath' '--enable-soap' '--enable-fpm' '--with-pdo-mysql' 
'--with-pdo-pgsql' '--with-pdo-sqlite' '--with-config-file-path=/etc/php54/cli' 
'--with-config-file-scan-dir=/etc/php54/cli/conf.d' '--prefix=/usr/local/php54' 
'--enable-debug' '--with-mysqli' '--enable-mbstring'

I've recompiled PHP several times. This issue appears to concern all 5.4.* 
versions.

Here's a bugtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000094dafb in zend_get_function_declaration (fptr=0x1669df0)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:3052
3052			memcpy(offset, fptr->common.scope->name, fptr->common.scope->name_length);
(gdb) bt
#0  0x000000000094dafb in zend_get_function_declaration (fptr=0x1669df0)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:3052
#1  0x000000000094eaf9 in do_inheritance_check_on_method (child=0x16e15d8, parent=0x1680028)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:3263
#2  0x000000000094ecaf in do_inherit_method_check (child_function_table=0x16e1118, parent=0x1680028, 
    hash_key=0x7fffffff9db0, child_ce=0x16e10f0)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:3288
#3  0x00000000009881ec in zend_hash_replace_checker_wrapper (target=0x16e1118, source_data=0x1680028, 
    p=0x167ff80, pParam=0x16e10f0, merge_checker_func=0x94ec28 <do_inherit_method_check>)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_hash.c:878
#4  0x000000000098826d in zend_hash_merge_ex (target=0x16e1118, source=0x1668390, 
    pCopyConstructor=0x94d531 <do_inherit_method>, size=240, 
    pMergeSource=0x94ec28 <do_inherit_method_check>, pParam=0x16e10f0)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_hash.c:892
#5  0x000000000094ff5d in zend_do_inheritance (ce=0x16e10f0, parent_ce=0x1668368)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:3519
#6  0x0000000000953796 in do_bind_inherited_class (op_array=0x16e2270, opline=0x16eacd8, 
    class_table=0x126ce70, parent_ce=0x1668368, compile_time=0 '\000')
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_compile.c:4569
#7  0x00000000009b6a49 in ZEND_DECLARE_INHERITED_CLASS_SPEC_HANDLER (execute_data=0x7ffff7f96538)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_vm_execute.h:936
#8  0x00000000009b3741 in execute (op_array=0x16e2270)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_vm_execute.h:410
#9  0x0000000000962f23 in zend_call_function (fci=0x7fffffffa3f0, fci_cache=0x7fffffffa440)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_execute_API.c:958
#10 0x0000000000716989 in zim_reflection_method_invokeArgs (ht=2, return_value=0x16d6960, 
    return_value_ptr=0x0, this_ptr=0x164abb0, return_value_used=1)
    at /home/maciek/Pobrane/php-5.4.4/ext/reflection/php_reflection.c:2926
#11 0x00000000009b4e57 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f94a38)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_vm_execute.h:642
#12 0x00000000009b5cfb in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f94a38)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_vm_execute.h:752
#13 0x00000000009b3741 in execute (op_array=0x7ffff0d7e680)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend_vm_execute.h:410
#14 0x00000000009762b2 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/maciek/Pobrane/php-5.4.4/Zend/zend.c:1279
#15 0x00000000008e8a1a in php_execute_script (primary_file=0x7fffffffcda0)
    at /home/maciek/Pobrane/php-5.4.4/main/main.c:2473
#16 0x0000000000abee99 in do_cli (argc=6, argv=0x7fffffffe188)
    at /home/maciek/Pobrane/php-5.4.4/sapi/cli/php_cli.c:988
#17 0x0000000000abffb9 in main (argc=6, argv=0x7fffffffe188)
    at /home/maciek/Pobrane/php-5.4.4/sapi/cli/php_cli.c:1361

Expected result:
----------------
Script exited normally, without segfault.

Actual result:
--------------
Segmentation fault.

 [2012-06-18 23:52 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-06-18 23:52 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2012-06-19 09:02 UTC] maciej dot sz at gmail dot com
Thank you for the response. I've compiled the snapshot (201206190730) and I got 
segfault with same BT, only this time it occurred earlier in the script.

Maybe it is worth mentioning, that I was not able to reproduce the crash with 
small scripts (including only few files). The bug occurs when I use traits with 
large frameworks: PHPUnit or Zend Framework.
 [2012-08-12 12:21 UTC] maciej dot sz at gmail dot com
Another crash, this time in newest 5.4.6RC1 :


Program received signal SIGSEGV, Segmentation fault.
0x000000000094e409 in zend_get_function_declaration (fptr=0x1b5e240)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3059
3059			size_t name_len = strlen(fptr->common.function_name);
(gdb) bt
#0  0x000000000094e409 in zend_get_function_declaration (fptr=0x1b5e240)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3059
#1  0x000000000094f37b in do_inheritance_check_on_method (child=0x1ba67c0, parent=0x1b6d2b8)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3263
#2  0x000000000094f531 in do_inherit_method_check (child_function_table=0x1ba8970, parent=0x1b6d2b8, 
    hash_key=0x7fffffff9dd0, child_ce=0x1ba8948)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3288
#3  0x0000000000988bf0 in zend_hash_replace_checker_wrapper (target=0x1ba8970, source_data=0x1b6d2b8, 
    p=0x1b79630, pParam=0x1ba8948, merge_checker_func=0x94f4aa <do_inherit_method_check>)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:878
#4  0x0000000000988c71 in zend_hash_merge_ex (target=0x1ba8970, source=0x1b64378, 
    pCopyConstructor=0x94ddb3 <do_inherit_method>, size=240, 
    pMergeSource=0x94f4aa <do_inherit_method_check>, pParam=0x1ba8948)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:892
#5  0x00000000009507df in zend_do_inheritance (ce=0x1ba8948, parent_ce=0x1b64350)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3519
#6  0x00000000009540a7 in do_bind_inherited_class (op_array=0x1ba5b10, opline=0x1bb74b0, 
    class_table=0x126ee70, parent_ce=0x1b64350, compile_time=0 '\000')
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:4570
#7  0x00000000009b742a in ZEND_DECLARE_INHERITED_CLASS_SPEC_HANDLER (execute_data=0x7ffff7f95e70)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:936
#8  0x00000000009b4122 in execute (op_array=0x1ba5b10)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
#9  0x000000000096381c in zend_call_function (fci=0x7fffffffa410, fci_cache=0x7fffffffa460)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_execute_API.c:958
#10 0x0000000000717021 in zim_reflection_method_invokeArgs (ht=2, return_value=0x1ba72f8, 
    return_value_ptr=0x0, this_ptr=0x1b26ed0, return_value_used=1)
    at /home/maciek/Downloads/php-5.4.6RC1/ext/reflection/php_reflection.c:3024
#11 0x00000000009b5838 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f94728)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:642
#12 0x00000000009b66dc in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f94728)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:752
#13 0x00000000009b4122 in execute (op_array=0x7ffff095e050)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
#14 0x0000000000976ca1 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend.c:1289
#15 0x00000000008e90aa in php_execute_script (primary_file=0x7fffffffcdd0)
    at /home/maciek/Downloads/php-5.4.6RC1/main/main.c:2473
#16 0x0000000000abf8c1 in do_cli (argc=6, argv=0x7fffffffe1b8)
    at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:988
#17 0x0000000000ac09fa in main (argc=6, argv=0x7fffffffe1b8)
    at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:1364
 [2012-08-12 12:25 UTC] maciej dot sz at gmail dot com
This is a very serious bug that stops deploying software to production. Can anyone tell me why the status has been changed to Feedback?
 [2012-08-13 01:17 UTC] aharvey@php.net
-Status: Feedback +Status: Open
 [2012-08-13 01:17 UTC] aharvey@php.net
It should have been set back to Open when you responded.
 [2012-08-13 06:34 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-08-13 06:34 UTC] laruence@php.net
could you give us a reproduce script?

seems you are using reflection in your scripts. (assign to myself, then I can get 
your feedback as soon as possible)
 [2012-08-13 06:36 UTC] laruence@php.net
and btw: could you please print the fptr in your bt out? maybe it will be helpful, 
like:

gdb > f0
gdb > p *fptr
 [2012-08-13 20:42 UTC] maciej dot sz at gmail dot com
I'm having trouble putting together a reproduce script because, as I've mentioned before, there is a lot of randomness in this crash. I'll keep trying, meanwhile the requested fptr (don't know if I'm doing it right...):

(gdb) f
#0  0x000000000094e37d in zend_get_function_declaration (fptr=0x1b6a6e8)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3052
3052			memcpy(offset, fptr->common.scope->name, fptr->common.scope->name_length);
(gdb) p *fptr
$2 = {type = 90 'Z', common = {type = 90 'Z', 
    function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, 
    num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a}, op_array = {
    type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, 
    num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a, 
    refcount = 0x5a5a5a5a5a5a5a5a, opcodes = 0x5a5a5a5a5a5a5a5a, last = 1515870810, 
    vars = 0x5a5a5a5a5a5a5a5a, last_var = 1515870810, T = 1515870810, 
    brk_cont_array = 0x5a5a5a5a5a5a5a5a, last_brk_cont = 1515870810, 
    try_catch_array = 0x5a5a5a5a5a5a5a5a, last_try_catch = 1515870810, 
    static_variables = 0x5a5a5a5a5a5a5a5a, this_var = 1515870810, 
    filename = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, line_start = 1515870810, 
    line_end = 1515870810, doc_comment = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    doc_comment_len = 1515870810, early_binding = 1515870810, literals = 0x5a5a5a5a5a5a5a5a, 
    last_literal = 1515870810, run_time_cache = 0x5a5a5a5a5a5a5a5a, last_cache_slot = 1515870810, 
    reserved = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}}, 
  internal_function = {type = 90 'Z', 
    function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, 
    scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, 
    num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a, 
    handler = 0x5a5a5a5a5a5a5a5a, module = 0x5a5a5a5a5a5a5a5a}}
(gdb) p $f0
$3 = void
 [2012-08-20 14:30 UTC] maciej dot sz at gmail dot com
It is close to impossible to reproduce this bug on two separate machines. I've tried moving exact code which caused the segfault on one computer to another, but it executed normally there.

Meanwhile I've encountered another, very similar fault with slightly different backtrace, which I think is related (maybe this one will be of any help?):

Program received signal SIGSEGV, Segmentation fault.
0x000000000094e506 in zend_get_function_declaration (fptr=0x1e68018)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3072
3072				if (arg_info->class_name) {


(gdb) bt
#0  0x000000000094e506 in zend_get_function_declaration (fptr=0x1e68018)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3072
#1  0x000000000094f37b in do_inheritance_check_on_method (child=0x1eb8700, parent=0x1e6e320)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3263
#2  0x000000000094f531 in do_inherit_method_check (child_function_table=0x1ea6a80, parent=0x1e6e320, 
    hash_key=0x7fffffff9db0, child_ce=0x1ea6a58)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3288
#3  0x0000000000988bf0 in zend_hash_replace_checker_wrapper (target=0x1ea6a80, source_data=0x1e6e320, 
    p=0x1e7af20, pParam=0x1ea6a58, merge_checker_func=0x94f4aa <do_inherit_method_check>)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:878
#4  0x0000000000988c71 in zend_hash_merge_ex (target=0x1ea6a80, source=0x1e501a8, 
    pCopyConstructor=0x94ddb3 <do_inherit_method>, size=240, 
    pMergeSource=0x94f4aa <do_inherit_method_check>, pParam=0x1ea6a58)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:892
#5  0x00000000009507df in zend_do_inheritance (ce=0x1ea6a58, parent_ce=0x1e50180)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3519
#6  0x00000000009540a7 in do_bind_inherited_class (op_array=0x1e60190, opline=0x1ea6f90, 
    class_table=0x126eeb0, parent_ce=0x1e50180, compile_time=0 '\000')
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:4570
#7  0x00000000009b742a in ZEND_DECLARE_INHERITED_CLASS_SPEC_HANDLER (execute_data=0x7ffff7f94f30)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:936
#8  0x00000000009b4122 in execute (op_array=0x1e60190)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
#9  0x000000000096381c in zend_call_function (fci=0x7fffffffa3f0, fci_cache=0x7fffffffa440)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_execute_API.c:958
#10 0x0000000000717021 in zim_reflection_method_invokeArgs (ht=2, return_value=0x1ea8ac0, 
    return_value_ptr=0x0, this_ptr=0x1e66070, return_value_used=1)
    at /home/maciek/Downloads/php-5.4.6RC1/ext/reflection/php_reflection.c:3024
#11 0x00000000009b5838 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f937e8)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:642
#12 0x00000000009b66dc in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f937e8)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:752
#13 0x00000000009b4122 in execute (op_array=0x7ffff083e960)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
#14 0x0000000000976ca1 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend.c:1289
#15 0x00000000008e90aa in php_execute_script (primary_file=0x7fffffffcdb0)
    at /home/maciek/Downloads/php-5.4.6RC1/main/main.c:2473
#16 0x0000000000abf8c1 in do_cli (argc=6, argv=0x7fffffffe198)
    at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:988
#17 0x0000000000ac09fa in main (argc=6, argv=0x7fffffffe198)
    at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:1364


(gdb) p *arg_info
Cannot access memory at address 0xcf5d2b8b


(gdb) p *fptr
$3 = {type = 152 '\230', common = {type = 152 '\230', function_name = 0x1e7c320 "\001", 
    scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391, 
    required_num_args = 1515870810, arg_info = 0xcf5d2b8b}, op_array = {type = 152 '\230', 
    function_name = 0x1e7c320 "\001", scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, 
    num_args = 2241651391, required_num_args = 1515870810, arg_info = 0xcf5d2b8b, refcount = 0x79, 
    opcodes = 0xa1, last = 1930623196, vars = 0xfb24d0, last_var = 2019, T = 0, brk_cont_array = 0x0, 
    last_brk_cont = 0, try_catch_array = 0x20, last_try_catch = 1011079938, 
    static_variables = 0x7ffff7f1f490, this_var = 32, 
    filename = 0x600000001 <Address 0x600000001 out of bounds>, line_start = 0, line_end = 0, 
    doc_comment = 0x5a5a5a5a859ce2bf <Address 0x5a5a5a5a859ce2bf out of bounds>, 
    doc_comment_len = 3478989571, early_binding = 0, literals = 0x81, last_literal = 121, 
    run_time_cache = 0x7312f8dc, last_cache_slot = 16458960, reserved = {0x7e3, 0x0, 0x0, 0x20}}, 
  internal_function = {type = 152 '\230', function_name = 0x1e7c320 "\001", scope = 0x1e7c288, 
    fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391, required_num_args = 1515870810, 
    arg_info = 0xcf5d2b8b, handler = 0x79, module = 0xa1}}
 [2012-08-20 14:39 UTC] laruence@php.net
did you use some opcodes cache?

seems the function struct is a total mess.
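
Added example, not part of the original thread: a small Python triage helper for `p *fptr` dumps like the two posted above, separating a block that is still fully freed from one that has been freed and partly reused. It assumes that 0x5a is the byte a `--enable-debug` build's Zend allocator writes over freed blocks; the function names are hypothetical and the sample dumps are abridged from the ones in this report.

```python
import re

# Assumption: 0x5a is the fill byte a --enable-debug Zend allocator
# writes over freed blocks (the 0x5a5a... values in the dumps above).
POISON = 0x5A

# Matches "name = 0x..." or "name = 123" in gdb struct output.
FIELD = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|\d+)")


def classify(value):
    """Classify one field value by how much of it is poison fill."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if all(b == POISON for b in raw):
        # A lone 0x5a byte (90, 'Z') may be a legitimate value.
        return "poisoned" if len(raw) > 1 else "ambiguous"
    if bytes([POISON, POISON]) in raw:
        return "partial"  # poison partly overwritten by newer data
    return "clean"


def poison_report(dump):
    """Summarise a gdb 'p *ptr' dump: counts, suspect fields, verdict."""
    counts = {"poisoned": 0, "partial": 0, "ambiguous": 0, "clean": 0}
    suspects = []
    for name, text in FIELD.findall(dump):
        value = int(text, 16) if text.startswith("0x") else int(text)
        kind = classify(value)
        counts[kind] += 1
        if kind in ("poisoned", "partial"):
            suspects.append(name)
    # Single-byte 0x5a only counts as poison next to wider poisoned fields.
    ambiguous = counts.pop("ambiguous")
    counts["poisoned" if counts["poisoned"] else "clean"] += ambiguous
    total = sum(counts.values())
    if total and counts["poisoned"] / total >= 0.9:
        verdict = "freed"
    elif counts["poisoned"] or counts["partial"]:
        verdict = "freed-then-reused"
    else:
        verdict = "intact"
    return {"counts": counts, "suspects": suspects, "verdict": verdict}


# Abridged from the 2012-08-13 dump in this report.
FREED_DUMP = r"""
$2 = {type = 90 'Z', common = {type = 90 'Z',
    function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>,
    scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a,
    num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a}}
"""

# Abridged from the 2012-08-20 dump (doc_comment lifted out of op_array).
REUSED_DUMP = r"""
$3 = {type = 152 '\230', common = {type = 152 '\230', function_name = 0x1e7c320 "\001",
    scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391,
    required_num_args = 1515870810, arg_info = 0xcf5d2b8b},
    doc_comment = 0x5a5a5a5a859ce2bf <Address 0x5a5a5a5a859ce2bf out of bounds>}
"""

# Abridged from the 'p *child' dump posted later in this report.
INTACT_DUMP = r"""
$1 = {type = 2 '\002', common = {type = 2 '\002', function_name = 0x1ab5af0 "addTlItem",
    scope = 0x1ab5760, fn_flags = 134283520, prototype = 0x1a6f7a0, num_args = 1,
    required_num_args = 1, arg_info = 0x1ab6100}}
"""

if __name__ == "__main__":
    for label, dump in (("freed", FREED_DUMP), ("reused", REUSED_DUMP),
                        ("child", INTACT_DUMP)):
        print(label, poison_report(dump))
```
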
 [2012-08-20 14:48 UTC] maciej dot sz at gmail dot com
Nope, no cache, not even Xdebug nor Zend debug. Pure PHP compiled with following configuration:

'./configure'  '--with-mysql' '--with-pgsql' '--with-zlib' '--enable-calendar' '--with-curl' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-gd' '--enable-bcmath' '--enable-soap' '--with-pdo-mysql' '--with-pdo-pgsql' '--with-pdo-sqlite' '--with-config-file-path=/usr/local/php54/etc' '--with-config-file-scan-dir=/usr/local/php54/etc/conf.d' '--prefix=/usr/local/php54' '--enable-debug' '--with-mysqli' '--enable-mbstring' '--enable-fpm'
 [2012-08-20 14:52 UTC] laruence@php.net
you can reproduce this in 100% chance?
 [2012-08-20 14:58 UTC] laruence@php.net
if yes, could you please also print the child and parent out in frame 1 ? it will 
be very helpful..

thanks
 [2012-08-20 15:12 UTC] maciej dot sz at gmail dot com
I could, until I restarted computer to check if it's still there... Now it crashes running from bash, but not from gdb console. I'll get back to you as soon as it occurs again.
 [2012-08-20 15:16 UTC] laruence@php.net
thanks, btw, from the backtrace seems you are playing with reflection ext, but the 
test script you provide doesn't

so, could you please provide us the exact test script you use? thanks
 [2012-08-20 16:36 UTC] maciej dot sz at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
0x000000000094e37d in zend_get_function_declaration (fptr=0x1a6f7a0)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3052
3052			memcpy(offset, fptr->common.scope->name, fptr->common.scope->name_length);
(gdb) bt
#0  0x000000000094e37d in zend_get_function_declaration (fptr=0x1a6f7a0)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3052
#1  0x000000000094f37b in do_inheritance_check_on_method (child=0x1ab5d00, parent=0x1a7edb0)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3263
(...)

(gdb) frame 1
#1  0x000000000094f37b in do_inheritance_check_on_method (child=0x1ab5d00, parent=0x1a7edb0)
    at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3263
3263				zend_error(E_COMPILE_ERROR, "Declaration of %s::%s() must be compatible with %s", ZEND_FN_SCOPE_NAME(child), child->common.function_name, zend_get_function_declaration(child->common.prototype? child->common.prototype : parent TSRMLS_CC)); 
(gdb) p *child
$1 = {type = 2 '\002', common = {type = 2 '\002', function_name = 0x1ab5af0 "addTlItem", 
    scope = 0x1ab5760, fn_flags = 134283520, prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, 
    arg_info = 0x1ab6100}, op_array = {type = 2 '\002', function_name = 0x1ab5af0 "addTlItem", 
    scope = 0x1ab5760, fn_flags = 134283520, prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, 
    arg_info = 0x1ab6100, refcount = 0x1a7c650, opcodes = 0x1ad5ad8, last = 35, vars = 0x1ab5ea8, 
    last_var = 7, T = 22, brk_cont_array = 0x19ffa18, last_brk_cont = 1, try_catch_array = 0x0, 
    last_try_catch = 0, static_variables = 0x0, this_var = 6, 
    filename = 0x7ffff01935c0 "/usr/share/php/PHPUnit/Framework/MockObject/Generator.php(218) : eval()'d code", line_start = 11, line_end = 31, doc_comment = 0x0, doc_comment_len = 0, 
    early_binding = 4294967295, literals = 0x1ab6298, last_literal = 16, run_time_cache = 0x0, 
    last_cache_slot = 7, reserved = {0x0, 0x0, 0x0, 0x0}}, internal_function = {type = 2 '\002', 
    function_name = 0x1ab5af0 "addTlItem", scope = 0x1ab5760, fn_flags = 134283520, 
    prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, arg_info = 0x1ab6100, 
    handler = 0x1a7c650, module = 0x1ad5ad8}}


(gdb) p *parent
$2 = {type = 2 '\002', common = {type = 2 '\002', function_name = 0x1a83f80 "addTlItem", 
    scope = 0x1a635c8, fn_flags = 134283528, prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, 
    arg_info = 0x1a84338}, op_array = {type = 2 '\002', function_name = 0x1a83f80 "addTlItem", 
    scope = 0x1a635c8, fn_flags = 134283528, prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, 
    arg_info = 0x1a84338, refcount = 0x1a85760, opcodes = 0x1a882a8, last = 25, vars = 0x1a87810, 
    last_var = 3, T = 16, brk_cont_array = 0x0, last_brk_cont = 0, try_catch_array = 0x0, 
    last_try_catch = 0, static_variables = 0x0, this_var = 2, 
    filename = 0x1a6f0e0 "/home/www/workspace/oxio-framework/core/oxio/tl/TElement.php", 
    line_start = 248, line_end = 260, 
    doc_comment = 0x19eb7b0 "/**\n     * Adds a translation item.\n     *\n     * @param Item $TlItem\n     * @return IElement Self instance.\n     * @throws \\oxio\\frame\\exc\\EElementAlreadyExists When an item of given\n     * part name"..., doc_comment_len = 224, early_binding = 4294967295, 
    literals = 0x1a893e8, last_literal = 17, run_time_cache = 0x0, last_cache_slot = 9, reserved = {0x0, 
      0x0, 0x0, 0x0}}, internal_function = {type = 2 '\002', function_name = 0x1a83f80 "addTlItem", 
    scope = 0x1a635c8, fn_flags = 134283528, prototype = 0x1a6f7a0, num_args = 1, required_num_args = 1, 
    arg_info = 0x1a84338, handler = 0x1a85760, module = 0x1a882a8}}
 [2012-08-20 16:37 UTC] maciej dot sz at gmail dot com
The code is here:

http://oxio.pl/php54crash/oxio-framework-snap01.tar.gz

It's quite large, and requires PHPUnit (I'm using 3.6.12).
First run
unit-tests/prepare-data.sh
and then
unit-tests/run.sh

Please let me know if the segfault occurred on your machine.

Also notice the printed fragment in file
core/oxio/struct/config/Cfg.php:493-498
It was at the time when I was playing with this fragment when it crashed. There is also something wrong there, as you can see the dump of the array shows that element 'max' is present (NULL value, but present), but when checking the array with isset($_elements['max']) it returns FALSE. It might be related as it seems to be a problem with addressing the memory.

The code:
var_dump($this->_elements);
var_dump($this->_elements['max']);
var_dump(isset($this->_elements['max']));

Outputs:
array(4) {
  ["min"]=>
  int(3)
  ["max"]=>
  NULL
  ["min_or_equal"]=>
  bool(true)
  ["max_or_equal"]=>
  bool(true)
}
NULL
bool(false)   <-- ????
 [2012-08-21 03:54 UTC] laruence@php.net
thanks very much. I will try to reproduce it locally
 [2012-08-22 15:28 UTC] maciej dot sz at gmail dot com
Any luck reproducing the bug? If not, please try this one:

http://oxio.pl/php54crash/oxio-framework-snap02.tar.gz

I was able to reproduce it with this code on 3 different machines (2 Ubuntu and 1 FreeBSD). Also the set-up of the script should be easier than in the previous one.

And btw sorry about that last comment regarding null-value array item, just ignore it. My mind was off trying to find some kind of connection.
 [2012-08-23 07:41 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6d1bebfcb0ad746cd0410d403a3812853a2cd457
Log: Fixed bug #62358 (Segfault when using traits a lot)
 [2012-08-23 07:42 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

thanks very much for your help, I finally found the reason, please try with the 
latest snapshot
 [2012-08-23 07:42 UTC] laruence@php.net
-Status: Assigned +Status: Feedback
 [2012-08-23 07:42 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6d1bebfcb0ad746cd0410d403a3812853a2cd457
Log: Fixed bug #62358 (Segfault when using traits a lot)
 [2012-08-23 08:04 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d39aa984ad3ef79a8fc3db0cf8dc525a0738a7bc
Log: Refix #62358, previous has side-affect
 [2012-08-31 13:07 UTC] maciej dot sz at gmail dot com
Works like a charm! :)
A whole week without a single segfault seems to indicate that it's fixed.
Thank YOU very much for this!
 [2012-08-31 14:10 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

okay, verified fixed :)
 [2012-08-31 14:10 UTC] laruence@php.net
-Status: Feedback +Status: Closed
Last updated: Sat Apr 19 04:01:55 2014 UTC