Bug #64997 Segfault while using RecursiveIteratorIterator on 64-bits systems
Submitted: 2013-06-08 23:22 UTC
Modified: 2013-06-09 14:17 UTC
From: cyrille dot faucheux+php at gmail dot com
Assigned: laruence
Status: Closed
Package: Reproducible crash
PHP Version: 5.5Git-2013-06-08 (Git)
OS: Debian Jessie 64-bits
Private report: No
CVE-ID:
 [2013-06-08 23:22 UTC] cyrille dot faucheux+php at gmail dot com
Description:
------------
I was playing with the Respect data validation library from [1], which makes use of Recursive*Iterator to retrieve validation errors.

On my 64-bits Debian Jessie, retrieving the errors with the getFullMessage() function causes a segfault. On a 32-bits one, everything works as expected. May be related to bug #48206.

This bug is reproducible with the versions 5.4.4-15 (packaged by Debian) and the 5.5Git from today (bccacb6).

How to reproduce:
- Clone from [1].
- Place the attached script at the root of the checkout.
- Run # php demo.php

[1]: https://github.com/Respect/Validation

Test script:
---------------
<?php // demo.php
// Place this script at the root of the Respect\Validation library

require_once 'tests/bootstrap.php';

use Respect\Validation\Validator as v;

$userValidator = v::key('name', v::string()->length(1,32))
    ->key('birthdate', v::date('Y-m-d')->minimumAge(18)->setName('age'));

try {
    $userValidator->assert(array('name' => 'bob', 'birthdate' => "1996-07-18"));
} catch (\InvalidArgumentException $e) {
    var_dump($e->getFullMessage());
}

Expected result:
----------------
Should display:

string(73) "\-These rules must pass for "Array"
  \-The age must be 18 years or more."

Actual result:
--------------
#0  0x00000000006f84d0 in gc_remove_from_buffer (root=0x5dfcbc <zim_spl_RecursiveIteratorIterator_valid+76>) at /root/Dev/php/v5.5/Zend/zend_gc.h:189
#1  gc_remove_zval_from_buffer (zv=zv@entry=0x7fffce7c89f0) at /root/Dev/php/v5.5/Zend/zend_gc.c:265
#2  0x00000000006c9948 in i_zval_ptr_dtor (zval_ptr=0x7fffce7c89f0) at /root/Dev/php/v5.5/Zend/zend_execute.h:80
#3  _zval_ptr_dtor (zval_ptr=<optimized out>) at /root/Dev/php/v5.5/Zend/zend_execute_API.c:426
#4  0x00000000006cb55d in zend_call_function (fci=fci@entry=0x7fffce7c8820, fci_cache=0x7ffd74ba0960, fci_cache@entry=0x7fffce7c87f0)
    at /root/Dev/php/v5.5/Zend/zend_execute_API.c:999
#5  0x00000000006f0bf5 in zend_call_method (object_pp=object_pp@entry=0x7fffce7c88d8, obj_ce=<optimized out>, obj_ce@entry=0x7ffd766757c8, 
    fn_proxy=fn_proxy@entry=0x7ffd76675930, function_name=function_name@entry=0xb7ff4f "__tostring", function_name_len=function_name_len@entry=10, 
    retval_ptr_ptr=retval_ptr_ptr@entry=0x7fffce7c88e8, param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0)
    at /root/Dev/php/v5.5/Zend/zend_interfaces.c:97
#6  0x00000000006fcab4 in zend_std_cast_object_tostring (readobj=0x7fffce7c89f0, writeobj=0x7fffce7c8930, type=<optimized out>)
    at /root/Dev/php/v5.5/Zend/zend_object_handlers.c:1537
#7  0x00000000006d0810 in _convert_to_string (op=op@entry=0x7fffce7c89f0) at /root/Dev/php/v5.5/Zend/zend_operators.c:643
#8  0x00000000005e31c8 in spl_recursive_tree_iterator_get_entry (return_value=return_value@entry=0x7fffce7c89f0, object=0x7ffd74bb6c20, object=0x7ffd74bb6c20)
    at /root/Dev/php/v5.5/ext/spl/spl_iterators.c:1021
#9  0x00000000005e3326 in zim_spl_RecursiveTreeIterator_current (ht=0, return_value=0x7ffd74bb5dd0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /root/Dev/php/v5.5/ext/spl/spl_iterators.c:1123
#10 0x00000000006cb868 in zend_call_function (fci=fci@entry=0x7fffce7c8c10, fci_cache=fci_cache@entry=0x7fffce7c8be0) at /root/Dev/php/v5.5/Zend/zend_execute_API.c:957
#11 0x00000000006f0bf5 in zend_call_method (object_pp=object_pp@entry=0x7fffce7c8cc8, obj_ce=<optimized out>, fn_proxy=0x2587488, 
    function_name=function_name@entry=0x7945d6 "current", function_name_len=function_name_len@entry=7, retval_ptr_ptr=retval_ptr_ptr@entry=0x7ffd74bb5aa8, 
    param_count=param_count@entry=0, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /root/Dev/php/v5.5/Zend/zend_interfaces.c:97
#12 0x00000000006f126e in zend_user_it_get_current_data (_iter=0x7ffd74bb5a88, data=0x7fffce7c8d00) at /root/Dev/php/v5.5/Zend/zend_interfaces.c:181
#13 0x0000000000725ebc in ZEND_FE_FETCH_SPEC_VAR_HANDLER (execute_data=0x7ffd7668b578) at /root/Dev/php/v5.5/Zend/zend_vm_execute.h:13640
#14 0x0000000000747de8 in execute_ex (execute_data=0x7ffd7668b578) at /root/Dev/php/v5.5/Zend/zend_vm_execute.h:356
#15 0x00000000006dae19 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /root/Dev/php/v5.5/Zend/zend.c:1316
#16 0x000000000067a5cb in php_execute_script (primary_file=primary_file@entry=0x7fffce7cb270) at /root/Dev/php/v5.5/main/main.c:2481
#17 0x000000000078b409 in do_cli (argc=2, argv=0x24aa3a0) at /root/Dev/php/v5.5/sapi/cli/php_cli.c:993
#18 0x000000000042890f in main (argc=2, argv=0x24aa3a0) at /root/Dev/php/v5.5/sapi/cli/php_cli.c:1377

Patches

bug64997.patch (last revision 2013-06-09 10:43 UTC by laruence@php.net)
bug64977.patch (last revision 2013-06-09 10:33 UTC by laruence@php.net)

History

 [2013-06-09 10:33 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug64977.patch
Revision:   1370774035
URL:        https://bugs.php.net/patch-display.php?bug=64997&patch=bug64977.patch&revision=1370774035
 [2013-06-09 10:43 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug64997.patch
Revision:   1370774591
URL:        https://bugs.php.net/patch-display.php?bug=64997&patch=bug64997.patch&revision=1370774591
 [2013-06-09 10:46 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-06-09 10:46 UTC] laruence@php.net
Could you verify the fix works?

I cannot reproduce the segfault, but I do see some warnings in valgrind, so I think this fix should solve your problem.

Thanks
 [2013-06-09 12:12 UTC] cyrille dot faucheux+php at gmail dot com
-Status: Feedback +Status: Open
 [2013-06-09 12:12 UTC] cyrille dot faucheux+php at gmail dot com
I've just built branches 5.4 & 5.5 with this patch on my 64-bits Debian Jessie, no more segfault.
 [2013-06-09 14:17 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2013-06-09 14:17 UTC] laruence@php.net
Okay, thanks, I will commit it.
 [2013-06-09 14:26 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75c57122e36897c81c33dae81c436f7bad65e35c
Log: Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems)
 [2013-06-09 14:26 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 
Last updated: Thu Apr 17 12:01:59 2014 UTC