Edit report at http://bugs.php.net/bug.php?id=54609&edit=1

 ID:                 54609
 Updated by:         [email protected]
 Reported by:        aleksey dot v dot korzun at gmail dot com
 Summary:            Certain implementation(s) of SplFixedArray cause hard crash
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            SPL related
 Operating System:   *nix
 PHP Version:        5.3.6
 Block user comment: N
 Private report:     N

 New Comment:

Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/


Previous Comments:
------------------------------------------------------------------------
[2011-06-05 03:38:14] [email protected]

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=311817
Log: - Possible fix for bug #54609 (Certain implementation(s) of SplFixedArray cause hard crash)

------------------------------------------------------------------------
[2011-05-04 19:02:35] aleksey dot v dot korzun at gmail dot com

Possibly x64 related

------------------------------------------------------------------------
[2011-04-26 21:22:25] aleksey dot v dot korzun at gmail dot com

Description:
------------
Problem can be reproduced on both Linux and Unix environments, does not seem to be OS specific.

Backtrace and other tests point specifically at SplFixedArray.

PHP/OS:
PHP 5.3.6
8.2-RELEASE FreeBSD

Extensions:
extension=ctype.so
extension=curl.so
extension=dom.so
extension=filter.so
extension=gd.so
extension=hash.so
extension=json.so
extension=mbstring.so
extension=mcrypt.so
extension=session.so
extension=simplexml.so
extension=ftp.so
extension=mysqli.so
extension=igbinary.so
extension=apc.so
extension=memcached.so

Test script:
---------------
<?php
/**
 * Proof of concept
 * @author Aleksey Korzun
 */

ini_set('memory_limit', '1024M');
ini_set('display_errors', 'On');

error_reporting(E_ALL);

// Hard limit for our test loop
$limit = 10000;

/**
 * Placeholder model
 */
class Model
{
    public function foo() {}
}

/**
 * Placeholder collection, using SplFixedArray
 */
class Collection extends \SplFixedArray
{
    // Population method
    public function bar()
    {
        $models = array();
        foreach($this as $id => $model) {
            $model->foo();
            $models[$id] = $model;
        }
    }
}

// Initialize and run the test
$collection = new Collection;
$collection->setSize($limit);

while($limit > 0) {
    --$limit;
    $collection[$limit] = new Model;
}

$collection->bar();

Expected result:
----------------
Script should not crash

Actual result:
--------------
(gdb) bt full
#0 0x00000008026f5567 in _zend_is_inconsistent (ht=0xffffffff, file=0x80285a5b8 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c", line=520)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:53
No locals.
#1 0x00000008026f7381 in zend_hash_destroy (ht=0xffffffff)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:520
        p = (Bucket *) 0x802858ff0
        q = (Bucket *) 0x480
#2 0x0000000802710a66 in zend_object_std_dtor (object=0x808581920)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:41
No locals.
#3 0x0000000802710f15 in zend_objects_free_object_storage (object=0x808581920)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:126
No locals.
#4 0x0000000802716abf in zend_objects_store_del_ref_by_handle_ex (handle=3697, handlers=0x8029f0c20)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:220
        __orig_bailout = (sigjmp_buf *) 0x7fffffffe1b0
        __bailout = {{_sjb = {34400725674, 34376863547, 140737488347016, 140737488347184, 140737488350136, 140737488350104, 0, 0, 34499527295, 34498252960, 34499605672, 34359738368}}}
        obj = (struct _store_object *) 0x8094bdca8
        failure = 0
#5 0x00000008027167ae in zend_objects_store_del_ref (zobject=0x8085a8130)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:172
        handle = 3697
#6 0x00000008026e35b3 in _zval_dtor_func (zvalue=0x8085a8130, __zend_filename=0x802857e68 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c", __zend_lineno=443)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_variables.c:52
No locals.
#7 0x00000008026d223f in _zval_dtor (zvalue=0x8085a8130, __zend_filename=0x802857e68 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c", __zend_lineno=443)
    at zend_variables.h:35
No locals.
#8 0x00000008026d2628 in _zval_ptr_dtor (zval_ptr=0x80821ad58, __zend_filename=0x80282b9d8 "/usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c", __zend_lineno=182)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:443
No locals.
#9 0x000000080256f408 in spl_fixedarray_object_free_storage (object=0x808214990)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c:182
        intern = (spl_fixedarray_object *) 0x808214990
        i = 897
#10 0x00000008027164bd in zend_objects_store_free_object_storage (objects=0x8029f75b8)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:92
        obj = (struct _store_object *) 0x809484668
        i = 24
#11 0x00000008026d1f7a in shutdown_executor ()
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:302
        __orig_bailout = (sigjmp_buf *) 0x0
        __bailout = {{_sjb = {34400444143, 34376863547, 140737488347560, 140737488347712, 140737488350136, 140737488350104, 0, 0, 34402009727, 34384020168, 140737488347696, 34359738368}}}
#12 0x00000008026e56de in zend_deactivate ()
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:890
No locals.
#13 0x00000008026656a1 in php_request_shutdown (dummy=0x0)
    at /usr/ports/lang/php5/work/php-5.3.6/main/main.c:1635
        report_memleaks = 1 '\001'
#14 0x00000008027d98b6 in php_apache_request_dtor (r=0x8035778a8)
    at /usr/ports/lang/php5/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:509
No locals.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/bug.php?id=54609&edit=1
