From: mark dot chong at acquireap dot com
Operating system: ubuntu
PHP version: 5.4.15
Package: Reproducible crash
Bug Type: Bug
Bug description: Segfault with gc_collect_cycles using unserialize on certain objects
Description:
------------
There are a few open bugs this may duplicate, but I have a reproducible case
under very specific circumstances:
Having an object that has
  a. circular reference
  b. changes global variable on destructor
If this object is unserialize()'d then gc_collect_cycles will cause a segfault
Test script:
---------------
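<?php
class bad
{
    private $_private = array();

    public function __construct()
    {
        $this->_private[] = 'oh noes';
    }

    // The destructor copies object state into a global variable.
    public function __destruct()
    {
        //echo "bad::destructor\n";
        global $bar;
        $bar = $this->_private;
    }
}

$foo = new stdClass;
$foo->foo = $foo;      // self-reference: creates the cycle
$foo->bad = new bad;   // member whose destructor touches a global
print_r($foo);

// Turn off automatic collection; cycles are collected only by the
// explicit gc_collect_cycles() call inside the loop.
gc_disable();
for ($i = 0; true; $i++)
{
    // The serialize/unserialize round trip builds a fresh copy of the cyclic graph.
    $deep_clone = unserialize(serialize($foo));
    gc_collect_cycles();
    var_dump($i);
}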
Expected result:
----------------
Script should run indefinitely.
Actual result:
--------------
int(0)
int(1)
Segmentation fault (core dumped)
--
Edit bug report at https://bugs.php.net/bug.php?id=64896&edit=1
--