From: mbeccati
Operating system: Any
PHP version: 5.5.1
Package: Reproducible crash
Bug Type: Bug
Bug description: Segmentation fault when returning objects by reference

Description:
------------
While updating an old open source application to work with PHP 5.4 and 5.5, I somehow managed to trigger a segmentation fault when removing an =& assignment. I've been able to write a small reproduce script, which however still requires MDB2 from PEAR (tested only with the pgsql driver). Changing back a specific assignment to =& prevents the shutdown segfault from happening. The code works fine with 5.3 and crashes on 5.4+. Tested on Windows and Linux.

Test script:
---------------
<?php

require './usr/share/php/MDB2.php';

class A
{
    static function singleton()
    {
        $db = MDB2::connect('pgsql://postgres:password@localhost/postgres');
        $db->loadModule('Datatype');
        $GLOBALS['DB'] = $db; // Using =& $db doesn't crash
        return $GLOBALS['DB'];
    }
}

class B
{
    function __construct()
    {
        $this->db =& $this->getDb();
    }

    function &getDB()
    {
        return A::singleton();
    }
}

$b = new B();

Expected result:
----------------
PHP Notice: Only variable references should be returned by reference in foobar.php on line 25

Actual result:
--------------
#0  0x0000000000812979 in gc_zval_possible_root (zv=0x7fffeef256e0) at /root/compile/php-5.5.1/Zend/zend_gc.c:143
No locals.
#1  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2b4a0) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2b860
        q = 0x7fffeef2b7b0
#2  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#3  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#4  i_zval_ptr_dtor (zval_ptr=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#5  _zval_ptr_dtor (zval_ptr=<optimized out>) at /root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#6  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef28b10) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2bfd0
        q = 0x7fffeef2ba80
#7  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#8  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#9  i_zval_ptr_dtor (zval_ptr=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#10 _zval_ptr_dtor (zval_ptr=<optimized out>) at /root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#11 0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2cbb8) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2ce78
        q = 0x7fffeef2ce20
#12 0x000000000081579c in zend_object_std_dtor (object=0x7fffeef27cb0) at /root/compile/php-5.5.1/Zend/zend_objects.c:44
No locals.
#13 0x0000000000815829 in zend_objects_free_object_storage (object=0x7fffeef27cb0) at /root/compile/php-5.5.1/Zend/zend_objects.c:137
No locals.
#14 0x000000000081b476 in zend_objects_store_free_object_storage (objects=0x1085120) at /root/compile/php-5.5.1/Zend/zend_objects_API.c:92
        obj = <optimized out>
        i = <optimized out>
#15 0x00000000007e37e3 in shutdown_executor () at /root/compile/php-5.5.1/Zend/zend_execute_API.c:293
        __orig_bailout = 0x7fffffffe460
        __bailout = {{__jmpbuf = {17321344, -8869895244590628792, 0, 0, 0, 17333536, 8869894737283235912, -8869895235585851320}, __mask_was_saved = 0, __saved_mask = {__val = {9576849035021516823, 0, 8402366, 17291648, 17319392, 140737353913872, 140737353912280, 140737353913920, 140737353912280, 0, 17321080, 1, 0, 0, 8330270, 17320992}}}}
#16 0x00000000007f3075 in zend_deactivate () at /root/compile/php-5.5.1/Zend/zend.c:939
No locals.
#17 0x0000000000791637 in php_request_shutdown (dummy=<optimized out>) at /root/compile/php-5.5.1/main/main.c:1803
        report_memleaks = 1 '\001'
<snip>

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65367&edit=1
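The reference-return pattern from the report, reduced to plain objects so it runs without MDB2. This is an added example, not the reporter's script and not PHP project code; the class names Connection, Registry and the three Consumer classes are constructed for illustration, and it is only meant to show which variant raises the "Only variable references should be returned by reference" notice and which do not. It is not claimed to reproduce the shutdown segfault, which the report says still needed the MDB2 driver.

```php
<?php
// Added example (not the reporter's script): the same reference-return
// pattern reduced to plain objects, with no MDB2 dependency.
// Connection, Registry and the Consumer* classes are constructed names.

class Connection
{
    public $dsn;
    function __construct($dsn) { $this->dsn = $dsn; }
}

class Registry
{
    // Pattern from the report: store the object in $GLOBALS by value and
    // return that array slot from a function that is NOT declared with &.
    static function singleton()
    {
        if (!isset($GLOBALS['DB'])) {
            $GLOBALS['DB'] = new Connection('pgsql://example'); // constructed DSN
        }
        return $GLOBALS['DB'];
    }
}

class ConsumerBroken
{
    public $db;
    function __construct()
    {
        // Binding a reference to a by-reference method whose own return
        // value is a function call, not a variable: PHP raises
        // "Only variable references should be returned by reference".
        $this->db =& $this->getDb();
    }
    function &getDb()
    {
        return Registry::singleton();
    }
}

class ConsumerFixed
{
    public $db;
    function __construct()
    {
        // Objects are handles already; a plain by-value assignment shares
        // the same instance without any reference binding.
        $this->db = $this->getDb();
    }
    function getDb()
    {
        return Registry::singleton();
    }
}

class ConsumerRefVar
{
    public $db;
    function __construct()
    {
        $this->db =& $this->getDb();
    }
    // If a reference really is wanted, return a variable, not a call result.
    function &getDb()
    {
        $db = Registry::singleton();
        return $db;
    }
}

// Promote the notice to an exception so the offending variant is visible.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

try {
    $b = new ConsumerBroken();
    echo "broken: no notice\n";
} catch (ErrorException $e) {
    echo "broken: " . $e->getMessage() . "\n";
}

$f = new ConsumerFixed();
echo "fixed: " . get_class($f->db) . ", "
    . ($f->db === $GLOBALS['DB'] ? "same instance as \$GLOBALS['DB']" : "different instance") . "\n";

$r = new ConsumerRefVar();
echo "ref-var: " . get_class($r->db) . ", no notice\n";
```

Run it with the PHP CLI (`php example.php`). Only the ConsumerBroken variant trips the error handler; the by-value form is the straightforward replacement for the `=&` assignment the reporter removed, and ConsumerRefVar shows the shape a by-reference getter needs if the reference is genuinely required.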