From:             mbeccati
Operating system: Any
PHP version:      5.5.1
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Segmentation fault when returning objects by reference

Description:
------------
While updating an old open source application to work with PHP 5.4 and 5.5,
I somehow managed to trigger a segmentation fault when removing an =&
assignment. I've been able to write a small reproduce script, which however
still requires MDB2 from PEAR (tested only with the pgsql driver).

Changing back a specific assignment to =& prevents the shutdown segfault
from happening.

The code works fine with 5.3 and crashes on 5.4+. Tested on Windows and
Linux.

Test script:
---------------
<?php

require './usr/share/php/MDB2.php';

class A {
        static function singleton()
        {
                $db = MDB2::connect('pgsql://postgres:password@localhost/postgres');
                $db->loadModule('Datatype');

                $GLOBALS['DB'] = $db; // Using =& $db doesn't crash

                return $GLOBALS['DB'];
        }
}

class B {
        function __construct()
        {
                $this->db =& $this->getDb();
        }

        function &getDB()
        {
                return A::singleton();
        }
}

$b = new B();


Expected result:
----------------
PHP Notice:  Only variable references should be returned by reference in
foobar.php on line 25


Actual result:
--------------
#0  0x0000000000812979 in gc_zval_possible_root (zv=0x7fffeef256e0) at
/root/compile/php-5.5.1/Zend/zend_gc.c:143
No locals.
#1  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2b4a0) at
/root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2b860
        q = 0x7fffeef2b7b0
#2  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef2b470) at
/root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#3  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef2b470) at
/root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#4  i_zval_ptr_dtor (zval_ptr=0x7fffeef2b470) at
/root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#5  _zval_ptr_dtor (zval_ptr=<optimized out>) at
/root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#6  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef28b10) at
/root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2bfd0
        q = 0x7fffeef2ba80
#7  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef28778) at
/root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#8  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef28778) at
/root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#9  i_zval_ptr_dtor (zval_ptr=0x7fffeef28778) at
/root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#10 _zval_ptr_dtor (zval_ptr=<optimized out>) at
/root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#11 0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2cbb8) at
/root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2ce78
        q = 0x7fffeef2ce20
#12 0x000000000081579c in zend_object_std_dtor (object=0x7fffeef27cb0) at
/root/compile/php-5.5.1/Zend/zend_objects.c:44
No locals.
#13 0x0000000000815829 in zend_objects_free_object_storage
(object=0x7fffeef27cb0) at /root/compile/php-5.5.1/Zend/zend_objects.c:137
No locals.
#14 0x000000000081b476 in zend_objects_store_free_object_storage
(objects=0x1085120)
    at /root/compile/php-5.5.1/Zend/zend_objects_API.c:92
        obj = <optimized out>
        i = <optimized out>
#15 0x00000000007e37e3 in shutdown_executor () at
/root/compile/php-5.5.1/Zend/zend_execute_API.c:293
        __orig_bailout = 0x7fffffffe460
        __bailout = {{__jmpbuf = {17321344, -8869895244590628792, 0, 0, 0,
17333536, 8869894737283235912, -8869895235585851320},
            __mask_was_saved = 0, __saved_mask = {__val =
{9576849035021516823, 0, 8402366, 17291648, 17319392, 140737353913872,
                140737353912280, 140737353913920, 140737353912280, 0,
17321080, 1, 0, 0, 8330270, 17320992}}}}
#16 0x00000000007f3075 in zend_deactivate () at
/root/compile/php-5.5.1/Zend/zend.c:939
No locals.
#17 0x0000000000791637 in php_request_shutdown (dummy=<optimized out>) at
/root/compile/php-5.5.1/main/main.c:1803
        report_memleaks = 1 '\001'
<snip>

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65367&edit=1
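As an added illustration (not part of the bug report and not the reporter's code), the script below shows the two patterns the report contrasts without depending on MDB2: a plain by-value return of a shared object, which needs no `=&` because PHP 5+ objects are handles, and a by-reference function that returns a variable (the global slot itself) rather than a function call result, which is the case the expected-result notice "Only variable references should be returned by reference" is about. The `Connection`, `Registry`, `Consumer` and `getDbRef` names and the DSN string are constructed for this example.

```php
<?php
// Added example, not from the bug report. Stand-in for the MDB2 connection
// object so the script runs offline; the class and DSN are constructed.
class Connection {
    public $dsn;
    function __construct($dsn) { $this->dsn = $dsn; }
}

class Registry {
    // Returns the shared instance by value. Objects are handles in PHP 5+,
    // so every caller receives the same object without any =& assignment.
    static function singleton() {
        if (!isset($GLOBALS['DB'])) {
            $GLOBALS['DB'] = new Connection('constructed://example');
        }
        return $GLOBALS['DB'];
    }
}

class Consumer {
    public $db;
    function __construct() {
        // Plain assignment is enough to share the object handle.
        $this->db = Registry::singleton();
    }
}

// A by-reference function must return a variable, not a call result.
// Returning the global slot itself is a variable reference and raises
// no "Only variable references should be returned by reference" notice.
function &getDbRef() {
    Registry::singleton();   // make sure the slot is populated
    return $GLOBALS['DB'];
}

$a = new Consumer();
$b = new Consumer();
var_dump($a->db === $b->db);   // bool(true): same handle, no references used

$ref =& getDbRef();            // reference to the $GLOBALS['DB'] slot
var_dump($ref === $a->db);     // bool(true)

$ref = null;                   // clears the slot through the reference
var_dump(isset($GLOBALS['DB'])); // bool(false): a reference aliases the slot,
                                 // which a by-value return never does
```

The last three lines show the practical difference between the two patterns: the reference obtained from `getDbRef()` aliases the global slot, so assigning through it changes what every later `Registry::singleton()` call sees, whereas `$a->db` and `$b->db` only hold object handles and are unaffected.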