ID: 22510
User updated by: php at codewhore dot org
Reported By: php at codewhore dot org
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Linux 2.4
PHP Version: 4CVS-2003-03-02 (stable)
New Comment:
Hi:
Thanks for waiting. Below is a test case which I've used to
reproducibly crash 4.3.0 and 4.3.2-dev on three separate machines.
Sorry it's so long, but this is the absolute minimum I was able to come
up with. I haven't captured another backtrace for this particular case
yet, but I'd be happy to do so if you'd like.
---- >8 --- cut here --- 8< ----
<?php
class module
{
    function module(&$controller)
    {
        $this->controller =& $controller;
    }
}
class runnable_module extends module
{
    function initialize() { }
    function finalize() { }
    function method() { }
}
class first extends runnable_module
{
    function method()
    {
        $data =& $this->controller->get($data);
    }
}
class second extends runnable_module
{
    function initialize()
    {
        $this->list = array();
    }
    function finalize()
    {
        echo "About to get SIGSEGV...\n";
        $cl =& $this->list;
        echo "Shouldn't see this\n";
    }
}
class controller
{
    function finalize()
    {
        foreach ($this->module_list as $k => $x)
            $this->module_list[$k]->finalize();
    }
    function &get($name)
    {
        return @$this->vars[$name];
    }
    function call($function)
    {
        $symbol =& $this->symtab[$function][0];
        call_user_func($symbol, array());
    }
    function load($name, $method)
    {
        $instance =& new $name($this);
        $instance->initialize();
        $this->module_list[$name] =& $instance;
        $this->symtab[$name] = array(array(&$instance, $method));
    }
    function run()
    {
        $this->load('first', 'method');
        $this->load('second', 'method');
        $this->call('first');
        $this->call('first');
    }
}
class application
{
    function application(&$controller)
    {
        $this->controller =& $controller;
    }
    function run()
    {
        $controller =& $this->controller;
        $removing_this_global_usage_prevents_segv = $_GET['x'];
        $controller->run();
    }
}
$controller = new controller();
$app = new application($controller);
$app->run();
$controller->finalize();
?>
---- >8 --- cut here --- 8< ----
Thanks again,
- Dave
Previous Comments:
------------------------------------------------------------------------
[2003-03-03 11:36:18] [EMAIL PROTECTED]
Keep at feedback status until the requested feedback is actually given.
------------------------------------------------------------------------
[2003-03-03 07:47:15] php at codewhore dot org
I'm working on it - there's a ton of code here, and it's proving
difficult to pare it down to a simple test case. However, I hope to
have one posted by the end of the day today.
Thanks.
------------------------------------------------------------------------
[2003-03-03 00:59:43] [EMAIL PROTECTED]
Please provide us with a minimal, self-contained script for reproducing
the problem.
I cannot reproduce this with the following code:
<?php
class foo
{
    function transaction_commit() {
        return true;
    }
}
class test
{
    var $commit_list;
    function test() {
        $a = array('a'=>new foo(), 'b'=>new foo());
        $this->commit_list = &$a;
    }
    function finalize() {
        $cl =& $this->commit_list;
        foreach ($cl as $k => $x)
        {
            if (!$cl[$k]->transaction_commit())
                return $this->throw(E_SYS);
        }
        return true;
    }
}
$a = new test();
$a->finalize();
?>
------------------------------------------------------------------------
[2003-03-02 17:30:18] php at codewhore dot org
Accidentally posted the non-crashing code snippet. Here's the one that
crashes:
function finalize()
{
    $cl =& $this->commit_list;
    /* Note:
       These are references; we leave the value, $x, unused. */
    foreach ($cl as $k => $x)
    {
        if (!$cl[$k]->transaction_commit())
            return $this->throw(E_SYS);
    }
    return true;
}
------------------------------------------------------------------------
[2003-03-02 17:28:54] php at codewhore dot org
I've been able to reproducibly crash the PHP interpreter with a
section of code that I'm working on that passes around and calls through a
lot of references. The function that causes the crash looks like:
function finalize()
{
    /* Note:
       These are references; we leave the value, $x, unused. */
    foreach ($this->commit_list as $k => $x)
    {
        if (!$this->commit_list[$k]->transaction_commit())
            return $this->throw(E_SYS);
    }
    return true;
}
I haven't managed to narrow it down any further - executing similar
code in isolation hasn't been able to reproduce the crash yet. I'll
keep trying.
The backtrace:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8158)]
0x4034913f in _efree (ptr=0x403b4564) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
233 REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0 0x4034913f in _efree (ptr=0x403b4564) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_alloc.c:233
#1 0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c,
variable_ptr_ptr=0x82509a0,
value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
#2 0x40369b83 in execute (op_array=0x8263344) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
#3 0x4036aa90 in execute (op_array=0x817cad4) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#4 0x4036aa90 in execute (op_array=0x818a144) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#5 0x4036aa90 in execute (op_array=0x81fa9bc) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1640
#6 0x4035b219 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /usr/src/web-server/php-4.3-cvs/Zend/zend.c:864
#7 0x40329fcc in php_execute_script (primary_file=0xbffff820)
at /usr/src/web-server/php-4.3-cvs/main/main.c:1588
#8 0x4036f1a2 in apache_php_module_main (r=0x811047c,
display_source_mode=0)
at /usr/src/web-server/php-4.3-cvs/sapi/apache/sapi_apache.c:55
#9 0x403700e6 in send_php (r=0x811047c, display_source_mode=0,
filename=0x8112204 "/web/sites/frylock/development/node.php")
at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:617
#10 0x4037016c in send_parsed_php (r=0x811047c)
at /usr/src/web-server/php-4.3-cvs/sapi/apache/mod_php4.c:632
#11 0x08054360 in ap_invoke_handler (r=0x811047c) at http_config.c:518
#12 0x08068aae in process_request_internal (r=0x811047c) at
http_request.c:1308
#13 0x08068b0e in ap_process_request (r=0x811047c) at
http_request.c:1324
#14 0x0805fd6e in child_main (child_num_arg=0) at http_main.c:4689
#15 0x0805ff34 in make_child (s=0x8094ec4, slot=0, now=1046645587) at
http_main.c:4813
#16 0x0806009b in startup_children (number_to_start=8) at
http_main.c:4895
#17 0x080606c8 in standalone_main (argc=5, argv=0xbffffca4) at
http_main.c:5203
#18 0x08060f00 in main (argc=5, argv=0xbffffca4) at http_main.c:5566
#19 0x400d3bb4 in __libc_start_main () from /lib/libc.so.6
(gdb) frame 2
#2 0x40369b83 in execute (op_array=0x8263344) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:1344
1344
zend_assign_to_variable_reference(&EX(opline)->result,
get_zval_ptr_ptr(&EX(opline)->op1, EX(Ts), BP_VAR_W),
get_zval_ptr_ptr(&EX(opline)->op2, EX(Ts), BP_VAR_W), EX(Ts)
TSRMLS_CC);
(gdb) print (char
*)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x8258b0c "finalize"
(gdb) frame 1
#1 0x403669fe in zend_assign_to_variable_reference (result=0x8264b6c,
variable_ptr_ptr=0x82509a0,
value_ptr_ptr=0x82637e8, Ts=0xbfffc550) at
/usr/src/web-server/php-4.3-cvs/Zend/zend_execute.c:271
271 FREE_ZVAL(variable_ptr);
(gdb) p *value_ptr_ptr
$6 = (struct _zval_struct *) 0x825925c
(gdb) p **value_ptr_ptr
$7 = {value = {lval = 136677812, dval = 7.6896363518630331, str = {val
= 0x82589b4 "\b",
len = 1075757616}, ht = 0x82589b4, obj = {ce = 0x82589b4,
properties = 0x401ec230}},
type = 4 '\004', is_ref = 0 '\0', refcount = 2}
(gdb) p *result
$9 = {op_type = 4, u = {constant = {value = {lval = 3, dval =
2.1219957924474693e-314, str = {
val = 0x3 <Address 0x3 out of bounds>, len = 1}, ht = 0x3,
obj = {ce = 0x3, properties = 0x1}},
type = 0 '\0', is_ref = 0 '\0', refcount = 0}, var = 3,
opline_num = 3, fetch_type = 3,
op_array = 0x3, EA = {var = 3, type = 1}}}
(gdb) p *variable_ptr_ptr
$10 = (struct _zval_struct *) 0x403b4564
(gdb) p **variable_ptr_ptr
$11 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht =
0x0, obj = {ce = 0x0,
properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0', refcount =
0}
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=22510&edit=1