ID: 28215
Updated by: [EMAIL PROTECTED]
Reported By: takanota at alpha dot co dot jp
-Status: Verified
+Status: Closed
Bug Type: Reproducible crash
Operating System: *
PHP Version: 4CVS, 5CVS
New Comment:
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2004-07-11 21:50:08] [EMAIL PROTECTED]
Didn't try the patch though..
------------------------------------------------------------------------
[2004-06-30 23:23:24] schulz at schwaar dot com
This patch fixes the bug for me. Tested on linux with php-4.3.7.
The second changed line of the diff should probably be turned into something like:
"if (class_name) free_class_name = 1; else emit_a_warning(WITH_A_PROPER_TEXT);"
--- php_incomplete_class.h.orig 2004-06-30 22:40:12.000000000 +0200
+++ php_incomplete_class.h 2004-06-30 23:00:01.000000000 +0200
@@ -29,8 +29,8 @@ #define PHP_SET_CLASS_ATTRIBUTES(struc) \ /* OBJECTS_FIXME: Fix for new object model */ \ if (Z_OBJCE_P(struc) == BG(incomplete_class)) { \ - class_name = php_lookup_class_name(struc, &name_len, 1 TSRMLS_CC); \ - free_class_name = 1; \ + class_name = php_lookup_class_name(struc, &name_len, 0 TSRMLS_CC); \ + if (class_name) free_class_name = 1; \ } else { \ class_name = Z_OBJCE_P(struc)->name; \ name_len = Z_OBJCE_P(struc)->name_length; \
------------------------------------------------------------------------
[2004-04-29 11:42:50] takanota at alpha dot co dot jp
Description:
------------
When serialize() is called twice on the same __PHP_Incomplete_Class object, PHP crashes on the second serialize().
I found this problem with the apache and cli SAPIs on Red Hat Linux 9 (2.4.20-8, not SMP).
If memory-limit is enabled, PHP reports a memory-limit error (it tries to allocate over 1G bytes!).
If memory-limit is disabled, PHP crashes with a segmentation fault.
It seems that serialize() drops the __PHP_Incomplete_Class_Name member.
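Review bot: in the `@@ -29,8 +29,8 @@` hunk of the patch above, the added `if (class_name) free_class_name = 1;` only prevents freeing a NULL pointer; when php_lookup_class_name() returns NULL the macro still leaves class_name NULL and name_len unset, and callers such as php_var_serialize_class_name() (frame #2 in the reporter's backtrace) go on to use both, which is exactly the state behind the reported memcpy crash. The NULL branch should set name_len = 0 and abort the serialization, or, as the submitter suggests, emit a warning and substitute a safe name, rather than fall through. The change of the third argument from 1 to 0 is the part that actually stops the __PHP_Incomplete_Class_Name member from being dropped between the two serialize() calls, and the hunk would benefit from a comment saying so, since the destructive lookup is not obviously wrong when read in isolation.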
Reproduce code:
---------------
<?php
$object = unserialize('O:9:"testclass":1:{s:5:"value";i:100;}');
var_dump($object);
echo serialize($object), "\n\n";
var_dump($object);
echo serialize($object), "\n\n";

Expected result:
----------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

Actual result:
--------------
object(__PHP_Incomplete_Class)(2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(9) "testclass"
  ["value"]=>
  int(100)
}
O:9:"testclass":1:{s:5:"value";i:100;}

object(__PHP_Incomplete_Class)(1) {
  ["value"]=>
  int(100)
}

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1107768167 bytes) in /home/takanota/php/serialize.php on line 8

If memory-limit is disabled, php will crash with segmentation fault.
backtrace:
------------
#0  0x4207c1ac in memcpy () from /lib/tls/libc.so.6
#1  0x080afe24 in smart_str_appendl_ex (dest=0xbfffd030, src=0x8159e74 "\204\223\025\b\001", len=1, what=0) at php_smart_str.h:84
#2  0x080b0070 in php_var_serialize_class_name (buf=0xbfffd030, struc=0x8159e74) at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:430
#3  0x080af926 in php_var_serialize_intern (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040) at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:574
#4  0x080afa94 in php_var_serialize (buf=0xbfffd030, struc=0x8159e74, var_hash=0xbfffd040) at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:626
#5  0x080afb36 in zif_serialize (ht=1, return_value=0x81592ec, this_ptr=0x0, return_value_used=1) at /home/takanota/local/src/php-4.3.6/ext/standard/var.c:649
#6  0x080febe2 in execute (op_array=0x815f48c) at /home/takanota/local/src/php-4.3.6/Zend/zend_execute.c:1635
#7  0x080eef25 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/takanota/local/src/php-4.3.6/Zend/zend.c:886
#8  0x080bf8aa in php_execute_script (primary_file=0xbffff660) at /home/takanota/local/src/php-4.3.6/main/main.c:1731
#9  0x081048c9 in main (argc=2, argv=0xbffff6f4) at /home/takanota/local/src/php-4.3.6/sapi/cli/php_cli.c:822
#10 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=28215&edit=1
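As an added illustration that is not code from this bug report or from PHP itself, the following C program models the failure the report describes: a class-name lookup that removes the name member it hands back, so that a second serialize() of the same object finds nothing, beside the non-destructive lookup plus NULL check that the patch moves towards. The object model, `lookup_class_name`, `serialize_class_name` and `serialize_twice` are invented stand-ins, and the reading that the third argument of php_lookup_class_name() deletes the member (suggested by the patch changing it from 1 to 0) is an assumption of this example, not something the report states outright.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of an object with a few named members. */
#define MAX_MEMBERS 4
#define NAME_MEMBER "__PHP_Incomplete_Class_Name"

struct member { const char *key; const char *value; int present; };
struct object { struct member members[MAX_MEMBERS]; };

/* Stand-in for php_lookup_class_name() (assumed semantics, not PHP's code):
 * returns a heap copy of the class name and stores its length in *name_len,
 * or returns NULL and leaves *name_len untouched when the member is absent.
 * With del != 0 the member is removed from the object on the way out, which
 * is the behaviour the report's patch switches off by passing 0. */
static char *lookup_class_name(struct object *obj, size_t *name_len, int del)
{
    for (int i = 0; i < MAX_MEMBERS; i++) {
        struct member *m = &obj->members[i];
        if (m->present && strcmp(m->key, NAME_MEMBER) == 0) {
            size_t len = strlen(m->value);
            char *copy = malloc(len + 1);
            if (copy == NULL)
                return NULL;
            memcpy(copy, m->value, len + 1);
            *name_len = len;
            if (del)
                m->present = 0;   /* destructive: later lookups find nothing */
            return copy;
        }
    }
    return NULL;
}

/* Write the O:<len>:"<name>" prefix of a serialized object into out.
 * Returns 0 on success, -1 when the class name is missing (the case the
 * patch's NULL check has to handle) or the buffer is too small. */
static int serialize_class_name(struct object *obj, int del, char *out, size_t outsz)
{
    size_t name_len = 0;          /* initialised here; a stale length left behind by
                                     a NULL lookup is how a bogus memcpy size arises */
    char *class_name = lookup_class_name(obj, &name_len, del);
    if (class_name == NULL) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;                /* stop here instead of appending with a garbage length */
    }
    int n = snprintf(out, outsz, "O:%zu:\"%s\"", name_len, class_name);
    free(class_name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Serialize the same object twice, as the reproduce script does, and return
 * how many of the two calls still found a class name. */
static int serialize_twice(int del)
{
    struct object obj = { { { NAME_MEMBER, "testclass", 1 }, { "value", "100", 1 } } };
    char buf[64];
    int ok = 0;
    for (int i = 0; i < 2; i++)
        if (serialize_class_name(&obj, del, buf, sizeof buf) == 0)
            ok++;
    return ok;
}

int main(void)
{
    printf("destructive lookup (del=1):     %d of 2 calls saw the class name\n", serialize_twice(1));
    printf("non-destructive lookup (del=0): %d of 2 calls saw the class name\n", serialize_twice(0));
    return 0;
}
```

With del=1 the first call succeeds and the second returns -1, which is the "member dropped" symptom the reporter saw in the second var_dump(); with del=0 both calls succeed. The point of the NULL check is that a lookup can fail for reasons other than this bug (a hand-built object with no name member, for instance), so the caller must treat NULL as a stop condition rather than pass it on to an appending routine.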