#41691 [Com]: ArrayObject::exchangeArray hangs Apache

judas dot iscariote at gmail dot com Sat, 16 Jun 2007 04:02:02 -0700

 ID:               41691
 Comment by:       judas dot iscariote at gmail dot com
 Reported By:      killgec at gmail dot com
 Status:           Open
 Bug Type:         SPL related
 Operating System: winXP
 PHP Version:      5.2.3
 New Comment:


Yup, it crashes

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47885183253760 (LWP 9176)]
0x000000000072c50c in zend_object_store_get_object (zobject=0xc81970)
at /home/cristian/php5/Zend/zend_objects_API.c:255
255             return
EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt full
#0  0x000000000072c50c in zend_object_store_get_object
(zobject=0xc81970) at /home/cristian/php5/Zend/zend_objects_API.c:255
        handle = 13113824
#1  0x0000000000581522 in spl_array_get_hash_table (intern=0xc80bf0,
check_std_props=0) at /home/cristian/php5/ext/spl/spl_array.c:76
        other = (spl_array_object *) 0x800000048
#2  0x0000000000584035 in spl_array_rewind (intern=0xc80bf0) at
/home/cristian/php5/ext/spl/spl_array.c:829
        aht = (HashTable *) 0xc80c08
#3  0x00000000005849b7 in zim_spl_Array_exchangeArray (ht=1,
return_value=0xc820c8, return_value_ptr=0x0, this_ptr=0xc7fdf8,
return_value_used=0)
    at /home/cristian/php5/ext/spl/spl_array.c:1063
        object = (zval *) 0xc7fdf8
        tmp = (zval *) 0x0
        array = (zval **) 0xc67a80
        intern = (spl_array_object *) 0xc80bf0
#4  0x000000000072ea64 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fff88edf210) at
/home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0xc814c0
        original_return_value = (zval **) 0xc81970
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = (zend_op *) 0x111088edefb0
#5  0x000000000072f931 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fff88edf210) at
/home/cristian/php5/Zend/zend_vm_execute.h:322
No locals.
#6  0x000000000072e4ac in execute (op_array=0xc80ab0) at
/home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xc814c0, function_state =
{function_symbol_table = 0xc81bf8, function = 0xc86d98, reserved =
{0x63006d4ae9, 0x836ec0, 0xc80bf0,
      0x7fff88edf280}}, fbc = 0xc86d98, op_array = 0xc80ab0, object =
0xc7fdf8, Ts = 0x7fff88edf020, CVs = 0x7fff88edf000,
original_in_execution = 0 '\0',
  symbol_table = 0xad7c68, prev_execute_data = 0x0, old_error_reporting
= 0x0}
#7  0x0000000000704794 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/cristian/php5/Zend/zend.c:1134
---Type <return> to continue, or q <return> to quit---
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff88edf420, reg_save_area = 0x7fff88edf360}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff88ee1840
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#8  0x00000000006a45aa in php_execute_script
(primary_file=0x7fff88ee1840) at /home/cristian/php5/main/main.c:1852
        realfile =
"/home/cristian/arr.php\000\000g&#65533;p\000\000\000\000\000rpl_query_type\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000rpl_probe\000\203\000\000\000\000\000&#65533;\006\000\000\000\000\000\000&#65533;\006&#65533;\210\017\000\000\000rpl_parse_enabled\000\000\000\000\000\000\000\b{\203\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000rollback\000{\203\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000g&#65533;p\000\000\000\000\000real_query\000\000\000\000\000\000&#65533;\006\000\000&#65533;\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff88ee16f0
        __bailout = {{__jmpbuf = {47885158587360, -68790275682680777,
0, 140735490693760, 0, 0, -68790275682786761, -68710249578982193},
__mask_was_saved = 0, __saved_mask = {
      __val = {0, 0, 47885156425589, 1, 0, 140733193389738, 7388775,
47885177639976, 47885158587360, 140735490688352, 47885156447202,
47885181017424, 8496384, 11427264,
        7406588, 47885181015904}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0,
      interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0,
      interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff88edf440 ""
        retval = 0
#9  0x000000000078b7e6 in main (argc=2, argv=0x7fff88ee1a88) at
/home/cristian/php5/sapi/cli/php_cli.c:1151
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47885158587360, -68790275682676809,
0, 140735490693760, 0, 0, -68790275682680793, -68710249578071107},
__mask_was_saved = 0, __saved_mask = {
      __val = {47885156409919, 0, 47885183250696, 1, 0, 1, 0, 0, 0,
47885183253760, 47885158590016, 140735490693144, 4294967296,
47885181039472, 140735490693248,
        47885181038592}}}}
        exit_status = 0
---Type <return> to continue, or q <return> to quit---
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff88ee2fcc
"arr.php", opened_path = 0x0, handle = {fd = 13256160, fp = 0xca45e0,
stream = {handle = 0xca45e0,
      reader = 0x71e994 <zend_stream_stdio_reader>, closer = 0x71e9c0
<zend_stream_stdio_closer>, fteller = 0x71e9ea
<zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff88ee2fcc "arr.php"
        arg_excp = (char **) 0x7fff88ee1a90
        script_file = 0x7fff88ee2fcc "arr.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110


Previous Comments:
------------------------------------------------------------------------

[2007-06-14 14:57:08] killgec at gmail dot com

Description:
------------
I use a descendant of ArrayObject to have public properties quickly
transformed to and back an array. So this object is an ArrayObject
initiated with itself. Then Apache hangs when I try to load an array
into the props by exchangeArray().

Apache says "child process exited with status 3221225477 --
Restarting."

Maybe I'm misusing ArrayObject, but I think it shouldn't hang Apache in
any case. (Anyway, is there any howto or sg for ArrayObject beyond the
reference?)

THX!

Reproduce code:
---------------
                class A extends ArrayObject {
                        public function __construct($dummy, $flags) {
                                parent::__construct($this, $flags);
                        }
                        public $a;
                        public $b;
                        public $c;
                }
                
                $a = new A(null, ArrayObject::ARRAY_AS_PROPS );
                $a->exchangeArray(array('a'=>1,'b'=>1,'c'=>1));


Expected result:
----------------
Array loaded or error or exception.

Actual result:
--------------
Apache restarts.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=41691&edit=1

#41691 [Com]: ArrayObject::exchangeArray hangs Apache

Reply via email to