#40833 [NEW]: Crash when using unset() on an ArrayAccess object retrieved via __get()

From:             daan at parse dot nl
Operating system: Slackware 10.2
PHP version:      5.2.1
PHP Bug Type:     Reproducible crash
Bug description:  Crash when using unset() on an ArrayAccess object retrieved via __get()

Description:
------------
When trying to trigger the magic offsetUnset() method on a variable which itself is retrieved via a magic __get() method, some sort of object/variable corruption occurs.

If the unset() is applied in two operations, it does not crash. Also, to trigger this crash, the object must be re-assigned via 'resetSelf()'.

Reproduce code:
---------------
<?php
class entity {
    private $data;
    private $modified;

    // Lazily creates one ArrayAccess "set" object per property name.
    function __get($name) {
        if ( isset($this->data[$name]) )
            return $this->data[$name];
        else
            return $this->data[$name] = new set($this, $name);
    }

    function __set($name, $value) {
        $this->modified[$name] = $value;
    }
}

class set implements ArrayAccess {
    private $entity;
    private $name;

    function __construct($entity, $name) {
        $this->entity = $entity;
        $this->name = $name;
    }

    // Writes back through the owning entity's __set().
    function offsetUnset($offset) {
        $this->entity->{$this->name} = null;
    }

    function offsetSet($offset, $value) { }

    function offsetGet($offset) {
        return 'Bogus';
    }

    function offsetExists($offset) { }

    // Re-assigns this object to the entity via __set(); required to trigger the crash.
    function resetSelf() {
        $this->entity->{$this->name} = $this;
    }
}

$entity = new entity();
$entity->whatever->resetSelf();

echo $entity->whatever[0];

// This will crash
unset($entity->whatever[0]);

// This will not crash (comment the previous line, uncomment this to test)
// $test = $entity->whatever; unset($test[0]);

echo $entity->whatever[0];
var_dump($entity);
echo 'All good';
?>

Expected result:
----------------
The string 'BogusBogusvardump resultAllGood'.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 654)]
0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at /usr/src/php-5.2.1/Zend/zend_objects_API.c:255
255         return EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt
#0  0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at /usr/src/php-5.2.1/Zend/zend_objects_API.c:255
#1  0x4065b05f in zend_std_get_properties (object=0x810099c) at /usr/src/php-5.2.1/Zend/zend_object_handlers.c:55
#2  0x405dc642 in php_var_dump (struc=0x8100a9c, level=5) at /usr/src/php-5.2.1/ext/standard/var.c:140
#3  0x405dc921 in php_array_element_dump (zv=0x8100a9c, num_args=1, args=0x80f1188 "", hash_key=0xbfffc550) at /usr/src/php-5.2.1/ext/standard/var.c:64
#4  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x8100ac4, apply_func=0x405dc8c0 <php_array_element_dump>, num_args=1) at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#5  0x405dc6cf in php_var_dump (struc=0x80fa794, level=3) at /usr/src/php-5.2.1/ext/standard/var.c:152
#6  0x405dc870 in php_object_property_dump (zv=0x80fa794, num_args=1, args=0xbfffc63c "\001", hash_key=0x8) at /usr/src/php-5.2.1/ext/standard/var.c:96
#7  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x80fb0b0, apply_func=0x405dc7c0 <php_object_property_dump>, num_args=1) at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#8  0x405dc6cf in php_var_dump (struc=0x80f0bf0, level=1) at /usr/src/php-5.2.1/ext/standard/var.c:152
#9  0x405dc9be in zif_var_dump (ht=1, return_value=0x8100e5c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/src/php-5.2.1/ext/standard/var.c:193
#10 0x40660b14 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffc8e0) at /usr/src/php-5.2.1/Zend/zend_vm_execute.h:200
#11 0x40660249 in execute (op_array=0x80fa554) at /usr/src/php-5.2.1/Zend/zend_vm_execute.h:92
#12 0x40645274 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.2.1/Zend/zend.c:1135
#13 0x4060990a in php_execute_script (primary_file=0xbfffebb0) at /usr/src/php-5.2.1/main/main.c:1784
#14 0x406c7842 in apache_php_module_main (r=0x80cb5bc, display_source_mode=0) at /usr/src/php-5.2.1/sapi/apache/sapi_apache.c:53
#15 0x406c82b6 in send_php (r=0x80cb5bc, display_source_mode=0, filename=0x0) at /usr/src/php-5.2.1/sapi/apache/mod_php5.c:663
#16 0x406c84c6 in send_parsed_php (r=0x80cb5bc) at /usr/src/php-5.2.1/sapi/apache/mod_php5.c:678
#17 0x08053ff7 in ap_invoke_handler ()
#18
#39346 [Asn]: Unsetting a static variable inside a destructor causes segfault later on

ID:               39346
User updated by:  daan at parse dot nl
Reported By:      daan at parse dot nl
Status:           Assigned
Bug Type:         Reproducible crash
Operating System: Slackware 10.2
PHP Version:      5.2.0RC5
Assigned To:      dmitry

New Comment:

@ duncanh at icritical dot com: That's probably an unrelated bug, which also results in a memory related segfault. The best thing to do is to report it as a new bug, and perhaps reference this bug in your description. (And of course see if you can narrow it down to a single piece of code.)

Previous Comments:
------------------------------------------------------------------------

[2006-12-20 10:33:24] duncanh at icritical dot com

OS: CentOS 4.4
Apache: httpd-2.0.52-28.ent.centos4
PHP: PHP 5.2.0 (cli) (built: Dec 13 2006 10:13:00)

I'm seeing similar segfaults in the same area (0x0122081d in _zend_mm_alloc_int (heap=0x8494f90, size=32) at /root/Files/php-5.2.0/Zend/zend_alloc.c:1076), but I'm not using destructors at all.

    function Tenant($clientid) {
        doDebug(6, __METHOD__.($clientid));
        doDebug(6, __METHOD__);
    }

Logs show Tenant::Tenant(), and Tenant::Tenant. The apache child then falls over in a heap.

I can only assume that somewhere in my includes, a bit of code is doing something that the Zend code can't handle. I've trawled through my code changes since this last worked, and nothing obvious is showing up. I'm now working on reducing my code to bare-bones, and building it back up until the segfaults occur again.

------------------------------------------------------------------------

[2006-11-08 17:28:21] daan at parse dot nl

Ah, I was tinkering with an instances static array, which first held only the $this->_id, but then I changed it into $this (which is indeed a bit strange, I figured that out too later) - but the crash still was a crash and not some error, so hence the bug report.

------------------------------------------------------------------------

[2006-11-08 17:06:54] [EMAIL PROTECTED]

I don't know how to fix this.

BTW, I don't understand what you would like to do with this code. Note that an object is not destroyed while someone is referring to it, so if you put it into self::$instances[] it will never be destroyed.

The test::__destruct() can only be called from test::__construct() then you update self::$instances[$this->_id]. And this makes a double free() and crash.

------------------------------------------------------------------------

[2006-11-06 15:36:53] daan at parse dot nl

Also crashing on 5.2.0 final.

------------------------------------------------------------------------

[2006-11-02 16:54:38] daan at parse dot nl

Description:
------------
Tested on 5.2.0RC6

Unsetting a static variable referring to the object itself causes a segfault later on. (possible alloc problems)

I was able to reproduce segfaults in this situation with other functions besides debug_backtrace(), for instance with mysqli_fetch_assoc(). The resulting backtrace also led to _zend_mm_alloc_int. (I am presuming it is the same bug)

PS. The print_r() is not required to trigger the crash.

Reproduce code:
---------------
<?php
class test {
    protected $_id;
    static $instances;

    public function __construct($id) {
        $this->test();
        $this->_id = $id;
        // Registers the object under its id; replaces any earlier object with the same id.
        self::$instances[$this->_id] = $this;
    }

    function __destruct() {
        // Removes the registry entry for this id from inside the destructor.
        unset(self::$instances[$this->_id]);
    }

    function test() {
        print_r(debug_backtrace());
    }
}

$test = new test(2);
$test = new test(1);
$test = new test(2);
$test = new test(3);
?>

Expected result:
----------------
No crash.

Actual result:
--------------
#0  _zend_mm_alloc_int (heap=0x80ebbb8, size=16) at /usr/src/php-5.2.0RC6/Zend/zend_alloc.c:1090
#1  0x4063f953 in add_assoc_long_ex (arg=0x3, key=0x40769a60 "line", key_len=5, n=16) at /usr/src/php-5.2.0RC6/Zend/zend_API.c:977
#2  0x4064d2d8 in zend_fetch_debug_backtrace (return_value=0x40f289cc, skip_last=1, provide_object=1) at /usr/src/php-5.2.0RC6/Zend/zend_builtin_functions.c:1962
#3  0x40658d54 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffacc0) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:200
#4  0x40658489 in execute (op_array=0x40f282c8) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92
#5  0x40658709 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffae80) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234
#6  0x40658489 in execute (op_array=0x40f28fd4) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92
#7  0x40658709 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb0e0) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234
#8  0x40658489 in execute (op_array=0x40f24194) at /usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92
#9  0x4063ebfc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.2.0RC6/Zend/zend.c:1097
#10 0x40604e2a in php_execute_script (primary_file=0xbfffd440) at /usr/src/php-5.2.0RC6/main/main.c:1758
#11 0x406bf882 in apache_php_module_main (r=0x80cb5bc, display_source_mode=0) at /usr/src/php-5.2.0RC6/sapi/apache/sapi_apache.c:53
#12 0x406c0296 in send_php (r=0x80cb5bc, display_source_mode=0, filename=0x0) at /usr/src/php-5.2.0RC6/sapi/apache/mod_php5.c:660
#13 0x406c04a6 in send_parsed_php (r=0x80cb5bc) at /usr/src/php-5.2.0RC6/sapi/apache/mod_php5.c:675
#14 0x08053ff7 in ap_invoke_handler ()
#15 0x08069039 in process_request_internal ()
#16 0x08069098 in ap_process_request ()
#17 0x080600ba in child_main ()
#18 0x08060262 in make_child ()
#19 0x080603c8 in startup_children ()
#20 0x08060a88 in standalone_main ()
#21 0x080612a6 in main ()

------------------------------------------------------------------------

Edit this bug report at http://bugs.php.net/?id=39346&edit=1
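The mechanism dmitry describes above, as an added example that is not from the bug report or from PHP itself: the reporter's registry class is kept (without the debug_backtrace() call) beside a guarded variant whose destructor only removes a registry entry that still points at the object being destroyed. The class guarded_test, the exercise() helper and the assertions are mine; the reporter's creation order 2, 1, 2, 3 is reused.

```php
<?php
// Added example, not from the bug report. Two registries side by side:
// the reporter's pattern and a guarded version of it.

// Unguarded: the page's pattern. When "new test(2)" runs while an id-2 object
// is already registered, the constructor's assignment releases the old object,
// whose destructor then unsets self::$instances[2], which by that time already
// holds the NEW object. On PHP 5.2 this corrupted the engine heap (the bug
// above); on current PHP it silently unregisters the replacement.
class test {
    protected $_id;
    static $instances = array();

    public function __construct($id) {
        $this->_id = $id;
        self::$instances[$this->_id] = $this;
    }

    function __destruct() {
        unset(self::$instances[$this->_id]);
    }
}

// Guarded: only drop the entry if it still refers to the object being
// destroyed, so a replacement registered under the same id is left alone.
class guarded_test {
    protected $_id;
    static $instances = array();

    public function __construct($id) {
        $this->_id = $id;
        self::$instances[$this->_id] = $this;
    }

    function __destruct() {
        if (isset(self::$instances[$this->_id])
            && self::$instances[$this->_id] === $this) {
            unset(self::$instances[$this->_id]);
        }
    }
}

// Same creation order as the reporter's script: 2, 1, 2, 3.
// Returns the ids that remain registered afterwards (constructed helper).
function exercise($class) {
    $obj = new $class(2);
    $obj = new $class(1);
    $obj = new $class(2);   // replaces the earlier id-2 object
    $obj = new $class(3);
    return array_keys($class::$instances);
}

$unguarded = exercise('test');
$guarded   = exercise('guarded_test');

// The unguarded registry lost id 2; the guarded one kept all three objects.
var_dump($unguarded);   // ids 1 and 3 only
var_dump($guarded);     // ids 2, 1 and 3
assert(!isset(test::$instances[2]));
assert(guarded_test::$instances[2] instanceof guarded_test);
assert(count(guarded_test::$instances) === 3);
```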
#39445 [NEW]: Calling debug_backtrace() in the __toString() function produces a crash

From:             daan at parse dot nl
Operating system: Slackware 10.2
PHP version:      5.2.0
PHP Bug Type:     Reproducible crash
Bug description:  Calling debug_backtrace() in the __toString() function produces a crash

Description:
------------
Calling debug_backtrace() in an __toString() function produces a crash, but only when the __toString() function is triggered by a native php string function.

Reproduce code:
---------------
<?php
class test {
    public function __toString() {
        debug_backtrace();
        return 'lowercase';
    }
}

$test = new test();
// strtoupper() converts the object to a string, which invokes __toString().
echo strtoupper($test);
?>

Expected result:
----------------
An echoed LOWERCASE

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28346)]
zend_objects_store_del_ref_by_handle (handle=1089634572) at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
187         if (EG(objects_store).object_buckets[handle].valid) {
(gdb) bt
#0  zend_objects_store_del_ref_by_handle (handle=1089634572) at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
#1  0x40656015 in zend_objects_store_del_ref (zobject=0x40f27e10) at /usr/src/php-5.2.0/Zend/zend_objects_API.c:165
#2  0x40636a52 in _convert_to_string (op=0x40f27e10) at /usr/src/php-5.2.0/Zend/zend_variables.h:35
#3  0x405c8b79 in zif_strtoupper (ht=1, return_value=0x40f27df8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/src/php-5.2.0/ext/standard/string.c:1132
#4  0x40658d64 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffb260) at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:200
#5  0x40658499 in execute (op_array=0x40f24184) at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:92
#6  0x4063ec0c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.2.0/Zend/zend.c:1097
#7  0x40604e3a in php_execute_script (primary_file=0xbfffd5c0) at /usr/src/php-5.2.0/main/main.c:1758
#8  0x406bf8d2 in apache_php_module_main (r=0x80cb5bc, display_source_mode=0) at /usr/src/php-5.2.0/sapi/apache/sapi_apache.c:53
#9  0x406c02e6 in send_php (r=0x80cb5bc, display_source_mode=0, filename=0x0) at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:660
#10 0x406c04f6 in send_parsed_php (r=0x80cb5bc) at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:675
#11 0x08053ff7 in ap_invoke_handler ()
#12 0x08069039 in process_request_internal ()
#13 0x08069098 in ap_process_request ()
#14 0x080600ba in child_main ()
#15 0x08060262 in make_child ()
#16 0x080603c8 in startup_children ()
#17 0x08060a88 in standalone_main ()
#18 0x080612a6 in main ()

Edit bug report at http://bugs.php.net/?id=39445&edit=1
#38651 [NEW]: Segfault in pdo_mysql_stmt_dtor

From:             daan at parse dot nl
Operating system: Slackware 10.2
PHP version:      5.1.5
PHP Bug Type:     Reproducible crash
Bug description:  Segfault in pdo_mysql_stmt_dtor

Description:
------------
Segmentation fault when doing a PDO query. Using php 5.1.6

Reproduce code:
---------------
<?php
function test1($options) {
    $test_pdo = new PDO(
        'mysql:dbname={your_dbname};host={your_host}',
        '{your_username}',
        '{your_password}'
    );

    /* valid insert into existing table */
    $result = $test_pdo->query('INSERT INTO user SET name="asdas"');

    // Nonsense call: $lalal is undefined, so this should raise a fatal error
    $lalal->bababa();
}

test1($options);
echo 'I make it - yay!';
?>

Expected result:
----------------
Error on the $lalal->bababa() function.

Actual result:
--------------
Segmentation fault.

Extra:
- When you don't assign the result of the $test_pdo->query() call to a variable, no segmentation fault occurs.
- Call has to take place inside a function or method - calling it regularly will not trigger the crash.

Backtrace:
#0  0x405fc05a in mysql_more_results () from /usr/local/apache-php5/libexec/libphp5.so
#1  0x40464700 in pdo_mysql_stmt_dtor (stmt=0x8328a1c) at /usr/src/php-5.1.6/ext/pdo_mysql/mysql_statement.c:67
#2  0x40461687 in free_statement (stmt=0x8328a1c) at /usr/src/php-5.1.6/ext/pdo/pdo_stmt.c:2200
#3  0x405ab129 in zend_objects_store_free_object_storage (objects=0x407d877c) at /usr/src/php-5.1.6/Zend/zend_objects_API.c:86
#4  0x4058aac9 in shutdown_executor () at /usr/src/php-5.1.6/Zend/zend_execute_API.c:281
#5  0x405954ef in zend_deactivate () at /usr/src/php-5.1.6/Zend/zend.c:854
#6  0x4055f55e in php_request_shutdown (dummy=0x0) at /usr/src/php-5.1.6/main/main.c:1292
#7  0x405f64fa in apache_php_module_main (r=0x80cadd4, display_source_mode=0) at /usr/src/php-5.1.6/sapi/apache/sapi_apache.c:59
#8  0x405f6f65 in send_php (r=0x80cadd4, display_source_mode=0, filename=0x0) at /usr/src/php-5.1.6/sapi/apache/mod_php5.c:661
#9  0x405f70e3 in send_parsed_php (r=0x80cadd4) at /usr/src/php-5.1.6/sapi/apache/mod_php5.c:676
#10 0x08053ff7 in ap_invoke_handler ()
#11 0x08069039 in process_request_internal ()
#12 0x08069098 in ap_process_request ()
#13 0x080600ba in child_main ()
#14 0x08060262 in make_child ()
#15 0x080603c8 in startup_children ()
#16 0x08060a88 in standalone_main ()
#17 0x080612a6 in main ()

Edit bug report at http://bugs.php.net/?id=38651&edit=1