#40833 [NEW]: Crash when using unset() on an ArrayAccess object retrieved via __get()

2007-03-16 Thread daan at parse dot nl
From: daan at parse dot nl
Operating system: Slackware 10.2
PHP version:  5.2.1
PHP Bug Type: Reproducible crash
Bug description:  Crash when using unset() on an ArrayAccess object retrieved 
via __get()

Description:

When trying to trigger the magic offsetUnset() method on a variable which
itself is retrieved via a magic __get() method, some sort of
object/variable corruption occurs.
If the unset() is applied in two operations, it does not crash.

Also, to trigger this crash, the object must be re-assigned via
'resetSelf()'.

Reproduce code:
---
<?php
class entity
{
    private $data;
    private $modified;

    function __get($name)
    {
        // Lazily creates and caches one set object per field name
        if ( isset($this->data[$name]) )
            return $this->data[$name];
        else
            return $this->data[$name] = new set($this, $name);
    }

    function __set($name, $value)
    {
        $this->modified[$name] = $value;
    }
}

class set implements ArrayAccess
{
    private $entity;
    private $name;

    function __construct($entity, $name)
    {
        $this->entity = $entity;
        $this->name = $name;
    }

    function offsetUnset($offset)
    {
        // Writes back into the owning entity through entity::__set()
        $this->entity->{$this->name} = null;
    }

    function offsetSet($offset, $value)
    {
    }

    function offsetGet($offset)
    {
        return 'Bogus';
    }

    function offsetExists($offset)
    {
    }

    function resetSelf()
    {
        // Re-assigns this object to the entity through entity::__set()
        $this->entity->{$this->name} = $this;
    }
}

$entity = new entity();

$entity->whatever->resetSelf();

echo $entity->whatever[0];

// This will crash
unset($entity->whatever[0]);

// This will not crash (comment out the previous line and uncomment this to test)
//  $test = $entity->whatever; unset($test[0]);

echo $entity->whatever[0];

var_dump($entity);

echo 'All good';
?>

Expected result:

The string 'BogusBogusvardump resultAllGood'.

Actual result:
--
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 654)]
0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at
/usr/src/php-5.2.1/Zend/zend_objects_API.c:255
255 return
EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt
#0  0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at
/usr/src/php-5.2.1/Zend/zend_objects_API.c:255
#1  0x4065b05f in zend_std_get_properties (object=0x810099c) at
/usr/src/php-5.2.1/Zend/zend_object_handlers.c:55
#2  0x405dc642 in php_var_dump (struc=0x8100a9c, level=5) at
/usr/src/php-5.2.1/ext/standard/var.c:140
#3  0x405dc921 in php_array_element_dump (zv=0x8100a9c, num_args=1,
args=0x80f1188 "", hash_key=0xbfffc550) at
/usr/src/php-5.2.1/ext/standard/var.c:64
#4  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x8100ac4,
apply_func=0x405dc8c0 <php_array_element_dump>, num_args=1)
at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#5  0x405dc6cf in php_var_dump (struc=0x80fa794, level=3) at
/usr/src/php-5.2.1/ext/standard/var.c:152
#6  0x405dc870 in php_object_property_dump (zv=0x80fa794, num_args=1,
args=0xbfffc63c "\001", hash_key=0x8) at
/usr/src/php-5.2.1/ext/standard/var.c:96
#7  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x80fb0b0,
apply_func=0x405dc7c0 <php_object_property_dump>, num_args=1)
at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#8  0x405dc6cf in php_var_dump (struc=0x80f0bf0, level=1) at
/usr/src/php-5.2.1/ext/standard/var.c:152
#9  0x405dc9be in zif_var_dump (ht=1, return_value=0x8100e5c,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at /usr/src/php-5.2.1/ext/standard/var.c:193
#10 0x40660b14 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffc8e0) at
/usr/src/php-5.2.1/Zend/zend_vm_execute.h:200
#11 0x40660249 in execute (op_array=0x80fa554) at
/usr/src/php-5.2.1/Zend/zend_vm_execute.h:92
#12 0x40645274 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/src/php-5.2.1/Zend/zend.c:1135
#13 0x4060990a in php_execute_script (primary_file=0xbfffebb0) at
/usr/src/php-5.2.1/main/main.c:1784
#14 0x406c7842 in apache_php_module_main (r=0x80cb5bc,
display_source_mode=0) at /usr/src/php-5.2.1/sapi/apache/sapi_apache.c:53
#15 0x406c82b6 in send_php (r=0x80cb5bc, display_source_mode=0,
filename=0x0) at /usr/src/php-5.2.1/sapi/apache/mod_php5.c:663
#16 0x406c84c6 in send_parsed_php (r=0x80cb5bc) at
/usr/src/php-5.2.1/sapi/apache/mod_php5.c:678
#17 0x08053ff7 in ap_invoke_handler ()
#18
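
A non-crashing variant of the entity/set design, added here as an editor's example and not part of the bug report: the set keeps its own items and offsetUnset() changes only its own state, so nothing is written back through entity::__set() and no resetSelf()-style re-assignment (which the report identifies as necessary to trigger the crash) ever happens. The class names Entity and Set, the $items array, the name() and modified() accessors and the sample values are this example's own; it targets PHP 8.0 or newer for the typed ArrayAccess signatures.

```php
<?php
// Added example (not from bug #40833): the same entity/set design written so
// that offsetUnset() never re-enters the owning object's magic __set().
declare(strict_types=1);

final class Entity
{
    /** @var array<string, Set> one cached Set per field name */
    private array $data = [];
    /** @var array<string, mixed> values written through __set() */
    private array $modified = [];

    public function __get(string $name): Set
    {
        // Create and cache the Set once; it is never re-assigned afterwards.
        return $this->data[$name] ??= new Set($name);
    }

    public function __set(string $name, mixed $value): void
    {
        $this->modified[$name] = $value;
    }

    public function modified(): array
    {
        return $this->modified;
    }
}

final class Set implements ArrayAccess
{
    /** @var array<int|string, mixed> the set's own storage */
    private array $items = [];

    public function __construct(private string $name)
    {
    }

    public function name(): string
    {
        return $this->name;
    }

    public function offsetExists(mixed $offset): bool
    {
        return isset($this->items[$offset]);
    }

    public function offsetGet(mixed $offset): mixed
    {
        return $this->items[$offset] ?? null;
    }

    public function offsetSet(mixed $offset, mixed $value): void
    {
        if ($offset === null) {
            $this->items[] = $value;
        } else {
            $this->items[$offset] = $value;
        }
    }

    public function offsetUnset(mixed $offset): void
    {
        // Only this object's own state changes; the owning Entity is untouched.
        unset($this->items[$offset]);
    }
}

$entity = new Entity();

$entity->whatever[] = 'Bogus';           // __get() then Set::offsetSet()
echo $entity->whatever->name(), PHP_EOL;  // the cached Set for field "whatever"
echo $entity->whatever[0], PHP_EOL;       // __get() then Set::offsetGet()

unset($entity->whatever[0]);              // __get() then Set::offsetUnset(), in one statement
var_dump(isset($entity->whatever[0]));    // __get() then Set::offsetExists()

var_dump($entity->modified());            // nothing was written back through __set()
echo 'All good', PHP_EOL;
```

The one-statement form unset($entity->whatever[0]) is the exact shape that crashes in the report; here it only touches the Set's own array, so the two-step workaround from the report's comment is no longer needed.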

#39346 [Asn]: Unsetting a static variable inside a destructor causes segfault later on

2006-12-20 Thread daan at parse dot nl
 ID:   39346
 User updated by:  daan at parse dot nl
 Reported By:  daan at parse dot nl
 Status:   Assigned
 Bug Type: Reproducible crash
 Operating System: Slackware 10.2
 PHP Version:  5.2.0RC5
 Assigned To:  dmitry
 New Comment:

@ duncanh at icritical dot com:

That's probably an unrelated bug, which also results in a memory
related segfault.

The best thing to do is to report it as a new bug, and perhaps
reference to this bug in your description.
(and of course see if you can narrow it down to single piece of code)


Previous Comments:


[2006-12-20 10:33:24] duncanh at icritical dot com

OS: CentOS 4.4
Apache: httpd-2.0.52-28.ent.centos4
PHP: PHP 5.2.0 (cli) (built: Dec 13 2006 10:13:00)

I'm seeing similar segfaults in the same area (0x0122081d 
in _zend_mm_alloc_int (heap=0x8494f90, size=32) 
at /root/Files/php-5.2.0/Zend/zend_alloc.c:1076), but I'm 
not using destructors at all.

function Tenant($clientid) {
 doDebug(6, __METHOD__.($clientid));
 doDebug(6, __METHOD__);
}

Logs show Tenant::Tenant(), and Tenant::Tenant.  The 
apache child then falls over in a heap.  I can only assume 
that somewhere in my includes, a bit of code is doing 
something that the Zend code can't handle.  I've trawled 
through my code changes since this last worked, and 
nothing obvious is showing up.  I'm now working on 
reducing my code to bare-bones, and building it back up 
until the segfaults occur again.



[2006-11-08 17:28:21] daan at parse dot nl

Ah, I was tinkering with an instances static array, which first held
only the $this->_id, but then I changed it into $this (which is indeed
a bit strange, I figured that out later too) - but the crash still was
a crash and not some error, hence the bug report.



[2006-11-08 17:06:54] [EMAIL PROTECTED]

I don't know how to fix this.

BTW I don't understand what you would like to do with this code. Note that
an object is not destroyed while someone is referring to it, so if you put it
into self::$instances[] it will never be destroyed. The test::__destruct()
can only be called from test::__construct() when you update
self::$instances[$this->_id]. And this makes a double free() and crash.



[2006-11-06 15:36:53] daan at parse dot nl

Also crashing on 5.2.0 final.



[2006-11-02 16:54:38] daan at parse dot nl

Description:

Tested on 5.2.0RC6

Unsetting a static variable referring to the object itself causes a
segfault later on. (possible alloc problems)

I was able to reproduce segfaults in this situation with other
functions besides debug_backtrace(), for instance with
mysqli_fetch_assoc(). The resulting backtrace also led to 
_zend_mm_alloc_int. (I am presuming it is the same bug)

PS. The print_r() is not required to trigger the crash.

Reproduce code:
---
<?php
class test
{
    protected $_id;
    static $instances;

    public function __construct($id)
    {
        $this->test();

        $this->_id = $id;

        // Stores a strong reference to $this in the static registry
        self::$instances[$this->_id] = $this;
    }

    function __destruct()
    {
        // Removes the registry slot for this id
        unset(self::$instances[$this->_id]);
    }

    function test()
    {
        print_r(debug_backtrace());
    }

}

$test = new test(2);

$test = new test(1);

$test = new test(2);

$test = new test(3);
?>

Expected result:

No crash.

Actual result:
--
#0  _zend_mm_alloc_int (heap=0x80ebbb8, size=16) at
/usr/src/php-5.2.0RC6/Zend/zend_alloc.c:1090 
#1  0x4063f953 in add_assoc_long_ex (arg=0x3, key=0x40769a60 "line",
key_len=5, n=16) at /usr/src/php-5.2.0RC6/Zend/zend_API.c:977 
#2  0x4064d2d8 in zend_fetch_debug_backtrace (return_value=0x40f289cc,
skip_last=1, provide_object=1) 
at /usr/src/php-5.2.0RC6/Zend/zend_builtin_functions.c:1962 
#3  0x40658d54 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffacc0) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:200 
#4  0x40658489 in execute (op_array=0x40f282c8) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#5  0x40658709 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffae80) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234 
#6  0x40658489 in execute (op_array=0x40f28fd4) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#7  0x40658709 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffb0e0) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234 
#8  0x40658489 in execute (op_array=0x40f24194) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#9  0x4063ebfc

#39445 [NEW]: Calling debug_backtrace() in the __toString() function produces a crash

2006-11-09 Thread daan at parse dot nl
From: daan at parse dot nl
Operating system: Slackware 10.2
PHP version:  5.2.0
PHP Bug Type: Reproducible crash
Bug description:  Calling debug_backtrace() in the __toString() function 
produces a crash

Description:

Calling debug_backtrace() in a __toString() function produces a crash,
but only when the __toString() function is triggered by a native PHP
string function.


Reproduce code:
---
<?php
class test
{
    public function __toString()
    {
        debug_backtrace();
        return 'lowercase';
    }
}

$test = new test();
// strtoupper() converts $test to string, which invokes __toString()
echo strtoupper($test);
?>

Expected result:

An echoed LOWERCASE

Actual result:
--
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28346)]
zend_objects_store_del_ref_by_handle (handle=1089634572)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
187 if (EG(objects_store).object_buckets[handle].valid) {
(gdb) bt
#0  zend_objects_store_del_ref_by_handle (handle=1089634572)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:187
#1  0x40656015 in zend_objects_store_del_ref (zobject=0x40f27e10)
   at /usr/src/php-5.2.0/Zend/zend_objects_API.c:165
#2  0x40636a52 in _convert_to_string (op=0x40f27e10)
   at /usr/src/php-5.2.0/Zend/zend_variables.h:35
#3  0x405c8b79 in zif_strtoupper (ht=1, return_value=0x40f27df8,
   return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
   at /usr/src/php-5.2.0/ext/standard/string.c:1132
#4  0x40658d64 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffb260)
   at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:200
#5  0x40658499 in execute (op_array=0x40f24184)
   at /usr/src/php-5.2.0/Zend/zend_vm_execute.h:92
#6  0x4063ec0c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
   at /usr/src/php-5.2.0/Zend/zend.c:1097
#7  0x40604e3a in php_execute_script (primary_file=0xbfffd5c0)
   at /usr/src/php-5.2.0/main/main.c:1758
#8  0x406bf8d2 in apache_php_module_main (r=0x80cb5bc,
display_source_mode=0)
   at /usr/src/php-5.2.0/sapi/apache/sapi_apache.c:53
#9  0x406c02e6 in send_php (r=0x80cb5bc, display_source_mode=0,
filename=0x0)
   at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:660
#10 0x406c04f6 in send_parsed_php (r=0x80cb5bc)
   at /usr/src/php-5.2.0/sapi/apache/mod_php5.c:675
#11 0x08053ff7 in ap_invoke_handler ()
#12 0x08069039 in process_request_internal ()
#13 0x08069098 in ap_process_request ()
#14 0x080600ba in child_main ()
#15 0x08060262 in make_child ()
#16 0x080603c8 in startup_children ()
#17 0x08060a88 in standalone_main ()
#18 0x080612a6 in main ()


-- 
Edit bug report at http://bugs.php.net/?id=39445&edit=1
-- 
Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=39445&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=39445&r=trysnapshot52
Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=39445&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=39445&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=39445&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=39445&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=39445&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=39445&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=39445&r=support
Expected behavior: http://bugs.php.net/fix.php?id=39445&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=39445&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=39445&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=39445&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=39445&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=39445&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=39445&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=39445&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=39445&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=39445&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=39445&r=mysqlcfg


#39346 [Asn]: Unsetting a static variable inside a destructor causes segfault later on

2006-11-08 Thread daan at parse dot nl
 ID:   39346
 User updated by:  daan at parse dot nl
 Reported By:  daan at parse dot nl
 Status:   Assigned
 Bug Type: Reproducible crash
 Operating System: Slackware 10.2
 PHP Version:  5.2.0RC5
 Assigned To:  dmitry
 New Comment:

Ah, I was tinkering with an instances static array, which first held
only the $this->_id, but then I changed it into $this (which is indeed
a bit strange, I figured that out later too) - but the crash still was
a crash and not some error, hence the bug report.




-- 
Edit this bug report at http://bugs.php.net/?id=39346&edit=1


#39346 [Opn]: Unsetting a static variable inside a destructor causes segfault later on

2006-11-06 Thread daan at parse dot nl
 ID:   39346
 User updated by:  daan at parse dot nl
 Reported By:  daan at parse dot nl
 Status:   Open
 Bug Type: Reproducible crash
 Operating System: Slackware 10.2
 PHP Version:  5.2.0RC5
 New Comment:

Also crashing on 5.2.0 final.




-- 
Edit this bug report at http://bugs.php.net/?id=39346&edit=1


#39346 [NEW]: Unsetting a static variable inside a destructor causes segfault later on

2006-11-02 Thread daan at parse dot nl
From: daan at parse dot nl
Operating system: Slackware 10.2
PHP version:  5.2.0RC5
PHP Bug Type: Reproducible crash
Bug description:  Unsetting a static variable inside a destructor causes 
segfault later on

Description:

Tested on 5.2.0RC6

Unsetting a static variable referring to the object itself causes a
segfault later on. (possible alloc problems)

I was able to reproduce segfaults in this situation with other functions
besides debug_backtrace(), for instance with mysqli_fetch_assoc(). The
resulting backtrace also led to  _zend_mm_alloc_int. (I am presuming it is
the same bug)

PS. The print_r() is not required to trigger the crash.

Reproduce code:
---
<?php
class test
{
    protected $_id;
    static $instances;

    public function __construct($id)
    {
        $this->test();

        $this->_id = $id;

        // Stores a strong reference to $this in the static registry
        self::$instances[$this->_id] = $this;
    }

    function __destruct()
    {
        // Removes the registry slot for this id
        unset(self::$instances[$this->_id]);
    }

    function test()
    {
        print_r(debug_backtrace());
    }

}

$test = new test(2);

$test = new test(1);

$test = new test(2);

$test = new test(3);
?>

Expected result:

No crash.

Actual result:
--
#0  _zend_mm_alloc_int (heap=0x80ebbb8, size=16) at
/usr/src/php-5.2.0RC6/Zend/zend_alloc.c:1090 
#1  0x4063f953 in add_assoc_long_ex (arg=0x3, key=0x40769a60 "line",
key_len=5, n=16) at /usr/src/php-5.2.0RC6/Zend/zend_API.c:977 
#2  0x4064d2d8 in zend_fetch_debug_backtrace (return_value=0x40f289cc,
skip_last=1, provide_object=1) 
at /usr/src/php-5.2.0RC6/Zend/zend_builtin_functions.c:1962 
#3  0x40658d54 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffacc0) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:200 
#4  0x40658489 in execute (op_array=0x40f282c8) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#5  0x40658709 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffae80) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234 
#6  0x40658489 in execute (op_array=0x40f28fd4) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#7  0x40658709 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfffb0e0) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:234 
#8  0x40658489 in execute (op_array=0x40f24194) at
/usr/src/php-5.2.0RC6/Zend/zend_vm_execute.h:92 
#9  0x4063ebfc in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/src/php-5.2.0RC6/Zend/zend.c:1097 
#10 0x40604e2a in php_execute_script (primary_file=0xbfffd440) at
/usr/src/php-5.2.0RC6/main/main.c:1758 
#11 0x406bf882 in apache_php_module_main (r=0x80cb5bc,
display_source_mode=0) at
/usr/src/php-5.2.0RC6/sapi/apache/sapi_apache.c:53 
#12 0x406c0296 in send_php (r=0x80cb5bc, display_source_mode=0,
filename=0x0) at /usr/src/php-5.2.0RC6/sapi/apache/mod_php5.c:660 
#13 0x406c04a6 in send_parsed_php (r=0x80cb5bc) at
/usr/src/php-5.2.0RC6/sapi/apache/mod_php5.c:675 
#14 0x08053ff7 in ap_invoke_handler () 
#15 0x08069039 in process_request_internal () 
#16 0x08069098 in ap_process_request () 
#17 0x080600ba in child_main () 
#18 0x08060262 in make_child () 
#19 0x080603c8 in startup_children () 
#20 0x08060a88 in standalone_main () 
#21 0x080612a6 in main () 
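
A registry design that avoids the double free dmitry describes, added here as an editor's example and not part of the bug report: the static array holds WeakReference objects (PHP 7.4 or newer) instead of $this, so overwriting a slot can never destroy its previous holder in the middle of the write, and the destructor checks identity before unsetting so an old instance cannot evict a newer one registered under the same id. The Registry class with its register()/lookup()/unregister()/ids() methods and the Test class are this example's own names; the creation sequence mirrors the report, including id 2 used twice.

```php
<?php
// Added example (not from bug #39346): a self-registering class whose static
// registry holds only weak references, plus an identity guard in the destructor.
declare(strict_types=1);

final class Registry
{
    /** @var array<int, WeakReference> one slot per id; never keeps an object alive */
    private static array $instances = [];

    public static function register(int $id, object $obj): void
    {
        // Storing $this here (as the bug report does) lets an overwrite of this
        // slot run the previous holder's destructor while the slot is being
        // written. A weak reference does not own the object, so it cannot.
        self::$instances[$id] = WeakReference::create($obj);
    }

    public static function lookup(int $id): ?object
    {
        $ref = self::$instances[$id] ?? null;
        return $ref === null ? null : $ref->get();   // null once the object is gone
    }

    public static function unregister(int $id, object $obj): void
    {
        // Only drop the slot if it still refers to *this* object; a newer
        // instance registered under the same id must not be evicted by an old one.
        if (isset(self::$instances[$id]) && self::$instances[$id]->get() === $obj) {
            unset(self::$instances[$id]);
        }
    }

    /** Ids currently registered; stale slots are removed by Test::__destruct(). */
    public static function ids(): array
    {
        return array_keys(self::$instances);
    }
}

final class Test
{
    private int $id;

    public function __construct(int $id)
    {
        $this->id = $id;
        Registry::register($this->id, $this);
    }

    public function __destruct()
    {
        Registry::unregister($this->id, $this);
    }
}

// Same creation sequence as the bug report, including id 2 used twice.
$test = new Test(2);
$test = new Test(1);   // the first Test(2) is destroyed here: no strong reference remains
$test = new Test(2);
$test = new Test(3);

var_dump(Registry::ids());               // ids whose objects are still alive
var_dump(Registry::lookup(3) === $test); // the live instance is found by id
var_dump(Registry::lookup(2));           // the id-2 instances have both been destroyed
```

With a strong $this in the registry, as in the report, no instance is ever freed until the registry itself is torn down, so the destructor can only run from inside the constructor's assignment; the weak-reference registry lets each instance die when its last real holder drops it, and the identity guard keeps the destructor from touching a slot that now belongs to another object.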

-- 
Edit bug report at http://bugs.php.net/?id=39346&edit=1

#38651 [NEW]: Segfault in pdo_mysql_stmt_dtor

2006-08-30 Thread daan at parse dot nl
From: daan at parse dot nl
Operating system: Slackware 10.2
PHP version:  5.1.5
PHP Bug Type: Reproducible crash
Bug description:  Segfault in pdo_mysql_stmt_dtor

Description:

Segmentation fault when doing a PDO query.
Using php 5.1.6

Reproduce code:
---
<?php
function test1($options)
{
    $test_pdo = new PDO(
        'mysql:dbname={your_dbname};host={your_host}',
        '{your_username}',
        '{your_password}'
    );

    /* valid insert into existing table */
    $result = $test_pdo->query('INSERT INTO user SET name="asdas"');

    // Nonsense call: $lalal is undefined, so this is a fatal error
    $lalal->bababa();
}

test1($options);

echo 'I make it - yay!';
?>

Expected result:

Error on the $lalal->bababa() function.

Actual result:
--
Segmentation fault.

Extra:
- When you don't assign the result of the $test_pdo->query() call to a
variable, no segmentation fault occurs.
- The call has to take place inside a function or method - calling it regularly
will not trigger the crash.

Backtrace:
#0  0x405fc05a in mysql_more_results () from
/usr/local/apache-php5/libexec/libphp5.so 
#1  0x40464700 in pdo_mysql_stmt_dtor (stmt=0x8328a1c) 
at /usr/src/php-5.1.6/ext/pdo_mysql/mysql_statement.c:67 
#2  0x40461687 in free_statement (stmt=0x8328a1c) 
at /usr/src/php-5.1.6/ext/pdo/pdo_stmt.c:2200 
#3  0x405ab129 in zend_objects_store_free_object_storage
(objects=0x407d877c) 
at /usr/src/php-5.1.6/Zend/zend_objects_API.c:86 
#4  0x4058aac9 in shutdown_executor () at
/usr/src/php-5.1.6/Zend/zend_execute_API.c:281 
#5  0x405954ef in zend_deactivate () at /usr/src/php-5.1.6/Zend/zend.c:854

#6  0x4055f55e in php_request_shutdown (dummy=0x0) at
/usr/src/php-5.1.6/main/main.c:1292 
#7  0x405f64fa in apache_php_module_main (r=0x80cadd4,
display_source_mode=0) 
at /usr/src/php-5.1.6/sapi/apache/sapi_apache.c:59 
#8  0x405f6f65 in send_php (r=0x80cadd4, display_source_mode=0,
filename=0x0) 
at /usr/src/php-5.1.6/sapi/apache/mod_php5.c:661 
#9  0x405f70e3 in send_parsed_php (r=0x80cadd4) 
at /usr/src/php-5.1.6/sapi/apache/mod_php5.c:676 
#10 0x08053ff7 in ap_invoke_handler () 
#11 0x08069039 in process_request_internal () 
#12 0x08069098 in ap_process_request () 
#13 0x080600ba in child_main () 
#14 0x08060262 in make_child () 
#15 0x080603c8 in startup_children () 
#16 0x08060a88 in standalone_main () 
#17 0x080612a6 in main ()  

-- 
Edit bug report at http://bugs.php.net/?id=38651&edit=1