Bug #61998 [Com]: Using traits with method aliases appears to result in crash during execution.

2012-05-21 Thread dmitry at zend dot com
Edit report at https://bugs.php.net/bug.php?id=61998&edit=1

 ID: 61998
 Comment by: dmitry at zend dot com
 Reported by:rbarbosa at revelex dot com
 Summary:Using traits with method aliases appears to result
 in crash during execution.
 Status: Feedback
 Type:   Bug
 Package:Reproducible crash
 Operating System:   Redhat Linux - Kernel 2.6.18
 PHP Version:5.4.3
 Assigned To:dmitry
 Block user comment: N
 Private report: N

 New Comment:

I think my patch is more clear. Please take a look if you see any problems with 
it.

The malloc -> emalloc part of your patch, that is not directly related to this 
bug, makes full sense. I think you can commit it.


Previous Comments:

[2012-05-19 06:17:48] larue...@php.net

Dmitry, could you please look at the patch (attached) for this? Thanks.


[2012-05-19 06:17:00] larue...@php.net

The following patch has been added/updated:

Patch Name: bug61998.phpt
Revision:   1337408220
URL:
https://bugs.php.net/patch-display.php?bug=61998&patch=bug61998.phpt&revision=1337408220


[2012-05-19 06:16:38] larue...@php.net

The following patch has been added/updated:

Patch Name: bug61998.patch
Revision:   1337408198
URL:
https://bugs.php.net/patch-display.php?bug=61998&patch=bug61998.patch&revision=1337408198


[2012-05-15 04:32:31] reeze dot xia at gmail dot com

Thanks Ron for your test script. I've made a minimal reproducible one below:

In Class1:
newFunc was referred to T::func
func was itself (by overriding);

In T
func was referred to by T and itself;

--- since classes are destroyed in reverse order --
1. Destroy T: will not release the function name defined in the trait, since
   Class1 referred to this function.
2. Destroy Class1: it will destroy the alias name since the aliased
   function name was referred to it (this leaves the original function name
   in the trait unreleased). After destroying the function table it will destroy
   the alias info, but the alias was already destroyed in the function table releasing
   phase.
   This causes a double free (crash).

Solutions:
1. Copying the whole function will solve the problem, but it is too heavy.
2. Don't change the aliased function's name, since function calls are always
   looked up by hash key name.
   But it will make reflection unhappy and can't throw the right error message for
   the function.
3. Make a reference in the function table if the trait function was overridden, to avoid
   the releasing problem.
   This needs reflection to be changed to ignore it. get_defined_functions() &
   get_declared_classes() use this trick to filter special entries, so we need to change
   ReflectionClass::getMethods().

In summary I prefer option 3. What do you think?
and I made PR: https://github.com/php/php-src/pull/83

-- Test script ---
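Added illustration, not code from the report (the reporter's minimal script did not survive in the archived mail): a PHP script with the shape reeze describes, a trait method func aliased as newFunc and then overridden in the using class, plus a reflection check that exactly the two public method names are listed, which is what solution 3 has to preserve when it adds an internal function-table entry.

```php
<?php
// Constructed example of the trait/alias/override shape discussed above.
trait T {
    public function func() {
        return 'T::func';
    }
}

class Class1 {
    use T {
        func as newFunc;   // newFunc is an alias that refers to T::func
    }

    // Class1::func overrides the trait's func; the alias still resolves to T::func.
    public function func() {
        return 'Class1::func';
    }
}

$obj = new Class1();
$calls = array(
    'func'    => $obj->func(),     // 'Class1::func' (the override wins)
    'newFunc' => $obj->newFunc(),  // 'T::func' (the alias keeps the trait body)
);

// Reflection check: Class1 must expose func and newFunc and nothing else.
// If solution 3 keeps an extra reference entry in the function table,
// ReflectionClass::getMethods() has to filter it out, like
// get_defined_functions() and get_declared_classes() filter special entries.
$rc = new ReflectionClass('Class1');
$names = array();
foreach ($rc->getMethods() as $m) {
    $names[] = $m->getName();
}
sort($names);

var_dump($calls, $names);
// Per the report the crash happens at shutdown, when T and Class1 are
// destroyed in reverse order, so a fixed build exits cleanly after this point.
?>
```

Running it with USE_ZEND_ALLOC=0 under valgrind, as dmitry does for #43851 below, shows the double free on an affected build instead of only a bare segfault.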






The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=61998


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61998&edit=1


Bug #48034 [Com]: Crash when script is 8192 (8KB) bytes long

2012-01-16 Thread dmitry at zend dot com
Edit report at https://bugs.php.net/bug.php?id=48034&edit=1

 ID: 48034
 Comment by: dmitry at zend dot com
 Reported by:ninzya at inbox dot lv
 Summary:Crash when script is 8192 (8KB) bytes long
 Status: Assigned
 Type:   Bug
 Package:Reproducible crash
 Operating System:   *
 PHP Version:5.*, 6CVS (2009-04-21)
 Assigned To:dmitry
 Block user comment: N
 Private report: N

 New Comment:

Can anyone check if the attached patch fixes the problem?


Previous Comments:

[2012-01-16 11:56:48] pvasilevich at parallels dot com

This problem reproduces in 5.3.9 as released to the public.

It looks like the temporary workaround committed by dmitry in 
Revision: 279490
(Date: 2:13:30 PM, Tuesday, April 28, 2009)
Message:
Fixed bug #48034 (PHP crashes when script is 8192 (8KB) bytes long)

has been replaced by 

Revision: 316812
Author: dmitry
Date: 6:30:17 PM, Thursday, September 15, 2011
Message:
Fixed bug #50982 (incorrect assumption of PAGE_SIZE size)

And the bug appeared again.

Please fix this problem ASAP.


[2012-01-11 09:35:29] bugzilla33 at gmail dot com

The shortest working example:


run testcase

Use Apache 2.2.21, PHP 5.*, Win 7 x86/x64


[2012-01-11 09:12:08] bugzilla33 at gmail dot com

Description:

1. use Test script to generate crash.php, size 8192 bytes
2. now let crash php engine crash.php
3. Any php file of size 8192 bytes crashes Apache and PHP!
4. Tested with Apache 2.2.21 V9 apache longue, PHP 5.4.0 RC5 or RC6 dev on 
three other machines, Win 7 x86 or Win 7 x64.

Test script:
---
testcase php file generator:

';

 file_put_contents('crash.php', $out);

 print('1. testcase file generated: crash.php, size '.strlen($out).' bytes');
 print('2. now let crash php engine crash.php');
 print('3. Any php file of size 8192 bytes crashes Apache and PHP!');
 print('4. Tested with Apache 2.2.21 V9 apache longue, PHP 5.4.0 RC5 or RC6 dev on three other machines, Win 7 x86 or Win 7 x64.');
?>

Expected result:

NO crash

Actual result:
--
CRASH


[2009-05-04 16:06:37] paj...@php.net

Not fixed. Only a temp hack.


[2009-04-28 07:16:19] dmi...@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.






The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=48034


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=48034&edit=1


#43851 [NEW]: Memory corruption on reuse of assigned value

2008-01-15 Thread dmitry at zend dot com
From: dmitry at zend dot com
Operating system: *
PHP version:  5.3CVS-2008-01-15 (CVS)
PHP Bug Type: Scripting Engine problem
Bug description:  Memory corruption on reuse of assigned value

Description:

Run the following script with valgrind and USE_ZEND_ALLOC=0.

$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php foo.php  

Reproduce code:
---


Expected result:

ok

Actual result:
--
==24239== Conditional jump or move depends on uninitialised value(s)
==24239==    at 0x83ED944: zend_pzval_unlock_func (zend_execute.c:69)
==24239==    by 0x83EFE9A: _get_zval_ptr_var (zend_execute.c:187)
==24239==    by 0x8405823: ZEND_MUL_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:8581)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83EC6B4: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:221)
==24239==    by 0x83ED270: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:309)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83C493D: zend_execute_scripts (zend.c:1139)
==24239==    by 0x836B15D: php_execute_script (main.c:2010)
==24239==    by 0x844BEBB: main (php_cli.c:1140)
==24239==
==24239== Conditional jump or move depends on uninitialised value(s)
==24239==    at 0x83ED994: zend_pzval_unlock_func (zend_execute.c:76)
==24239==    by 0x83EFE9A: _get_zval_ptr_var (zend_execute.c:187)
==24239==    by 0x8405823: ZEND_MUL_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:8581)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83EC6B4: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:221)
==24239==    by 0x83ED270: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:309)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83C493D: zend_execute_scripts (zend.c:1139)
==24239==    by 0x836B15D: php_execute_script (main.c:2010)
==24239==    by 0x844BEBB: main (php_cli.c:1140)
==24239==
==24239== Conditional jump or move depends on uninitialised value(s)
==24239==    at 0x83ED9A5: zend_pzval_unlock_func (zend_execute.c:76)
==24239==    by 0x83EFE9A: _get_zval_ptr_var (zend_execute.c:187)
==24239==    by 0x8405823: ZEND_MUL_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:8581)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83EC6B4: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:221)
==24239==    by 0x83ED270: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:309)
==24239==    by 0x83EC05B: execute (zend_vm_execute.h:87)
==24239==    by 0x83C493D: zend_execute_scripts (zend.c:1139)
==24239==    by 0x836B15D: php_execute_script (main.c:2010)
==24239==    by 0x844BEBB: main (php_cli.c:1140)


-- 
Edit bug report at http://bugs.php.net/?id=43851&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=43851&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=43851&r=trysnapshot52
Try a CVS snapshot (PHP 5.3): 
http://bugs.php.net/fix.php?id=43851&r=trysnapshot53
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=43851&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=43851&r=fixedcvs
Fixed in release: 
http://bugs.php.net/fix.php?id=43851&r=alreadyfixed
Need backtrace:   http://bugs.php.net/fix.php?id=43851&r=needtrace
Need Reproduce Script:http://bugs.php.net/fix.php?id=43851&r=needscript
Try newer version:http://bugs.php.net/fix.php?id=43851&r=oldversion
Not developer issue:  http://bugs.php.net/fix.php?id=43851&r=support
Expected behavior:http://bugs.php.net/fix.php?id=43851&r=notwrong
Not enough info:  
http://bugs.php.net/fix.php?id=43851&r=notenoughinfo
Submitted twice:  
http://bugs.php.net/fix.php?id=43851&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=43851&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=43851&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=43851&r=dst
IIS Stability:http://bugs.php.net/fix.php?id=43851&r=isapi
Install GNU Sed:  http://bugs.php.net/fix.php?id=43851&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=43851&r=float
No Zend Extensions:   http://bugs.php.net/fix.php?id=43851&r=nozend
MySQL Configuration Error:http://bugs.php.net/fix.php?id=43851&r=mysqlcfg


#36303 [NEW]: foreach on error_zval produces segfault

2006-02-06 Thread dmitry at zend dot com
From: dmitry at zend dot com
Operating system: *
PHP version:  5CVS-2006-02-06 (CVS)
PHP Bug Type: Scripting Engine problem
Bug description:  foreach on error_zval produces segfault

Description:

PHP crashes on the following code:

Reproduce code:
---
<?php
// $a is never assigned, so fetching $a->b for foreach yields error_zval
foreach ($a->b as $v) {
}
echo "ok\n";
?>

Expected result:

ok

Actual result:
--
Segmentation fault


-- 
Edit bug report at http://bugs.php.net/?id=36303&edit=1