ID:               30877
 User updated by:  delphi32 at gmx dot de
 Reported By:      delphi32 at gmx dot de
-Status:           Feedback
+Status:           Closed
 Bug Type:         Zend Engine 2 problem
 Operating System: Gentoo Linux 2.6.10-rc1
 PHP Version:      5.0.2
 Assigned To:      andi
 New Comment:

Consider this bug fixed. I downloaded 'PHP Version 5.1.0-dev'
for Linux and ran the following code:

<?php

  class CParent
  {
    private $ch;

    public function __construct()
    {
      echo "BEFORE CParent::__construct()<br>";
      $this->ch = new CChild($this);
      echo "AFTER CParent::__construct()<br>";
    }

    public function __destruct()
    {
      echo "BEFORE CParent::__destruct()<br>";
      unset($this->ch);
      echo "AFTER CParent::__destruct()<br>";
    }
  }

  class CChild
  {
    protected $fParent;

    public function __construct($aParent)
    {
      echo "BEFORE CChild::__construct()<br>";
      $this->fParent = $aParent;
      echo "AFTER CChild::__construct()<br>";
    }

    public function __destruct()
    {
      echo "BEFORE CChild::__destruct()<br>";
      $this->fParent = FALSE;
      echo "AFTER CChild::__destruct()<br>";
    }
  }

  echo "init state<br>";

  $parent = new CParent();

  echo "running state<br>";

  $parent = NULL;

  echo "deinit state<br>";
?>

Expected output is:

init state
BEFORE CParent::__construct()
BEFORE CChild::__construct()
AFTER CChild::__construct()
AFTER CParent::__construct()
running state
deinit state

And that's what I see.

Well done guys, nice work.


Enrico Neidt


Previous Comments:
------------------------------------------------------------------------

[2005-03-25 01:21:11] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip



------------------------------------------------------------------------

[2004-11-26 18:44:54] delphi32 at gmx dot de

I was able to produce a backtrace now. I used the latest CVS source
from 2004-11-26 15:30.

The backtrace looks strange to me.

(gdb) run -f segfault.php
Starting program: /home/enrico/php-test/bin/php -f segfault.php
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 6140)]
PARENT DESTRUCT
Before segfault (0)
Before segfault (1)
/var/www/projects/php5-200411261530/Zend/zend_hash.c(510) :
ht=0x82e297c is being destroyed
/var/www/projects/php5-200411261530/Zend/zend_hash.c(510) :
ht=0x82e297c is being destroyed

Program exited normally.
(gdb)

As you can see, PHP exited normally but the script output is wrong. Some
lines are missing. By trying to use a coredump, I got the following:

Core was generated by `php -f segfault.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x0817d503 in zend_do_add_array_element (result=Cannot access
memory at address 0xe
) at /var/www/projects/php5-200411261530/Zend/zend_compile.c:2986
2986            opline->result = *result;

I hope this will help.


Enrico Neidt

------------------------------------------------------------------------

[2004-11-26 17:29:02] [EMAIL PROTECTED]

Cannot reproduce it with HEAD, but here is the backtrace for 5_0:
Program received signal SIGSEGV, Segmentation fault.
0x08156d56 in zend_get_property_info (zobj=0x6, member=0x8220fe4,
silent=0)
    at /home/dev/php-src_5_0/Zend/zend_object_handlers.c:202
202             if (zend_hash_quick_find(&zobj->ce->properties_info,
Z_STRVAL_P(member), Z_STRLEN_P(member)+1, h, (void **)
&property_info)==SUCCESS) {
(gdb) bt
#0  0x08156d56 in zend_get_property_info (zobj=0x6, member=0x8220fe4,
silent=0)
    at /home/dev/php-src_5_0/Zend/zend_object_handlers.c:202
#1  0x08155b20 in zend_std_read_property (object=0xbfffeb70,
member=0x8220fe4, type=0)
    at /home/dev/php-src_5_0/Zend/zend_object_handlers.c:287
#2  0x0816073c in zend_fetch_property_address_read (result=0x8220fb8,
op1=0x8220fcc, op2=0x8220fe0, Ts=0x8220fe4, type=0)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:1158
#3  0x08162334 in zend_fetch_obj_r_handler (execute_data=0xbfffe990,
opline=0x8220fb4, op_array=0x821f7f4)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:2132
#4  0x08160fa2 in execute (op_array=0x821f7f4) at
/home/dev/php-src_5_0/Zend/zend_execute.c:1400
#5  0x0813df7e in zend_call_function (fci=0xbfffeae0,
fci_cache=0xbfffeac0)
    at /home/dev/php-src_5_0/Zend/zend_execute_API.c:836
#6  0x08152128 in zend_call_method (object_pp=0xbfffeb6c,
obj_ce=0x821f14c, fn_proxy=0x0,
    function_name=0x819a99b "__destruct", function_name_len=10,
retval_ptr_ptr=0x0, param_count=9, arg1=0x0, arg2=0x0)
    at /home/dev/php-src_5_0/Zend/zend_interfaces.c:79
#7  0x08155582 in zend_objects_destroy_object (object=0x821fa6c,
handle=9) at /home/dev/php-src_5_0/Zend/zend_objects.c:78
#8  0x08156f41 in zend_objects_store_call_destructors
(objects=0x81baad4)
    at /home/dev/php-src_5_0/Zend/zend_objects_API.c:54
#9  0x0813d02c in shutdown_executor () at
/home/dev/php-src_5_0/Zend/zend_execute_API.c:207
#10 0x08145ec7 in zend_deactivate () at
/home/dev/php-src_5_0/Zend/zend.c:818
#11 0x081182a5 in php_request_shutdown (dummy=0x0) at
/home/dev/php-src_5_0/main/main.c:1212
#12 0x08169b90 in main (argc=3, argv=0xbffff8c4) at
/home/dev/php-src_5_0/sapi/cli/php_cli.c:1046
#13 0x420157a4 in __libc_start_main () from /lib/tls/libc.so.6

Valgrind says:
==3978== Invalid read of size 4
==3978==    at 0x8156D56: zend_get_property_info
(zend_object_handlers.c:202)
==3978==    by 0x8155B1F: zend_std_read_property
(zend_object_handlers.c:287)
==3978==    by 0x816073B: zend_fetch_property_address_read
(zend_execute.c:1158)
==3978==    by 0x8162333: zend_fetch_obj_r_handler
(zend_execute.c:2132)
==3978==    Address 0x6 is not stack'd, malloc'd or free'd

------------------------------------------------------------------------

[2004-11-24 03:30:22] delphi32 at gmx dot de

Description:
------------
I got a segmentation fault by executing the posted code. If you execute
it in CLI mode, you will see the segfault. If it is executed by mod_php,
Firefox does nothing.

I have no idea why PHP segfaults. I was able to reduce the problem to 1
line. I have written comments into the code which show the problem.

Of course, the code is trash but PHP should not segfault in such a
situation.

My config line follows:

./configure --prefix=/usr --host=i686-pc-linux-gnu
--mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
--sysconfdir=/etc --localstatedir=/var/lib --with-apxs2=/usr/sbin/apxs2
--with-config-file-path=/etc/php/apache2-php5 --without-pear
--disable-bcmath --with-bz2=shared --disable-calendar
--with-cpdflib=shared --disable-ctype --without-curl
--without-curlwrappers --disable-dbase --disable-dio --disable-exif
--without-fam --without-fbsql --without-fdftk --disable-filepro
--enable-ftp=shared --with-gettext=shared --without-gmp --without-hwapi
--with-iconv=shared --without-informix --without-ingres
--without-interbase --enable-mbstring=shared --with-mcrypt=shared
--without-mcve --disable-memory-limit --without-mhash
--with-mime-magic=/usr/share/misc/file/magic.mime --without-ming
--without-mnogosearch --without-msql --without-mssql
--with-ncurses=shared --without-oci8 --without-oracle
--with-openssl=shared --with-openssl-dir=/usr --without-ovrimos
--disable-pcntl --without-pcre-regx --without-pfpro --without-pgsql
--with-pspell=shared --without-recode --disable-simplexml
--enable-shmop --without-snmp --disable-soap --enable-sockets=shared
--without-sybase --without-sybase-ct --disable-sysvmsg
--disable-sysvsem --disable-sysvshm --without-tidy --disable-tokenizer
--disable-wddx --without-xsl --without-xmlrpc --disable-yp
--with-zlib=shared --disable-debug --without-cdb --with-db4=shared
--without-dbm --without-flatfile --with-gdbm=shared --without-inifile
--without-qdbm --with-jpeg-dir=/usr --with-gd=shared,/usr
--enable-gd-jis-conf --enable-gd-native-ttf --with-imap=shared
--with-imap-ssl --with-mysql=shared
--with-mysql-sock=/var/run/mysqld/mysqld.sock --with-mm
--without-msession --without-sqlite --enable-dba=shared --with-readline
--without-libedit


Enrico Neidt

Reproduce code:
---------------
http://www2.schlampenschlacht.de/segfault.txt

I don't know how long I can host the file there. If it's not there just
mail me, I'll send you a copy. Sorry for that.

Expected result:
----------------
This would be correct:

PARENT DESTRUCT
Before segfault (0)
After segfault (0)
Before segfault (1)
After segfault (1)
Before segfault (2)
After segfault (2)
Before segfault (3)
After segfault (3)
Before segfault (4)
After segfault (4)

Actual result:
--------------
Because I am not able (allowed) to debug PHP (it has no debugging symbols),
I can only give you the output generated by the PHP script:

PARENT DESTRUCT
Before segfault (0)
Before segfault (1)
After segfault (1)
Before segfault (2)
After segfault (2)
Before segfault (3)
After segfault (3)
Before segfault (4)
After segfault (4)
After segfault (0)
Segmentation fault



------------------------------------------------------------------------

