Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: initrd dot gz at gmail dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Re-Opened
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
C lets you do a lot of stuff you aren't supposed to do. Just because C allows
it
doesn't mean higher level languages like PHP should. An out of memory error is
much more helpful than a segfault, which could come from anything. Also,
segfaults
have historically lead to exploits.
Previous Comments:
[2013-04-06 17:45:36] dinesh dot joshi at yahoo dot com
This segmentation fault / coredump behavior is consistent with what lower level
languages like C. So IMHO this should not be considered a PHP bug. Just don't
get
into infinite recursions. The language can't stop you from doing something
stupid.
Here's a C program that demos the same behavior:
--
#include
void fn() {
char buff[16*1024];
fn();
}
int main(void) {
fn();
}
--
[2013-02-23 22:58:49] cataphr...@php.net
Still present in trunk; reopening.
[2013-01-28 13:43:17] cf0hay at gmail dot com
Same az OP (with PHP 5.4.8):
$ php a.php
a before cloning:
a: [- >]
Segmentation fault
[2013-01-23 12:07:28] patrik dot lermon at gmail dot com
And what do you get when you try with the reproduce code?
[2013-01-23 11:27:55] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.
Err, what?
$ php -r 'function a(){ a(); } a();'
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate 130968 bytes) in Command line code on line 1
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate
130968 bytes) in Command line code on line 1
This is the intended behaviour on infinite recursion, not a segmentation fault.
I wouldn't be surprised this could lead a security problem rather just a simple
crash.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=49664
--
Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: dinesh dot joshi at yahoo dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Re-Opened
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
This segmentation fault / coredump behavior is consistent with what lower level
languages like C. So IMHO this should not be considered a PHP bug. Just don't
get
into infinite recursions. The language can't stop you from doing something
stupid.
Here's a C program that demos the same behavior:
--
#include
void fn() {
char buff[16*1024];
fn();
}
int main(void) {
fn();
}
--
Previous Comments:
[2013-02-23 22:58:49] cataphr...@php.net
Still present in trunk; reopening.
[2013-01-28 13:43:17] cf0hay at gmail dot com
Same az OP (with PHP 5.4.8):
$ php a.php
a before cloning:
a: [- >]
Segmentation fault
[2013-01-23 12:07:28] patrik dot lermon at gmail dot com
And what do you get when you try with the reproduce code?
[2013-01-23 11:27:55] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.
Err, what?
$ php -r 'function a(){ a(); } a();'
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate 130968 bytes) in Command line code on line 1
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate
130968 bytes) in Command line code on line 1
This is the intended behaviour on infinite recursion, not a segmentation fault.
I wouldn't be surprised this could lead a security problem rather just a simple
crash.
[2012-12-18 23:53:05] kurt at kurtrose dot com
Python handles this kind of recursion fine:
class F(object):
def __repr__(self): return self.__repr__()
>>> repr(F())
File "", line 2, in __repr__
File "", line 2, in __repr__
...
File "", line 2, in __repr__
File "", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded
No segfault.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=49664
--
Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: cf0hay at gmail dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Not a bug
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
Same az OP (with PHP 5.4.8):
$ php a.php
a before cloning:
a: [- >]
Segmentation fault
Previous Comments:
[2013-01-23 12:07:28] patrik dot lermon at gmail dot com
And what do you get when you try with the reproduce code?
[2013-01-23 11:27:55] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.
Err, what?
$ php -r 'function a(){ a(); } a();'
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate 130968 bytes) in Command line code on line 1
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate
130968 bytes) in Command line code on line 1
This is the intended behaviour on infinite recursion, not a segmentation fault.
I wouldn't be surprised this could lead a security problem rather just a simple
crash.
[2012-12-18 23:53:05] kurt at kurtrose dot com
Python handles this kind of recursion fine:
class F(object):
def __repr__(self): return self.__repr__()
>>> repr(F())
File "", line 2, in __repr__
File "", line 2, in __repr__
...
File "", line 2, in __repr__
File "", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded
No segfault.
[2009-10-19 15:31:17] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte
recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.
My understanding is that segfault is never ok - that means the code is faulty.
[2009-10-19 15:10:24] j...@php.net
Infinite recursion crashes. There's no fix for that.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=49664
--
Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: patrik dot lermon at gmail dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Not a bug
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
And what do you get when you try with the reproduce code?
Previous Comments:
[2013-01-23 11:27:55] cf0hay at gmail dot com
> Infinite recursion crashes. There's no fix for that.
Err, what?
$ php -r 'function a(){ a(); } a();'
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate 130968 bytes) in Command line code on line 1
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate
130968 bytes) in Command line code on line 1
This is the intended behaviour on infinite recursion, not a segmentation fault.
I wouldn't be surprised this could lead a security problem rather just a simple
crash.
[2012-12-18 23:53:05] kurt at kurtrose dot com
Python handles this kind of recursion fine:
class F(object):
def __repr__(self): return self.__repr__()
>>> repr(F())
File "", line 2, in __repr__
File "", line 2, in __repr__
...
File "", line 2, in __repr__
File "", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded
No segfault.
[2009-10-19 15:31:17] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte
recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.
My understanding is that segfault is never ok - that means the code is faulty.
[2009-10-19 15:10:24] j...@php.net
Infinite recursion crashes. There's no fix for that.
[2009-09-28 12:06:43] patrik dot lermon at gmail dot com
I get the same result with http://snaps.php.net/php5.3-latest.tar.gz
on Slackware.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=49664
--
Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: cf0hay at gmail dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Not a bug
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
> Infinite recursion crashes. There's no fix for that.
Err, what?
$ php -r 'function a(){ a(); } a();'
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate 130968 bytes) in Command line code on line 1
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
allocate
130968 bytes) in Command line code on line 1
This is the intended behaviour on infinite recursion, not a segmentation fault.
I wouldn't be surprised this could lead a security problem rather just a simple
crash.
Previous Comments:
[2012-12-18 23:53:05] kurt at kurtrose dot com
Python handles this kind of recursion fine:
class F(object):
def __repr__(self): return self.__repr__()
>>> repr(F())
File "", line 2, in __repr__
File "", line 2, in __repr__
...
File "", line 2, in __repr__
File "", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded
No segfault.
[2009-10-19 15:31:17] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte
recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.
My understanding is that segfault is never ok - that means the code is faulty.
[2009-10-19 15:10:24] j...@php.net
Infinite recursion crashes. There's no fix for that.
[2009-09-28 12:06:43] patrik dot lermon at gmail dot com
I get the same result with http://snaps.php.net/php5.3-latest.tar.gz
on Slackware.
[2009-09-25 07:50:31] patrik dot lermon at gmail dot com
I am aware that the cloning will be recursive in some circumstances, but PHP
should not segfault because of this.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=49664
--
Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1
ID: 49664
Comment by: kurt at kurtrose dot com
Reported by:patrik dot lermon at gmail dot com
Summary:Clone causes Segmentation fault
Status: Not a bug
Type: Bug
Package:Reproducible crash
Operating System: Linux
PHP Version:5.*, 6 (2009-09-20)
Block user comment: N
Private report: N
New Comment:
Python handles this kind of recursion fine:
class F(object):
def __repr__(self): return self.__repr__()
>>> repr(F())
File "", line 2, in __repr__
File "", line 2, in __repr__
...
File "", line 2, in __repr__
File "", line 2, in __repr__
RuntimeError: maximum recursion depth exceeded
No segfault.
Previous Comments:
[2009-10-19 15:31:17] patrik dot lermon at gmail dot com
I don't agree. Perhaps my knowledge is not detailed enough, but an infinte
recursion should:
a) run out of memory and die, or
b) detect the recursion and die.
In both these cases PHP should die in a controlled manner, not segfault.
My understanding is that segfault is never ok - that means the code is faulty.
[2009-10-19 15:10:24] j...@php.net
Infinite recursion crashes. There's no fix for that.
[2009-09-28 12:06:43] patrik dot lermon at gmail dot com
I get the same result with http://snaps.php.net/php5.3-latest.tar.gz
on Slackware.
[2009-09-25 07:50:31] patrik dot lermon at gmail dot com
I am aware that the cloning will be recursive in some circumstances, but PHP
should not segfault because of this.
[2009-09-25 07:46:10] patrik dot lermon at gmail dot com
Description:
Under certain circumstances the clone keyword causes a Segmentation fault. This
code is reproducible and tested with the same result on:
- Ubuntu 9.04 / PHP 5.2.10 (cli) (built: Jun 22 2009 12:32:02)
- Slackware 13.0.0.0.0 / PHP 5.3.0 (cli) (built: Sep 25 2009 08:58:26) (DEBUG)
- Mac OS X 10.5.8 / PHP 5.2.10 (cli) (built: Aug 24 2009 12:47:12)
- Mac OS X 10.6.1 / PHP 5.3.0 (cli) (built: Jul 19 2009 00:34:29)
The Ubuntu and Mac OS X versions are standard builds from Zend, and the
Slackware is built by me like this:
EXTENSION_DIR=/usr/lib/php/extensions \
CFLAGS="-O2 -march=i486 -mtune=i686" \
./configure \
--enable-force-cgi-redirect \
--enable-pcntl \
--enable-sigchild \
--prefix=/usr \
--libdir=/usr/lib \
--with-libdir=lib \
--sysconfdir=/etc \
--disable-safe-mode \
--disable-magic-quotes \
--enable-zend-multibyte \
--enable-mbregex \
--enable-tokenizer=shared \
--with-config-file-scan-dir=/etc/php \
--with-config-file-path=/etc/httpd \
--enable-mod_charset \
--with-layout=PHP \
--enable-sigchild \
--enable-xml \
--with-libxml-dir=/usr \
--enable-simplexml \
--enable-spl \
--enable-filter \
--enable-debug \
--with-openssl=shared \
--with-pcre-regex=/usr \
--with-zlib=shared,/usr \
--enable-bcmath=shared \
--with-bz2=shared,/usr \
--enable-calendar=shared \
--enable-ctype=shared \
--with-curl=shared \
--with-curlwrappers \
--with-mcrypt=/usr \
--enable-dba=shared \
--with-gdbm=/usr \
--with-db4=/usr \
--enable-exif=shared \
--enable-ftp=shared \
--with-gd=shared \
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-zlib-dir=/usr \
--with-xpm-dir=/usr \
--with-freetype-dir=/usr \
--with-t1lib=/usr \
--enable-gd-native-ttf \
--enable-gd-jis-conv \
--with-gettext=shared,/usr \
--with-gmp=shared,/usr \
--with-iconv=shared \
--with-imap-ssl=/usr \
--with-imap=/usr/local/lib/c-client \
--with-ldap=shared \
--enable-mbstring=shared \
--enable-hash \
--with-mysql=shared,/usr \
--with-mysqli=shared,/usr/bin/mysql_config \
--enable-pdo=shared \
--with-pdo-mysql=shared,/usr \
--with-pdo-sqlite=shared \
--with-pspell=shared,/usr \
--with-mm=/usr \
--enable-shmop=shared \
--with-snmp=shared,/usr \
--enable-soap=shared \
--enable-sockets \
--with-sqlite=shared \
--enable-sqlite-utf8 \
--with-regex=php \
--enable-sysvmsg \
--enable-sysvsem \
--enable-sysvshm \
--enable-wddx=shared \
--with-xsl=shared,/usr \
--enable-zip=shared \
--with-tsrm-pthreads \
--enable-shared=yes \
--enable-static=no \
--with-gnu-ld \
--with-pic \
--build=i486-slackware-linux
Reproduce code:
---
previous != NULL ? $this->previous = clone $this->previous :
$this->previous = NULL;
$this->next != NULL ? $this->next = clone $this->next : $this->next =
NULL;
}
public function __toString() {
return '[' . ($this->previous != NULL ? '<' : '-') . ' ' . ($this->next
!= NULL ? '>' : '-') . ']';
}
}
// Create some test objects
$a = new Test(); $b = new Test();
// Link them together
$a->next =& $b; $b->previo
