Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: initrd dot gz at gmail dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Re-Opened Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: C lets you do a lot of stuff you aren't supposed to do. Just because C allows it doesn't mean higher level languages like PHP should. An out of memory error is much more helpful than a segfault, which could come from anything. Also, segfaults have historically lead to exploits. Previous Comments: [2013-04-06 17:45:36] dinesh dot joshi at yahoo dot com This segmentation fault / coredump behavior is consistent with what lower level languages like C. So IMHO this should not be considered a PHP bug. Just don't get into infinite recursions. The language can't stop you from doing something stupid. Here's a C program that demos the same behavior: -- #include void fn() { char buff[16*1024]; fn(); } int main(void) { fn(); } -- [2013-02-23 22:58:49] cataphr...@php.net Still present in trunk; reopening. [2013-01-28 13:43:17] cf0hay at gmail dot com Same az OP (with PHP 5.4.8): $ php a.php a before cloning: a: [- >] Segmentation fault [2013-01-23 12:07:28] patrik dot lermon at gmail dot com And what do you get when you try with the reproduce code? [2013-01-23 11:27:55] cf0hay at gmail dot com > Infinite recursion crashes. There's no fix for that. Err, what? $ php -r 'function a(){ a(); } a();' PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 This is the intended behaviour on infinite recursion, not a segmentation fault. I wouldn't be surprised this could lead a security problem rather just a simple crash. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=49664 -- Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: dinesh dot joshi at yahoo dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Re-Opened Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: This segmentation fault / coredump behavior is consistent with what lower level languages like C. So IMHO this should not be considered a PHP bug. Just don't get into infinite recursions. The language can't stop you from doing something stupid. Here's a C program that demos the same behavior: -- #include void fn() { char buff[16*1024]; fn(); } int main(void) { fn(); } -- Previous Comments: [2013-02-23 22:58:49] cataphr...@php.net Still present in trunk; reopening. [2013-01-28 13:43:17] cf0hay at gmail dot com Same az OP (with PHP 5.4.8): $ php a.php a before cloning: a: [- >] Segmentation fault [2013-01-23 12:07:28] patrik dot lermon at gmail dot com And what do you get when you try with the reproduce code? [2013-01-23 11:27:55] cf0hay at gmail dot com > Infinite recursion crashes. There's no fix for that. Err, what? $ php -r 'function a(){ a(); } a();' PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 This is the intended behaviour on infinite recursion, not a segmentation fault. I wouldn't be surprised this could lead a security problem rather just a simple crash. [2012-12-18 23:53:05] kurt at kurtrose dot com Python handles this kind of recursion fine: class F(object): def __repr__(self): return self.__repr__() >>> repr(F()) File "", line 2, in __repr__ File "", line 2, in __repr__ ... File "", line 2, in __repr__ File "", line 2, in __repr__ RuntimeError: maximum recursion depth exceeded No segfault. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=49664 -- Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: cf0hay at gmail dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Not a bug Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: Same az OP (with PHP 5.4.8): $ php a.php a before cloning: a: [- >] Segmentation fault Previous Comments: [2013-01-23 12:07:28] patrik dot lermon at gmail dot com And what do you get when you try with the reproduce code? [2013-01-23 11:27:55] cf0hay at gmail dot com > Infinite recursion crashes. There's no fix for that. Err, what? $ php -r 'function a(){ a(); } a();' PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 This is the intended behaviour on infinite recursion, not a segmentation fault. I wouldn't be surprised this could lead a security problem rather just a simple crash. [2012-12-18 23:53:05] kurt at kurtrose dot com Python handles this kind of recursion fine: class F(object): def __repr__(self): return self.__repr__() >>> repr(F()) File "", line 2, in __repr__ File "", line 2, in __repr__ ... File "", line 2, in __repr__ File "", line 2, in __repr__ RuntimeError: maximum recursion depth exceeded No segfault. [2009-10-19 15:31:17] patrik dot lermon at gmail dot com I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should: a) run out of memory and die, or b) detect the recursion and die. In both these cases PHP should die in a controlled manner, not segfault. My understanding is that segfault is never ok - that means the code is faulty. [2009-10-19 15:10:24] j...@php.net Infinite recursion crashes. There's no fix for that. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=49664 -- Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: patrik dot lermon at gmail dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Not a bug Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: And what do you get when you try with the reproduce code? Previous Comments: [2013-01-23 11:27:55] cf0hay at gmail dot com > Infinite recursion crashes. There's no fix for that. Err, what? $ php -r 'function a(){ a(); } a();' PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 This is the intended behaviour on infinite recursion, not a segmentation fault. I wouldn't be surprised this could lead a security problem rather just a simple crash. [2012-12-18 23:53:05] kurt at kurtrose dot com Python handles this kind of recursion fine: class F(object): def __repr__(self): return self.__repr__() >>> repr(F()) File "", line 2, in __repr__ File "", line 2, in __repr__ ... File "", line 2, in __repr__ File "", line 2, in __repr__ RuntimeError: maximum recursion depth exceeded No segfault. [2009-10-19 15:31:17] patrik dot lermon at gmail dot com I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should: a) run out of memory and die, or b) detect the recursion and die. In both these cases PHP should die in a controlled manner, not segfault. My understanding is that segfault is never ok - that means the code is faulty. [2009-10-19 15:10:24] j...@php.net Infinite recursion crashes. There's no fix for that. [2009-09-28 12:06:43] patrik dot lermon at gmail dot com I get the same result with http://snaps.php.net/php5.3-latest.tar.gz on Slackware. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=49664 -- Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: cf0hay at gmail dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Not a bug Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: > Infinite recursion crashes. There's no fix for that. Err, what? $ php -r 'function a(){ a(); } a();' PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in Command line code on line 1 This is the intended behaviour on infinite recursion, not a segmentation fault. I wouldn't be surprised this could lead a security problem rather just a simple crash. Previous Comments: [2012-12-18 23:53:05] kurt at kurtrose dot com Python handles this kind of recursion fine: class F(object): def __repr__(self): return self.__repr__() >>> repr(F()) File "", line 2, in __repr__ File "", line 2, in __repr__ ... File "", line 2, in __repr__ File "", line 2, in __repr__ RuntimeError: maximum recursion depth exceeded No segfault. [2009-10-19 15:31:17] patrik dot lermon at gmail dot com I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should: a) run out of memory and die, or b) detect the recursion and die. In both these cases PHP should die in a controlled manner, not segfault. My understanding is that segfault is never ok - that means the code is faulty. [2009-10-19 15:10:24] j...@php.net Infinite recursion crashes. There's no fix for that. [2009-09-28 12:06:43] patrik dot lermon at gmail dot com I get the same result with http://snaps.php.net/php5.3-latest.tar.gz on Slackware. [2009-09-25 07:50:31] patrik dot lermon at gmail dot com I am aware that the cloning will be recursive in some circumstances, but PHP should not segfault because of this. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=49664 -- Edit this bug report at https://bugs.php.net/bug.php?id=49664&edit=1
Bug #49664 [Com]: Clone causes Segmentation fault
Edit report at https://bugs.php.net/bug.php?id=49664&edit=1 ID: 49664 Comment by: kurt at kurtrose dot com Reported by:patrik dot lermon at gmail dot com Summary:Clone causes Segmentation fault Status: Not a bug Type: Bug Package:Reproducible crash Operating System: Linux PHP Version:5.*, 6 (2009-09-20) Block user comment: N Private report: N New Comment: Python handles this kind of recursion fine: class F(object): def __repr__(self): return self.__repr__() >>> repr(F()) File "", line 2, in __repr__ File "", line 2, in __repr__ ... File "", line 2, in __repr__ File "", line 2, in __repr__ RuntimeError: maximum recursion depth exceeded No segfault. Previous Comments: [2009-10-19 15:31:17] patrik dot lermon at gmail dot com I don't agree. Perhaps my knowledge is not detailed enough, but an infinte recursion should: a) run out of memory and die, or b) detect the recursion and die. In both these cases PHP should die in a controlled manner, not segfault. My understanding is that segfault is never ok - that means the code is faulty. [2009-10-19 15:10:24] j...@php.net Infinite recursion crashes. There's no fix for that. [2009-09-28 12:06:43] patrik dot lermon at gmail dot com I get the same result with http://snaps.php.net/php5.3-latest.tar.gz on Slackware. [2009-09-25 07:50:31] patrik dot lermon at gmail dot com I am aware that the cloning will be recursive in some circumstances, but PHP should not segfault because of this. [2009-09-25 07:46:10] patrik dot lermon at gmail dot com Description: Under certain circumstances the clone keyword causes a Segmentation fault. This code is reproducible and tested with the same result on: - Ubuntu 9.04 / PHP 5.2.10 (cli) (built: Jun 22 2009 12:32:02) - Slackware 13.0.0.0.0 / PHP 5.3.0 (cli) (built: Sep 25 2009 08:58:26) (DEBUG) - Mac OS X 10.5.8 / PHP 5.2.10 (cli) (built: Aug 24 2009 12:47:12) - Mac OS X 10.6.1 / PHP 5.3.0 (cli) (built: Jul 19 2009 00:34:29) The Ubuntu and Mac OS X versions are standard builds from Zend, and the Slackware is built by me like this: EXTENSION_DIR=/usr/lib/php/extensions \ CFLAGS="-O2 -march=i486 -mtune=i686" \ ./configure \ --enable-force-cgi-redirect \ --enable-pcntl \ --enable-sigchild \ --prefix=/usr \ --libdir=/usr/lib \ --with-libdir=lib \ --sysconfdir=/etc \ --disable-safe-mode \ --disable-magic-quotes \ --enable-zend-multibyte \ --enable-mbregex \ --enable-tokenizer=shared \ --with-config-file-scan-dir=/etc/php \ --with-config-file-path=/etc/httpd \ --enable-mod_charset \ --with-layout=PHP \ --enable-sigchild \ --enable-xml \ --with-libxml-dir=/usr \ --enable-simplexml \ --enable-spl \ --enable-filter \ --enable-debug \ --with-openssl=shared \ --with-pcre-regex=/usr \ --with-zlib=shared,/usr \ --enable-bcmath=shared \ --with-bz2=shared,/usr \ --enable-calendar=shared \ --enable-ctype=shared \ --with-curl=shared \ --with-curlwrappers \ --with-mcrypt=/usr \ --enable-dba=shared \ --with-gdbm=/usr \ --with-db4=/usr \ --enable-exif=shared \ --enable-ftp=shared \ --with-gd=shared \ --with-jpeg-dir=/usr \ --with-png-dir=/usr \ --with-zlib-dir=/usr \ --with-xpm-dir=/usr \ --with-freetype-dir=/usr \ --with-t1lib=/usr \ --enable-gd-native-ttf \ --enable-gd-jis-conv \ --with-gettext=shared,/usr \ --with-gmp=shared,/usr \ --with-iconv=shared \ --with-imap-ssl=/usr \ --with-imap=/usr/local/lib/c-client \ --with-ldap=shared \ --enable-mbstring=shared \ --enable-hash \ --with-mysql=shared,/usr \ --with-mysqli=shared,/usr/bin/mysql_config \ --enable-pdo=shared \ --with-pdo-mysql=shared,/usr \ --with-pdo-sqlite=shared \ --with-pspell=shared,/usr \ --with-mm=/usr \ --enable-shmop=shared \ --with-snmp=shared,/usr \ --enable-soap=shared \ --enable-sockets \ --with-sqlite=shared \ --enable-sqlite-utf8 \ --with-regex=php \ --enable-sysvmsg \ --enable-sysvsem \ --enable-sysvshm \ --enable-wddx=shared \ --with-xsl=shared,/usr \ --enable-zip=shared \ --with-tsrm-pthreads \ --enable-shared=yes \ --enable-static=no \ --with-gnu-ld \ --with-pic \ --build=i486-slackware-linux Reproduce code: --- previous != NULL ? $this->previous = clone $this->previous : $this->previous = NULL; $this->next != NULL ? $this->next = clone $this->next : $this->next = NULL; } public function __toString() { return '[' . ($this->previous != NULL ? '<' : '-') . ' ' . ($this->next != NULL ? '>' : '-') . ']'; } } // Create some test objects $a = new Test(); $b = new Test(); // Link them together $a->next =& $b; $b->previo