Edit report at https://bugs.php.net/bug.php?id=65367&edit=1

 ID:                 65367
 Updated by:         mbecc...@php.net
 Reported by:        mbecc...@php.net
 Summary:            Segmentation fault when mixing =& and =
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Any
 PHP Version:        5.5.1
 Block user comment: N
 Private report:     N

 New Comment:

Yes, the patch fixes the issue as far as I can tell. Well done!


Previous Comments:
------------------------------------------------------------------------
[2013-08-02 02:00:15] larue...@php.net

Could you please verify the fix I attached at #65372?
Thanks.

------------------------------------------------------------------------
[2013-08-02 01:11:26] larue...@php.net

Seems similar to #65372

------------------------------------------------------------------------
[2013-07-31 11:13:15] mbecc...@php.net

I forgot to mention that you can easily install the necessary PEAR libraries in 
the current dir without polluting the global PEAR installation with:

pear install -R . MDB2 MDB2#pgsql

------------------------------------------------------------------------
[2013-07-31 11:10:29] mbecc...@php.net

Description:
------------
While updating an old open source application to work with PHP 5.4 and 5.5, I 
somehow managed to trigger a segmentation fault when removing an =& assignment. 
I've been able to write a small reproduction script, which however still requires 
MDB2 from PEAR (tested only with the pgsql driver).

Changing back a specific assignment to =& prevents the shutdown segfault from 
happening.

The code works fine with 5.3 and crashes on 5.4+. Tested on Windows and Linux.

Test script:
---------------
<?php

require './usr/share/php/MDB2.php';

class A {
        static function singleton()
        {
                $db = MDB2::connect('pgsql://postgres:password@localhost/postgres');
                $db->loadModule('Datatype');

                $GLOBALS['DB'] = $db; // Using =& $db doesn't crash

                return $GLOBALS['DB'];
        }
}

class B {
        function __construct()
        {
                $this->db =& $this->getDb();
        }

        function &getDB()
        {
                return A::singleton();
        }
}

$b = new B();


Expected result:
----------------
PHP Notice:  Only variable references should be returned by reference in foobar.php on line 25


Actual result:
--------------
#0  0x0000000000812979 in gc_zval_possible_root (zv=0x7fffeef256e0) at /root/compile/php-5.5.1/Zend/zend_gc.c:143
No locals.
#1  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2b4a0) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2b860
        q = 0x7fffeef2b7b0
#2  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#3  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#4  i_zval_ptr_dtor (zval_ptr=0x7fffeef2b470) at /root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#5  _zval_ptr_dtor (zval_ptr=<optimized out>) at /root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#6  0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef28b10) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2bfd0
        q = 0x7fffeef2ba80
#7  0x00000000007f206b in _zval_dtor_func (zvalue=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_variables.c:45
No locals.
#8  0x00000000007e3178 in _zval_dtor (zvalue=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_variables.h:35
No locals.
#9  i_zval_ptr_dtor (zval_ptr=0x7fffeef28778) at /root/compile/php-5.5.1/Zend/zend_execute.h:81
No locals.
#10 _zval_ptr_dtor (zval_ptr=<optimized out>) at /root/compile/php-5.5.1/Zend/zend_execute_API.c:426
No locals.
#11 0x0000000000801268 in zend_hash_destroy (ht=0x7fffeef2cbb8) at /root/compile/php-5.5.1/Zend/zend_hash.c:560
        p = 0x7fffeef2ce78
        q = 0x7fffeef2ce20
#12 0x000000000081579c in zend_object_std_dtor (object=0x7fffeef27cb0) at /root/compile/php-5.5.1/Zend/zend_objects.c:44
No locals.
#13 0x0000000000815829 in zend_objects_free_object_storage (object=0x7fffeef27cb0) at /root/compile/php-5.5.1/Zend/zend_objects.c:137
No locals.
#14 0x000000000081b476 in zend_objects_store_free_object_storage (objects=0x1085120)
    at /root/compile/php-5.5.1/Zend/zend_objects_API.c:92
        obj = <optimized out>
        i = <optimized out>
#15 0x00000000007e37e3 in shutdown_executor () at /root/compile/php-5.5.1/Zend/zend_execute_API.c:293
        __orig_bailout = 0x7fffffffe460
        __bailout = {{__jmpbuf = {17321344, -8869895244590628792, 0, 0, 0, 17333536, 8869894737283235912, -8869895235585851320},
            __mask_was_saved = 0, __saved_mask = {__val = {9576849035021516823, 0, 8402366, 17291648, 17319392, 140737353913872,
                140737353912280, 140737353913920, 140737353912280, 0, 17321080, 1, 0, 0, 8330270, 17320992}}}}
#16 0x00000000007f3075 in zend_deactivate () at /root/compile/php-5.5.1/Zend/zend.c:939
No locals.
#17 0x0000000000791637 in php_request_shutdown (dummy=<optimized out>) at /root/compile/php-5.5.1/main/main.c:1803
        report_memleaks = 1 '\001'
<snip>


------------------------------------------------------------------------


