[PHP-DEV] Bug #12049 Updated: Crash in Zend Engine

2001-07-11 Thread nassar

ID: 12049
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Analyzed
Bug Type: Reproducible crash
Operating System: Debian GNU/Linux
PHP Version: 4.0.6
New Comment:

H...

That code snippet crashes on my system before it has even
given the error message.

It's a very strange bug. Things that shouldn't make a
difference, such as taking out empty class definitions or
changing the order of the class definitions, will stop the
code from crashing. I'm sure that there isn't an endless
recursive call anywhere because just changing the order of
the class definitions prevents it from crashing.

Generating the error messages that you received is the
correct behavior for the code I gave. :)

Originally, I had a zoom() function in the A class, so that
the code would actually work if there was not a segfault,
but I found that the code segfaulted with or without it, so
I just left it out to save space.

I'd be glad to give you any other information that might
help you reproduce the crash.

I'm using a Debian GNU/Linux i386 2.2 (potato) system with
Ximian Gnome packages and the PHP 4.0.6 packages and apache
1.3.20 packages from Debian woody.

Previous Comments:


[2001-07-11 13:56:43] [EMAIL PROTECTED]

The code snippet you supplied doesn't work - it dies with 
Fatal error:  Call to undefined function:  zoom() in test.php on line 9
test.php(9) : Fatal error - Call to undefined function:  zoom()

At any rate - the backtrace appears to suggest you have some endless recursive call.  
This is most probably the problem.




[PHP-DEV] Bug #12049 Updated: Crash in Zend Engine

2001-07-11 Thread nassar

ID: 12049
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproducible crash
Operating System: Debian GNU/Linux
PHP Version: 4.0.6
New Comment:

This code reproduces the crash:


<?php
class A {}
class B extends A {}
class D extends C
{
  function zoom()
  {
    return (parent::zoom());
  }
}
class E extends D {}
class C extends B
{
  function C()
  {
    $this->x = 5;
  }
}

class Storage
{
  var $items;
  function Storage()
  {
    $this->items = array();
  }
  function add()
  {
    $foo = new E();
    $this->items[] = $foo;
    end($this->items);
    return key($this->items);
  }
  function get($who)
  {
    return $this->items[$who];
  }
}

$Store = new Storage();
$ID = $Store->add();
$Obj = $Store->get($ID);

//Segfaults here
$Obj->zoom();



Previous Comments:


[2001-07-11 09:28:48] [EMAIL PROTECTED]

PHP is crashing on a call to an object method.  Currently,
the code is too complex to paste here. Will try to create
simpler example. Here's a gdb backtrace:

# gdb /usr/sbin/apache.dbg
GNU gdb 19990928
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) run -X
Starting program: /usr/sbin/apache.dbg -X

Program received signal SIGSEGV, Segmentation fault.
0x40267713 in execute (op_array=0x8237f04) at ../../Zend/zend_execute.c:1140
1140            zend_fetch_var_address(&opline->result, &opline->op1, &opline->op2, Ts, BP_VAR_W ELS_CC);
(gdb) bt
#0  0x40267713 in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1140
#1  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#2  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#3  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#4  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#5  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#6  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#7  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#8  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#9  0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#10 0x40269f0f in execute (op_array=0x8237f04)
at ../../Zend/zend_execute.c:1544
#11 0x40269f0f in execute (op_array=0x8237f04)
---Type <return> to continue, or q <return> to quit---q
    at ../../Zend/zend_execute.c:1544Quit
(gdb) p opline
$1 = (zend_op *) 0x823de5c
(gdb) p *opline
$2 = {opcode = 83 'S',
  result = {op_type = 4, u = {constant = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0, properties = 0x0}}, type = 0 '\000', is_ref = 0 '\000', refcount = 0}, var = 0, opline_num = 0, fetch_type = 0, op_array = 0x0, EA = {var = 0, type = 0}}},
  op1 = {op_type = 1, u = {constant = {value = {lval = 136544148, dval = 1.0677440727493824e-313, str = {val = 0x8237f94 "other", len = 5}, ht = 0x8237f94, obj = {ce = 0x8237f94, properties = 0x5}}, type = 3 '\003', is_ref = 1 '\001', refcount = 2}, var = 136544148, opline_num = 136544148, fetch_type = 136544148, op_array = 0x8237f94, EA = {var = 136544148, type = 5}}},
  op2 = {op_type = 8, u = {constant = {value = {lval = 1, dval = 4.9406564584124654e-324, str = {val = 0x1 , len = 0}, ht = 0x1, obj = {ce = 0x1, properties = 0x0}}, type = 0 '\000', is_ref = 0 '\000', refcount = 0}, var = 1, opline_num = 1, fetch_type = 1, op_array = 0x1, EA = {var = 1, type = 0}}},
  extended_value = 0, lineno = 1056}
(gdb) 





ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=12049&edit=1


-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP-DEV] Bug #11909 Updated: Object Copied By Reference!!

2001-07-06 Thread nassar

ID: 11909
User Update by: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating system: Debian GNU/Linux (woody)
PHP Version: 4.0.6
Description: Object Copied By Reference!!

Yes.  PHP probably should make a new reference to a new
piece of data in this case.  It would seem to make more
sense to assign everything by value, since according to the
manual the assignment operator "really means that the
left operand gets set to the value of the expression on the
right"

The current behavior is inconsistent. If $a is a variable
inside an object and I set $a by value, the = operator
copies it by value, but if I set $a by reference, the =
operator copies the reference.  Outside of an object, = will
copy a variable by value no matter how it is set.

In other words, "references" are treated like a different
data type in this case.  However, the programmer has no way
of determining this type (as far as I can tell).

If this behavior isn't changed, it should at least be
carefully documented, and there should be some way to
determine whether or not a variable is a reference variable.

For now, this will copy entirely by value:
$a = unserialize(serialize($b));


Previous Comments:
---

[2001-07-05 18:02:34] [EMAIL PROTECTED]

But, the object that you referenced in the share() call is still in existence.  And 
the reference to that object is still good.  All obj1 has is a reference to something 
in its a var.  It copies that reference to the new object.  I don't see where a copy 
should have been made here.

Are you wanting PHP to make a new reference to a new piece of data?


---


Full Bug description available at: http://bugs.php.net/?id=11909



[PHP-DEV] Bug #11909 Updated: Object Copied By Reference!!

2001-07-05 Thread nassar

ID: 11909
User Update by: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating system: Debian GNU/Linux (woody)
PHP Version: 4.0.6
Description: Object Copied By Reference!!

I think you misunderstood me. I'm not assuming that the
object in $obj2 should be gone after I copy something else
to this object. I AM assuming that the object in $obj is
that same object as was in $obj2 and that the object in
$obj2 is now a different object.

The issue is that the = operator does not create a complete
copy of the object referenced by $obj.  It instead creates
an object containing an object that is referenced by both
$obj and $obj2.

Maybe this will make it easier to see:

If you change "$obj2 = $obj;" to "$obj3 = $obj;" and "echo
$obj2->get();" to "echo $obj3->get();" in my code, you still
get the same results.

If you comment out "$obj->share($obj2);" the code returns 1,
which is what you would expect.

If this is the expected behavior, then it is not clearly
documented. If that is the case, this bug should probably be
changed to a documentation bug, and this example should be
added to the documentation with a detailed explanation.


Previous Comments:
---

[2001-07-05 15:05:26] [EMAIL PROTECTED]

This is expected behavior.  You are assuming that the object you had in $obj2 should 
be gone when you copy $obj to that var.  That is not the case.  It only changes what 
$obj2 points to.  Take this case:

$var=3;
$var2=&$var;
unset($var);
echo $var2;

$var2 is still 3.  The reference is gone but not the value of the var.  That is what 
makes references nice.

Brian.

---






[PHP-DEV] Bug #11909: Object Copied By Reference!!

2001-07-05 Thread nassar

From: [EMAIL PROTECTED]
Operating system: Debian GNU/Linux (woody)
PHP version:  4.0.6
PHP Bug Type: Scripting Engine problem
Bug description:  Object Copied By Reference!!

When objects contain objects that are referenced
elsewhere, they are not correctly dereferenced, and strange
side effects result.

<?php
class Foo
{
  var $a;
  function Foo($value)
  {
    $this->set($value);
  }
  function set($value)
  {
    $this->a = $value;
  }
  function get()
  {
    return $this->a;
  }
}
class Bar
{
  var $a;
  function Bar($value)
  {
    $this->a = new Foo($value);
  }
  function set($value)
  {
    $this->a->set($value);
  }
  function get()
  {
    return $this->a->get();
  }
  function share($other)
  {
    $this->a = & $other->a;
  }
}

//Objects are initialized
$obj = new Bar(1);
$obj2 = new Bar(2);

//$obj and $obj2 both contain an internal reference to the
//same Foo object, with a value of 2
$obj->share($obj2);

//$obj2 now references a new Bar object with a new
//Foo object containing a value of 3
$obj2 = new Bar(3);

//$obj2 should be a copy of $obj and contain a new
//Foo object with a value of 2
$obj2 = $obj;

//Somehow, this also changes the value in $obj2
$obj->set(4);

//In a sane world, this outputs 2
//In reality, we get a 4
echo $obj2->get();



-- 
Edit Bug report at: http://bugs.php.net/?id=11909&edit=1



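The aliasing that bug #11909 demonstrates, and the serialize()/unserialize() workaround given in the thread, as an added example that is not part of the bug report or of PHP's own code. It is written for PHP 7 or later rather than the PHP 4 syntax of the report (an assumption: `__construct`, `clone` and the `allowed_classes` option of `unserialize()` do not exist in PHP 4). In PHP 5 and later objects are handles, so `$obj2 = $obj` shares the whole Bar; `clone` is the shallow copy that corresponds to what PHP 4's `=` did to the outer object in the report, and it shows the same effect: the copy's inner Foo is the one the original still writes to. The class and method names follow the report; `DeepBar` and the three functions are this example's own.

```php
<?php
// Added example, not code from bug #11909. Assumes PHP 7+ (__construct,
// clone, allowed_classes); it is not PHP 4 code. Class and method names
// follow the report; DeepBar and the functions below are this example's own.

class Foo
{
    public $a;
    public function __construct($value) { $this->a = $value; }
    public function set($value) { $this->a = $value; }
    public function get() { return $this->a; }
}

class Bar
{
    public $a;
    public function __construct($value) { $this->a = new Foo($value); }
    public function set($value) { $this->a->set($value); }
    public function get() { return $this->a->get(); }
    // As in the report: make $this->a a PHP reference to $other->a.
    public function share(Bar $other) { $this->a = &$other->a; }
}

// Added class: a Bar whose clone is a real deep copy.
class DeepBar extends Bar
{
    public function __clone()
    {
        // clone copies the property table; a property that is a PHP
        // reference stays a reference shared with the original. Assigning
        // through it would overwrite the original's Foo as well, so the
        // slot is unset first to detach it, then refilled with its own Foo.
        $inner = $this->a;
        unset($this->a);
        $this->a = clone $inner;
    }
}

// Shallow copy: clone keeps the same inner Foo (and the reference that
// share() set up), so a write through the original is visible in the copy.
function shallow_copy_leaks()
{
    $obj  = new Bar(1);
    $obj2 = new Bar(2);
    $obj->share($obj2);
    $copy = clone $obj;
    $obj->set(4);
    return $copy->get();
}

// The workaround from the thread: serialize()/unserialize() rebuilds the
// whole object graph, so the copy shares nothing with the original.
// allowed_classes pins the classes that may be instantiated; harmless for
// a same-process round trip, essential if the bytes ever come from outside.
function serialize_roundtrip_isolates()
{
    $obj  = new Bar(1);
    $obj2 = new Bar(2);
    $obj->share($obj2);
    $copy = unserialize(serialize($obj), array('allowed_classes' => array('Bar', 'Foo')));
    $obj->set(4);
    return $copy->get();
}

// Deep clone via __clone. Returns the copy's value and $obj2's value, to show
// that detaching the copy left the original $obj/$obj2 reference intact.
function deep_clone_isolates()
{
    $obj  = new DeepBar(1);
    $obj2 = new DeepBar(2);
    $obj->share($obj2);
    $copy = clone $obj;
    $obj->set(4);
    return array($copy->get(), $obj2->get());
}

var_dump(shallow_copy_leaks());
var_dump(serialize_roundtrip_isolates());
var_dump(deep_clone_isolates());
```

Run it with `php example.php`: shallow_copy_leaks() returns 4, the value the report complains about; serialize_roundtrip_isolates() returns 2; deep_clone_isolates() returns array(2, 4), the copy being isolated while $obj2 still sees $obj's write. The serialize trick is a copy mechanism only for bytes the same process has just produced: unserialize() on data from a client, a cache or a queue that the application does not fully control instantiates whatever classes the payload names, which is why the allowed_classes list is there even in the harmless case.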