[PHP-BUG] Bug #55578 [NEW]: Segfault on implode/concat

[kontakt at beberlei dot de]

From:             
Operating system: 
PHP version:      5.4.0alpha3
Package:          Reproducible crash
Bug Type:         Bug
Bug description:Segfault on implode/concat

Description:
------------
I found this issue running the Doctrine 2 testsuite with PHP 5.4.0 alpha 3
and could isolate the segfault behavior to a very simple php script.

I cant make anything out of the backtrace with regard to the nature of the
failing. But it seems to have something to do with the __toString() that
gets implicitly called.

Test script:
---------------
<?php

$options = array(
    'pre' => '(',
    'post' => ')',
    'separator' => ' AND ',
);

class Foo
{
    public function __toString()
    {
        return 'Foo';
    }
}   

function test($options, $queryPart)
{
        return (isset($options['pre']) ? $options['pre'] : '')
             . (is_array($queryPart) ? implode($options['separator'],
$queryPart) : $queryPart)
             . (isset($options['post']) ? $options['post'] : '');
}

#echo test($options, "test"); // comment this in and the line after works
aswell
echo test($options, new Foo()); // this segfaults

Expected result:
----------------
(Foo)




Actual result:
--------------
Segfault, Backtrace is:

#0  gc_remove_zval_from_buffer (zv=0xb5f5b1b0) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_gc.c:265
#1  0x083723c8 in _zval_ptr_dtor (zval_ptr=0x8913da8) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:437
#2  0x08374065 in zend_call_function (fci=0xbfffc8ac, fci_cache=0xbfffc8d0)
at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:1018
#3  0x0839660b in zend_call_method (object_pp=0xbfffc9a0, obj_ce=<value
optimized out>, fn_proxy=0xb5f76d38, function_name=0x8866e95 "__tostring",
function_name_len=10, 
    retval_ptr_ptr=0xbfffc97c, param_count=0, arg1=0x0, arg2=0x0) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_interfaces.c:97
#4  0x083a0f11 in zend_std_cast_object_tostring (readobj=0xb5f5b1b0,
writeobj=0xbfffca48, type=6)
    at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_object_handlers.c:1472
#5  0x0838152b in zend_make_printable_zval (expr=0xb5f5b1b0,
expr_copy=0xbfffca48, use_copy=0xbfffca68) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:260
#6  0x0837c678 in concat_function (result=0xb5f5b1c0, op1=0xb5f5b170,
op2=0xb5f5b1b0) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_operators.c:1243
#7  0x083d4d53 in ZEND_CONCAT_SPEC_TMP_TMP_HANDLER
(execute_data=0xb5f5b0f8) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:8133
#8  0x083e52e6 in execute (op_array=0x8a5e7b0) at
/home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:410
#9  0x08381d82 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:1262
#10 0x083247a2 in php_execute_script (primary_file=0xbfffeebc) at
/home/benny/downloads/php-5.4.0alpha3/main/main.c:2385
#11 0x0842005e in do_cli (argc=2, argv=0xbffff144) at
/home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:983
#12 0x084208d7 in main (argc=2, argv=0xbffff144) at
/home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:1356

-- 
Edit bug report at https://bugs.php.net/bug.php?id=55578&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=55578&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=55578&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=55578&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=55578&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=55578&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=55578&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=55578&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=55578&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=55578&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=55578&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=55578&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=55578&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=55578&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=55578&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=55578&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=55578&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=55578&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=55578&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=55578&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=55578&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=55578&r=mysqlcfg