Edit report at https://bugs.php.net/bug.php?id=62836&edit=1
ID: 62836 Comment by: james at ifixit dot com Reported by: daniel dot beardsley at gmail dot com Summary: Seg fault or broken object references on unserialize() Status: Open Type: Bug Package: Reproducible crash Operating System: CentOS PHP Version: 5.4.5 Block user comment: N Private report: N New Comment: I've just reproduced this on a build from master, at commit b5305d267b6c3b1b09ab0ba4ecf4f66edc5d4077 . root 11:37:49 serialize > php --version PHP 5.5.0-dev (cli) (built: Aug 16 2012 11:37:55) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies root 11:39:37 serialize > ./run_test.sh ./run_test.sh: line 3: 2267 Segmentation fault php unserialize_autoload.php > after.out Original ========== in autoload: A in autoload: B object(A)#1 (4) { ["b"]=> object(B)#2 (0) { } ["b1"]=> object(B)#2 (0) { } ["c"]=> object(B)#3 (0) { } ["c1"]=> object(B)#3 (0) { } } Unserialized ====== in autoload: A in autoload: B object(A)#1 (4) { ["b"]=> object(B)#2 (0) { } ["b1"]=> object(B)#2 (0) { } ["c"]=> object(B)#3 (0) { } ["c1"]=> NULL } Diff ============== 14,15c14 < object(B)#3 (0) { < } --- > NULL FAILED ============ I built php with the following configure line: ./configure --host=i686-redhat-linux-gnu --build=i686-redhat-linux-gnu \ --target=i386-redhat-linux --program-prefix= --prefix=/usr --exec-prefix=/usr \ --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \ --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \ --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \ --infodir=/usr/share/info --with-libdir=lib64 --with-config-file-path=/etc \ --with-config-file-scan-dir=/etc/php.d --disable-debug --with-pic \ --disable-rpath --with-bz2 --with-curl --with-exec-dir=/usr/bin \ --with-freetype-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf \ --without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr \ --with-openssl --with-pcre-regex=/usr --with-zlib --with-layout=GNU \ --enable-exif --enable-ftp --enable-magic-quotes --enable-sockets \ --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx \ --with-kerberos --enable-shmop --enable-calendar \ --without-sqlite --with-libxml-dir=/usr \ --enable-pcntl --with-imap=/usr/lib64 \ --with-imap-ssl=/usr/local/ssl/include/openssl --enable-mbstring \ --enable-mbregex --with-gd --enable-bcmath --with-xmlrpc=shared \ --with-mysql=mysqlnd --with-mysqli=mysqlnd \ --enable-dom --enable-soap=shared --with-xsl=shared,/usr \ --enable-xmlreader=shared --enable-xmlwriter=shared --with-readline \ --with-mcrypt=/usr/local/include/mcrypt --with-mhash --with-tidy=shared,/usr \ --enable-sigchild --enable-intl --with-apxs2=/usr/sbin/apxs \ --enable-fpm --with-fpm-user=apache --with-fpm-group=apache Previous Comments: ------------------------------------------------------------------------ [2012-08-16 08:59:19] daniel dot beardsley at gmail dot com Description: ------------ Occurs on php 5.4.0, but not on 5.3 (I'll try on other versions soon). Please run this test from /tmp/serialize/run_tests.sh (see bottom for explanation) ## Description ## If calling unserialize() somehow calls back into user code (i.e. autoloading a class while unserializing it) and user code does another unserialize() (no matter what it is), object references in the outer unserialization process won't be restored correctly. Sometimes the outer call can result in a Segmentation Fault instead of just broken references. In particular, object refrerences will often be replaced with a seemingly random value from your serialized object graph (or NULL). The call stack at the time of the problem looks like this: #0 /tmp/serialize/setup.php(6): unserialize('i:4'); #1 [internal function]: __autoload('A') #2 /tmp/serialize/unserialize_autoload.php(4): unserialize('O:1:"A":4: {s:1:...') #3 {main} The unserialize call in frame #2 returns incorrect results because of the "recursive" unserialize call in frame #0. Note: For reasons that completely escape me, this code seems dependent on the literal path it's run from. Some paths hide the bug, some cause failure, and some cause a SegFault. It's consistent on a per-path basis, but I found no pattern. Test script: --------------- https://gist.github.com/3353895 Expected result: ---------------- Before and After output should be the same. Last line of output should read: "Passed, no differences" Before Serialization: class A#1 (4) { public $b => class B#2 (0) { } public $b1 => class B#2 (0) { } public $c => class B#3 (0) { } public $c1 => class B#3 (0) { } } Actual result: -------------- After Serialization: class A#1 (4) { public $b => class B#2 (0) { } public $b1 => string(2) "1\000" public $c => class B#3 (0) { } public $c1 => NULL } ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=62836&edit=1