PHP :: Bug #34712 :: zend.ze1_compatibility

PHP :: Bug #34712 :: zend.ze1_compatibility_mode = on segfault

Bug #34712	zend.ze1_compatibility_mode = on segfault
Submitted:	2005-10-03 10:05 UTC	Modified:	2005-10-20 10:56 UTC
From:	jason at jasonjustman dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS-2005-10-03 (snap)	OS:	*
Private report:	No	CVE-ID:	None

[2005-10-03 10:05 UTC] jason at jasonjustman dot com

Description:
------------
segfault in solaris 10, using php-5.0.6-dev - php5-STABLE-200510030637


Program received signal SIGSEGV, Segmentation fault.
0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
181             new_obj_val = zend_objects_new(&new_object, old_object->ce TSRMLS_CC);

(gdb) backtrace
#0  0xff019b38 in zend_objects_clone_obj (zobject=0xff3fffd8) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:181
#1  0xff019970 in zval_add_ref_or_clone (p=0x0) at /export/apache/php5-STABLE-200510030637/Zend/zend_objects.c:127


Reproduce code:
---------------
can't exactly pin down reproduceable code, but it seems to be something similar to the following:

class aggrevator {
 function aggrevator(&$obj) {
   $this->obj = &$obj;
   $this->_call();
 }
 function _call()
 {
  $this->obj->callback();
 }
}

class helper {
function helper(&$obj)
 {
  $this->obj_ref = &$obj;
 }
}

class parent { }
class child extends parent {
 function callback() {
   $this->_helper = new helper($this);
 }
}
  
$c = new child;
$h = new helper($c);


Expected result:
----------------
not to crash...


Actual result:
--------------
f'd in the a, segfault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-03 10:29 UTC] jason at jasonjustman dot com

last two lines of sample code should be:

$c = new child;
$a = new aggrevator($c);

[2005-10-03 12:13 UTC] dmitry@php.net

This test case must not work at all.

$ php -d "zend.ze1_compatibility_mode=1" bug34712.php

Fatal error: Cannot use 'parent' as class name as it is reserved in /home/dmitry/php/test/bug34712.php on line 20

Without "parent" it works fine on Linux/i386.

Try to make full rebuild.

[2005-10-03 18:02 UTC] jason at jasonjustman dot com

Like i said before, i can't track down the exact sequence (stacktrace of the .php script code shows its in the 12-14th depth), and for full debug - only after parsing about 15kloc of code. 

When adding in debugging php source code in the new call ( $this->_helper = new helper($this);), it prevents the crash but in one case a print_r($this) in the aggrevator:: scope resulted in an empty object. 

This testcase is more pseudocode of the segfault pattern than actual instance.  If you'd like I can privately attach the application source - but again, its not an application problem - as turning off ze1_compat doesn't cause a segfault , but is required for implicit clone.

This happens in the same spot for the 5.0.5, 5.0.6-dev and 5.0.6-latest - even after building in seperate directories with no caching enabled.

[2005-10-03 22:23 UTC] sniper@php.net

We really need a reproducing script. Please try come up with one.

[2005-10-04 08:44 UTC] jason at jasonjustman dot com

http://www.jasonjustman.com/crash.phps

line 114 is what causes the segfault:

$this->_transform_actions = new base_object_meta_transform_actions($this);

its not clean nor tight, but an example of the pattern that causes it to crash

[2005-10-04 09:18 UTC] sniper@php.net

Dmitry, with the provided script I can reproduce this.

[2005-10-18 22:16 UTC] jason at jasonjustman dot com

still present in:

PHP 5.1.0RC3 (cli) (built: Oct 18 2005 08:28:41)
Copyright (c) 1997-2005 The PHP Group
Zend Engine v2.1.0-dev, Copyright (c) 1998-2005 Zend Technologies