Edit report at http://bugs.php.net/bug.php?id=51552&edit=1
ID: 51552
Comment by: kkotowicz at gmail dot com
Reported by: kkotowicz at gmail dot com
Summary: Modifying debug_backtrace() output causes segmentation fault
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: win/linux
PHP Version: 5.3.2
New Comment:
The problem also exists in
PHP 5.2.10-2ubuntu6.4 with Suhosin-Patch 0.9.7 (cli)
Previous Comments:
------------------------------------------------------------------------
[2010-04-13 19:02:20] kkotowicz at gmail dot com
Description:
------------
Under certain conditions, when the result from the debug_backtrace()
function is modified, a segmentation fault is triggered.
I noticed this error on PHP 5.2.6/Win and PHP 5.3.2/Linux x64.
PHP 5.3.2 configure line:
'./configure' '--with-apxs2=/usr/local/apache22/bin/apxs'
'--prefix=/usr/local/php53' '--with-zlib=/usr/' '--with-openssl=no'
'--with-mysql=no' '--with-mssql=/usr/local/freetds'
'--with-pgsql=/usr/local/pg83' '--with-gd' '--without-sqlite'
'--with-pdo-pgsql=/usr/local/pg83' '--disable-tokenizer'
'--without-pdo-sqlite' '--disable-xmlreader' '--disable-xmlwriter'
'--with-jpeg-dir=/usr' '--disable-filter' '--enable-soap'
'--enable-mbstring' '--with-libdir=lib64' '--enable-gd-native-ttf'
'--with-freetype-dir=/usr'
'--with-oci8=instantclient,/usr/local/lib/oracle11.7'
The error is hard to trigger; I narrowed it down to the test case below.
Points to note:
- array_walk with 3 parameters must be used
- array_walk must iterate over an array with at least 2 elements
- the walking function creates an object that uses debug_backtrace() and
unsets itself from the top of the trace (the PEAR_Error object does that).
- the error has something to do with references, because when walk()
uses the 3rd parameter by reference, the error disappears.
Test script:
---------------
<?php
class i_use_backtrace {
    function __construct() {
        $this->backtrace = debug_backtrace();
        // PEAR_Error uses the same behaviour!
        unset($this->backtrace[0]['object']);
    }
}

// function walk(&$element, $key, &$params) would behave correctly
function walk(&$element, $key, $params) {
    $r = new i_use_backtrace; // you could also use new PEAR_Error
}

$a = array(0, 0);
array_walk($a, 'walk', array(0));
Expected result:
----------------
No output
Actual result:
--------------
Segmentation fault
------------------------------------------------------------------------