Edit report at http://bugs.php.net/bug.php?id=54609&edit=1
ID: 54609
User updated by: aleksey dot v dot korzun at gmail dot com
Reported by: aleksey dot v dot korzun at gmail dot com
Summary: Certain implementation(s) of SplFixedArray cause hard crash
-Status: Feedback
+Status: Open
Type: Bug
Package: SPL related
Operating System: *nix
PHP Version: 5.3.6
Block user comment: N
Private report: N
New Comment:
Fix is confirmed on my end.
Thank you!
Previous Comments:
------------------------------------------------------------------------
[2011-06-05 03:38:27] [email protected]
Please try using this snapshot:
http://snaps.php.net/php-trunk-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
------------------------------------------------------------------------
[2011-06-05 03:38:14] [email protected]
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=311817
Log: - Possible fix for bug #54609 (Certain implementation(s) of SplFixedArray cause hard crash)
------------------------------------------------------------------------
[2011-05-04 19:02:35] aleksey dot v dot korzun at gmail dot com
Possibly x64 related
------------------------------------------------------------------------
[2011-04-26 21:22:25] aleksey dot v dot korzun at gmail dot com
Description:
------------
The problem can be reproduced on both Linux and Unix environments; it does not
seem to be OS specific.
Backtrace and other tests point specifically at SplFixedArray.
PHP/OS:
PHP 5.3.6
8.2-RELEASE FreeBSD
Extensions:
extension=ctype.so
extension=curl.so
extension=dom.so
extension=filter.so
extension=gd.so
extension=hash.so
extension=json.so
extension=mbstring.so
extension=mcrypt.so
extension=session.so
extension=simplexml.so
extension=ftp.so
extension=mysqli.so
extension=igbinary.so
extension=apc.so
extension=memcached.so
Test script:
---------------
<?php
/**
 * Proof of concept
 * @author Aleksey Korzun
 */
ini_set('memory_limit', '1024M');
ini_set('display_errors', 'On');
error_reporting(E_ALL);

// Hard limit for our test loop
$limit = 10000;

/**
 * Placeholder model
 */
class Model
{
    public function foo() {}
}

/**
 * Placeholder collection, using SplFixedArray
 */
class Collection extends \SplFixedArray
{
    // Population method
    public function bar() {
        $models = array();
        foreach ($this as $id => $model) {
            $model->foo();
            $models[$id] = $model;
        }
    }
}

// Initialize and run the test
$collection = new Collection;
$collection->setSize($limit);
while ($limit > 0) {
    --$limit;
    $collection[$limit] = new Model;
}
$collection->bar();
Expected result:
----------------
Script should not crash
Actual result:
--------------
(gdb) bt full
#0 0x00000008026f5567 in _zend_is_inconsistent (ht=0xffffffff,
file=0x80285a5b8 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c",
line=520) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:53
No locals.
#1 0x00000008026f7381 in zend_hash_destroy (ht=0xffffffff) at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:520
p = (Bucket *) 0x802858ff0
q = (Bucket *) 0x480
#2 0x0000000802710a66 in zend_object_std_dtor (object=0x808581920) at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:41
No locals.
#3 0x0000000802710f15 in zend_objects_free_object_storage (object=0x808581920)
at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:126
No locals.
#4 0x0000000802716abf in zend_objects_store_del_ref_by_handle_ex (handle=3697,
handlers=0x8029f0c20) at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:220
__orig_bailout = (sigjmp_buf *) 0x7fffffffe1b0
__bailout = {{_sjb = {34400725674, 34376863547, 140737488347016,
140737488347184, 140737488350136, 140737488350104, 0, 0, 34499527295,
34498252960, 34499605672, 34359738368}}}
obj = (struct _store_object *) 0x8094bdca8
failure = 0
#5 0x00000008027167ae in zend_objects_store_del_ref (zobject=0x8085a8130) at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:172
handle = 3697
#6 0x00000008026e35b3 in _zval_dtor_func (zvalue=0x8085a8130,
__zend_filename=0x802857e68
"/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c",
__zend_lineno=443)
at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_variables.c:52
No locals.
#7 0x00000008026d223f in _zval_dtor (zvalue=0x8085a8130,
__zend_filename=0x802857e68
"/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c",
__zend_lineno=443) at zend_variables.h:35
No locals.
#8 0x00000008026d2628 in _zval_ptr_dtor (zval_ptr=0x80821ad58,
__zend_filename=0x80282b9d8
"/usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c",
__zend_lineno=182)
at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:443
No locals.
#9 0x000000080256f408 in spl_fixedarray_object_free_storage
(object=0x808214990) at
/usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c:182
intern = (spl_fixedarray_object *) 0x808214990
i = 897
#10 0x00000008027164bd in zend_objects_store_free_object_storage
(objects=0x8029f75b8) at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:92
obj = (struct _store_object *) 0x809484668
i = 24
#11 0x00000008026d1f7a in shutdown_executor () at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:302
__orig_bailout = (sigjmp_buf *) 0x0
__bailout = {{_sjb = {34400444143, 34376863547, 140737488347560,
140737488347712, 140737488350136, 140737488350104, 0, 0, 34402009727,
34384020168, 140737488347696, 34359738368}}}
#12 0x00000008026e56de in zend_deactivate () at
/usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:890
No locals.
#13 0x00000008026656a1 in php_request_shutdown (dummy=0x0) at
/usr/ports/lang/php5/work/php-5.3.6/main/main.c:1635
report_memleaks = 1 '\001'
#14 0x00000008027d98b6 in php_apache_request_dtor (r=0x8035778a8) at
/usr/ports/lang/php5/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:509
No locals.
------------------------------------------------------------------------