Edit report at https://bugs.php.net/bug.php?id=60134&edit=1
ID: 60134
Updated by: [email protected]
Reported by: fbaligant at synalabs dot com
Summary: SIGSEGV in zend_std_write_property
-Status: Feedback
+Status: No Feedback
Type: Bug
Package: Scripting Engine problem
Operating System: Debian Squeeze
PHP Version: 5.4.0beta2

New Comment:

No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you.

Previous Comments:
------------------------------------------------------------------------
[2011-10-30 01:33:42] [email protected]

This is going to be difficult without a script. If you can't get a short one, a big one is better than nothing.

------------------------------------------------------------------------
[2011-10-28 14:20:32] fbaligant at synalabs dot com

Wrong package

------------------------------------------------------------------------
[2011-10-25 22:35:26] fbaligant at synalabs dot com

Description:
------------
PHP5.4beta2 from SVN, up to this revision: http://svn.php.net/viewvc?view=revision&revision=318411

Repeatable crash in Symfony 1.4.14's Doctrine 1.2.4 Doctrine_Record constructor.
PHP environment is FastCGI with lighttpd. No APC or Xcache active.
This code runs fine with PHP 5.3.8.

Test script:
---------------
Didn't manage to reproduce it in a simple script yet

Expected result:
----------------
Should not crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_object_handlers.c:244
244 if (key && (property_info = CACHED_POLYMORPHIC_PTR(key->cache_slot, ce)) != NULL) {
(gdb) print key
$1 = (zend_literal *) 0x2964040
(gdb) print key->cache_slot
$2 = 4
(gdb) print ce
$3 = (zend_class_entry *) 0x4
(gdb) bt full
#0 0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_object_handlers.c:244
        property_info = 0x85
        scope_property_info = 0x6c85a3
        denied_access = 184 '\270'
        h = 64829024
        zobj = 0x3cc4690
        tmp_member = 0x13c21c8
        variable_ptr = 0x13c42f0
        property_info = 0x0
#1 0x000000000071f5b3 in zend_assign_to_object (retval=0x0, object_ptr=0x3cc01e0, property_name=0x7f18dc45d5e8, value_type=4, value_op=0x29612e0, Ts=0x1, opcode=7471229, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_execute.c:738
        object = 0x3cb69e0
        value = 0x3cc01e0
        opcode = 136
        key = 0x2964040
#2 0x000000000072007d in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f18dc45cb58) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_vm_execute.h:21975
        opline = 0x29612e0
#3 0x0000000000711fb8 in execute (op_array=0x3dba620) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_vm_execute.h:410
        ret = 0
        execute_data = 0x7f18dc45cb58
        nested = 0 '\000'
        original_in_execution = 0 '\000'
#4 0x00000000006a03ad in zend_execute_scripts (type=32767, retval=0x7ffffbb685f0, file_count=3) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend.c:1272
        files = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x28, reg_save_area = 0x7ffffbb68680}}
        i = 1
        file_handle = <incomplete type>
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0xd23518
#5 0x0000000000643268 in php_execute_script (primary_file=0x0) at /tmp/buildd/php5-5.3.99+5.4.0/main/main.c:2414
        __orig_bailout = 0x7ffffbb67db0
        __bailout = {{__jmpbuf = 
{4223038732, 32767, 4223038736, 32767, 4223040800, 32767, 4223038688, 32767}, __mask_was_saved = 7041200, __saved_mask = {__val = {6910217, 0, 76, 0, 4223038784, 32767, 64586544, 0, 64623000, 0, 4223038912, 32767, 0, 1, 4223039008, 32767}}}} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {type = 3695567936, filename = 0x7f1800000001 <Address 0x7f1800000001 out of bounds>, opened_path = 0x27348c8 "\370Hs\002", handle = {fd = -599399504, fp = 0x7f18dc45e3b0, stream = {handle = 0x7f18dc45e3b0, isatty = 13775168, mmap = { len = 10411208, pos = 4223041392, map = 0x1, buf = 0x2 <Address 0x2 out of bounds>, old_handle = 0x7ffffbb67710, old_closer = 0x20}, reader = 0x648bb2 <xbuf_format_converter+802>, fsizer = 0, closer = 0x6dfc89 <zend_fetch_dimension_address_read+1097>}}, free_filename = 172 '\254'} append_file = {type = 6, filename = 0x0, opened_path = 0x3 <Address 0x3 out of bounds>, handle = {fd = 7012488, fp = 0x6b0088, stream = {handle = 0x6b0088, isatty = 8, mmap = {len = 0, pos = 3695567936, map = 0x7f18dc45e458, buf = 0x6444e0 "H\201", <incomplete sequence \354\230>, old_handle = 0x7f18dc45e3b0, old_closer = 0xd23140 <executor_globals>}, reader = 0, fsizer = 0, closer = 0x25eb400}}, free_filename = 176 '\260'} retval = 0 #6 0x000000000074d03f in main (argc=32767, argv=0x20) at /tmp/buildd/php5- 5.3.99+5.4.0/sapi/cgi/cgi_main.c:2420 __bailout = {{__jmpbuf = {0, 0, 0, 0, 1871636702, 1462165169, 13779936, 0}, __mask_was_saved = -1744377634, __saved_mask = {__val = {0, 32536, 3695797080, 32536, 4223052864, 32767, 3695786312, 32536, 4223052904, 32767, 3695796224, 32536, 20233565, 0, 3693680738, 32536}}}} free_query_string = 0 exit_status = 16178208 cgi = 0 c = 0 i = 16195251 len = 16195251 file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x7f1800000004 <Address 0x7f1800000004 out of bounds>, opened_path = 0x7f18dc451118 "/var/www/project-sprint/web/index.php", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = -599254176, mmap = {len = 0, pos 
= 511, map = 0x0, buf = 0x0, old_handle = 0x7f18dc2fe000, old_closer = 0}, reader = 0, fsizer = 0x65c090 <_php_stream_read>, closer = 0x6444e0 <php_zend_stream_fsizer>}}, free_filename = 208 '\320'} s = 0xf719bf "/association/autres/4198/photos-videos/ajout-video" behavior = 0 no_headers = 0 orig_optind = 0 orig_optarg = 0x0 script_file = 0xf719aa "/index.php" max_requests = 1 ---Type <return> to continue, or q <return> to quit--- requests = 82 fastcgi = 1 bindpath = 0x1dc492108 <Address 0x1dc492108 out of bounds> fcgi_fd = 16195251 request = 0x0 repeats = 0 benchmark = 0 start = {tv_sec = 7674064, tv_usec = 0} end = {tv_sec = 3651069080, tv_usec = 4223053072} status = 32536 (gdb) zbacktrace [0xdc45cb58] __construct() /home/www/project- sprint/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctr ine/Record.php:219 [0xdc45c2d0] __construct() /home/www/project- sprint/apps/frontend/modules/associationGallery/actions/actions.class.php:336 Doctrine_Record __construct line 219: public function __construct($table = null, $isNewEntry = false) { if (isset($table) && $table instanceof Doctrine_Table) { $this->_table = $table; $exists = ( ! $isNewEntry); } else { // get the table of this class $class = get_class($this); $this->_table = Doctrine_Core::getTable($class); <-------- ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=60134&edit=1
