Edit report at https://bugs.php.net/bug.php?id=64896&edit=1

 ID:                 64896
 Updated by:         larue...@php.net
 Reported by:        mark dot chong at acquireap dot com
 Summary:            Segfault with gc_collect_cycles using unserialize on
                     certain objects
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   ubuntu
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I have got it to run until it outputs "1315828"; no segfault occurred.

Please show us the backtrace you get; it will be helpful.

thanks


Previous Comments:
------------------------------------------------------------------------
[2013-05-22 08:05:39] mark dot chong at acquireap dot com

Description:
------------
There are a few open bugs this may duplicate, but I have a reproducible case 
under very specific circumstances:

Having an object that has
 a. circular reference
 b. changes global variable on destructor

If this object is unserialize()'d then gc_collect_cycles will cause a segfault

Test script:
---------------
<?php
class bad
{
        private $_private = array();

        public function __construct()
        {
                $this->_private[] = 'oh noes';
        }

        public function __destruct()
        {
                //echo "bad::destructor\n";

                global $bar;
                $bar = $this->_private;
        }
}

$foo = new stdclass;
$foo->foo = $foo;
$foo->bad = new bad;
print_r($foo);

gc_disable();

for ($i=0; true; $i++)
{
        $deep_clone = unserialize(serialize($foo));
        gc_collect_cycles();
        var_dump($i);
}

Expected result:
----------------
Script should run indefinitely.

Actual result:
--------------
int(0)
int(1)
Segmentation fault (core dumped)


------------------------------------------------------------------------


