ID: 32963 User updated by: Jason at hybd dot net Reported By: Jason at hybd dot net Status: Open Bug Type: Reproducible crash Operating System: CentOS 4 / RHEL 3 PHP Version: 5CVS-2005-05-06 (dev) New Comment:
There seems to be no way I can reduce this bug down to a few lines. I can only think some eariler piece of code triggers some sort of memory corruption. I've tried with a test script, fiddling about with things like scopes and making circlar references, thinking maybe that was to do with it (seeing as it's destruction call to the offset that seems to be creating the problem, from what I can make out in the src) Although I don't think it's the same thing as (Certainly I had some code that was doing what was said in these bugs, but it seems like it works now, which makes me believe the bugs below are different, although the behaviour is rather similar at times)... http://bugs.php.net/bug.php?id=30346 OR http://bugs.php.net/bug.php?id=32252 It is very similar. The issue is to do with offsetGet(). Frame 5 of the dump seems to the most likely problem area. Previous Comments: ------------------------------------------------------------------------ [2005-05-09 15:17:20] Jason at hybd dot net In a worst case scenario (if I can't get a small test script developed), would it be OK to email you with access details to the scripts/server so you can investigate for yourself. I can give you suitable SSH access to our testing box. That way you can do what you want in the way of running gdb, recompiling etc if need be. ------------------------------------------------------------------------ [2005-05-09 11:38:38] [EMAIL PROTECTED] We can't do much without a script to reproduce it ourselves, so try come up with one.. ------------------------------------------------------------------------ [2005-05-09 11:28:08] jason at amp-design dot net I normally do try and isolate bugs in PHP by producing a short few lines of PHP in order to replicate the problem. I have tried on many occasions when I have had this bug to replicate it by stripping parts of the code down, but I have not managed to do it sucessfully yet. Is there any other way I can profide feedback? I could probably try and limit the amount code down to some extent, but even so I doubt it would be a small chunk of code. Anyway, I will attempt to find a way to replicate this as soon as I can get time. ------------------------------------------------------------------------ [2005-05-07 05:48:04] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves. A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If possible, make the script source available online and provide an URL to it here. Try to avoid embedding huge scripts into the report. ------------------------------------------------------------------------ [2005-05-06 16:05:48] jason at amp-design dot net OK, I've tried to narrow down things a little more. This is not proving easy. OK, I can see why this is making things crash according to different browsers. I have a piece of code like this ... /** * Extracts path data from URL into a string. * * This will attempt to read the path data from many locations, * such as after the .php part of the URL, the path request variable * or from the site root. */ function iq_extract_path() { if (!isset($_REQUEST['path'])) { /* try to extract it from URL */ $path_string = $_SERVER['REQUEST_URI']; /* Are we hiding the .php file ? */ if (strpos($_SERVER['SCRIPT_NAME'], '.php') !== false) { /* Remove the index or whatever .php bit */ $path_string = preg_replace('/\/[\w]+.php/', '', $path_string); } /* We need to trim on / or it replaces '/' if we are running from root dir */ $prefix_path = trim(dirname($_SERVER['SCRIPT_NAME']), '/'); /* Remove any prefixed URL path */ $path_string = str_replace($prefix_path, '', $path_string); /* remove query string */ $path_string = str_replace('?'.$_SERVER['QUERY_STRING'], '', $path_string); } else { $path_string = $_REQUEST['path']; } return $path_string; } As you can see, this looks at server variables, which explains that. On the site it's used, it allows us to use a clean search engine / user friendly URL system, instead of using HTTP GET/POST variables for the front controller's dispatching. If no server variables are used, it looks at $_REQUEST['path'] as a safety fallback. I found that setting $_REQUEST['path'] to the right value (so it doesn't touch the $_SERVER array) stops the segfault. The segfault it's self is because of the SPL. I'm 99.99999% sure of this. zend_execute.c:1205 confirms this, and other scenarios where I get segfaults normally involve SPL ArrayAccess objects. We use a template system, which is modelled as an object. This implements the ArrayAccess interface, so it makes it easy to set variables. It's initialized like this ... $payment_schedule = new IQ_Template('admin/payment_schedule.xml'); we can poke data in like this... $payment_schedule['schedule_year'] = $year; likewise, there is some system in place where we can write custom web controls so it behaves like WACT / ASP.NETs template system. Anyway, I found another way to prevent the crash, instead of setting $_REQUEST['path'] was to place ... $payment_schedule = 'insert random string here'; before the line $payment_schedule = new IQ_Template('admin/payment_schedule.xml'); Despite the fact the additional line does nothing, it stops the segfault. I tried this after realising that the issue was related with a decreasing reference count due to _zval_ptr_dtor() being called. I can't say this always happens always when assignments are made between two objects implementing ArrayAccess through the [] subscripts. However it does appear that there is always an ArrayAccess object with a [] subscript the left of the assignment operator at the point of the segfault. Obviously this seems like a memory management issue at the heart of the variable managment / Zend engine's object overloading system, which explains it's complex, tricky nature as far as tracing is concerned. I hope this is enough information. This is quite important issue to me as we often come across this issue in other places. Previously we've got round it by using temporary arrays to assign into and then copy that array into the object implementing array access (which is a nasty hack). Also being part of the internals/core of the Zend engine, is another reason see this as a pressing issue. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/32963 -- Edit this bug report at http://bugs.php.net/?id=32963&edit=1
