#36376 [Opn->Asn]: Segfault when using clone '$this>test2' notation in __clone method

[tony2001]

 ID:               36376
 Updated by:       [EMAIL PROTECTED]
 Reported By:      jaco at welnet dot nl
-Status:           Open
+Status:           Assigned
 Bug Type:         Reproducible crash
 Operating System: CentOS 4.2
 PHP Version:      5.1.2
-Assigned To:      
+Assigned To:      dmitry
 New Comment:

Assigned to Dmitry, he'll take a look at it.


Previous Comments:
------------------------------------------------------------------------

[2006-02-13 11:52:37] jaco at welnet dot nl

backtrace from latest cvs cli version:

(gdb) bt
#0  0x00979f1f in _int_malloc () from /lib/tls/libc.so.6
#1  0x0097bf81 in malloc () from /lib/tls/libc.so.6
#2  0x08204a69 in _emalloc (size=10745888, __zend_filename=0xfffffff0
<Address 0xfffffff0 out of bounds>,
    __zend_lineno=904, __zend_orig_filename=0x0, __zend_orig_lineno=0)
at /usr/src/php5.1-200602130930/Zend/zend_alloc.c:182
#3  0x0820f848 in zend_call_function (fci=0xbf4001d0,
fci_cache=0xbf4001b0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:904
#4  0x0822aa1b in zend_call_method (object_pp=0xbf400250,
obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7,
retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#5  0x0822ed8e in zend_objects_clone_members (new_object=0xa30dadc,
new_obj_val={handle = 0, handlers = 0xbf400250},
    old_object=0xa30d804, handle=13367) at
/usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#6  0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at
/usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#7  0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER
(execute_data=0xbf4003a0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#8  0x08234785 in execute (op_array=0x99d096c) at
/usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#9  0x0820f1fc in zend_call_function (fci=0xbf4004f0,
fci_cache=0xbf4004d0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#10 0x0822aa1b in zend_call_method (object_pp=0xbf400570,
obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7,
retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#11 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d804,
new_obj_val={handle = 0, handlers = 0xbf400570},
    old_object=0xa30d52c, handle=13366) at
/usr/src/php5.1-200602130930/Zend/zend_objects.c:152
#12 0x0822ee2f in zend_objects_clone_obj (zobject=0x58) at
/usr/src/php5.1-200602130930/Zend/zend_objects.c:173
#13 0x0824724a in ZEND_CLONE_SPEC_VAR_HANDLER
(execute_data=0xbf4006c0)
    at /usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:7198
#14 0x08234785 in execute (op_array=0x99d096c) at
/usr/src/php5.1-200602130930/Zend/zend_vm_execute.h:92
#15 0x0820f1fc in zend_call_function (fci=0xbf400810,
fci_cache=0xbf4007f0)
    at /usr/src/php5.1-200602130930/Zend/zend_execute_API.c:913
#16 0x0822aa1b in zend_call_method (object_pp=0xbf400890,
obj_ce=0x99d01a4, fn_proxy=0x99d02ac,
    function_name=0x82a885a "__clone", function_name_len=7,
retval_ptr_ptr=0x0, param_count=88, arg1=0x0, arg2=0x0)
    at /usr/src/php5.1-200602130930/Zend/zend_interfaces.c:88
#17 0x0822ed8e in zend_objects_clone_members (new_object=0xa30d52c,
new_obj_val={handle = 0, handlers = 0xbf400890},
    old_object=0xa30d254, handle=13365) at
/usr/src/php5.1-200602130930/Zend/zend_objects.c:152

---
These are the last 17 frames (?) of the backtrace. Is this enough or do
you need more?

------------------------------------------------------------------------

[2006-02-13 11:11:24] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

------------------------------------------------------------------------

[2006-02-13 11:01:01] jaco at welnet dot nl

Description:
------------
PHP segfaults when there is code like '$this->object = clone
$this>object' in __clone method. note the '>' syntax which is faulty
ofcourse but produces the segfault.

tested with latest cvs:
PHP 5.1.3-dev (cli) (built: Feb 13 2006 10:52:02)


Reproduce code:
---------------
class test2 {}

class test {
        public $test2;
        
        public function __construct() {
                $this->test2 = new test2();
        }
        
        public function __clone() {
                $test2 = clone $this>test2;
        }
}

$test = new test();
$test2 = clone $test; 

Expected result:
----------------
Notice: Use of undefined constant test2 - assumed 'test2' in FILE on
line XX

Notice: Object of class test could not be converted to int in FILE on
line XX


Actual result:
--------------
[Mon Feb 13 10:38:40 2006] [notice] child pid 12798 exit signal
Segmentation fault (11)



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=36376&edit=1