From: ddk at krasn dot ru
Operating system: winxp sp2, freebsd 4.11
PHP version: 5.1.4
PHP Bug Type: Reproducible crash
Bug description: Crash on some object operations
Description:
------------
A crash occurs when the specified code is executed.
If the line "$drv->obj = null;" is uncommented, everything works fine.
Reproduce code:
---------------
<?php
class drv {
    public $obj;

    function func1() {
        echo "func1(): {$this->obj->i}\n";
    }

    function close() {
        echo "close(): {$this->obj->i}\n";
    }
}

class A {
    public $i;

    function __construct($i) {
        $this->i = $i;
    }

    function __call($method, $args) {
        $drv = myserv::drv();
        $drv->obj = $this;
        echo "before call $method\n";
        print_r($this);
        call_user_func_array(array($drv, $method), $args);
        echo "after call $method\n";
        // Uncomment this line to work without crash
        // $drv->obj = null;
    }

    function __destruct() {
        echo "A::__destruct()\n";
        $this->close();
    }
}

class myserv {
    private static $drv = null;

    static function drv() {
        if (is_null(self::$drv))
            self::$drv = new drv;
        return self::$drv;
    }
}

$obj1 = new A(1);
$obj1->func1();
$obj2 = new A(2);
unset($obj1);
$obj2->func1();
?>
Expected result:
----------------
before call func1
A Object
(
[i] => 1
)
func1(): 1
after call func1
A::__destruct()
before call close
A Object
(
[i] => 1
)
close(): 1
after call close
before call func1
A Object
(
[i] => 2
)
func1(): 2
after call func1
A::__destruct()
before call close
A Object
(
[i] => 2
)
close(): 2
after call close
Actual result:
--------------
before call func1
A Object
(
[i] => 1
)
func1(): 1
after call func1
A::__destruct()
before call close
... crash ...
backtrace:
#0 zend_std_object_get_class_name (object=0xbfbfdd70,
class_name=0xbfbfd6d8, class_name_len=0xbfbfd6dc, parent=0)
at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c:1019
1019 ce = zobj->ce;
#0 zend_std_object_get_class_name (object=0xbfbfdd70,
class_name=0xbfbfd6d8, class_name_len=0xbfbfd6dc, parent=0)
at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c:1019
#1 0x813b69a in zend_print_zval_r_ex (write_func=0x81047c4
<php_body_write_wrapper>, expr=0xbfbfdd70, indent=0)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend.c:383
#2 0x813b606 in zend_print_zval_r (expr=0xbfbfdd70, indent=0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend.c:359
#3 0x80ace08 in zif_print_r (ht=1, return_value=0x832d5e4,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at
/usr/ports/lang/php5/work/php-5.1.4/ext/standard/basic_functions.c:2807
#4 0x8155bef in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfbfd8f0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:200
#5 0x815b728 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xbfbfd8f0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:1640
#6 0x815555f in execute (op_array=0x832c124) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:92
#7 0x8131e0d in zend_call_function (fci=0xbfbfda3c, fci_cache=0xbfbfda1c)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_execute_API.c:938
#8 0x814c98b in zend_call_method (object_pp=0xbfbfdad4, obj_ce=0x8314a24,
fn_proxy=0x8314b40, function_name=0x8222c40 "__call", function_name_len=6,
retval_ptr_ptr=0xbfbfdabc, param_count=2, arg1=0x832dae4,
arg2=0x832dba4) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_interfaces.c:88
#9 0x81527f4 in zend_std_call_user_call (ht=0, return_value=0x832db24,
return_value_ptr=0x0, this_ptr=0xbfbfdd70, return_value_used=0)
at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c:634
#10 0x8155bef in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfbfdbb0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:200
#11 0x8156104 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbfbfdbb0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:322
#12 0x815555f in execute (op_array=0x832c324) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:92
#13 0x8131e0d in zend_call_function (fci=0xbfbfdcfc, fci_cache=0xbfbfdcdc)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_execute_API.c:938
#14 0x814c98b in zend_call_method (object_pp=0xbfbfdd6c, obj_ce=0x8314a24,
fn_proxy=0x8314b28, function_name=0x8222777 "__destruct",
function_name_len=10,
retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_interfaces.c:88
#15 0x8150bef in zend_objects_destroy_object (object=0x831f564, handle=1)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_objects.c:98
#16 0x81538d2 in zend_objects_store_del_ref (zobject=0x832d5e4) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_objects_API.c:166
#17 0x813ab9c in _zval_dtor_func (zvalue=0x832d5e4,
__zend_filename=0x821cca0
"/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_variables.h",
__zend_lineno=35)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_variables.c:52
#18 0x8130701 in _zval_ptr_dtor (zval_ptr=0x832a6b0,
__zend_filename=0x821e5a0
"/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_variables.c",
__zend_lineno=175) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_variables.h:35
#19 0x813adaf in _zval_ptr_dtor_wrapper (zval_ptr=0x832a6b0) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_variables.c:175
#20 0x8143b64 in _zend_hash_quick_add_or_update (ht=0x832a5a4,
arKey=0x831f6a4 "obj", nKeyLength=4, h=2090572832, pData=0xbfbfdee0,
nDataSize=4,
pDest=0xbfbfdeb4, flag=1, __zend_filename=0x82229c0
"/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c",
__zend_lineno=419)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_hash.c:294
#21 0x8151c25 in zend_std_write_property (object=0x832d964,
member=0x832e268, value=0x832d8a4)
at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c:419
#22 0x81b9f62 in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_HANDLER
(execute_data=0xbfbfe060) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_execute.c:617
#23 0x815555f in execute (op_array=0x832c124) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:92
#24 0x8131e0d in zend_call_function (fci=0xbfbfe1ac, fci_cache=0xbfbfe18c)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend_execute_API.c:938
#25 0x814c98b in zend_call_method (object_pp=0xbfbfe244, obj_ce=0x8314a24,
fn_proxy=0x8314b40, function_name=0x8222c40 "__call", function_name_len=6,
retval_ptr_ptr=0xbfbfe22c, param_count=2, arg1=0x832db64,
arg2=0x832dbe4) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_interfaces.c:88
#26 0x81527f4 in zend_std_call_user_call (ht=0, return_value=0x832d264,
return_value_ptr=0x0, this_ptr=0x832d8a4, return_value_used=0)
at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_object_handlers.c:634
#27 0x8155bef in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfbfe430) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:200
#28 0x8156104 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0xbfbfe430) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:322
#29 0x815555f in execute (op_array=0x830cc24) at
/usr/ports/lang/php5/work/php-5.1.4/Zend/zend_vm_execute.h:92
#30 0x813c609 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/ports/lang/php5/work/php-5.1.4/Zend/zend.c:1109
#31 0x8105008 in php_execute_script (primary_file=0xbfbffb3c) at
/usr/ports/lang/php5/work/php-5.1.4/main/main.c:1732
#32 0x81dbf91 in main (argc=2, argv=0xbfbffbb4) at
/usr/ports/lang/php5/work/php-5.1.4/sapi/cli/php_cli.c:1092
--
Edit bug report at http://bugs.php.net/?id=38220&edit=1