From:
Operating system: Linux
PHP version: 5.2SVN-2010-03-29 (snap)
Package: Reproducible crash
Bug Type: Bug
Bug description: Problem with method_exists and autoloader
Description:
------------
A call to method_exists may invoke a class loader. If the class loader is complicated enough, PHP will reallocate the stack to make more room. Once the class loader returns, PHP will then dereference a variable that is no longer valid.

Test script:
---------------
<?php
function recurse($i) {
    if ($i > 0) {
        recurse($i - 1);
    } else {
        class C { }
    }
}

function autoload_function($unused) {
    recurse(17);
}

spl_autoload_register('autoload_function');
method_exists('C', 'foo');

Actual result:
--------------
$ gdb --args ./sapi/cli/php crash.php
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/mboland/src/php5.2-201003291630/sapi/cli/php...done.
(gdb) break zif_method_exists
Breakpoint 1 at 0x832a702: file /home/mboland/src/php5.2-201003291630/Zend/zend_builtin_functions.c, line 898.
(gdb) r
Starting program: /home/mboland/src/php5.2-201003291630/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]

Breakpoint 1, zif_method_exists (ht=2, return_value=0x854e124, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/mboland/src/php5.2-201003291630/Zend/zend_builtin_functions.c:898
898       if (ZEND_NUM_ARGS()!=2 || zend_get_parameters_ex(2, &klass, &method_name)==FAILURE) {
(gdb) n
901       if (Z_TYPE_PP(klass) == IS_OBJECT) {
(gdb) print method_name
$1 = (zval **) 0x854344c
(gdb) print *method_name
$2 = (zval *) 0x854b6e4
(gdb) print *method_name
$3 = {value = {lval = 139780340, dval = 6.435048036853826e-314, str = {val = 0x854e0f4 "foo", len = 3}, ht = 0x854e0f4, obj = {handle = 139780340, handlers = 0x3}}, refcount = 1, type = 6 '\006', is_ref = 0 '\000'}
(gdb) watch *method_name
Hardware watchpoint 2: *method_name
(gdb) c
Continuing.
Hardware watchpoint 2: *method_name

Old value = (zval *) 0x854b6e4
New value = (zval *) 0x5a5a5a5a
memset () at ../sysdeps/i386/i686/memset.S:85
85      ../sysdeps/i386/i686/memset.S: No such file or directory.
        in ../sysdeps/i386/i686/memset.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) bt
#0  memset () at ../sysdeps/i386/i686/memset.S:85
#1  0x082fc11c in _zend_mm_free_int (heap=0x848a1d8, p=0x8543444, __zend_filename=0x845db80 "/home/mboland/src/php5.2-201003291630/Zend/zend_ptr_stack.h", __zend_lineno=73, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/mboland/src/php5.2-201003291630/Zend/zend_alloc.c:1952
#2  0x082fcdd0 in _zend_mm_realloc_int (heap=0x848a1d8, p=0x8543444, size=520, __zend_filename=0x845db80 "/home/mboland/src/php5.2-201003291630/Zend/zend_ptr_stack.h", __zend_lineno=73, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/mboland/src/php5.2-201003291630/Zend/zend_alloc.c:2237
#3  0x082fd040 in _erealloc (ptr=0x8543444, size=520, allow_failure=0, __zend_filename=0x845db80 "/home/mboland/src/php5.2-201003291630/Zend/zend_ptr_stack.h", __zend_lineno=73, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/mboland/src/php5.2-201003291630/Zend/zend_alloc.c:2321
#4  0x0833ca69 in zend_ptr_stack_2_push (stack=0x8489580, a=0x1, b=0x0) at /home/mboland/src/php5.2-201003291630/Zend/zend_ptr_stack.h:73

-- 
Edit bug report at http://bugs.php.net/bug.php?id=51431&edit=1
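The stale-pointer pattern the report describes, as an added C illustration that is not PHP's source and not the actual fix: a toy growable stack stands in for zend_ptr_stack, a callback stands in for the autoloader, and the buggy variant (pointer held across the class lookup) sits beside a variant that copies the argument by value first.

```c
/* Added illustration, not PHP source: a toy growable stack standing in for
 * zend_ptr_stack and a callback standing in for the autoloader. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *val; int len; } zval_t;               /* toy zval */
typedef struct { zval_t *elements; size_t top, max; } ptr_stack_t;

/* Grow into a fresh buffer and free the old one, so the buffer address always
 * changes on growth (erealloc may or may not move it; in the report it did). */
static void stack_push(ptr_stack_t *s, zval_t v) {
    if (s->top == s->max) {
        zval_t *n = malloc(2 * s->max * sizeof *n);
        memcpy(n, s->elements, s->top * sizeof *n);
        free(s->elements);
        s->elements = n; s->max *= 2;
    }
    s->elements[s->top++] = v;
}

/* Stand-in for recurse(17) inside autoload_function: each level pushes a frame. */
static void autoload(ptr_stack_t *s, int depth) {
    for (int i = 0; i < depth; i++) stack_push(s, (zval_t){"frame", 5});
}

/* Buggy pattern from the report: keep a pointer into the stack across the class
 * lookup. Returns true only if the buffer did not move; addresses are compared
 * as integers and the stale pointer itself is never dereferenced. */
bool method_exists_buggy(void) {
    ptr_stack_t s = { malloc(4 * sizeof(zval_t)), 0, 4 };
    stack_push(&s, (zval_t){"C", 1}); stack_push(&s, (zval_t){"foo", 3});
    zval_t *method_name = &s.elements[1];          /* like zend_get_parameters_ex */
    uintptr_t before = (uintptr_t)method_name;
    autoload(&s, 17);                               /* looking up C runs the loader */
    bool still_valid = before == (uintptr_t)&s.elements[1];
    free(s.elements);
    return still_valid;                             /* false: pointer went stale */
}

/* Fixed pattern: copy the argument by value before anything can grow the stack. */
bool method_exists_fixed(void) {
    ptr_stack_t s = { malloc(4 * sizeof(zval_t)), 0, 4 };
    stack_push(&s, (zval_t){"C", 1}); stack_push(&s, (zval_t){"foo", 3});
    zval_t method_name = s.elements[1];             /* survives reallocation */
    autoload(&s, 17);
    bool ok = method_name.len == 3 && strcmp(method_name.val, "foo") == 0;
    free(s.elements);
    return ok;                                      /* true */
}
```

The watchpoint in the session above fires for the same reason: the realloc in zend_ptr_stack_2_push frees the old argument stack, so the `zval **` obtained before the class lookup no longer points into live memory.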