From:
Operating system: win/linux
PHP version: 5.3.2
Package: Reproducible crash
Bug Type: Bug
Bug description: Modifying debug_backtrace() output causes segmentation fault
Description:
------------
Under certain conditions, when the result of the debug_backtrace() function
is modified, a segmentation fault is triggered.
I noticed this error on PHP 5.2.6/Win and PHP 5.3.2/Linux x64.
PHP 5.3.2 configure line:
'./configure' '--with-apxs2=/usr/local/apache22/bin/apxs'
'--prefix=/usr/local/php53' '--with-zlib=/usr/' '--with-openssl=no'
'--with-mysql=no' '--with-mssql=/usr/local/freetds'
'--with-pgsql=/usr/local/pg83' '--with-gd' '--without-sqlite'
'--with-pdo-pgsql=/usr/local/pg83' '--disable-tokenizer'
'--without-pdo-sqlite' '--disable-xmlreader' '--disable-xmlwriter'
'--with-jpeg-dir=/usr' '--disable-filter' '--enable-soap'
'--enable-mbstring' '--with-libdir=lib64' '--enable-gd-native-ttf'
'--with-freetype-dir=/usr'
'--with-oci8=instantclient,/usr/local/lib/oracle11.7'
The error is hard to trigger; I narrowed it down to the test case below.
Points to note:
- array_walk with 3 parameters must be used
- array_walk must iterate over an array with at least 2 elements
- the walking function creates an object that uses debug_backtrace() and
unsets itself from the top of the trace (the PEAR_Error object does that).
- the error has something to do with references, because when walk() takes
the 3rd parameter by reference, the error disappears.
Test script:
---------------
<?php
class i_use_backtrace {
    function __construct() {
        $this->backtrace = debug_backtrace();
        unset($this->backtrace[0]['object']); // PEAR_Error uses the same behaviour!
    }
}

// function walk(&$element, $key, &$params) would behave correctly
function walk(&$element, $key, $params) {
    $r = new i_use_backtrace; // you could also use new PEAR_Error
}

$a = array(0, 0);
array_walk($a, 'walk', array(0));
Expected result:
----------------
No output
Actual result:
--------------
Segmentation fault
--
Edit bug report at http://bugs.php.net/bug.php?id=51552&edit=1