Edit report at http://bugs.php.net/bug.php?id=51552&edit=1

 ID:               51552
 Updated by:       fel...@php.net
 Reported by:      kkotowicz at gmail dot com
 Summary:          Modifying debug_backtrace() output causes segmentation
                   fault
 Status:           Open
 Type:             Bug
 Package:          Reproducible crash
 Operating System: win/linux
 PHP Version:      5.3.2

 New Comment:

It doesn't crash for me, but Valgrind actually points to memory issues
(invalid write/read, and so on):

[...]

==25121== ERROR SUMMARY: 16 errors from 16 contexts (suppressed: 90 from 3)
==25121== malloc/free: in use at exit: 3,673 bytes in 76 blocks.
==25121== malloc/free: 30,671 allocs, 30,595 frees, 3,020,064 bytes allocated.
==25121== For counts of detected errors, rerun with: -v
==25121== searching for pointers to 76 not-freed blocks.
==25121== checked 1,007,216 bytes.
==25121==
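
A run that exits cleanly can still be memory-unsafe, as the Valgrind summary in the comment above shows. The following is an added example, not part of the bug report or of PHP's tooling: it parses a memcheck summary like the one quoted above, rejoins lines that a mail archive has hard-wrapped, and flags any run with a non-zero error count. The function names are hypothetical.

```python
import re

# Summary lines taken from the comment above, hard-wrapped and blank-line
# separated the way a mail archive delivers them.
SAMPLE = """\
==25121== ERROR SUMMARY: 16 errors from 16 contexts (suppressed: 90 from
3)

==25121== malloc/free: in use at exit: 3,673 bytes in 76 blocks.

==25121== malloc/free: 30,671 allocs, 30,595 frees, 3,020,064 bytes
allocated.
"""

PREFIX = re.compile(r"^==(\d+)==\s?")

def unwrap(text):
    """Rejoin wrapped lines: a line without the ==PID== prefix continues the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PREFIX.match(line)
        if m:
            records.append(line[m.end():].strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def num(s):
    return int(s.replace(",", ""))  # Valgrind prints thousands separators

def summarize(text):
    """Return error and heap counters from a memcheck summary."""
    out = {}
    for rec in unwrap(text):
        m = re.match(r"ERROR SUMMARY: ([\d,]+) errors from ([\d,]+) contexts", rec)
        if m:
            out["errors"], out["contexts"] = num(m[1]), num(m[2])
        m = re.search(r"in use at exit: ([\d,]+) bytes in ([\d,]+) blocks", rec)
        if m:
            out["leaked_bytes"], out["leaked_blocks"] = num(m[1]), num(m[2])
        m = re.search(r"([\d,]+) allocs, ([\d,]+) frees", rec)
        if m:
            out["allocs"], out["frees"] = num(m[1]), num(m[2])
    return out

def is_memory_unsafe(text):
    """True when memcheck reported errors, even if the process exited without crashing."""
    return summarize(text).get("errors", 0) > 0
```

In a regression harness, `is_memory_unsafe()` lets the test case fail on builds where the script produces no segmentation fault but memcheck still reports invalid reads or writes.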


Previous Comments:
------------------------------------------------------------------------
[2010-04-15 00:27:58] kkotowicz at gmail dot com

The problem also exists in PHP 5.2.10-2ubuntu6.4 with Suhosin-Patch 0.9.7 (cli)

------------------------------------------------------------------------
[2010-04-13 19:02:20] kkotowicz at gmail dot com

Description:
------------
Under certain conditions, when the result of the debug_backtrace() function
is modified, a segmentation fault is triggered.

I noticed this error on PHP 5.2.6/Win and PHP 5.3.2/Linux x64.

PHP 5.3.2 configure line:

'./configure' '--with-apxs2=/usr/local/apache22/bin/apxs'
'--prefix=/usr/local/php53' '--with-zlib=/usr/' '--with-openssl=no'
'--with-mysql=no' '--with-mssql=/usr/local/freetds'
'--with-pgsql=/usr/local/pg83' '--with-gd' '--without-sqlite'
'--with-pdo-pgsql=/usr/local/pg83' '--disable-tokenizer'
'--without-pdo-sqlite' '--disable-xmlreader' '--disable-xmlwriter'
'--with-jpeg-dir=/usr' '--disable-filter' '--enable-soap'
'--enable-mbstring' '--with-libdir=lib64' '--enable-gd-native-ttf'
'--with-freetype-dir=/usr'
'--with-oci8=instantclient,/usr/local/lib/oracle11.7'

The error is hard to trigger; I narrowed it down to the test case below.
Points to note:

 - array_walk with 3 parameters must be used
 - array_walk must iterate over an array with at least 2 elements
 - the walking function creates an object that uses debug_backtrace() and
   unsets itself from the top of the trace (a PEAR_Error object does that).
 - the error has something to do with references, because when walk()
   uses the 3rd parameter by reference, the error disappears.



Test script:
---------------
<?php

class i_use_backtrace {
  function __construct() {
    $this->backtrace = debug_backtrace();
    unset($this->backtrace[0]['object']); // PEAR_Error uses the same behaviour!
  }
}

// function walk(&$element, $key, &$params) would behave correctly
function walk(&$element, $key, $params) {
  $r = new i_use_backtrace; // you could also use new PEAR_Error
}

$a = array(0, 0);
array_walk($a, 'walk', array(0));

Expected result:
----------------
No output

Actual result:
--------------
Segmentation fault






------------------------------------------------------------------------


