From: Operating system: Tested on Freebsd/CentOS PHP version: 5.3.6 Package: SPL related Bug Type: Bug Bug description:Nested objects cause segmentation fault
Description: ------------ Another discussion on this subject can be found here: http://groups.google.com/group/igbinary/browse_thread/thread/16b8824cbce14c83/8fe37ea6d44556f0#8fe37ea6d44556f0 Test script: --------------- <?php /** * Proof of concept, segmentation fault (spl_array.c/igbinary.c) * when using nested objects. * * PHP 5.3.6, PECL-Memcached 1.x, Igbinary 1.x * * @author Aleksey Korzun */ /** * You must have pecl-memcached + igbinary */ DEFINE('MEMCACHE_SERVER', '192.168.2.85'); DEFINE('MEMCACHE_PORT', 11211); class Storage { public $storage; public function __construct() { $this->storage = new Object; } } class Object { } class Collection extends \ArrayObject { CONST LIMIT = 1000; public function populate() { $limit = 0; while($limit < self::LIMIT) { $this->append(new Storage); ++$limit; } } } $memcached = new Memcached; $memcached->setOption( $memcached::OPT_SERIALIZER, $memcached::SERIALIZER_IGBINARY); $memcached->addServer(MEMCACHE_SERVER, MEMCACHE_PORT); $collection = new Collection; $collection->populate(); if($memcached->set('foobar', $collection, 10)) { if($memcached->get('foobar')) { print "Passed"; } } Expected result: ---------------- Script should output 'Passed' Actual result: -------------- #0 0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60 60 var_entries *var_hash = var_hashx->first_dtor, *prev = NULL; #0 0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60 var_hash = (var_entries *) 0x80163c560 prev = (var_entries *) 0x77bc58 #1 0x000000000053e2bd in process_nested_data (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, ht=0x80163c560, elements=0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:292 key = (zval *) 0x80163c600 data = (zval *) 0x80163c678 old_data = (zval **) 0x80163b9f0 #2 0x000000000053de87 in object_common2 
(rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, elements=1) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:363 retval_ptr = (zval *) 0x0 fname = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 75584827}, ht = 0x0, obj = {handle = 0, handlers = 0x481553b}}, refcount__gc = 0, type = 0 '\0', is_ref__gc = 0 '\0'} #3 0x000000000053c450 in php_var_unserialize (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:647 len3 = 7 user_func = (zval *) 0x5fd1a4 arg_func_name = (zval *) 0x98 pce = (zend_class_entry **) 0x80487e7f8 custom_object = 0 len = 7 len2 = 7 maxlen = 531 elements = 1 class_name = 0x80163ba80 "storage" ce = (zend_class_entry *) 0x801631cd8 incomplete_class = 0 retval_ptr = (zval *) 0x7fffffffc5e0 args = {0x10} yych = 34 '"' cursor = ( const unsigned char *) 0x80481532f "\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;"... limit = ( const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"... marker = ( const unsigned char *) 0x804815324 ":7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object"... start = ( const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"... 
rval_ref = (zval **) 0x78 yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times> #4 0x000000000053e156 in process_nested_data (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, ht=0x80163c1f0, elements=9) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:275 key = (zval *) 0x80163c328 data = (zval *) 0x80163c478 old_data = (zval **) 0x77bc58 #5 0x000000000053c7c7 in php_var_unserialize (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:713 elements = 10 yych = 123 '{' cursor = ( const unsigned char *) 0x80481531f "i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"O"... limit = ( const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"... marker = ( const unsigned char *) 0x80481531a ":10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O"... start = ( ---Type <return> to continue, or q <return> to quit--- const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"... 
rval_ref = (zval **) 0x78 yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times> #6 0x000000000049dc43 in spl_array_unserialize_helper (intern=0x80163bed8, buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, var_hash_p=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1763 p = ( const unsigned char *) 0x804815353 "}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\""... s = ( const unsigned char *) 0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"... 
pmembers = (zval *) 0x72a008dc400 pflags = (zval *) 0x80163c328 flags = 0 #7 0x000000000049e084 in spl_array_unserialize (object=0x7fffffffcbe8, ce=0x801632fc8, buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, data=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1852 intern = (spl_array_object *) 0x80163bed8 #8 0x0000000803ef1d58 in igbinary_unserialize_object_ser (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8, ce=0x801632fc8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1757 n = 552 #9 0x0000000803ef1a07 in igbinary_unserialize_object (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1884 ce = (zend_class_entry *) 0x801632fc8 pce = (zend_class_entry **) 0x804880a78 h = (zval *) 0x0 f = {value = {lval = 140737488341576, dval = 6.9533558071555652e-310, str = {val = 0x7fffffffca48 "(»c\001\b", len = -13776}, ht = 0x7fffffffca48, obj = {handle = 4294953544, handlers = 0x7fffffffca30}}, refcount__gc = 4294953648, type = 0 '\0', is_ref__gc = 0 '\0'} name = 0x804815306 "Collection\036\002(x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage"... 
name_len = 10 r = 45 incomplete_class = false user_func = (zval *) 0x98 retval_ptr = (zval *) 0x80163ba90 args = {0x80160a300} arg_func_name = (zval *) 0x40 #10 0x0000000803ef0e7a in igbinary_unserialize_zval (igsd=0x7fffffffcb20, z=0x7fffffffcbe8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1999 t = igbinary_type_object8 tmp_long = 140737488341744 tmp_double = 6.9533558071662371e-310 tmp_chararray = 0x803ef4278 "/usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c" tmp_size_t = 5450313498624 #11 0x0000000803eee705 in igbinary_unserialize (buf=0x804815300 "", buf_len=571, z=0x7fffffffcbe8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:363 igsd = {buffer = 0x804815300 "", buffer_size = 571, buffer_offset = 19, strings = 0x80163bae0, strings_count = 1, strings_capacity = 4, references = 0x80163b6f8, references_count = 1, references_capacity = 4, error = 0, string0_buf = { c = 0x0, len = 0, a = 0}} #12 0x000000080423f3f8 in php_memc_zval_from_payload (value=0x801631630, payload=0x804815300 "", payload_len=571, flags=5, serializer=SERIALIZER_IGBINARY) at /root/php-memcached/php_memcached.c:2719 payload_emalloc = 0 '\0' buffer = 0x0 #13 0x0000000804238381 in php_memc_get_impl (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, return_value_used=1, by_key=0 '\0') at /root/php-memcached/php_memcached.c:625 rc = 0 return_value_set = 0 '\0' key = 0x80163b810 "foobar" key_len = 6 server_key = 0x0 server_key_len = 0 payload = 0x804815300 "" payload_len = 571 ---Type <return> to continue, or q <return> to quit--- flags = 5 cas = 0 keys = {0x80163b810 "foobar"} key_lens = {6} cas_token = (zval *) 0x0 fci = {size = 0, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, retval_ptr_ptr = 0x0, param_count = 0, params = 0x0, object_ptr = 0x0, no_separation = 0 '\0'} fcc = {initialized = 0 '\0', function_handler = 0x0, calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0} result = {item_flags = 
4294954352, item_expiration = 16, key_length = 140737488342384, item_cas = 6268759, root = 0x80163ba90, value = {end = 0x80160a300 "\001", string = 0x1a520 <Address 0x1a520 out of bounds>, current_size = 16, root = 0x80160aa18, options = {is_allocated = true, is_initialized = false}}, item_key = "úc\001\b\000\000\000\001\000\000\000Ãø\022sð\217y\000\000\000\000\000\000\020#\004»\001\000\000h~y\000\000\000\000\000\220Ã_\000\001\000\000\000\020¸c\001\b\000\000\000\000£`\001\b\000\000\000÷c\001\b", '\0' <repeats 15 times>, "\001\000\000\000à ½_\000\000\000\000\000p½c\001\b\000\000\000\001\000\000\000Ãø\022sh~y\000\000\000\000\000°¿c\001>\001\000\000ÃÃy\000\000\000\000\000`\205\210\004\001\000\000\0000\026c\001\b\000\000\000à ½_\000\000\000\000\000à \025c\001\b\000\000\000\001\000\000\000Ãø\022sh~y\000\000\000\000\000JÃ_\000\000\000\000\000\220Ãy\000\000\000\000\000`\000\000\000\000"..., options = {is_allocated = false, is_initialized = false}} status = MEMCACHED_SUCCESS object = (zval *) 0x80162e600 i_obj = (php_memc_t *) 0x801634410 m_obj = (struct memc_obj *) 0x801638070 #14 0x0000000804237c0b in zim_Memcached_get (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, return_value_used=1) at /root/php-memcached/php_memcached.c:465 No locals. #15 0x000000000065ba1c in zend_do_fcall_common_helper_SPEC (execute_data=0x804888080) at zend_vm_execute.h:316 opline = (zend_op *) 0x801630ce0 should_change_scope = 1 '\001' #16 0x000000000065c9c5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x804888080) at zend_vm_execute.h:421 No locals. 
#17 0x000000000065a9ea in execute (op_array=0x801634540) at zend_vm_execute.h:107 ret = 0 execute_data = (zend_execute_data *) 0x804888080 nested = 1 '\001' original_in_execution = 0 '\0' #18 0x000000000062745d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:1194 files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffd270, reg_save_area = 0x7fffffffd1b0}} i = 1 file_handle = (zend_file_handle *) 0x7fffffffea20 orig_op_array = (zend_op_array *) 0x0 orig_retval_ptr_ptr = (zval **) 0x0 #19 0x00000000005a7712 in php_execute_script (primary_file=0x7fffffffea20) at /usr/ports/lang/php5/work/php-5.3.6/main/main.c:2268 realfile = "/www/ch9/test.php\000\000\000\002\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000\002\000\000\000\001\000\000\000`ðb\001\b\000\000\000\200Ã\215\000\003\000\000\000@ãÿÿÿ\177\000\000\177®c\000\000\000\000\000pïb\001\b\000\000\000\020\000\000\000\002\000\000\000pïb\001\b", '\0' <repeats 11 times>, "8\230x\000\000\000\000\000ð\000\000\000\003\000\000\000ðãÿÿÿ\177\000\000d\032\\\000\000\000\000\000 ª`\001\000\000\000\000\026", '\0' <repeats 15 times>, "\230x\002\000\000\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000p\233w\000\000\000\000\000 ïb\001d\001"... 
__orig_bailout = (sigjmp_buf *) 0x7fffffffe980 __bailout = {{_sjb = {5928021, 2, 140737488343656, 140737488349280, 140737488350208, 140737488350184, 0, 0, 34382807679, 6365355, 140737488349008, 0}}} prepend_file_p = (zend_file_handle *) 0x0 append_file_p = (zend_file_handle *) 0x0 prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = { handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'} append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = { handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'} old_cwd = 0x7fffffffd290 "" use_heap = 0 '\0' retval = 0 #20 0x000000000071b74a in main (argc=2, argv=0x7fffffffebe8) at /usr/ports/lang/php5/work/php-5.3.6/sapi/cli/php_cli.c:1193 __orig_bailout = (sigjmp_buf *) 0x0 __bailout = {{_sjb = {7449865, 2, 140737488349288, 140737488350096, 140737488350208, 140737488350184, 0, 0, 34368979839, 34369030656, 34369031168, 34359738368}}} exit_status = 0 c = -1 file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffee2c "test.php", opened_path = 0x0, handle = { fd = 23262976, fp = 0x80162f700, stream = {handle = 0x80162f700, isatty = 0, mmap = {len = 1060, pos = 0, map = 0x8008f4000, buf = 0x8008f4000 <Address 0x8008f4000 out of bounds>, old_handle = 0x801505c20, old_closer = 0x643b30 <zend_stream_stdio_closer>}, reader = 0x643b00 <zend_stream_stdio_reader>, ---Type <return> to continue, or q <return> to quit--- fsizer = 0x643b70 <zend_stream_stdio_fsizer>, closer = 0x643cd0 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'} behavior = 1 reflection_what = 0x0 orig_optind = 1 orig_optarg = 0x0 arg_free = 0x7fffffffee2c "test.php" arg_excp = (char **) 0x7fffffffebf0 
script_file = 0x7fffffffee2c "test.php" interactive = 0 module_started = 1 request_started = 1 lineno = 1 exec_direct = 0x0 exec_run = 0x0 exec_begin = 0x0 exec_end = 0x0 param_error = 0x0 hide_argv = 0 ini_entries_len = 110 -- Edit bug report at http://bugs.php.net/bug.php?id=54662&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=54662&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=54662&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=54662&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=54662&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=54662&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=54662&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=54662&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=54662&r=needscript Try newer version: http://bugs.php.net/fix.php?id=54662&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=54662&r=support Expected behavior: http://bugs.php.net/fix.php?id=54662&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=54662&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=54662&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=54662&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=54662&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=54662&r=dst IIS Stability: http://bugs.php.net/fix.php?id=54662&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=54662&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=54662&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=54662&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=54662&r=mysqlcfg