From:
Operating system: Debian Squeeze
PHP version: 5.4.0beta2
Package: Class/Object related
Bug Type: Bug
Bug description: SIGSEGV in zend_std_write_property
Description:
------------
PHP5.4beta2 from SVN, up to this revision: http://svn.php.net/viewvc?view=revision&revision=318411

Repeatable crash in Symfony 1.4.14's Doctrine 1.2.4 Doctrine_Record constructor. PHP environment is FastCGI with lighttpd. No APC or Xcache active. This code runs fine with PHP 5.3.8.

Test script:
---------------
Didn't manage to reproduce it in a simple script yet

Expected result:
----------------
Should not crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_object_handlers.c:244
244 if (key && (property_info = CACHED_POLYMORPHIC_PTR(key->cache_slot, ce)) != NULL) {
(gdb) print key
$1 = (zend_literal *) 0x2964040
(gdb) print key->cache_slot
$2 = 4
(gdb) print ce
$3 = (zend_class_entry *) 0x4
(gdb) bt full
#0 0x00000000006c787d in zend_std_write_property (object=0x3cc01e0, member=0x2964040, value=0xcd11c69b772c0444, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_object_handlers.c:244
property_info = 0x85 scope_property_info = 0x6c85a3 denied_access = 184 '\270' h = 64829024 zobj = 0x3cc4690 tmp_member = 0x13c21c8 variable_ptr = 0x13c42f0 property_info = 0x0
#1 0x000000000071f5b3 in zend_assign_to_object (retval=0x0, object_ptr=0x3cc01e0, property_name=0x7f18dc45d5e8, value_type=4, value_op=0x29612e0, Ts=0x1, opcode=7471229, key=0x2964040) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_execute.c:738
object = 0x3cb69e0 value = 0x3cc01e0 opcode = 136 key = 0x2964040
#2 0x000000000072007d in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f18dc45cb58) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_vm_execute.h:21975
opline = 0x29612e0
#3 0x0000000000711fb8 in execute (op_array=0x3dba620) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend_vm_execute.h:410
ret = 0 execute_data = 0x7f18dc45cb58 nested = 0 '\000' original_in_execution =
0 '\000'
#4 0x00000000006a03ad in zend_execute_scripts (type=32767, retval=0x7ffffbb685f0, file_count=3) at /tmp/buildd/php5-5.3.99+5.4.0/Zend/zend.c:1272
files = {{gp_offset = 0, fp_offset = 0, overflow_arg_area = 0x28, reg_save_area = 0x7ffffbb68680}} i = 1 file_handle = <incomplete type> orig_op_array = 0x0 orig_retval_ptr_ptr = 0xd23518
#5 0x0000000000643268 in php_execute_script (primary_file=0x0) at /tmp/buildd/php5-5.3.99+5.4.0/main/main.c:2414
__orig_bailout = 0x7ffffbb67db0 __bailout = {{__jmpbuf = {4223038732, 32767, 4223038736, 32767, 4223040800, 32767, 4223038688, 32767}, __mask_was_saved = 7041200, __saved_mask = {__val = {6910217, 0, 76, 0, 4223038784, 32767, 64586544, 0, 64623000, 0, 4223038912, 32767, 0, 1, 4223039008, 32767}}}} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {type = 3695567936, filename = 0x7f1800000001 <Address 0x7f1800000001 out of bounds>, opened_path = 0x27348c8 "\370Hs\002", handle = {fd = -599399504, fp = 0x7f18dc45e3b0, stream = {handle = 0x7f18dc45e3b0, isatty = 13775168, mmap = { len = 10411208, pos = 4223041392, map = 0x1, buf = 0x2 <Address 0x2 out of bounds>, old_handle = 0x7ffffbb67710, old_closer = 0x20}, reader = 0x648bb2 <xbuf_format_converter+802>, fsizer = 0, closer = 0x6dfc89 <zend_fetch_dimension_address_read+1097>}}, free_filename = 172 '\254'} append_file = {type = 6, filename = 0x0, opened_path = 0x3 <Address 0x3 out of bounds>, handle = {fd = 7012488, fp = 0x6b0088, stream = {handle = 0x6b0088, isatty = 8, mmap = {len = 0, pos = 3695567936, map = 0x7f18dc45e458, buf = 0x6444e0 "H\201", <incomplete sequence \354\230>, old_handle = 0x7f18dc45e3b0, old_closer = 0xd23140 <executor_globals>}, reader = 0, fsizer = 0, closer = 0x25eb400}}, free_filename = 176 '\260'} retval = 0
#6 0x000000000074d03f in main (argc=32767, argv=0x20) at /tmp/buildd/php5-5.3.99+5.4.0/sapi/cgi/cgi_main.c:2420
__bailout = {{__jmpbuf = {0, 0, 0, 0, 1871636702, 1462165169, 13779936, 0}, __mask_was_saved = -1744377634,
__saved_mask = {__val = {0, 32536, 3695797080, 32536, 4223052864, 32767, 3695786312, 32536, 4223052904, 32767, 3695796224, 32536, 20233565, 0, 3693680738, 32536}}}} free_query_string = 0 exit_status = 16178208 cgi = 0 c = 0 i = 16195251 len = 16195251 file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x7f1800000004 <Address 0x7f1800000004 out of bounds>, opened_path = 0x7f18dc451118 "/var/www/project-sprint/web/index.php", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = -599254176, mmap = {len = 0, pos = 511, map = 0x0, buf = 0x0, old_handle = 0x7f18dc2fe000, old_closer = 0}, reader = 0, fsizer = 0x65c090 <_php_stream_read>, closer = 0x6444e0 <php_zend_stream_fsizer>}}, free_filename = 208 '\320'} s = 0xf719bf "/association/autres/4198/photos-videos/ajout-video" behavior = 0 no_headers = 0 orig_optind = 0 orig_optarg = 0x0 script_file = 0xf719aa "/index.php" max_requests = 1
---Type <return> to continue, or q <return> to quit---
requests = 82 fastcgi = 1 bindpath = 0x1dc492108 <Address 0x1dc492108 out of bounds> fcgi_fd = 16195251 request = 0x0 repeats = 0 benchmark = 0 start = {tv_sec = 7674064, tv_usec = 0} end = {tv_sec = 3651069080, tv_usec = 4223053072} status = 32536
(gdb) zbacktrace
[0xdc45cb58] __construct() /home/www/project-sprint/lib/vendor/symfony/lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine/Doctrine/Record.php:219
[0xdc45c2d0] __construct() /home/www/project-sprint/apps/frontend/modules/associationGallery/actions/actions.class.php:336

Doctrine_Record __construct line 219:

public function __construct($table = null, $isNewEntry = false)
{
    if (isset($table) && $table instanceof Doctrine_Table) {
        $this->_table = $table;
        $exists = ( !
$isNewEntry);
    } else {
        // get the table of this class
        $class = get_class($this);
        $this->_table = Doctrine_Core::getTable($class); <--------

--
Edit bug report at https://bugs.php.net/bug.php?id=60134&edit=1