Edit report at https://bugs.php.net/bug.php?id=61165&edit=1

 ID:                 61165
 Comment by:         me at ktamura dot com
 Reported by:        tomas dot liska at actumg2 dot cz
 Summary:            Segfault - strip_tags()
 Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux
 PHP Version:        Irrelevant
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

I am fairly certain it is some kind of pointer deferencing here on L446 of 
Zend/zend_execution_API.c (php-5.3.10) I am not sure what the exact cause is 
yet 
though.


 434 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC) /* {{{ */
 435 {
 436     zval *zv = *zval_ptr;
 437 
 438 #if DEBUG_ZEND>=2
 439     printf("Reducing refcount for %x (%x): %d->%d\n", *zval_ptr, zval_ptr, 
Z_REFCOUNT_PP(zval_ptr), Z_REFCOUNT_PP(zval_ptr) - 1);
 440 #endif
 441     Z_DELREF_P(zv);
 442     if (Z_REFCOUNT_P(zv) == 0) {
 443         TSRMLS_FETCH();
 444 
 445         if (zv != &EG(uninitialized_zval)) {
 446             GC_REMOVE_ZVAL_FROM_BUFFER(zv);
 447             zval_dtor(zv);
 448             efree_rel(zv);


Previous Comments:
------------------------------------------------------------------------
[2012-02-24 08:32:29] tomas dot liska at actumg2 dot cz

I might have the cause of this. This code produces $cnt - 1 leaks:

<?php
error_reporting(E_ALL | E_NOTICE | E_STRICT);

class T {
    private $params = array();
    private $_this;

    public function __toString() {
        //$this->params['this'] = $this; // <-- uncoment this
        //$this->_this = $this;          // <-- or this (both cause the leak)
        return 'A';
    }
}

$t = new T;
$cnt = 2;
for ($i = 0; $i < $cnt; $i++) {
    strip_tags($t);
    echo "$i\n";
}

Output:
0
1
[Fri Feb 24 09:27:16 2012]  Script:  'go_own_own.php'
/home/users/tliska/wd/php/php-5.4.0RC8/ext/standard/string.c(4087) :  Freeing 
0x2B9B23ADC678 (2 bytes), script=go_own_own.php

------------------------------------------------------------------------
[2012-02-24 04:56:31] larue...@php.net

this is not the strip_tags's issue. 
ervery internal function perfer a 's', will act the same result(segfault).

so the problem should be in the __toString of that object...

I will keep digging..

thanks

------------------------------------------------------------------------
[2012-02-23 05:41:30] larue...@php.net

I can confirm this issue exists.  but still can not figure out the reason. 
dmitry,  could you plz look at this? thanks

------------------------------------------------------------------------
[2012-02-22 15:08:57] tomas dot liska at actumg2 dot cz

Description:
------------
Running attached script causes heap corruption resulting in segfault or other 
simillar results in all tested PHP versions: 5.3.2, 5.3.8, 5.3.9, 5.3.10, 
5.4.0-RC*

Passing object with __toString() causes segfault in random script iteration. 
When casted to string beforehand, it runs OK.



Test script:
---------------
http://dl.dropbox.com/u/63573745/test.tar.gz

Since I'm not sure what causes the problem, I was unable to create a smaller 
test case.

Expected result:
----------------
Range of numbers from 0 to 9999 (included).

Actual result:
--------------
php-5.3.8:
$ php go.php
0
1
Segmentation fault

php-5.3.9:
0
1
...
739
740
Segmentation fault

Core dump:
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, 
__zend_filename=0xb00838 
"/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) 
at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
52                                      Z_OBJ_HT_P(zvalue)->del_ref(zvalue 
TSRMLS_CC);
(gdb) bt
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, 
__zend_filename=0xb00838 
"/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) 
at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
#1  0x00000000007c9ac1 in _zval_dtor (zvalue=0x7fff3f7421a0, 
__zend_filename=0xb00838 
"/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) 
at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.h:35
#2  0x0000000000802714 in zend_assign_to_variable (variable_ptr_ptr=0xf3810f8, 
value=0xf389130, is_tmp_var=0) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c:690
#3  0x000000000080218e in ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER 
(execute_data=0x2b3bb0b002f8) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:10382
#4  0x00000000007cc29e in execute (op_array=0xf3313f8) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#5  0x0000000000787822 in zend_call_function (fci=0x7fff3f742860, 
fci_cache=0x7fff3f7427f0) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute_API.c:969
#6  0x00000000007b6c75 in zend_call_method (object_pp=0x7fff3f742918, 
obj_ce=0xf355c60, fn_proxy=0xf355e50, function_name=0xb005be "__tostring", 
function_name_len=10, retval_ptr_ptr=0x7fff3f742928, param_count=0, arg1=0x0, 
arg2=0x0)
    at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_interfaces.c:97
#7  0x00000000007c84f7 in zend_std_cast_object_tostring (readobj=0xf389130, 
writeobj=0xf389130, type=6) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_object_handlers.c:1269
#8  0x0000000000799d68 in parse_arg_object_to_string (arg=0x2b3bb0aff4f8) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:258
#9  0x000000000079c608 in zend_parse_va_args (num_args=1, type_spec=0xadeffc 
"s|Z", va=0x7fff3f742c00, flags=0) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:692
#10 0x000000000079d022 in zend_parse_parameters (num_args=1, type_spec=0xadeffc 
"s|Z") at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:871
#11 0x00000000006b6d87 in zif_strip_tags (ht=1, return_value=0xf388750, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at 
/home/users/tliska/wd/php/php-5.3.9/ext/standard/string.c:4056
#12 0x00000000007cd2bb in zend_do_fcall_common_helper_SPEC 
(execute_data=0x2b3bb0aff090) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:320
#13 0x00000000007d3185 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0x2b3bb0aff090) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:1640
#14 0x00000000007cc29e in execute (op_array=0xf3569f0) at 
/home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#15 0x0000000000798f1a in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend.c:1236
#16 0x0000000000717a8e in php_execute_script (primary_file=0x7fff3f745560) at 
/home/users/tliska/wd/php/php-5.3.9/main/main.c:2308
#17 0x000000000088c464 in main (argc=2, argv=0x7fff3f7457e8) at 
/home/users/tliska/wd/php/php-5.3.9/sapi/cli/php_cli.c:1184


php-5.4.0RC8:
0
1
...
689
/php-5.4.0RC8/Zend/zend_hash.c(551) : ht=0x2ada805a4960 is being destroyed

No core dump produced here.



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61165&edit=1

Reply via email to