Edit report at https://bugs.php.net/bug.php?id=60701&edit=1

 ID:                 60701
 Updated by:         s...@php.net
 Reported by:        daan at react dot com
 Summary:            __toString() which stores $this reference triggers
                     segfault (with fix!)
 Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS
 PHP Version:        5.3.8
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

OK, I think I know what may be going on here. What you're getting as $this in 
__toString() is not a real $object but a copy that was generated by 
SEPARATE_ZVAL_IF_NOT_REF() in parse_arg_object_to_string(). If you save this 
copy, there might be trouble since it'd be destroyed by writeobj and later 
cleanup of the function arguments. However, the patch proposed doesn't seem to 
solve the problem completely since the $this->test variable is still corrupted 
in this scenario...


Previous Comments:
------------------------------------------------------------------------
[2012-03-26 08:38:59] s...@php.net

I looked more into the code, and as far as I can see, the case where 
readobj == writeobj comes from parse_arg_object_to_string() - but there it is 
preceded by SEPARATE_ZVAL_IF_NOT_REF(arg); so I don't see how you can get 
refcount > 1 there unless you have IS_REF. Something else is going on there...

------------------------------------------------------------------------
[2012-03-26 07:21:23] s...@php.net

I'm not sure I understand the patch, especially this part: 

                                        if (readobj == writeobj) {
+                                               if (Z_REFCOUNT_P(readobj) <= 1) 
{
+                                                       INIT_PZVAL(writeobj);
+                                               }
                                                zval_dtor(readobj);
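Review bot: the guard `if (Z_REFCOUNT_P(readobj) <= 1)` limits INIT_PZVAL(writeobj) to a zval that is already unshared, and because readobj == writeobj in this branch the re-initialised zval is immediately passed to zval_dtor(readobj), so the added lines leave the refcount > 1 case (where another holder, such as a saved $this, still points at the zval) exactly as before and zval_dtor still runs on it. The patch should either carry a comment explaining what the INIT_PZVAL is meant to achieve right before the dtor, or handle the shared case explicitly rather than destroying a zval that may still be referenced elsewhere.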

It looks like you are initializing the object and then immediately calling dtor 
on it (since readobj == writeobj). Could you explain why and what you are trying 
to do there?

------------------------------------------------------------------------
[2012-02-13 19:48:38] pada at hrz dot tu-chemnitz dot de

@sjon: Now, I retried with the original Test script from daan.
This patch works for me too, thanks :)

------------------------------------------------------------------------
[2012-02-13 19:16:25] sjon at hortensius dot net

@andrew at localcoast dot net
Did you try to remove all __toString methods from your application? If that 
didn't fix it you are experiencing another bug and will probably need to 
generate a small reproducing script yourself

@pada at hrz dot tu-chemnitz dot de

Your problem has nothing to do with this bug; you are simply demonstrating a 
recursive loop.

------------------------------------------------------------------------
[2012-02-13 18:00:01] pada at hrz dot tu-chemnitz dot de

This patch does not work for me. I'm still experiencing SegFaults with the 
following code on CentOS 6.0 with php 5.3.3 and 
https://bugs.php.net/patch-display.php?bug_id=60701&patch=bug60701.patch&revision=1327066212 
applied.

Test-Script:

<?php
class C {
    function f() {
        $this->o = new O();
        return $this->o;
    }
    function __destruct() {}
}

class O {
    // $this is used as a property name, which converts $this to a string
    // and so calls __toString() again, recursing without end.
    function __toString() {
        $this->$this;
    }
}

$c = new C();
$o = $c->f();
trim($o);
?>

With the patch applied, I'm still getting SegFaults in 
/var/log/httpd/error_log, but no coredumps any more. This is very strange, 
since coredumping is correctly configured and with other reproducer scripts 
from other bugs I'm getting coredumps.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60701

