Bug #64896 [Com]: Segfault with gc_collect_cycles using unserialize on certain objects

2013-06-11 Thread webm4st0r at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=64896&edit=1

 ID: 64896
 Comment by: webm4st0r at gmail dot com
 Reported by:mark dot chong at acquireap dot com
 Summary:Segfault with gc_collect_cycles using unserialize on
 certain objects
 Status: Open
 Type:   Bug
 Package:Reproducible crash
 Operating System:   ubuntu
 PHP Version:5.4.15
 Block user comment: N
 Private report: N

 New Comment:

I believe I am hitting a similar issue to this through running some test 
suites. 
I've not yet been able to get a smaller script to reproduce the problem, though 
the one in this issue does fail to run.

I have tested this on 5.4.16 on 64bit CentOS 6. I would be interested in 
testing 
a patch for this to determine if it truly is the same problem, as the crash I'm 
seeing in the test run is during php_request_shutdown, sometimes within a 
gc_collect_cycles, sometimes within a destroy_zend_class.

I am unable to reproduce these failures with zend.enable_gc = 0, or in a debug 
build.

I can provide some stack traces for both failures I've seen if that would be 
useful in looking into this.


Previous Comments:

[2013-06-05 13:32:34] larue...@php.net

Ha, I can reproduce this with non-debug build now. thanks


[2013-06-05 11:18:22] arjen at react dot com

I can confirm the segfault using PHP-5.4.15 build from php.net sources.

Backtrace is same as above @ https://gist.github.com/anonymous/5713123
Valgrind trace @ https://gist.github.com/anonymous/5713183


[2013-05-30 21:17:17] sjon at hortensius dot net

@laruence I can reproduce this easily, see http://3v4l.org/Z9Bg7#v545 every 
version of PHP since 5.4.5 segfaults on the script (without xdebug)

here is your backtrace without xdebug:

#0  0x00608737 in ?? ()
#1  0x0061f349 in _zval_ptr_dtor ()
#2  0x0063b8d8 in zend_hash_destroy ()
#3  0x0062d37b in _zval_dtor_func ()
#4  0x0069e31d in ?? ()
#5  0x0065508f in execute ()
#6  0x00621190 in zend_call_function ()
#7  0x00644e55 in zend_call_method ()
#8  0x0064eab2 in zend_objects_destroy_object ()
#9  0x0064c9a8 in gc_collect_cycles ()
#10 0x0063e699 in ?? ()
#11 0x006d6d6c in ?? ()
#12 0x0065508f in execute ()
#13 0x0062fb94 in zend_execute_scripts ()
#14 0x005d1afc in php_execute_script ()
#15 0x006d8d1f in ?? ()
#16 0x0042615d in ?? ()
#17 0x7690fa15 in __libc_start_main () from /usr/lib/libc.so.6
#18 0x004261f9 in _start ()

With a debug-build; this problem seems unreproducable


[2013-05-24 13:23:43] larue...@php.net

please disable xdebug then try again


[2013-05-24 01:21:08] edward dot savage at dodo dot com

With the given test case I get the segfault as described (Ubuntu 13.04/PHP 
5.4.9-4ubuntu2).  I found that I could work around it by adding a function like 
'usleep(1);' or '$var = 2;' between global and the $bar operation in the 
destructor.  A simple operation like '6^123;', even repeated at length, wasn't 
enough to avoid the fault.  

Once the test case was running without crashing I started looking at the array 
assignment to $bar.  I found that printing the result of $bar after the 
destructor ran showed that the values of $this->_private were lost from the 
global $bar.  Even more information is lost when gc_collect_cycles is executed. 
 It can be shown to only be the values as an assigned multidimensional array 
will retain its keys.  

This loss of data and the segfault can be avoided by moving the $bar assignment 
into a pseudo destructor or by removing the circular reference.  However, for 
the reported case there is definitely a data integrity issue when assigning an 
array to a global in a __destruct with a circular reference present.  I could 
not repeat this issue with other types of assignment like string and object.




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=64896


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64896&edit=1


[PHP-BUG] Bug #55323 [NEW]: SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself

2011-07-30 Thread webm4st0r at gmail dot com
From: 
Operating system: Any
PHP version:  Irrelevant
Package:  SOAP related
Bug Type: Bug
Bug description:SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION 
contains itself

Description:

While running a soap client in wsdl mode, if the response of a call
contains an 
element which is 
an extension, and it contains itself, an infinite loop occurs in resulting
in a 
segmentation fault. The provided patch is against 5.3.6, does not produce
the 
expected results (but does not segfault), and causes other tests to fail,
but it 
identifies where the problem is (to_zval_object_ex). I've confirmed that
this also 
occurs in previous versions.

Test script:
---
Test script: http://soapbug.privatepaste.com/700d21fc7f
WSDL: http://soapbug.privatepaste.com/4d7e882d61
XSD: http://soapbug.privatepaste.com/43f7a3e274

Expected result:

object(stdClass)#%d (2) {
  ["accountId"]=>
  int(1234)
  ["parent"]=>
  *RECURSION*
  }
}


Actual result:
--
Segmentation fault

-- 
Edit bug report at https://bugs.php.net/bug.php?id=55323&edit=1
-- 
Try a snapshot (PHP 5.4):
https://bugs.php.net/fix.php?id=55323&r=trysnapshot54
Try a snapshot (PHP 5.3):
https://bugs.php.net/fix.php?id=55323&r=trysnapshot53
Try a snapshot (trunk):  
https://bugs.php.net/fix.php?id=55323&r=trysnapshottrunk
Fixed in SVN:
https://bugs.php.net/fix.php?id=55323&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=55323&r=needdocs
Fixed in release:
https://bugs.php.net/fix.php?id=55323&r=alreadyfixed
Need backtrace:  
https://bugs.php.net/fix.php?id=55323&r=needtrace
Need Reproduce Script:   
https://bugs.php.net/fix.php?id=55323&r=needscript
Try newer version:   
https://bugs.php.net/fix.php?id=55323&r=oldversion
Not developer issue: 
https://bugs.php.net/fix.php?id=55323&r=support
Expected behavior:   
https://bugs.php.net/fix.php?id=55323&r=notwrong
Not enough info: 
https://bugs.php.net/fix.php?id=55323&r=notenoughinfo
Submitted twice: 
https://bugs.php.net/fix.php?id=55323&r=submittedtwice
register_globals:
https://bugs.php.net/fix.php?id=55323&r=globals
PHP 4 support discontinued:  
https://bugs.php.net/fix.php?id=55323&r=php4
Daylight Savings:https://bugs.php.net/fix.php?id=55323&r=dst
IIS Stability:   
https://bugs.php.net/fix.php?id=55323&r=isapi
Install GNU Sed: 
https://bugs.php.net/fix.php?id=55323&r=gnused
Floating point limitations:  
https://bugs.php.net/fix.php?id=55323&r=float
No Zend Extensions:  
https://bugs.php.net/fix.php?id=55323&r=nozend
MySQL Configuration Error:   
https://bugs.php.net/fix.php?id=55323&r=mysqlcfg



Bug #55323 [Com]: SoapClient segmentation fault when XSD_TYPEKIND_EXTENSION contains itself

2011-08-01 Thread webm4st0r at gmail dot com
Edit report at https://bugs.php.net/bug.php?id=55323&edit=1

 ID: 55323
 Comment by: webm4st0r at gmail dot com
 Reported by:webm4st0r at gmail dot com
 Summary:SoapClient segmentation fault when
 XSD_TYPEKIND_EXTENSION contains itself
 Status: Open
 Type:   Bug
 Package:SOAP related
 Operating System:   Any
 PHP Version:Irrelevant
 Block user comment: N
 Private report: N

 New Comment:

Updated the attached patch with one that appears to produce the correct results 
and passes all existing tests.


Previous Comments:

[2011-07-30 08:43:59] webm4st0r at gmail dot com

Description:

While running a soap client in wsdl mode, if the response of a call contains an 
element which is 
an extension, and it contains itself, an infinite loop occurs in resulting in a 
segmentation fault. The provided patch is against 5.3.6, does not produce the 
expected results (but does not segfault), and causes other tests to fail, but 
it 
identifies where the problem is (to_zval_object_ex). I've confirmed that this 
also 
occurs in previous versions.

Test script:
---
Test script: http://soapbug.privatepaste.com/700d21fc7f
WSDL: http://soapbug.privatepaste.com/4d7e882d61
XSD: http://soapbug.privatepaste.com/43f7a3e274

Expected result:

object(stdClass)#%d (2) {
  ["accountId"]=>
  int(1234)
  ["parent"]=>
  *RECURSION*
  }
}


Actual result:
--
Segmentation fault






-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55323&edit=1