[Bug 984381] [NEW] PHP 5.3.6-13ubuntu3.6 with Suhosin-Patch crashes when using SPLFixedArray built-in class
Attila M. Magyar
984381 at bugs.launchpad.net
Tue Apr 17 21:17:02 UTC 2012
Public bug reported:
Test script
-----------
spl_fixed_array.php:
<?php
for ($i = 0; $i != 10000; ++$i) {
    fprintf(STDERR, "$i\n");
    $array = new SplFixedArray(1);
    $array->offsetSet(0, array($array));
}
?>
Running
-------
php spl_fixed_array.php
Expected result
---------------
The script terminates normally or PHP handles memory limit exhaustion error
(depending on configuration).
Actual result
-------------
1
2
...
4997
4998
4999
Segmentation fault
Backtrace
---------
Program received signal SIGSEGV, Segmentation fault.
spl_fixedarray_object_get_properties (obj=0x156fcc8) at
/build/buildd/php5-5.3.6/Zend/zend.h:381
381 /build/buildd/php5-5.3.6/Zend/zend.h: No such file or directory.
in /build/buildd/php5-5.3.6/Zend/zend.h
(gdb) bt
#0 spl_fixedarray_object_get_properties (obj=0x156fcc8) at /build/buildd/php5-5.3.6/Zend/zend.h:381
#1 0x00000000006b4563 in zval_scan_black (pz=0x156fcc8)
at /build/buildd/php5-5.3.6/Zend/zend_gc.c:285
#2 0x00000000006b47f5 in zval_scan (pz=0x156fcc8) at /build/buildd/php5-5.3.6/Zend/zend_gc.c:453
#3 0x00000000006b4bbe in gc_collect_cycles () at /build/buildd/php5-5.3.6/Zend/zend_gc.c:537
#4 0x00000000006b5244 in gc_zval_possible_root (zv=0x156fcc8)
at /build/buildd/php5-5.3.6/Zend/zend_gc.c:166
#5 0x000000000070bfef in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7ebc068)
at /build/buildd/php5-5.3.6/Zend/zend_execute.h:318
#6 0x00000000006bd51b in execute (op_array=0x104c3d0)
at /build/buildd/php5-5.3.6/Zend/zend_vm_execute.h:107
#7 0x00007ffff4be28b5 in xdebug_execute (op_array=0x104c3d0)
at /build/buildd/xdebug-2.1.0/build-php5/xdebug.c:1272
#8 0x0000000000698b70 in zend_execute_scripts (type=0, retval=0x800000000, file_count=3)
at /build/buildd/php5-5.3.6/Zend/zend.c:1266
#9 0x0000000000645913 in php_execute_script (primary_file=0x7ffff5c40e56)
at /build/buildd/php5-5.3.6/main/main.c:2297
#10 0x000000000042c53e in main (argc=32767, argv=0x7fffffffdf36)
at /build/buildd/php5-5.3.6/sapi/cli/php_cli.c:1197
(gdb) p *obj
$1 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle = 0,
handlers = 0x0}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}
Version
-------
php --version output:
PHP 5.3.6-13ubuntu3.6 with Suhosin-Patch (cli) (built: Feb 11 2012 03:26:01)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
with Xdebug v2.1.0, Copyright (c) 2002-2010, by Derick Rethans
apt-cache policy php5 output:
php5:
Installed: (none)
Candidate: 5.3.6-13ubuntu3.6
Version table:
5.3.6-13ubuntu3.6 0
500 http://hu.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ oneiric-security/main amd64 Packages
5.3.6-13ubuntu3.1 0
500 http://hu.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
lsb_release -rd output:
Description: Ubuntu 11.10
Release: 11.10
file /usr/bin/php5 output:
/usr/bin/php5: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
Reproduction with vanilla PHP
-----------------------------
Manually built current stable release of PHP downloaded from http://php.net.
The issue seemed not to be reproducible. Version:
PHP 5.4.0 (cli) (built: Apr 17 2012 22:23:57)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
** Affects: php5 (Ubuntu)
Importance: Undecided
Status: New
** Tags: crash php segfault spl splfixedarray
https://bugs.launchpad.net/bugs/984381
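
Added example, not part of the original report: a small regression check that runs the reproducer under a chosen PHP binary and tells apart the outcomes the report names (normal termination, a handled PHP fatal error such as memory limit exhaustion, or death by signal). The PHP_BIN variable and the function names are assumptions of this example; spl_fixed_array.php is the test script from the report, expected in the current directory.

```shell
#!/bin/sh
# Added example: classify how a run of the reproducer ended.

# classify_status STATUS
#   0        -> ok         (script terminated normally)
#   255      -> php-fatal  (the PHP CLI exits with 255 on a fatal error,
#                           e.g. "Allowed memory size ... exhausted")
#   129..192 -> signal:N   (the shell reports 128+N for a child killed by
#                           signal N; SIGSEGV is 11, so 139)
#   other    -> error:STATUS
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -eq 255 ]; then
        echo "php-fatal"
    elif [ "$1" -gt 128 ] && [ "$1" -le 192 ]; then
        echo "signal:$(( $1 - 128 ))"
    else
        echo "error:$1"
    fi
}

# run_case CMD [ARGS...]
#   Runs the command, keeps its stderr (where the reproducer prints the loop
#   counter) and prints "<classification> last=<last counter seen>".
run_case() {
    log=$(mktemp) || return 2
    status=0
    "$@" >/dev/null 2>"$log" || status=$?
    # Only purely numeric lines are counters; warnings and notices are skipped.
    last=$(grep -E '^[0-9]+$' "$log" | tail -n 1) || true
    rm -f "$log"
    echo "$(classify_status "$status") last=${last:-none}"
}

# Run against a real interpreter only when PHP_BIN is set, for example:
#   PHP_BIN=/usr/bin/php5 sh check_spl_fixed_array.sh
if [ -n "${PHP_BIN:-}" ]; then
    run_case "$PHP_BIN" spl_fixed_array.php
fi
```

The actual result shown in the report corresponds to `signal:11 last=4999`; a fixed build should print `ok last=9999`, or `php-fatal` if the memory limit is reached first.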