php5 crashed with SIGSEGV in execute()

Bug #577710 reported by Volodymyr Kolesnykov
This bug affects 1 person
Affects: php5 (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: php5

1. lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10

2. php5:
  Installed: (none)
  Candidate: 5.2.10.dfsg.1-2ubuntu6.4
  Version table:
     5.2.10.dfsg.1-2ubuntu6.4 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
     5.2.10.dfsg.1-2ubuntu6 0
        500 http://us.archive.ubuntu.com karmic/main Packages

Crashes are random; I was unable to create a minimal test case.

ProblemType: Crash
Architecture: amd64
CrashCounter: 1
Date: Sun May 9 02:54:11 2010
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/php5
NonfreeKernelModules: backupdriver
Package: php5-cli 5.2.10.dfsg.1-2ubuntu6.4
ProcCmdline: php wp-config.php
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-21.59-server
SegvAnalysis:
 Segfault happened at: 0x68e333 <execute+195>: callq 0x45f0d8 <memset@plt>
 PC (0x0068e333) ok
 source "0x45f0d8" (0x0045f0d8) ok
 Reason could not be automatically determined.
Signal: 11
SourcePackage: php5
StacktraceTop:
 execute (op_array=0x391c5d8) at /usr/include/bits/string3.h:85
 zend_do_fcall_common_helper_SPEC (execute_data=0x7fff936852a0) at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:234
 execute (op_array=0x3929168) at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
 zend_do_fcall_common_helper_SPEC (execute_data=0x7fff936854d0) at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:234
 execute (op_array=0x391c5d8) at /build/buildd/php5-5.2.10.dfsg.1/Zend/zend_vm_execute.h:92
Title: php5 crashed with SIGSEGV in execute()
Uname: Linux 2.6.31-21-server x86_64
UserGroups:

Volodymyr Kolesnykov (sjinks) wrote :

Attached is the test case that always reproduces this bug.

The bug is triggered when a child class calls a PHP4-style constructor from the base class, which has both PHP4-style and PHP5-style constructors, and the PHP4-style one calls the PHP5-style one.

One example where this can happen is WordPress - its WP_Widget class has both constructors, and the PHP4-style one calls the PHP5-style constructor. If a class that inherits from WP_Widget is unlucky enough to call parent::WP_Widget() instead of parent::__construct(), php crashes.

Volodymyr Kolesnykov (sjinks) wrote :

The bug also happens in Lucid:

lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04

apt-cache policy php5
php5:
  Установлен: (отсутствует)
  Кандидат: 5.3.2-1ubuntu4.1
  Таблица версий:
     5.3.2-1ubuntu4.1 0
        500 http://ua.archive.ubuntu.com/ubuntu/ lucid-proposed/main Packages
     5.3.2-1ubuntu4 0
        500 http://ua.archive.ubuntu.com/ubuntu/ lucid/main Packages

dpkg -l | grep php5 | awk '{print $2, $3}'
libapache2-mod-php5 5.3.2-1ubuntu4.1
php5-cgi 5.3.2-1ubuntu4.1
php5-cli 5.3.2-1ubuntu4.1
php5-common 5.3.2-1ubuntu4.1
php5-curl 5.3.2-1ubuntu4.1
php5-dbg 5.3.2-1ubuntu4.1
php5-dev 5.3.2-1ubuntu4.1
php5-imap 5.3.2-0ubuntu2
php5-mcrypt 5.3.2-0ubuntu1
php5-memcached 1.0.0-1build1
php5-mmapi 0.1.3-1lucid1
php5-mysql 5.3.2-1ubuntu4.1
php5-suhosin 0.9.29-1ubuntu1
php5-xcache 1.3.0-5ubuntu1

visibility: private → public
Scott Moser (smoser)
Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Apport retracing service (apport) wrote : Stacktrace.txt (retraced)

StacktraceTop:execute (op_array=0x391c5d8) at /usr/include/bits/string3.h:85

Apport retracing service (apport) wrote : ThreadStacktrace.txt (retraced)
tags: removed: need-amd64-retrace
Clint Byrum (clint-fewbar) wrote :

Vladimir, thanks very much for this bug report!

I believe this is essentially infinite recursion caused by the way PHP resolves methods.

The test case basically does this:

create a new Test_PHP5 object, named $this
call $this->__construct()
$this->__construct calls parent::Test(), which leaves $this as a Test_PHP5, and maps to Test::Test()
Test::Test() calls $this->__construct(), which is mapped to Test_PHP5::__construct()
$this->__construct() calls parent::Test() which maps to Test::Test()
... infinite recursion

This would cause issues with any PHP interpreter. On Maverick though, this is the result:

PHP Fatal error: Maximum function nesting level of '100' reached, aborting! in /home/clint/test.php on line 7
PHP Stack trace:
PHP 1. {main}() /home/clint/test.php:0
PHP 2. Test_PHP5->__construct() /home/clint/test.php:26
PHP 3. Test->Test() /home/clint/test.php:22
PHP 4. Test_PHP5->__construct() /home/clint/test.php:7
PHP 5. Test->Test() /home/clint/test.php:22
PHP 6. Test_PHP5->__construct() /home/clint/test.php:7
PHP 7. Test->Test() /home/clint/test.php:22
PHP 8. Test_PHP5->__construct() /home/clint/test.php:7
PHP 9. Test->Test() /home/clint/test.php:22
PHP 10. Test_PHP5->__construct() /home/clint/test.php:7
PHP 11. Test->Test() /home/clint/test.php:22
PHP 12. Test_PHP5->__construct() /home/clint/test.php:7
PHP 13. Test->Test() /home/clint/test.php:22
PHP 14. Test_PHP5->__construct() /home/clint/test.php:7
PHP 15. Test->Test() /home/clint/test.php:22
PHP 16. Test_PHP5->__construct() /home/clint/test.php:7
PHP 17. Test->Test() /home/clint/test.php:22
PHP 18. Test_PHP5->__construct() /home/clint/test.php:7
PHP 19. Test->Test() /home/clint/test.php:22
PHP 20. Test_PHP5->__construct() /home/clint/test.php:7
PHP 21. Test->Test() /home/clint/test.php:22
PHP 22. Test_PHP5->__construct() /home/clint/test.php:7
PHP 23. Test->Test() /home/clint/test.php:22
PHP 24. Test_PHP5->__construct() /home/clint/test.php:7
PHP 25. Test->Test() /home/clint/test.php:22
PHP 26. Test_PHP5->__construct() /home/clint/test.php:7
PHP 27. Test->Test() /home/clint/test.php:22
PHP 28. Test_PHP5->__construct() /home/clint/test.php:7
PHP 29. Test->Test() /home/clint/test.php:22
PHP 30. Test_PHP5->__construct() /home/clint/test.php:7
PHP 31. Test->Test() /home/clint/test.php:22
PHP 32. Test_PHP5->__construct() /home/clint/test.php:7
PHP 33. Test->Test() /home/clint/test.php:22
PHP 34. Test_PHP5->__construct() /home/clint/test.php:7
PHP 35. Test->Test() /home/clint/test.php:22
PHP 36. Test_PHP5->__construct() /home/clint/test.php:7
PHP 37. Test->Test() /home/clint/test.php:22
PHP 38. Test_PHP5->__construct() /home/clint/test.php:7
PHP 39. Test->Test() /home/clint/test.php:22
PHP 40. Test_PHP5->__construct() /home/clint/test.php:7
PHP 41. Test->Test() /home/clint/test.php:22
PHP 42. Test_PHP5->__construct() /home/clint/test.php:7
PHP 43. Test->Test() /home/clint/test.php:22
PHP 44. Test_PHP5->__construct() /home/clint/test.php:7
PHP 45. Test->Test() /home/clint/test.php:22
PHP 46. Test_PHP5->__construct() /home/clint/test.php:7
PHP 47. Test->Test() /home/clint/test.php:22
PHP 48. Test_PHP5->__construct() /home/clint/...

Changed in php5 (Ubuntu):
status: Triaged → Invalid
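
A static check for the constructor cycle described in this report, as an added example that is not part of the original thread and not PHP or WordPress code: it flags a child class whose __construct() calls parent::Base() while Base::Base() calls $this->__construct(). The function names, the regex-based parsing (a heuristic that comments or string literals containing braces can confuse) and the sample source are assumptions made for illustration.

```python
import re

CLASS_RE = re.compile(r'\bclass\s+(\w+)(?:\s+extends\s+(\w+))?[^{]*\{')
FUNC_RE = re.compile(r'\bfunction\s+&?\s*(\w+)\s*\([^{;]*\{')

def _block(src, open_idx):
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def parse_classes(src):
    """Map class -> (parent, {method: body}); names lower-cased, as PHP ignores their case."""
    classes = {}
    for m in CLASS_RE.finditer(src):
        body = _block(src, m.end() - 1)
        methods = {f.group(1).lower(): _block(body, f.end() - 1)
                   for f in FUNC_RE.finditer(body)}
        classes[m.group(1).lower()] = ((m.group(2) or '').lower(), methods)
    return classes

def find_constructor_loops(src):
    """Return (child, parent) pairs forming child::__construct -> parent::Name() -> $this->__construct."""
    classes, hits = parse_classes(src), []
    for child, (parent, methods) in classes.items():
        p_methods = classes.get(parent, (None, {}))[1]
        old_ctor = p_methods.get(parent)        # PHP4-style: method named after the class
        new_ctor = methods.get('__construct')   # the child's override
        if old_ctor is None or new_ctor is None or '__construct' not in p_methods:
            continue
        calls_old = re.search(r'parent\s*::\s*%s\s*\(' % re.escape(parent), new_ctor, re.I)
        calls_new = re.search(r'\$this\s*->\s*__construct\s*\(', old_ctor, re.I)
        if calls_old and calls_new:
            hits.append((child, parent))
    return hits

# Constructed sample following the call chain described in the thread.
SAMPLE = r'''<?php
class Test {
    function Test() { $this->__construct(); }
    function __construct() { $this->ready = true; }
}
class Test_PHP5 extends Test { function __construct() { parent::Test(); } }
class Test_Fixed extends Test { function __construct() { parent::__construct(); } }
'''
print(find_constructor_loops(SAMPLE))
```

Only Test_PHP5 is reported; Test_Fixed calls parent::__construct() directly, so control never re-enters the child's constructor.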