php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33389 double free() when exporting a ReflectionClass
Submitted: 2005-06-18 00:32 UTC Modified: 2005-06-27 23:54 UTC
From: antony at zend dot com Assigned: helly (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-06-19 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: antony at zend dot com
New email:
PHP Version: OS:

 

 [2005-06-18 00:32 UTC] antony at zend dot com
Description:
------------
Memory related errors while freeing resources after export()ing certain ReflectionClass object.
Tested with latest 5.1-CVS and 5.0.5-CVS.
See details below.

Reproduce code:
---------------
<?php
class Test {
    function foo($arg2=false) {
    }
    function bar() {
    }
}

Reflection::export(new ReflectionClass('Test'));
?>

Expected result:
----------------
.

Actual result:
--------------
With Zend MM enabled:

Warning: String is not zero-terminated (Z*Z*) (source: /usr/src/dev/php-src_head/Zend/zend_variables.h:35) in Unknown on line 0
[Sat Jun 18 02:20:58 2005]  Script:  'index.php'
---------------------------------------
/usr/src/dev/php-src_head/Zend/zend_variables.h(35) : Block 0x0845EAE8 status:
/usr/src/dev/php-src_head/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      Cached (allocated on /usr/src/dev/php-src_head/Zend/zend.c:205, 1 bytes)
      End:      OK
---------------------------------------

With Zend MM disabled:

Warning: String is not zero-terminated &#65533;&#65533;@) (source: /usr/src/dev/clean/php-src_head/Zend/zend_variables.h:35) in Unknown on line 0
*** glibc detected *** double free or corruption (!prev): 0x08382470 ***

Valgrind output:

==17469== Invalid read of size 1
==17469==    at 0x81AC287: _zval_dtor_func (zend_variables.c:35)
==17469==    by 0x81A5ED0: _zval_dtor (zend_variables.h:35)
==17469==    by 0x81A58B4: destroy_op_array (zend_opcode.c:236)
==17469==    by 0x81A54ED: destroy_zend_function (zend_opcode.c:109)
==17469==    by 0x81A5503: zend_function_dtor (zend_opcode.c:121)
==17469==    by 0x81B4FCB: zend_hash_destroy (zend_hash.c:519)
==17469==    by 0x81A5628: destroy_zend_class (zend_opcode.c:164)
==17469==    by 0x81B4F05: zend_hash_del_key_or_index (zend_hash.c:490)
==17469==    by 0x81B55C6: zend_hash_reverse_apply (zend_hash.c:736)
==17469==    by 0x81A1828: shutdown_executor (zend_execute_API.c:264)
==17469==  Address 0x1BDA99C5 is 5 bytes inside a block of size 6 free'd
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81A1DBD: zval_update_constant (zend_execute_API.c:442)
==17469==    by 0x81C76D9: _parameter_string (zend_reflection_api.c:565)
==17469==    by 0x81C7884: _function_parameter_string (zend_reflection_api.c:601)
==17469==    by 0x81C7B39: _function_string (zend_reflection_api.c:670)
==17469==    by 0x81C741D: _class_string (zend_reflection_api.c:486)
==17469==    by 0x81CC8FF: zif_reflection_class___toString (zend_reflection_api.c:2477)
==17469==    by 0x81A31BE: zend_call_function (zend_execute_API.c:867)
==17469==    by 0x81A2279: call_user_function_ex (zend_execute_API.c:555)
==17469==    by 0x81C8E62: zif_reflection_export (zend_reflection_api.c:1127)
==17469==
==17469== Invalid free() / delete / delete[]
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81AC2BD: _zval_dtor_func (zend_variables.c:36)
==17469==    by 0x81A5ED0: _zval_dtor (zend_variables.h:35)
==17469==    by 0x81A58B4: destroy_op_array (zend_opcode.c:236)
==17469==    by 0x81A54ED: destroy_zend_function (zend_opcode.c:109)
==17469==    by 0x81A5503: zend_function_dtor (zend_opcode.c:121)
==17469==    by 0x81B4FCB: zend_hash_destroy (zend_hash.c:519)
==17469==    by 0x81A5628: destroy_zend_class (zend_opcode.c:164)
==17469==    by 0x81B4F05: zend_hash_del_key_or_index (zend_hash.c:490)
==17469==    by 0x81B55C6: zend_hash_reverse_apply (zend_hash.c:736)
==17469==  Address 0x1BDA99C0 is 0 bytes inside a block of size 6 free'd
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81A1DBD: zval_update_constant (zend_execute_API.c:442)
==17469==    by 0x81C76D9: _parameter_string (zend_reflection_api.c:565)
==17469==    by 0x81C7884: _function_parameter_string (zend_reflection_api.c:601)
==17469==    by 0x81C7B39: _function_string (zend_reflection_api.c:670)
==17469==    by 0x81C741D: _class_string (zend_reflection_api.c:486)
==17469==    by 0x81CC8FF: zif_reflection_class___toString (zend_reflection_api.c:2477)
==17469==    by 0x81A31BE: zend_call_function (zend_execute_API.c:867)
==17469==    by 0x81A2279: call_user_function_ex (zend_execute_API.c:555)
==17469==    by 0x81C8E62: zif_reflection_export (zend_reflection_api.c:1127)



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-06-18 02:00 UTC] sniper@php.net
This only happens when there is an optional parameter in a method and ONLY if that optional value for the parameter is null or any constant.
 [2005-06-18 03:08 UTC] sniper@php.net
constants are shown by their value, not name (expected?)
booleans are not shown at all.

 [2005-06-20 03:38 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-06-21 16:01 UTC] dmitry@php.net
The bug is not completly fixed.

1) It is still exists in PHP_5_0.

2) The test file in HEAD fails because constant is substituted by its value.

3) Array argument give a memory leak

<?php
class Test {
  function foo($arg=array(a=>b)) {}
} 
Reflection::export(new ReflectionClass('Test'));
?>

/home/dmitry/php/php5/Zend/zend.c(214) :  Freeing 0x084384CC (6 bytes)

 [2005-06-21 18:00 UTC] sniper@php.net
assigned back to Marcus.

 [2005-06-27 23:54 UTC] sniper@php.net
Seems to be fixed, I can't reproduce any of the things anymore which Dmitry mentioned. (and we don't really care if it exists in PHP_5_0)

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC