php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #46308 Invalid write when changing property from inside getter
Submitted: 2008-10-16 00:06 UTC Modified: 2008-10-17 10:26 UTC
From: ob dot php at daevel dot fr Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.6 OS: Debian Linux 64bit
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ob dot php at daevel dot fr
New email:
PHP Version: OS:

 

 [2008-10-16 00:06 UTC] ob dot php at daevel dot fr
Description:
------------
Hello,

with this code and USE_ZEND_ALLOC=0, PHP throw a segfault.

Reproduce code:
---------------
In "first.php" I have this code :
============================================================
<?php
class main
{
   public static $dummy        = NULL ;
   public static $dataAccessor = NULL ;
}

class dataAccessor
{
}

class relay
{
   public function __get( $name )
   {
       main::$dataAccessor = new dataAccessor;
   }
}

class dummy
{
}

main::$dummy        = new dummy();
main::$dataAccessor = new relay();
?>
============================================================

And in "second.php" I have this :
(if I regroup all code in one file, there is no segfault)

============================================================
<?php
require 'first.php';
main::$dataAccessor->bar;
?>
============================================================


Actual result:
--------------
*** glibc detected *** /home/dev-olivier/usr/bin/php: corrupted double-linked list: 0x0000000002603800 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f038ba39948]
/lib/libc.so.6[0x7f038ba39bda]
/lib/libc.so.6[0x7f038ba3b708]
/lib/libc.so.6(cfree+0x76)[0x7f038ba3ba56]
/home/dev-olivier/usr/bin/php[0x53ec31]
/home/dev-olivier/usr/bin/php[0x53ecb3]
/home/dev-olivier/usr/bin/php[0x541d2b]
/home/dev-olivier/usr/bin/php(zend_mm_shutdown+0x4c)[0x540a80]
/home/dev-olivier/usr/bin/php(shutdown_memory_manager+0x20)[0x5436ae]
/home/dev-olivier/usr/bin/php(php_request_shutdown+0x31c)[0x50add9]
/home/dev-olivier/usr/bin/php(main+0x17c1)[0x5e6c24]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f038b9e41a6]
/home/dev-olivier/usr/bin/php[0x425c39]
======= Memory map: ========
00400000-006ad000 r-xp 00000000 fd:04 1968300                            /home/dev-olivier/usr/bin/php
008ac000-008ca000 rw-p 002ac000 fd:04 1968300                            /home/dev-olivier/usr/bin/php
008ca000-008cf000 rw-p 008ca000 00:00 0
0253b000-0260c000 rw-p 0253b000 00:00 0                                  [heap]
7f0384000000-7f0384021000 rw-p 7f0384000000 00:00 0
7f0384021000-7f0388000000 ---p 7f0384021000 00:00 0
7f038b5fe000-7f038b614000 r-xp 00000000 09:01 285898                     /lib/libgcc_s.so.1
7f038b614000-7f038b814000 ---p 00016000 09:01 285898                     /lib/libgcc_s.so.1
7f038b814000-7f038b815000 rw-p 00016000 09:01 285898                     /lib/libgcc_s.so.1
7f038b815000-7f038b9c6000 r--p 00000000 09:01 261814                     /usr/lib/locale/locale-archive
7f038b9c6000-7f038bb10000 r-xp 00000000 09:01 288347                     /lib/libc-2.7.so
7f038bb10000-7f038bd0f000 ---p 0014a000 09:01 288347                     /lib/libc-2.7.so
7f038bd0f000-7f038bd12000 r--p 00149000 09:01 288347                     /lib/libc-2.7.so
7f038bd12000-7f038bd14000 rw-p 0014c000 09:01 288347                     /lib/libc-2.7.so
7f038bd14000-7f038bd19000 rw-p 7f038bd14000 00:00 0
7f038bd19000-7f038bd2e000 r-xp 00000000 09:01 288291                     /lib/libnsl-2.7.so
7f038bd2e000-7f038bf2d000 ---p 00015000 09:01 288291                     /lib/libnsl-2.7.so
7f038bf2d000-7f038bf2f000 rw-p 00014000 09:01 288291                     /lib/libnsl-2.7.so
7f038bf2f000-7f038bf31000 rw-p 7f038bf2f000 00:00 0
7f038bf31000-7f038bf33000 r-xp 00000000 09:01 288283                     /lib/libdl-2.7.so
7f038bf33000-7f038c133000 ---p 00002000 09:01 288283                     /lib/libdl-2.7.so
7f038c133000-7f038c135000 rw-p 00002000 09:01 288283                     /lib/libdl-2.7.so
7f038c135000-7f038c1b7000 r-xp 00000000 09:01 301994                     /lib/libm-2.7.so
7f038c1b7000-7f038c3b6000 ---p 00082000 09:01 301994                     /lib/libm-2.7.so
7f038c3b6000-7f038c3b8000 rw-p 00081000 09:01 301994                     /lib/libm-2.7.so
7f038c3b8000-7f038c3c8000 r-xp 00000000 09:01 301990                     /lib/libresolv-2.7.so
7f038c3c8000-7f038c5c8000 ---p 00010000 09:01 301990                     /lib/libresolv-2.7.so
7f038c5c8000-7f038c5ca000 rw-p 00010000 09:01 301990                     /lib/libresolv-2.7.so
7f038c5ca000-7f038c5cc000 rw-p 7f038c5ca000 00:00 0
7f038c5cc000-7f038c5d4000 r-xp 00000000 09:01 288290                     /lib/libcrypt-2.7.so
7f038c5d4000-7f038c7d4000 ---p 00008000 09:01 288290                     /lib/libcrypt-2.7.so
7f038c7d4000-7f038c7d6000 rw-p 00008000 09:01 288290                     /lib/libcrypt-2.7.so
7f038c7d6000-7f038c804000 rw-p 7f038c7d6000 00:00 0
7f038c804000-7f038c820000 r-xp 00000000 09:01 288285                     /lib/ld-2.7.so
7f038ca0a000-7f038ca0e000 rw-p 7f038ca0a000 00:00 0
7f038ca19000-7f038ca1a000 rw-p 7f038ca19000 00:00 0
7f038ca1c000-7f038ca1f000 rw-p 7f038ca1c000 00:00 0
7f038ca1f000-7f038ca21000 rw-p 0001b000 09:01 288285                     /lib/ld-2.7.so
7fff94a0b000-7fff94a20000 rw-p 7ffffffea000 00:00 0                      [stack]
7fff94bfe000-7fff94bff000 r-xp 7fff94bfe000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Abort


And valgrind outputs this :
==12485== Memcheck, a memory error detector.
==12485== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==12485== Using LibVEX rev 1854, a library for dynamic binary translation.
==12485== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==12485== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==12485== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==12485== For more details, rerun with: -v
==12485==
==12485== Invalid write of size 1
==12485==    at 0x585F25: zend_std_read_property (zend_object_handlers.c:333)
==12485==    by 0x5A796E: zend_fetch_property_address_read_helper_SPEC_VAR_CONST (zend_vm_execute.h:9107)
==12485==    by 0x5A7AE6: ZEND_FETCH_OBJ_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:9130)
==12485==    by 0x58AE3A: execute (zend_vm_execute.h:92)
==12485==    by 0x562D40: zend_execute_scripts (zend.c:1134)
==12485==    by 0x50B98C: php_execute_script (main.c:2011)
==12485==    by 0x5E635D: main (php_cli.c:1134)
==12485==  Address 0x5db37d8 is 0 bytes inside a block of size 5 free'd
==12485==    at 0x4C20B6E: free (vg_replace_malloc.c:323)
==12485==    by 0x5430AC: _efree (zend_alloc.c:2293)
==12485==    by 0x56FF50: zend_hash_destroy (zend_hash.c:529)
==12485==    by 0x584837: zend_object_std_dtor (zend_objects.c:41)
==12485==    by 0x584C71: zend_objects_free_object_storage (zend_objects.c:122)
==12485==    by 0x588E46: zend_objects_store_del_ref_by_handle (zend_objects_API.c:206)
==12485==    by 0x588C9E: zend_objects_store_del_ref (zend_objects_API.c:168)
==12485==    by 0x560748: _zval_dtor_func (zend_variables.c:52)
==12485==    by 0x551772: _zval_dtor (zend_variables.h:35)
==12485==    by 0x551986: _zval_ptr_dtor (zend_execute_API.c:414)
==12485==    by 0x554323: zend_call_function (zend_execute_API.c:1040)
==12485==    by 0x57C4A1: zend_call_method (zend_interfaces.c:88)
==12485==
==12485== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 8 from 1)
==12485== malloc/free: in use at exit: 0 bytes in 0 blocks.
==12485== malloc/free: 4,998 allocs, 4,998 frees, 1,397,127 bytes allocated.
==12485== For counts of detected errors, rerun with: -v
==12485== All heap blocks were freed -- no leaks are possible. 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-10-17 02:14 UTC] crrodriguez at opensuse dot org
I think dmitry is the right person to look at this bug.. can someone assign this bug to him please ? ;-)
 [2008-10-17 10:26 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 15:01:30 2024 UTC