Bug #33389 double free() when exporting a ReflectionClass
Submitted: 2005-06-18 00:32 UTC Modified: 2005-06-27 23:54 UTC
From: antony at zend dot com Assigned: helly (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-06-19 OS: *
Private report: No CVE-ID: None
 [2005-06-18 00:32 UTC] antony at zend dot com
Description:
------------
Memory-related errors while freeing resources after export()ing a certain ReflectionClass object.
Tested with latest 5.1-CVS and 5.0.5-CVS.
See details below.

Reproduce code:
---------------
<?php
class Test {
    function foo($arg2=false) {
    }
    function bar() {
    }
}

Reflection::export(new ReflectionClass('Test'));
?>

Expected result:
----------------
.

Actual result:
--------------
With Zend MM enabled:

Warning: String is not zero-terminated (Z*Z*) (source: /usr/src/dev/php-src_head/Zend/zend_variables.h:35) in Unknown on line 0
[Sat Jun 18 02:20:58 2005]  Script:  'index.php'
---------------------------------------
/usr/src/dev/php-src_head/Zend/zend_variables.h(35) : Block 0x0845EAE8 status:
/usr/src/dev/php-src_head/Zend/zend_variables.c(36) : Actual location (location was relayed)
Beginning:      Cached (allocated on /usr/src/dev/php-src_head/Zend/zend.c:205, 1 bytes)
      End:      OK
---------------------------------------

With Zend MM disabled:

Warning: String is not zero-terminated ��@) (source: /usr/src/dev/clean/php-src_head/Zend/zend_variables.h:35) in Unknown on line 0
*** glibc detected *** double free or corruption (!prev): 0x08382470 ***

Valgrind output:

==17469== Invalid read of size 1
==17469==    at 0x81AC287: _zval_dtor_func (zend_variables.c:35)
==17469==    by 0x81A5ED0: _zval_dtor (zend_variables.h:35)
==17469==    by 0x81A58B4: destroy_op_array (zend_opcode.c:236)
==17469==    by 0x81A54ED: destroy_zend_function (zend_opcode.c:109)
==17469==    by 0x81A5503: zend_function_dtor (zend_opcode.c:121)
==17469==    by 0x81B4FCB: zend_hash_destroy (zend_hash.c:519)
==17469==    by 0x81A5628: destroy_zend_class (zend_opcode.c:164)
==17469==    by 0x81B4F05: zend_hash_del_key_or_index (zend_hash.c:490)
==17469==    by 0x81B55C6: zend_hash_reverse_apply (zend_hash.c:736)
==17469==    by 0x81A1828: shutdown_executor (zend_execute_API.c:264)
==17469==  Address 0x1BDA99C5 is 5 bytes inside a block of size 6 free'd
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81A1DBD: zval_update_constant (zend_execute_API.c:442)
==17469==    by 0x81C76D9: _parameter_string (zend_reflection_api.c:565)
==17469==    by 0x81C7884: _function_parameter_string (zend_reflection_api.c:601)
==17469==    by 0x81C7B39: _function_string (zend_reflection_api.c:670)
==17469==    by 0x81C741D: _class_string (zend_reflection_api.c:486)
==17469==    by 0x81CC8FF: zif_reflection_class___toString (zend_reflection_api.c:2477)
==17469==    by 0x81A31BE: zend_call_function (zend_execute_API.c:867)
==17469==    by 0x81A2279: call_user_function_ex (zend_execute_API.c:555)
==17469==    by 0x81C8E62: zif_reflection_export (zend_reflection_api.c:1127)
==17469==
==17469== Invalid free() / delete / delete[]
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81AC2BD: _zval_dtor_func (zend_variables.c:36)
==17469==    by 0x81A5ED0: _zval_dtor (zend_variables.h:35)
==17469==    by 0x81A58B4: destroy_op_array (zend_opcode.c:236)
==17469==    by 0x81A54ED: destroy_zend_function (zend_opcode.c:109)
==17469==    by 0x81A5503: zend_function_dtor (zend_opcode.c:121)
==17469==    by 0x81B4FCB: zend_hash_destroy (zend_hash.c:519)
==17469==    by 0x81A5628: destroy_zend_class (zend_opcode.c:164)
==17469==    by 0x81B4F05: zend_hash_del_key_or_index (zend_hash.c:490)
==17469==    by 0x81B55C6: zend_hash_reverse_apply (zend_hash.c:736)
==17469==  Address 0x1BDA99C0 is 0 bytes inside a block of size 6 free'd
==17469==    at 0x1B9060B1: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==17469==    by 0x81A1DBD: zval_update_constant (zend_execute_API.c:442)
==17469==    by 0x81C76D9: _parameter_string (zend_reflection_api.c:565)
==17469==    by 0x81C7884: _function_parameter_string (zend_reflection_api.c:601)
==17469==    by 0x81C7B39: _function_string (zend_reflection_api.c:670)
==17469==    by 0x81C741D: _class_string (zend_reflection_api.c:486)
==17469==    by 0x81CC8FF: zif_reflection_class___toString (zend_reflection_api.c:2477)
==17469==    by 0x81A31BE: zend_call_function (zend_execute_API.c:867)
==17469==    by 0x81A2279: call_user_function_ex (zend_execute_API.c:555)
==17469==    by 0x81C8E62: zif_reflection_export (zend_reflection_api.c:1127)

 [2005-06-18 02:00 UTC] sniper@php.net
This only happens when there is an optional parameter in a method and ONLY if that optional value for the parameter is null or any constant.
 [2005-06-18 03:08 UTC] sniper@php.net
constants are shown by their value, not name (expected?)
booleans are not shown at all.

 [2005-06-20 03:38 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-06-21 16:01 UTC] dmitry@php.net
The bug is not completely fixed.

1) It still exists in PHP_5_0.

2) The test file in HEAD fails because the constant is substituted by its value.

3) An array argument gives a memory leak:

<?php
class Test {
  function foo($arg=array(a=>b)) {}
} 
Reflection::export(new ReflectionClass('Test'));
?>

/home/dmitry/php/php5/Zend/zend.c(214) :  Freeing 0x084384CC (6 bytes)
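The trigger conditions sniper and dmitry describe above (an optional parameter whose default is null, a constant, or an array of constants) lend themselves to a regression harness. The script below is an added example, not code from the bug report or from the PHP project: it builds the reproducer once per default-value kind, runs each in a separate child php process so that an engine crash in one case cannot take the harness down, and reports which variants died on a signal or emitted the "String is not zero-terminated" warning from the report. The method name Test::foo, the chosen constants (PHP_EOL, E_ALL, E_WARNING) and the array form of proc_open() (PHP 7.4 or later) are assumptions; Reflection::export() was removed in PHP 8, so the child casts the ReflectionClass to string, which takes the same __toString path the Valgrind trace shows.

```php
<?php
// Added regression harness (not from the bug report or the PHP project): runs
// the thread's reproducer once per default-value kind, each in its own child
// php process, and reports which variants crashed. An engine double free kills
// the interpreter, so isolating each case is what lets the harness survive.
// (string) on a ReflectionClass takes the same __toString path as export().

/** Parameter lists for the hypothetical method Test::foo(), one per case. */
const CASES = [
    'no-default'      => '',
    'bool-default'    => '$arg = false',
    'null-default'    => '$arg = null',
    'const-default'   => '$arg = PHP_EOL',
    'array-of-consts' => '$arg = array(E_ALL => E_WARNING)',
];

/** Run one reproducer in a child php and return how the child ended. */
function runCase(string $params): array
{
    $script = "<?php\nclass Test { function foo($params) {} }\n"
            . "echo (string) new ReflectionClass('Test');\n";
    $spec = [['pipe', 'r'], ['pipe', 'w'], ['pipe', 'w']];
    $proc = proc_open([PHP_BINARY, '-n', '-d', 'display_errors=stderr'], $spec, $pipes);
    fwrite($pipes[0], $script);          // php reads the script from stdin
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]); // drain so the child never blocks
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]); fclose($pipes[2]);
    do {                                 // wait until the child has exited
        usleep(10000);
        $status = proc_get_status($proc);
    } while ($status['running']);
    proc_close($proc);
    return [
        'signaled' => $status['signaled'],   // killed by SIGABRT/SIGSEGV etc.
        'termsig'  => $status['termsig'],
        'exitcode' => $status['exitcode'],
        'warned'   => stripos($err, 'zero-terminated') !== false,
    ];
}

$failed = 0;
foreach (CASES as $name => $params) {
    $r   = runCase($params);
    $bad = $r['signaled'] || $r['exitcode'] !== 0 || $r['warned'];
    printf("%-16s %s\n", $name, $bad ? "FAIL (sig {$r['termsig']}, exit {$r['exitcode']})" : 'ok');
    $failed += (int) $bad;
}
exit($failed === 0 ? 0 : 1);
```

A non-zero exit from the harness means at least one default-value kind still crashes or warns, which makes it usable as a CI gate for this class of engine regression.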

 [2005-06-21 18:00 UTC] sniper@php.net
assigned back to Marcus.

 [2005-06-27 23:54 UTC] sniper@php.net
Seems to be fixed; I can't reproduce any of the things Dmitry mentioned anymore. (And we don't really care if it exists in PHP_5_0.)
