Bug #65382 Segfault in closure_030.phpt
Submitted: 2013-08-03 12:45 UTC Modified: 2013-08-12 06:54 UTC
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.5.2RC1 OS:
Private report: No CVE-ID: None
 [2013-08-03 12:45 UTC] nikic@php.net
Description:
------------
closure_030.phpt segfaults on Travis.

Short repro script:

<?php

$b = function() { };
$a = 'b';
$$a();
$b->__invoke();

Valgrind output:

~/dev/php-dev$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t22.php 
==2074== Memcheck, a memory error detector
==2074== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2074== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2074== Command: sapi/cli/php t22.php
==2074== 
==2074== Invalid read of size 1
==2074==    at 0x8260376: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f4 is 12 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
==2074== Invalid read of size 4
==2074==    at 0x825F4F3: zval_refcount_p (zend.h:397)
==2074==    by 0x826038A: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f0 is 8 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
... and so on


 [2013-08-11 08:18 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2013-08-11 08:18 UTC] stas@php.net
Looks like refcount for $b is decremented twice in the last call - once in 
zend_leave_helper_SPEC and once when finishing zend_do_fcall_common_helper_SPEC, 
which causes $b to be destroyed. This code was added by Dmitry, so assigning this 
bug to him.
 [2013-08-11 08:32 UTC] stas@php.net
Looks like a consequence of 821d7169d9d575ceef71e69570b98519826ccb01 - prototype is 
being used as temp storage, but it is actually never reset. If I add:

op_array->prototype = NULL;

to zend_leave_helper_SPEC, it looks like it fixes the crash, but I'm not sure if 
it is the right thing to do (e.g. - what happens if such calls are nested?)
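A simplified C model of the refcount lifecycle the comment above describes, added here as an illustration and not taken from the PHP engine: one owner (the symbol table entry for $b), a per-call reference that the call's cleanup must release exactly once, and a shutdown step that reads the value afterwards. The fetch-time addref and the helper names in the comments are assumptions made to mirror the report; the function names are hypothetical.

```c
/* Minimal refcounted value, standing in for a zval (not the engine's struct). */
typedef struct {
    int refcount;
    int destroyed;   /* set once refcount reached zero and the value was released */
} model_zval;

static void model_addref(model_zval *z) { z->refcount++; }

/* Returns 1 if this release destroyed the value, 0 if it is still alive,
 * and -1 if the value had already been destroyed (a release-after-free). */
static int model_delref(model_zval *z) {
    if (z->destroyed) return -1;
    if (--z->refcount == 0) { z->destroyed = 1; return 1; }
    return 0;
}

/* One call through a fetched IS_VAR operand, as in $$a() or $b->__invoke().
 * Assumption: the operand fetch takes one reference that cleanup gives back.
 * With double_release set, cleanup gives it back twice, as stas observed
 * (once in zend_leave_helper, once at the end of zend_do_fcall_common_helper). */
static void model_call(model_zval *closure, int double_release) {
    model_addref(closure);          /* operand fetched into a temporary */
    model_delref(closure);          /* leave helper releases the temporary */
    if (double_release)
        model_delref(closure);      /* fcall helper releases it a second time */
}

/* Runs the repro: $b owned by the symbol table, called twice, then shutdown.
 * Returns the refcount the shutdown destructor observes, or -1 if the value
 * was already gone, which is the invalid read Valgrind reports at shutdown. */
int run_repro(int double_release) {
    model_zval b = { 1, 0 };         /* single owner: the symbol table entry for $b */
    model_call(&b, double_release);  /* $$a() */
    model_call(&b, double_release);  /* $b->__invoke() */
    return b.destroyed ? -1 : b.refcount;
}
```

With the double release the first call already drops the refcount to zero, so the second call and the shutdown destructor both touch a destroyed value; with a single release the symbol table still holds its one reference at shutdown.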
 [2013-08-12 06:53 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52dac3e8cda94c8f38287ec3c437d9450b31b527
Log: Fixed bug #65382 (Segfault in closure_030.phpt)
 [2013-08-12 06:53 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-08-12 06:54 UTC] dmitry@php.net
-Status: Closed +Status: Assigned
 [2013-08-12 06:54 UTC] dmitry@php.net
I saw the problem only in master and it was related to "Improved IS_VAR operands fetching".
 [2013-08-12 06:54 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-08-12 06:54 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52dac3e8cda94c8f38287ec3c437d9450b31b527
Log: Fixed bug #65382 (Segfault in closure_030.phpt)