PHP :: Bug #68412 :: Infinite recursion with __call can make the program crash/segfault

Bug #68412	Infinite recursion with __call can make the program crash/segfault
Submitted:	2014-11-12 21:33 UTC	Modified:	2016-07-14 11:11 UTC
From:	drewparoski at gmail dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.6.3RC1	OS:	CentOS Linux 6.3
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	drewparoski at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2014-11-12 21:33 UTC] drewparoski at gmail dot com

Description:
------------
The test script I provided crashes on all versions of PHP 5 and PHP 7 (according to 3v4l.org). Here is the backtrace from PHP 5.5.8:

#0  0x00000000006ae6fe in zend_call_function (fci=0x7fffff7ff050,
    fci_cache=0x7fffff7ff0a0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:766
#1  0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff178,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff188, param_count=2, arg1=0x7fffeff10158,
    arg2=0x7fffeff100d0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#2  0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff100a0, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff10070, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#3  0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#4  0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cd50)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#5  0x00000000006af00e in zend_call_function (fci=0x7fffff7ff430,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#6  0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff558,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
---Type <return> to continue, or q <return> to quit---
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff568, param_count=2, arg1=0x7fffeff0ffc8,
    arg2=0x7fffeff0ff40)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#7  0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff0ff10, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fee0, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#8  0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#9  0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cc00)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#10 0x00000000006af00e in zend_call_function (fci=0x7fffff7ff810,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#11 0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff938,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff948, param_count=2, arg1=0x7fffeff0fe38,
    arg2=0x7fffeff0fdb0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#12 0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
---Type <return> to continue, or q <return> to quit---
    return_value=0x7fffeff0fd80, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fd50, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#13 0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#14 0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cab0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#15 0x00000000006af00e in zend_call_function (fci=0x7fffff7ffbf0,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#16 0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ffd18,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ffd28, param_count=2, arg1=0x7fffeff0fca8,
    arg2=0x7fffeff0fc20)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#17 0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff0fbf0, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fbc0, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896

Test script:
---------------
<?php
class C {
  public function __call($x, $y) {
    global $z;
    $z->bar();
  }
}
$z = new C;
function main() {
  global $z;
  $z->foo();
}
main();

Expected result:
----------------
Fatal error: Stack overflow in <filename> on line <linenumber>

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-07-14 11:11 UTC] dmitry@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry

[2016-07-14 11:11 UTC] dmitry@php.net

This is fixed in PHP-7.0, invoking __call() through "trampoline".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 13:00:01 2025 UTC