Bug #70918 Segfault using static outside of class scope
Submitted: 2015-11-15 02:06 UTC Modified: 2015-11-16 10:21 UTC
From: leigh@php.net Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-11-15 (Git) OS: Linux
Private report: No CVE-ID: None

 [2015-11-15 02:06 UTC] leigh@php.net
Description:
------------
Using static outside of a class scope causes a segfault in git master. 7.0 is _not_ affected.

https://3v4l.org/nOblY

Test script:
---------------
<?php

static::x;

Expected result:
----------------
Fatal error: Cannot access static:: when no class scope is active in ....

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000d99464 in zend_hash_find_bucket (ht=0xb0, ht@entry=0x7ffff6855430, ht=0xb0, ht@entry=0x7ffff6855430, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:437
437             nIndex = h | ht->nTableMask;
(gdb) bt
#0  0x0000000000d99464 in zend_hash_find_bucket (ht=0xb0, ht@entry=0x7ffff6855430, ht=0xb0, ht@entry=0x7ffff6855430, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:437
#1  zend_hash_find (ht=ht@entry=0xb0, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:1890
#2  0x0000000000edddf8 in ZEND_FETCH_CLASS_CONSTANT_SPEC_UNUSED_CONST_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:23918
#3  0x0000000000ec3ff3 in execute_ex (ex=<optimized out>) at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#4  0x00000000010b8d7b in zend_execute (op_array=op_array@entry=0x7ffff687e000, return_value=return_value@entry=0x0) at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#5  0x0000000000cc5abc in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-159305680, file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1428
#6  0x0000000000a85968 in php_execute_script (primary_file=0x7fffffffd2d0) at /home/leigh/php-src/main/main.c:2471
#7  0x00000000010c0911 in do_cli (argc=176, argv=0x7ffff6855380) at /home/leigh/php-src/sapi/cli/php_cli.c:974
#8  0x000000000042ff61 in main (argc=176, argv=0x7ffff6855380) at /home/leigh/php-src/sapi/cli/php_cli.c:1345


 [2015-11-15 02:42 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 [2015-11-15 02:42 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-11-16 09:41 UTC] leigh@php.net
-Status: Closed +Status: Re-Opened
 [2015-11-16 09:41 UTC] leigh@php.net
Hi Laruence, while fuzzing after your patch I found some more issues with static outside of class scope.

new static;
static::$i;
static::x();

Can you think of any other handlers that also need updating?



leigh@zaru:~/php-src$ git log -n 1 06fe95
commit 06fe956460f93041abdaf4a12ccde43d317fa20c
Author: Xinchen Hui <laruence@gmail.com>
Date:   Sat Nov 14 18:41:55 2015 -0800

    Fixed Bug #70918 (Segfault using static outside of class scope)



(gdb) r -r 'new static;'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'new static;'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_object_init_ex (arg=arg@entry=0x7fffffffcea0, class_type=class_type@entry=0x0)
    at /home/leigh/php-src/Zend/zend_API.c:1296
1296		return _object_and_properties_init(arg, class_type, 0 ZEND_FILE_LINE_RELAY_CC);
(gdb) bt
#0  _object_init_ex (arg=arg@entry=0x7fffffffcea0, class_type=class_type@entry=0x0)
    at /home/leigh/php-src/Zend/zend_API.c:1296
#1  0x000000000109e2f0 in ZEND_NEW_SPEC_UNUSED_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:22572
#2  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#3  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf70)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#4  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "new static;", str_len=11, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#5  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "new static;") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#6  zend_eval_string_ex (str=0x14fca40 "new static;", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#7  0x00000000010c0237 in do_cli (argc=-12640, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#8  0x000000000042ff61 in main (argc=-12640, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345



(gdb) r -r 'static::$i;'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'static::$i;'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d99514 in zend_hash_find_bucket (ht=0x78, ht@entry=0xf0, ht=0x78, ht@entry=0xf0, 
    key=key@entry=0x7ffff6854420) at /home/leigh/php-src/Zend/zend_hash.c:437
437		nIndex = h | ht->nTableMask;
(gdb) bt
#0  0x0000000000d99514 in zend_hash_find_bucket (ht=0x78, ht@entry=0xf0, ht=0x78, ht@entry=0xf0, 
    key=key@entry=0x7ffff6854420) at /home/leigh/php-src/Zend/zend_hash.c:437
#1  zend_hash_find (ht=ht@entry=0x78, key=key@entry=0x7ffff6854420)
    at /home/leigh/php-src/Zend/zend_hash.c:1890
#2  0x0000000000ea3564 in zend_hash_find_ptr (key=0x7ffff6854420, key@entry=0x0, ht=0x78)
    at /home/leigh/php-src/Zend/zend_hash.h:670
#3  zend_std_get_static_property (ce=ce@entry=0x0, 
    property_name=property_name@entry=0x7ffff6854420, silent=silent@entry=0 '\000')
    at /home/leigh/php-src/Zend/zend_object_handlers.c:1270
#4  0x000000000102d325 in zend_fetch_static_prop_helper_SPEC_CONST_UNUSED (type=0)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:7309
#5  ZEND_FETCH_STATIC_PROP_R_SPEC_CONST_UNUSED_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:7337
#6  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#7  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf70)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#8  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "static::$i;", str_len=11, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#9  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "static::$i;") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#10 zend_eval_string_ex (str=0x14fca40 "static::$i;", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#11 0x00000000010c0237 in do_cli (argc=120, argv=0x7ffff6854420)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#12 0x000000000042ff61 in main (argc=120, argv=0x7ffff6854420)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345



(gdb) r -r 'static::x();'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'static::x();'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
ZEND_INIT_STATIC_METHOD_CALL_SPEC_UNUSED_CONST_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:23762
23762			if (ce->get_static_method) {
(gdb) bt
#0  ZEND_INIT_STATIC_METHOD_CALL_SPEC_UNUSED_CONST_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:23762
#1  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#2  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf80)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#3  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "static::x();", str_len=12, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#4  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "static::x();") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#5  zend_eval_string_ex (str=0x14fca40 "static::x();", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#6  0x00000000010c0237 in do_cli (argc=-159379392, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#7  0x000000000042ff61 in main (argc=-159379392, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345
 [2015-11-16 10:09 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-16 10:21 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed
 [2016-04-18 09:30 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 