|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2015-11-27 14:40 UTC] ajf at ajf dot me
Description: ------------ Specific to Closure::call(). Using Closure::bindTo() and then calling the resulting closure does not produce the same issue. Issue does not occur when using some other return value. Issue is not specific to returning static::class, can also happen if assigned to a variable. Issue exists in all versions of PHP 7 so far: https://3v4l.org/8vZhA. I've personally reproduced this issue on the current PHP master and PHP-7.0 branch. Test script: --------------- <?php class foo {} $bar = function () { return static::class; }; var_dump($bar->call(new foo)); ?> Expected result: ---------------- string(3) "foo" Actual result: -------------- Segmentation fault valgrind backtrace: ==76755== Invalid read of size 8 ==76755== at 0x1003A5983: ZEND_FETCH_CLASS_NAME_SPEC_HANDLER (in sapi/cli/php) ==76755== by 0x1003391C3: execute_ex (in sapi/cli/php) ==76755== by 0x1002B4DDD: zend_call_function (in sapi/cli/php) ==76755== by 0x1003143A5: zim_Closure_call (in sapi/cli/php) ==76755== by 0x100364136: ZEND_DO_FCALL_SPEC_HANDLER (in sapi/cli/php) ==76755== by 0x1003391C3: execute_ex (in sapi/cli/php) ==76755== by 0x10033932F: zend_execute (in sapi/cli/php) ==76755== by 0x1002B6125: zend_eval_stringl (in sapi/cli/php) ==76755== by 0x1002B63A0: zend_eval_stringl_ex (in sapi/cli/php) ==76755== by 0x1002B6442: zend_eval_string_ex (in sapi/cli/php) ==76755== by 0x1003CC905: do_cli (in sapi/cli/php) ==76755== by 0x1003CB60D: main (in sapi/cli/php) ==76755== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==76755== ==76755== ==76755== Process terminating with default action of signal 11 (SIGSEGV) ==76755== Access not within mapped region at address 0x8 ==76755== at 0x1003A5983: ZEND_FETCH_CLASS_NAME_SPEC_HANDLER (in sapi/cli/php) ==76755== by 0x1003391C3: execute_ex (in sapi/cli/php) ==76755== by 0x1002B4DDD: zend_call_function (in sapi/cli/php) ==76755== by 0x1003143A5: zim_Closure_call (in sapi/cli/php) ==76755== by 0x100364136: ZEND_DO_FCALL_SPEC_HANDLER (in sapi/cli/php) ==76755== by 0x1003391C3: execute_ex (in sapi/cli/php) ==76755== by 0x10033932F: zend_execute (in sapi/cli/php) ==76755== by 0x1002B6125: zend_eval_stringl (in sapi/cli/php) ==76755== by 0x1002B63A0: zend_eval_stringl_ex (in sapi/cli/php) ==76755== by 0x1002B6442: zend_eval_string_ex (in sapi/cli/php) ==76755== by 0x1003CC905: do_cli (in sapi/cli/php) ==76755== by 0x1003CB60D: main (in sapi/cli/php) PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 13:01:29 2024 UTC |
GDB backtrace: #0 0x00000001003a5983 in ZEND_FETCH_CLASS_NAME_SPEC_HANDLER ( execute_data=0x1020131f0) at Zend/zend_vm_execute.h:1713 #1 0x00000001003391c4 in execute_ex (ex=0x1020131f0) at Zend/zend_vm_execute.h:417 #2 0x00000001002b4dde in zend_call_function (fci=0x7fff5fbfeae0, fci_cache=0x7fff5fbfeab8) at Zend/zend_execute_API.c:854 #3 0x00000001003143a6 in zim_Closure_call (execute_data=0x102013180, return_value=0x1020130f0) at Zend/zend_closures.c:172 #4 0x0000000100364137 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x102013030) at Zend/zend_vm_execute.h:842 #5 0x00000001003391c4 in execute_ex (ex=0x102013030) at Zend/zend_vm_execute.h:417 #6 0x0000000100339330 in zend_execute (op_array=0x102074300, return_value=0x7fff5fbfecb0) at Zend/zend_vm_execute.h:458 #7 0x00000001002b6126 in zend_eval_stringl ( str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", str_len=91, retval_ptr=0x0, string_name=0x1004d6ed1 "Command line code") at Zend/zend_execute_API.c:1125 #8 0x00000001002b63a1 in zend_eval_stringl_ex ( str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", str_len=91, retval_ptr=0x0, string_name=0x1004d6ed1 "Command line code", handle_exceptions=1) at Zend/zend_execute_API.c:1166 #9 0x00000001002b6443 in zend_eval_string_ex ( str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", retval_ptr=0x0, string_name=0x1004d6ed1 "Command line code", handle_exceptions=1) at Zend/zend_execute_API.c:1177 #10 0x00000001003cc906 in do_cli (argc=3, argv=0x100702f10) at sapi/cli/php_cli.c:1005 #11 0x00000001003cb60e in main (argc=3, argv=0x100702f10) at sapi/cli/php_cli.c:1345Problem line of zend_vm_execute.h (generated from identical line in zend_vm_def.h) is: ZVAL_STR_COPY(EX_VAR(opline->result.var), EX(called_scope)->name); Debug printf reveals that EX(called_scope) is NULL here. So it's a simple NULL pointer dereference bug.