Bug #72101 crash on complex code
Submitted: 2016-04-25 10:30 UTC Modified: 2016-04-25 10:31 UTC
From: tony2001@php.net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2016-04-25 (Git) OS: *
Private report: No CVE-ID: None
 [2016-04-25 10:30 UTC] tony2001@php.net
Description:
------------
PHP tries to dereference a NULL pointer and crashes when executing the attached piece of code.

Test script:
---------------
<?php
/**
 * Stub that stores a callable and forwards an invocation's parameters to it.
 *
 * Named after PHPUnit's return-callback stub; presumably a reduced copy kept
 * only as far as this crash reproducer needs it.
 */
class PHPUnit_Framework_MockObject_Stub_ReturnCallback {
    // Callable invoked by invoke(); stored as given, without validation.
    protected $callback;
    /**
     * @param mixed $callback Callable to run later (this script passes an
     *                        [object, 'method'] pair).
     */
    public function __construct($callback) {
        $this->callback = $callback;
    }
    /**
     * Calls the stored callable with the invocation's parameter array.
     *
     * NOTE(review): the callable used by this script declares its first two
     * parameters by reference, while the array passed here holds plain
     * values. On PHP 7.0 that mismatch is expected to raise a warning, which
     * is presumably what reaches the script's error handler - confirm
     * against the fix commit.
     *
     * @param object $invocation Object exposing a public `parameters` array.
     * @return mixed Whatever the callable returns.
     */
    public function invoke($invocation) {
        return call_user_func_array($this->callback, $invocation->parameters);
    }
}

/**
 * Holds a list of matchers and passes every invocation to each of them.
 */
class PHPUnit_Framework_MockObject_InvocationMocker {
    // Matchers in registration order.
    protected $matchers = [];
    /**
     * Appends a matcher to the list.
     *
     * @param object $matcher Object providing an invoked($invocation) method.
     */
    public function addMatcher( $matcher) {
        $this->matchers[] = $matcher;
    }
    /**
     * Calls invoked() on every registered matcher.
     *
     * The matchers' return values are discarded and this method has no
     * return statement, so callers receive null.
     *
     * @param object $invocation Invocation object handed to each matcher.
     */
    public function invoke( $invocation) {
        foreach ($this->matchers as $match) {
            $match->invoked($invocation);
        }
    }
}

/**
 * Matcher that delegates every invocation to its stub.
 */
class PHPUnit_Framework_MockObject_Matcher {
    // Stub to delegate to; null until assigned from outside the class.
    public $stub = null;
    /**
     * Forwards the invocation to the stub and returns its result.
     *
     * There is no null check: the stub must be assigned before this is
     * called, as the script does before calling bar().
     *
     * @param object $invocation Invocation object passed through to the stub.
     * @return mixed Result of the stub's invoke().
     */
    public function invoked($invocation) {
        return $this->stub->invoke($invocation);
    }
}

/**
 * Base class whose methods take their first two parameters by reference.
 */
class MethodCallbackByReference {
    /**
     * Delegates to Legacy::bar().
     *
     * No class named Legacy is defined in this script; the subclass used by
     * the script overrides bar(), so this body is not reached here.
     */
    public function bar(&$a, &$b, $c) {
        Legacy::bar($a, $b, $c);
    }
    /**
     * Callback target used by the script: writes 1 into the by-reference
     * parameter $b and leaves $a and $c untouched.
     */
    public function callback(&$a, &$b, $c) {
        $b = 1;
    }
}
/**
 * Plain holder for the argument list of one invocation.
 */
class PHPUnit_Framework_MockObject_Invocation_Static {
    // Arguments of the invocation, read directly by the stub.
    public $parameters;
    /**
     * @param array $parameters Arguments captured for the invocation.
     */
    public function __construct(array $parameters) {
        $this->parameters = $parameters;
    }
}

/**
 * Mock subclass that routes bar() through an invocation mocker instead of
 * running the parent implementation.
 */
class Mock_MethodCallbackByReference_7b180d26 extends MethodCallbackByReference {
    // Invocation mocker; assigned from outside before bar() is called.
    public $inv_mocker;
    /**
     * Wraps the arguments in an invocation object and hands it to the
     * invocation mocker.
     *
     * array($a, $b, $c) stores the current values, not references, so the
     * by-reference link to the caller's variables ends here.
     *
     * @return mixed Result of the mocker's invoke(); with the mocker class
     *               defined in this script that is null.
     */
    public function bar(&$a, &$b, $c) {
        $arguments = array($a, $b, $c);
        $result = $this->inv_mocker->invoke(
            new PHPUnit_Framework_MockObject_Invocation_Static(
                $arguments
            )
        );
        return $result;
    }
}

// Install an error handler for every error level. The handler body assigns
// to a static property of DoesNotExists, a class this script never defines;
// in PHP 7 that raises an Error, so the handler itself fails with an
// exception whenever it is invoked.
// NOTE(review): the backtrace in the report goes through
// ZEND_HANDLE_EXCEPTION and cleanup_unfinished_calls, which fits an
// exception thrown while a call was still being set up - confirm against
// the fix commit.
set_error_handler(function() {
//    var_dump(func_get_args());
    DoesNotExists::$nope = true;
}, E_ALL | E_STRICT);

// Wire the objects together: mock -> invocation mocker -> matcher -> stub,
// with the stub's callable pointing back at the mock's inherited callback().
$foo = new Mock_MethodCallbackByReference_7b180d26();
$InvMocker = new PHPUnit_Framework_MockObject_InvocationMocker();
$foo->inv_mocker = $InvMocker;
$OuterMatcher = new PHPUnit_Framework_MockObject_Matcher();
$InvMocker->addMatcher($OuterMatcher);
// methodNameMatcher is not declared on the matcher class, so this creates a
// dynamic property.
$OuterMatcher->methodNameMatcher = null;
$OuterMatcher->stub = new PHPUnit_Framework_MockObject_Stub_ReturnCallback([$foo, 'callback']);
$a = $b = $c = 0;
// Entry point of the reproducer. The report's expected result is no crash;
// on the affected build it shows SIGSEGV in zend_object_release(obj=0x0).
$foo->bar($a, $b, $c);


Expected result:
----------------
.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006812a3 in zend_object_release (obj=0x0) at /local/git/php-src/Zend/zend_objects_API.h:77
77              if (--GC_REFCOUNT(obj) == 0) {
Missing separate debuginfos, use: zypper install libz1-debuginfo-1.2.8-5.1.2.x86_64
(gdb) bt
#0  0x00000000006812a3 in zend_object_release (obj=0x0) at /local/git/php-src/Zend/zend_objects_API.h:77
#1  0x00000000006890bb in cleanup_unfinished_calls (execute_data=0x7ffff6615520, op_num=4) at /local/git/php-src/Zend/zend_execute.c:2547
#2  0x000000000068c5bd in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER () at /local/git/php-src/Zend/zend_vm_execute.h:1495
#3  0x0000000000689473 in execute_ex (ex=0x7ffff6615030) at /local/git/php-src/Zend/zend_vm_execute.h:414
#4  0x0000000000689555 in zend_execute (op_array=0x7ffff6687000, return_value=0x0) at /local/git/php-src/Zend/zend_vm_execute.h:458
#5  0x0000000000631dbf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1427
#6  0x00000000005ae6b2 in php_execute_script (primary_file=0x7fffffffd8e0) at /local/git/php-src/main/main.c:2494
#7  0x00000000006eb0f8 in do_cli (argc=2, argv=0xb08be0) at /local/git/php-src/sapi/cli/php_cli.c:974
#8  0x00000000006ebf78 in main (argc=2, argv=0xb08be0) at /local/git/php-src/sapi/cli/php_cli.c:1344
(gdb) f 1
#1  0x00000000006890bb in cleanup_unfinished_calls (execute_data=0x7ffff6615520, op_num=4) at /local/git/php-src/Zend/zend_execute.c:2547
2547 OBJ_RELEASE(Z_OBJ(call->This));
(gdb) list
2542                                            }
2543                                            if (GC_REFCOUNT(Z_OBJ(call->This)) == 1) {
2544 zend_object_store_ctor_failed(Z_OBJ(call->This));
2545                                            }
2546                                    }
2547 OBJ_RELEASE(Z_OBJ(call->This));
2548                            }
2549                            if (call->func->common.fn_flags & ZEND_ACC_CLOSURE) {
2550 zend_object_release((zend_object *) call->func->common.prototype);
2551                            } else if (call->func->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {


History

 [2016-04-25 10:31 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2016-04-25 11:15 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92233dd736a883c34d5769081a9c0ff6d9f264f7
Log: Fixed bug #72101 (crash on complex code)
 [2016-04-25 11:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92233dd736a883c34d5769081a9c0ff6d9f264f7
Log: Fixed bug #72101 (crash on complex code)
 