Bug #77631 ReflectionClass->isSubclassOf crashes in PHP 7.4 for anonymous class
Submitted: 2019-02-18 03:05 UTC Modified: 2019-02-18 08:19 UTC
From: tandre@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
 [2019-02-18 03:05 UTC] tandre@php.net
Description:
------------
This was initially reproduced by cloning https://github.com/Microsoft/tolerant-php-parser , running `composer.phar install`, and running `vendor/bin/phpunit tests/ParserGrammerTest.php`.

I narrowed the bug down to the below test script. This crashes in both non-debug NTS and a debug ZTS build in PHP-7.4 (built today with 5b15908ed7d1765c1776b40ffc58092044aa1332, introduced somewhere before that).

instance_ce has invalid data. This might be caused by the test script using a ReflectionClass for an anonymous class where no instances have been created.

```
Checking for class@anonymous/path/to/php-src/test.php0x7ffff7fd405d

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
warning: Source file is more recent than executable.
2285                    instance_ce = instance_ce->parent;
(gdb) bt
#0  0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
#1  0x0000000000b3168d in instanceof_function (instance_ce=0x7fffecc06740, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2330
#2  0x00000000007be3af in zim_reflection_class_isSubclassOf (execute_data=0x7fffecc171a0, return_value=0x7fffecc17110) at /path/to/php-src/ext/reflection/php_reflection.c:4991
#3  0x0000000000bb451d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /path/to/php-src/Zend/zend_vm_execute.h:1104
#4  0x0000000000c36376 in execute_ex (ex=0x7fffecc17020) at /path/to/php-src/Zend/zend_vm_execute.h:61540
#5  0x0000000000c3c999 in zend_execute (op_array=0x7fffecc73400, return_value=0x0) at /path/to/php-src/Zend/zend_vm_execute.h:67944
#6  0x0000000000b3a5a0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /path/to/php-src/Zend/zend.c:1639
#7  0x0000000000a72dfd in php_execute_script (primary_file=0x7fffffffc680) at /path/to/php-src/main/main.c:2633
#8  0x0000000000c3fa52 in do_cli (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:992
#9  0x0000000000c40e9d in main (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:1384
```

Test script:
---------------
```php
<?php
class X {
    public static function main() {
        return new class() extends Base {};
    }
}
class Base {}
call_user_func(function() {
    $base = Base::class;
    foreach (get_declared_classes() as $class) {
        if (strpos($class, 'class@anonymous') === false) {
            continue;
        }
        echo "Checking for $class\n";
        flush();
        $rc = new ReflectionClass($class);
        var_export($rc->isSubclassOf($base));  // Segfaults on this line
    }
});
```


Expected result:
----------------
Does not segfault, prints Checking for class@anonymouspath...false (like earlier php versions do)

Actual result:
--------------
Segfaults because of the call to isSubclassOf

 [2019-02-18 08:19 UTC] nikic@php.net
The actual bug here is that get_declared_classes() exposes anonymous classes that haven't been bound yet. The code currently only handles unbound ordinary classes.
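
Added example, not part of the bug thread and not php-src code: a simplified C model of why an unchecked parent walk over an unbound class ends at a tiny address such as the `instance_ce=0x4` in frame #0, next to a walk that refuses to follow an unresolved parent. The struct layouts (64-bit), the `CE_LINKED` flag and all function names are assumptions made for illustration; the sample objects are constructed to mirror the test script.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for an engine string and class entry
 * (assumed 64-bit layout; every name here is hypothetical). */
struct str { uint32_t refcount, type_info; uint64_t hash; size_t len; char val[8]; };
struct ce {
    char type;
    struct str *name;
    union { struct ce *parent; struct str *parent_name; } u; /* selected by CE_LINKED */
    uint32_t flags;
};
#define CE_LINKED 1u /* hypothetical: parent already resolved to a class entry */
_Static_assert(offsetof(struct ce, u) == offsetof(struct str, len),
               "model assumes the parent slot overlaps the string length");

/* What an unchecked `p = p->parent` step reads when p is really a string:
 * the bytes at the parent offset. memcpy keeps the read well-defined. */
uintptr_t misread_parent(const struct str *s) {
    uintptr_t v;
    memcpy(&v, (const char *)s + offsetof(struct ce, u), sizeof v);
    return v;
}

/* Guarded walk: follow the union only when the class is linked. */
int is_subclass_checked(const struct ce *inst, const struct ce *base) {
    if (inst == base) return 0;                   /* not a subclass of itself */
    while (inst) {
        if (inst == base) return 1;
        if (!(inst->flags & CE_LINKED)) return 0; /* unbound: slot holds a name */
        inst = inst->u.parent;
    }
    return 0;
}

/* Constructed sample data mirroring the test script. */
static struct str base_name = { 1, 0, 0, 4, "Base" };
static struct ce base_ce = { 0, &base_name, { NULL }, CE_LINKED };
static struct ce bound_anon = { 0, NULL, { &base_ce }, CE_LINKED };
static struct ce unbound_anon = { 0, NULL, { .parent_name = &base_name }, 0 };

int main(void) {
    printf("misread parent: %#lx\n", (unsigned long)misread_parent(&base_name));
    printf("bound: %d, unbound: %d\n", is_subclass_checked(&bound_anon, &base_ce),
           is_subclass_checked(&unbound_anon, &base_ce));
    return 0;
}
```

In this model the misread value equals the length of the parent name, which is 4 for `Base`; the guarded walk returns false for the unbound class, matching the expected result in the report.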
 [2019-02-18 14:50 UTC] tandre@php.net
The following pull request has been associated:

Patch Name: Fix class crash in isSubclassOf when using unbound anonymous classes
On GitHub:  https://github.com/php/php-src/pull/3847
Patch:      https://github.com/php/php-src/pull/3847.patch
 [2019-02-19 09:07 UTC] nikic@php.net
Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631
 [2019-02-19 09:07 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-02-19 09:11 UTC] nikic@php.net
Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631
 
Last updated: Fri Dec 27 16:01:29 2024 UTC