Bug #28589 Segfault in Reflection API
Submitted: 2004-05-31 09:43 UTC Modified: 2004-05-31 23:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: sb at sebastian-bergmann dot de Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2004-05-31 (dev) OS: Linux 2.4.23
Private report: No CVE-ID: None
 [2004-05-31 09:43 UTC] sb at sebastian-bergmann dot de
Description:
------------
The code below causes PHP to segfault on Windows but not on Linux.

Reproduce code:
---------------
<?php
class UML_Class extends ReflectionClass {
}

print ReflectionClass::export('UML_Class');
?>


Expected result:
----------------
I expect the code not to cause a PHP segfault.

Actual result:
--------------
php5ts_debug.dll!_class_string(_string * str=0x0012e984, _zend_class_entry * ce=0x00bb2f20, _zval_struct * obj=0x00000000, char * indent=0x10631249, void * * * tsrm_ls=0x00a82800)  Zeile 271 + 0x9	C
php5ts_debug.dll!zif_reflection_class___toString(int ht=0, _zval_struct * return_value=0x00bb1ed8, _zval_struct * this_ptr=0x0012f308, int return_value_used=1, void * * * tsrm_ls=0x00a82800)  Zeile 2020 + 0x1d	C
php5ts_debug.dll!zend_call_function(_zend_fcall_info * fci=0x0012ed28, _zend_fcall_info_cache * fci_cache=0x00000000, void * * * tsrm_ls=0x00a82800)  Zeile 853 + 0x4b	C
php5ts_debug.dll!call_user_function_ex(_hashtable * function_table=0x00000000, _zval_struct * * object_pp=0x0012ee94, _zval_struct * function_name=0x00bb1cf8, _zval_struct * * retval_ptr_ptr=0x0012ee7c, unsigned int param_count=0, _zval_struct * * * params=0x00000000, int no_separation=0, _hashtable * symbol_table=0x00000000, void * * * tsrm_ls=0x00a82800)  Zeile 550 + 0xf	C
php5ts_debug.dll!zif_reflection_export(int ht=2, _zval_struct * return_value=0x00bb1d48, _zval_struct * this_ptr=0x00000000, int return_value_used=1, void * * * tsrm_ls=0x00a82800)  Zeile 1037 + 0x1f	C
php5ts_debug.dll!zend_call_function(_zend_fcall_info * fci=0x0012f260, _zend_fcall_info_cache * fci_cache=0x00000000, void * * * tsrm_ls=0x00a82800)  Zeile 853 + 0x4b	C
php5ts_debug.dll!_reflection_export(int ht=1, _zval_struct * return_value=0x00bb1c50, _zval_struct * this_ptr=0x00000000, int return_value_used=1, void * * * tsrm_ls=0x00a82800, _zend_class_entry * ce_ptr=0x00bed198, int ctor_argc=1)  Zeile 995 + 0x12	C
php5ts_debug.dll!zif_reflection_class_export(int ht=1, _zval_struct * return_value=0x00bb1c50, _zval_struct * this_ptr=0x00000000, int return_value_used=1, void * * * tsrm_ls=0x00a82800)  Zeile 1887 + 0x21	C
php5ts_debug.dll!zend_do_fcall_common_helper(_zend_execute_data * execute_data=0x0012f744, _zend_op * opline=0x00bb18c0, _zend_op_array * op_array=0x00bb1490, void * * * tsrm_ls=0x00a82800)  Zeile 2699 + 0x32	C
php5ts_debug.dll!zend_do_fcall_by_name_handler(_zend_execute_data * execute_data=0x0012f744, _zend_op * opline=0x00bb18c0, _zend_op_array * op_array=0x00bb1490, void * * * tsrm_ls=0x00a82800)  Zeile 2810 + 0x15	C
php5ts_debug.dll!execute(_zend_op_array * op_array=0x00bb1490, void * * * tsrm_ls=0x00a82800)  Zeile 1391 + 0x17	C
php5ts_debug.dll!zend_execute_scripts(int type=8, void * * * tsrm_ls=0x00a82800, _zval_struct * * retval=0x00000000, int file_count=3, ...)  Zeile 1061 + 0x21	C
php5ts_debug.dll!php_execute_script(_zend_file_handle * primary_file=0x0012ff2c, void * * * tsrm_ls=0x00a82800)  Zeile 1627 + 0x1b	C
php.exe!main(int argc=2, char * * argv=0x00a84fc0)  Zeile 943 + 0x13	C
php.exe!mainCRTStartup()  Zeile 398 + 0x11	C
kernel32.dll!77e614c7() 	
ntdll.dll!77f844a8() 	


 [2004-05-31 09:53 UTC] sebastian@php.net
The following simpler code causes a segfault, too:

<?php
class Test {}

print ReflectionClass::export('Test');
?>

 [2004-05-31 10:10 UTC] tony2001@php.net
Tested second example under Linux.

Program received signal SIGSEGV, Segmentation fault.
0x403f1d8c in _class_string (str=0xbfffbd80, ce=0x80e8e10, obj=0x0, indent=0x4044889c "")
    at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:271
271                     string_printf(str, ":%s", ce->module->name);
(gdb) bt
#0  0x403f1d8c in _class_string (str=0xbfffbd80, ce=0x80e8e10, obj=0x0, indent=0x4044889c "")
    at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:271
#1  0x403f7d43 in zif_reflection_class___toString (ht=0, return_value=0x80e5968, this_ptr=0xbfffc110, return_value_used=1)
    at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:2020
#2  0x403ca2bf in zend_call_function (fci=0xbfffbec0, fci_cache=0x0) at /home/tony/CVS/php-src_debug/Zend/zend_execute_API.c:853
#3  0x403c904c in call_user_function_ex (function_table=0x0, object_pp=0xbfffbf3c, function_name=0x80e41d4,
    retval_ptr_ptr=0xbfffbf34, param_count=0, params=0x0, no_separation=0, symbol_table=0x0)
    at /home/tony/CVS/php-src_debug/Zend/zend_execute_API.c:550
#4  0x403f4560 in zif_reflection_export (ht=2, return_value=0x80e6ff0, this_ptr=0x0, return_value_used=1)
    at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:1037
#5  0x403ca2bf in zend_call_function (fci=0xbfffc0a0, fci_cache=0x0) at /home/tony/CVS/php-src_debug/Zend/zend_execute_API.c:853
#6  0x403f42aa in _reflection_export (ht=1, return_value=0x80e1dd4, this_ptr=0x0, return_value_used=1, ce_ptr=0x811d9a0,
    ctor_argc=1) at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:995
#7  0x403f74a1 in zif_reflection_class_export (ht=1, return_value=0x80e1dd4, this_ptr=0x0, return_value_used=1)
    at /home/tony/CVS/php-src_debug/Zend/zend_reflection_api.c:1887
#8  0x40402508 in zend_do_fcall_common_helper (execute_data=0xbfffcf80, opline=0x80f07e4, op_array=0x80e654c)
    at /home/tony/CVS/php-src_debug/Zend/zend_execute.c:2699
#9  0x40402be4 in zend_do_fcall_by_name_handler (execute_data=0xbfffcf80, opline=0x80f07e4, op_array=0x80e654c)
    at /home/tony/CVS/php-src_debug/Zend/zend_execute.c:2810
#10 0x403fe5d2 in execute (op_array=0x80e654c) at /home/tony/CVS/php-src_debug/Zend/zend_execute.c:1391
#11 0x403d70d6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/tony/CVS/php-src_debug/Zend/zend.c:1058
#12 0x4038a07a in php_execute_script (primary_file=0xbffff310) at /home/tony/CVS/php-src_debug/main/main.c:1632
#13 0x4040b39e in apache_php_module_main (r=0x81abd14, display_source_mode=0)
    at /home/tony/CVS/php-src_debug/sapi/apache/sapi_apache.c:54
#14 0x4040c419 in send_php (r=0x81abd14, display_source_mode=0, filename=0x81ac27c "/www/index.php")
    at /home/tony/CVS/php-src_debug/sapi/apache/mod_php5.c:621
#15 0x4040c4aa in send_parsed_php (r=0x81abd14) at /home/tony/CVS/php-src_debug/sapi/apache/mod_php5.c:636
#16 0x08074542 in ap_invoke_handler ()
#17 0x0808a56a in process_request_internal ()
#18 0x0808a9d4 in ap_internal_redirect ()
#19 0x0806024a in handle_dir ()
#20 0x08074542 in ap_invoke_handler ()
#21 0x0808a56a in process_request_internal ()
#22 0x0808a5c7 in ap_process_request ()
#23 0x08080f80 in child_main ()
#24 0x08081132 in make_child ()
#25 0x080812b1 in startup_children ()
#26 0x0808199b in standalone_main ()
#27 0x08082235 in main ()
#28 0x4010faf7 in __libc_start_main () from /lib/i686/libc.so.6
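The gdb output above pins the crash to line 271, which prints ce->module->name. A class declared in a script (class Test {}) is not owned by any extension module, so ce->module is NULL and the dereference faults on both platforms. The following C program is an added illustration, not PHP's own code: the mock_module_entry, mock_class_entry and sbuf types, render_class, and the expected output strings are constructed for this demo and do not reproduce the real zend_class_entry layout. It places the unchecked printer beside a guarded one that only reports a module when the class has one.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mocks of the two engine structures the backtrace touches.
 * NOT the real zend_module_entry / zend_class_entry layouts. */
typedef struct mock_module_entry {
    const char *name;              /* owning extension, e.g. "Reflection" */
} mock_module_entry;

typedef enum { MOCK_INTERNAL_CLASS, MOCK_USER_CLASS } mock_class_type;

typedef struct mock_class_entry {
    const char *name;              /* class name as declared */
    mock_class_type type;
    mock_module_entry *module;     /* set for extension classes, NULL for script classes */
} mock_class_entry;

/* Minimal growable string standing in for the engine's string_printf() target. */
typedef struct { char *buf; size_t len; } sbuf;

static void sbuf_init(sbuf *s) { s->buf = calloc(1, 1); s->len = 0; }
static void sbuf_free(sbuf *s) { free(s->buf); s->buf = NULL; s->len = 0; }

static void sbuf_printf(sbuf *s, const char *fmt, ...) {
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);          /* measure first */
    va_end(ap);
    char *nb = realloc(s->buf, s->len + (size_t)n + 1);
    if (nb == NULL) { va_end(ap2); abort(); }
    s->buf = nb;
    vsnprintf(s->buf + s->len, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    s->len += (size_t)n;
}

/* Shape of the faulting code: reads ce->module->name unconditionally.
 * For a script class ce->module is NULL, so this is a null dereference. */
void class_string_unchecked(sbuf *str, const mock_class_entry *ce) {
    sbuf_printf(str, "Class [ %s", ce->type == MOCK_USER_CLASS ? "<user" : "<internal");
    sbuf_printf(str, ":%s", ce->module->name);    /* crashes when module == NULL */
    sbuf_printf(str, "> class %s ]", ce->name);
}

/* Hardened shape: report the owning module only when there is one. */
void class_string_checked(sbuf *str, const mock_class_entry *ce) {
    sbuf_printf(str, "Class [ %s", ce->type == MOCK_USER_CLASS ? "<user" : "<internal");
    if (ce->module != NULL && ce->module->name != NULL) {
        sbuf_printf(str, ":%s", ce->module->name);
    }
    sbuf_printf(str, "> class %s ]", ce->name);
}

/* Renders ce with the checked printer into out; returns 1 on success, 0 if out is too small. */
int render_class(const mock_class_entry *ce, char *out, size_t outsz) {
    sbuf s;
    sbuf_init(&s);
    class_string_checked(&s, ce);
    int ok = s.len < outsz;
    if (ok) memcpy(out, s.buf, s.len + 1);
    sbuf_free(&s);
    return ok;
}

/* Constructed inputs: one extension class with a module, one script class without.
 * Returns 1 when the checked printer renders both as expected. */
int checked_printer_handles_user_class(void) {
    mock_module_entry reflection = { "Reflection" };
    mock_class_entry internal_ce = { "ReflectionClass", MOCK_INTERNAL_CLASS, &reflection };
    mock_class_entry user_ce = { "Test", MOCK_USER_CLASS, NULL };   /* the report's 'class Test {}' */
    char out[128];
    if (!render_class(&internal_ce, out, sizeof out)) return 0;
    if (strcmp(out, "Class [ <internal:Reflection> class ReflectionClass ]") != 0) return 0;
    if (!render_class(&user_ce, out, sizeof out)) return 0;
    return strcmp(out, "Class [ <user> class Test ]") == 0;
}

int main(void) {
    mock_module_entry reflection = { "Reflection" };
    mock_class_entry internal_ce = { "ReflectionClass", MOCK_INTERNAL_CLASS, &reflection };
    mock_class_entry user_ce = { "Test", MOCK_USER_CLASS, NULL };
    char out[128];
    render_class(&internal_ce, out, sizeof out);
    puts(out);
    render_class(&user_ce, out, sizeof out);
    puts(out);
    /* class_string_unchecked(&s, &user_ce) would fault here, as in the report. */
    return 0;
}
```

The guard is the whole fix: a NULL module is a normal state for every user-defined class, so the printer has to treat it as data, not as an invariant. The same check belongs anywhere a reflection path walks from a class entry to its module.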
 [2004-05-31 23:38 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 06 05:01:31 2024 UTC