Bug #33116 crash when assigning class name to global variable in __autoload
Submitted: 2005-05-24 05:07 UTC Modified: 2005-05-26 16:28 UTC
From: segv74 at gmail dot com Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.0.3 OS: linux 2.4.28
Private report: No CVE-ID:
 [2005-05-24 05:07 UTC] segv74 at gmail dot com
Description:
------------
The following code produces wrong output. I think this bug is related to PHP's internal reference counter.
If I change the assignment of $class to "$class" (comment 1), it produces correct output.

If I turn on comment 2 (comment 1 is off), the debug-mode php client crashes. The gdb backtrace is here.

(gdb) bt
#0  0x4029db87 in memcpy () from /lib/libc.so.6
#1  0x0825a1a3 in _mem_block_check (ptr=0xbfffbd84, silent=0, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193,
    __zend_orig_filename=0x8434900 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute.h", __zend_orig_lineno=61) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_alloc.c:722
#2  0x0825a15e in _mem_block_check (ptr=0xbfffbd84, silent=1, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193,
    __zend_orig_filename=0x8434900 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute.h", __zend_orig_lineno=61) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_alloc.c:714
#3  0x08259294 in _efree (ptr=0xbfffbd84, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193,
    __zend_orig_filename=0x8434900 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute.h", __zend_orig_lineno=61) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_alloc.c:265
#4  0x08269504 in safe_free_zval_ptr_rel (p=0xbfffbd84, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193,
    __zend_orig_filename=0x8434980 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute_API.c", __zend_orig_lineno=393) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute.h:61
#5  0x08266a41 in _zval_ptr_dtor (zval_ptr=0x852b0d8, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193)
    at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute_API.c:393
#6  0x08273aa5 in _zval_ptr_dtor_wrapper (zval_ptr=0x852b0d8) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c:193
#7  0x0827e61a in zend_hash_destroy (ht=0x852a814) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_hash.c:519
#8  0x08273649 in _zval_dtor (zvalue=0x852b97c, __zend_filename=0x8434980 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute_API.c", __zend_lineno=392)
    at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c:52
#9  0x08266a1a in _zval_ptr_dtor (zval_ptr=0x851b208, __zend_filename=0x8435640 "/jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c", __zend_lineno=193)
    at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute_API.c:392
#10 0x08273aa5 in _zval_ptr_dtor_wrapper (zval_ptr=0x851b208) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_variables.c:193
#11 0x0827e8d0 in zend_hash_apply_deleter (ht=0x849f8f0, p=0x851b1fc) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_hash.c:574
#12 0x0827eb58 in zend_hash_graceful_reverse_destroy (ht=0x849f8f0) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_hash.c:640
#13 0x08266071 in shutdown_executor () at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_execute_API.c:208
#14 0x082754c3 in zend_deactivate () at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend.c:818
#15 0x082272cb in php_request_shutdown (dummy=0x0) at /jocoso/install/tmp/APACHESO/php-5.0.3/main/main.c:1212
#16 0x082af690 in main (argc=2, argv=0xbfffe3a4) at /jocoso/install/tmp/APACHESO/php-5.0.3/sapi/cli/php_cli.c:1046
(gdb) up
...
#11 0x0827e8d0 in zend_hash_apply_deleter (ht=0x849f8f0, p=0x851b1fc) at /jocoso/install/tmp/APACHESO/php-5.0.3/Zend/zend_hash.c:574
574                     ht->pDestructor(p->pData);
(gdb) print *p
$1 = {h = 1695326377, nKeyLength = 8, pData = 0x851b208, pDataPtr = 0x852b97c, pListNext = 0x0, pListLast = 0x85255fc, pNext = 0x0, pLast = 0x0, arKey = "i"}
(gdb) print (char *)&*p->arKey
$3 = 0x851b21c "include"



Reproduce code:
---------------
test.php ==================================
<?php
function __autoload($class)
{
  $GLOBALS['include'][] = $class;
  //$GLOBALS['include'][] = "$class"; <-- changing to this line produces correct output (comment 1)

  include_once "$class.inc";
}

$a = new DefClass;
//$a = new UndefClass; <-- crashes when this comment is turned off (comment 2)

print_r($GLOBALS['include']);
?>

DefClass.inc ==================================
<?php class DefClass {} ?>


Expected result:
----------------
Array
(
    [0] => DefClass
)


Actual result:
--------------
Array
(
    [0] => 139613932
)


 [2005-05-24 09:56 UTC] segv74 at gmail dot com
php5-STABLE-latest.tar.gz shows the same buggy results too.

(gdb) bt
#0  0x08170036 in _efree (ptr=0xbfffd040) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_alloc.c:281
#1  0x08189ae8 in zend_hash_destroy (ht=0x827ca24) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_hash.c:519
#2  0x081821d7 in _zval_dtor (zvalue=0x827ca8c) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_variables.c:52
#3  0x08179b48 in _zval_ptr_dtor (zval_ptr=0x827cab8) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_execute_API.c:400
#4  0x08189bb8 in zend_hash_clean (ht=0x827c89c) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_hash.c:545
#5  0x0817c79e in zend_cleanup_class_data (pce=0x827e08c) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_opcode.c:139
#6  0x08189dd8 in zend_hash_apply (ht=0x81ffdb0, apply_func=0x817c770 <zend_cleanup_class_data>) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_hash.c:664
#7  0x0817988c in shutdown_executor () at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_execute_API.c:257
#8  0x081834c5 in zend_deactivate () at /home/ssw/work/php5-STABLE-200505240632/Zend/zend.c:824
#9  0x0814d326 in php_request_shutdown (dummy=0x0) at /home/ssw/work/php5-STABLE-200505240632/main/main.c:1224
#10 0x081ad55c in main (argc=2, argv=0xbffff654) at /home/ssw/work/php5-STABLE-200505240632/sapi/cgi/cgi_main.c:1640
(gdb) up
...

#4  0x08189bb8 in zend_hash_clean (ht=0x827c89c) at /home/ssw/work/php5-STABLE-200505240632/Zend/zend_hash.c:545
545                         ht->pDestructor(q->pData);
(gdb) print (char *)&*q.arKey
$6 = 0x827cacc "included_classes"
 [2005-05-24 09:59 UTC] segv74 at gmail dot com
The last gdb backtrace was from a slightly different example
(using static member variables instead of $GLOBALS),
but both sources cause a segmentation fault and produce wrong output on the PHP snapshot.
 [2005-05-24 10:02 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

This one has some other (probably) related bugs fixed,
so please try it out too.

 [2005-05-26 03:29 UTC] segv74 at gmail dot com
The patch below seems to work fine.

$ diff Zend/zend_execute_API.c zend_execute_API.c
911c911
<       zval class_name, *class_name_ptr = &class_name;
---
>       zval *class_name_ptr;
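Review bot: moving `class_name` off the engine's C stack in `911c911` addresses what the backtrace shows: `_efree` is called on `ptr=0xbfffbd84`, a stack address, from `shutdown_executor`, because the userland `__autoload` kept a shared reference to its argument (`$GLOBALS['include'][] = $class` bumps the refcount rather than copying the zval). With this change `class_name_ptr` is uninitialised until the `MAKE_STD_ZVAL` in the second hunk at line 950, so nothing between line 911 and line 950 may touch it; the diff shows no such use, but that gap is worth checking in the surrounding code.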
950,951c950,951
<       INIT_PZVAL(class_name_ptr);
<       ZVAL_STRINGL(class_name_ptr, name, name_length, 0);
---
>       MAKE_STD_ZVAL(class_name_ptr);
>       ZVAL_STRINGL(class_name_ptr, name, name_length, 1);
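Review bot: no matching `zval_ptr_dtor(&class_name_ptr)` after the autoload call appears in the diff; `MAKE_STD_ZVAL` creates the zval with refcount 1 and, with `duplicate=1`, its own copy of `name`, so unless the engine's reference is released after the call every autoload leaks the zval and its string copy. The `duplicate=1` itself is correct: once the zval can outlive the call it must not point into the caller's `name` buffer. Suggest adding the release after the call so that a userland copy, if one was taken, becomes the sole owner and is freed cleanly at shutdown.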
 [2005-05-26 16:28 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0.
Last updated: Thu Apr 17 01:01:56 2014 UTC