Bug #45805 user error handler crashes
Submitted: 2008-08-13 06:44 UTC
Modified: 2008-08-13 07:23 UTC
From: sebastian@php.net
Assigned: dmitry
Status: Closed
Package: Reproducible crash
PHP Version: 5.3CVS-2008-08-13 (CVS)
OS: Linux
Private report: No
CVE-ID:
 [2008-08-13 06:44 UTC] sebastian@php.net
Description:
------------
The attached PHP script segfaults with both PHP_5_2 and PHP_5_3.

Reproduce code:
---------------
<?php
class PHPUnit_Util_ErrorHandler
{
    public static function handleError($errno, $errstr, $errfile, $errline)
    {
        throw new RuntimeException;
    }
}

class A {
    public function getX() {
        return NULL;
    }
}

class B {
    public function foo() {
        $obj    = new A;
        $source = &$obj->getX();
    }

    public function bar() {
        $m = new ReflectionMethod('B', 'foo');
        $m->invoke($this);
    }
}

set_error_handler(
  array('PHPUnit_Util_ErrorHandler', 'handleError'), E_ALL | E_STRICT
);
            
$o = new B;
$o->bar();
?>

Actual result:
--------------
sb@ubuntu ~ % gdb php
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r test.php
Starting program: /usr/local/php-5.3/bin/php test.php
[Thread debugging using libthread_db enabled]
[New Thread 0xb77fc6b0 (LWP 21404)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77fc6b0 (LWP 21404)]
0x085674c0 in _get_zval_ptr_var (node=0x8a5546c, Ts=0x8c0f888, should_free=0xbfe03efc, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_execute.c:197
197                     if (T->str_offset.str->type != IS_STRING
(gdb) bt
#0  0x085674c0 in _get_zval_ptr_var (node=0x8a5546c, Ts=0x8c0f888, should_free=0xbfe03efc, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_execute.c:197
#1  0x085c65fa in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x8c0f82c, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:27470
#2  0x085c69fd in ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER (execute_data=0x8c0f82c, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:27515
#3  0x085628ec in execute (op_array=0x8be2214, tsrm_ls=0x8a53070) at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:104
#4  0x08523d5e in zend_call_function (fci=0xbfe04144, fci_cache=0xbfe04168, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_execute_API.c:876
#5  0x08237261 in zim_reflection_method_invoke (ht=1, return_value=0x8be3e5c, return_value_ptr=0x0, this_ptr=0x8be0854, 
    return_value_used=0, tsrm_ls=0x8a53070) at /usr/local/src/php/php-5.3/ext/reflection/php_reflection.c:2510
#6  0x085639bf in zend_do_fcall_common_helper_SPEC (execute_data=0x8c0f738, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:315
#7  0x08564a4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x8c0f738, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:428
#8  0x085628ec in execute (op_array=0x8be2b68, tsrm_ls=0x8a53070) at /usr/local/src/php/php-5.3/Zend/zend_vm_execute.h:104
#9  0x085347e4 in zend_execute_scripts (type=8, tsrm_ls=0x8a53070, retval=0x0, file_count=3)
    at /usr/local/src/php/php-5.3/Zend/zend.c:1199
#10 0x084ad611 in php_execute_script (primary_file=0xbfe06630, tsrm_ls=0x8a53070)
    at /usr/local/src/php/php-5.3/main/main.c:2073
#11 0x085d19a4 in main (argc=2, argv=0xbfe067a4) at /usr/local/src/php/php-5.3/sapi/cli/php_cli.c:1132

 [2008-08-13 07:23 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Fri Apr 18 10:03:03 2014 UTC