Bug #50360 Crash on is_subclass_of() under special conditions (PHP_5_2 only!)
Submitted: 2009-12-02 13:57 UTC Modified: 2010-12-23 15:27 UTC
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:3 (75.0%)
From: mjomble at gmail dot com Assigned: iliaa (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.2SVN-2009-12-02 (snap) OS: *
Private report: No CVE-ID: None
 [2009-12-02 13:57 UTC] mjomble at gmail dot com
Description:
------------
The issue seems similar to bug #46753, but with a much more compact reproduce code: 3 files; ~75 lines in total; no external dependencies.

I've managed to reproduce the crash with the same code in 5.2.2, 5.2.11, 5.2.12RC3 and the 5.2 snapshot from 2009-12-02.

It doesn't happen with 5.3.0 or 5.3.1, at least with this code.

Factors that determine whether the crash occurs or not include:

* Use of is_subclass_of() vs instanceof
* Custom autoloader
* A random function call in the autoloader function
* Either the "width" or depth of the call stack at the time is_subclass_of() is called. In the provided reproduce code, there's a shallow call stack, but a large number of parameters. The crash could also be reproduced with fewer parameters, but a deeper call stack.
* The number of methods in a specific class.

See the comments in the reproduce code for more details on small code changes that can cause the crash not to occur.

Reproduce code:
---------------
http://files.rtedev.com/phpbug.zip

The code is in three separate files. Putting the classes in fewer files will change the autoloader's behavior so that the crash will not occur.

Extract the zip into a folder and run

php run.php

This should crash the PHP CLI.

Expected result:
----------------
"Done" should be printed to standard output.

Actual result:
--------------
Backtrace from Microsoft Debug Diagnostic Tools

Thread 0 - System ID 5108
Entry point   php!mainCRTStartup

Function                                      Arg 1         Arg 2         Arg 3

php5ts!is_a_impl+b6                           019029ac      0190f9e0      00000000
php5ts!zif_is_subclass_of+25                  00000002      0190f9e0      00000000
php5ts!zend_do_fcall_common_helper_SPEC+7ab   00c0faf0      00312600      0190e818
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5    00000000      003126d8      00c0fbf4
php5ts!execute+1c5                            0190f328      003126d8      00000000
php5ts!zend_do_fcall_common_helper_SPEC+8ca   00c0fb98      00312601      1001c6c5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15  00c0fb98      003126d8      003126d8
php5ts!execute+1c5                            0190d210      003126d8      00000000
php5ts!zend_execute_scripts+107               00000008      003126d8      00000000
php5ts!php_execute_script+20d                 00c0fe90      003126d8      00000000
php!main+bca                                  00000002      00312630      003116a0
php!mainCRTStartup+e3                         7ffd4000      00c0ffd4      779119bb
kernel32!BaseThreadInitThunk+e                7ffd4000      7dc79c3d      00000000
ntdll!__RtlUserThreadStart+23                 00402f72      7ffd4000      00000000
ntdll!_RtlUserThreadStart+1b                  00402f72      7ffd4000      00000000

History

 [2009-12-02 13:59 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

ONE file, thank you. Use something other than a zipped file.
 [2009-12-02 14:01 UTC] mjomble at gmail dot com
The crash can't be reproduced with a single file as that would not invoke the autoloader.
 [2009-12-04 22:33 UTC] felipe@php.net
I can reproduce it on 5.2SVN.

==19457== Invalid read of size 4
==19457==    at 0x83BE343: is_a_impl (zend_builtin_functions.c:674)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79f8 is 184 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE374: is_a_impl (zend_builtin_functions.c:678)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE467: is_a_impl (zend_builtin_functions.c:680)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE46F: is_a_impl (zend_builtin_functions.c:680)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
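The valgrind trace above (and the "factors" in the original description) describe one pattern: is_a_impl() takes pointers into the engine's argument stack, then zend_lookup_class() fires the autoloader, whose own calls push enough frames that zend_ptr_stack_2_push() reallocates the stack, and the pointers are read after the old block is freed. The following C program is an added illustration of that use-after-realloc shape and its hardened form; it is not PHP source, and arg_t, ptr_stack_t, lookup_class_with_autoload and the frame count are constructed stand-ins for the engine structures named in the trace.

```c
#include <stdlib.h>
#include <string.h>
typedef struct { const char *class_name; } arg_t;               /* stand-in for a zval */
typedef struct { arg_t *base; size_t top, cap; } ptr_stack_t;  /* stand-in for zend_ptr_stack */
/* Models zend_ptr_stack_2_push() growing via _erealloc(): the old block is released, so a raw pointer taken into it dangles. */
static void ptr_stack_push(ptr_stack_t *s, arg_t v) {
    if (s->top == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        arg_t *nbase = malloc(ncap * sizeof *nbase);
        if (!nbase) abort();
        if (s->base) { memcpy(nbase, s->base, s->top * sizeof *nbase); free(s->base); }
        s->base = nbase; s->cap = ncap;
    }
    s->base[s->top++] = v;
}

/* Models zend_lookup_class() firing an autoloader whose own calls push frames (regrowing
   the stack) while the caller is suspended, then unwind. */
static void lookup_class_with_autoload(ptr_stack_t *s, size_t frames) {
    for (size_t i = 0; i < frames; i++) ptr_stack_push(s, (arg_t){ "autoload-frame" });
    s->top -= frames;
}

/* Buggy shape (never called: it is undefined behaviour): a raw pointer into the stack held across the lookup. */
int is_subclass_unsafe(ptr_stack_t *s, size_t obj_idx) {
    arg_t *obj = &s->base[obj_idx];
    lookup_class_with_autoload(s, 64);
    return strcmp(obj->class_name, "Child") == 0;   /* reads inside the freed block */
}

/* Hardened shape: copy what is needed before the call that can reallocate, and re-derive
   anything else by index from the current base afterwards. Also reports if the base moved. */
int is_subclass_safe(ptr_stack_t *s, size_t obj_idx, int *base_moved) {
    arg_t obj = s->base[obj_idx];                    /* by value: survives reallocation */
    const arg_t *old_base = s->base;
    lookup_class_with_autoload(s, 64);
    *base_moved = (s->base != old_base);
    return strcmp(obj.class_name, "Child") == 0 && s->base[obj_idx].class_name == obj.class_name;
}

/* Returns 1 when the hardened check is correct and the storage really moved under it. */
int run_scenario(void) {
    ptr_stack_t s = { NULL, 0, 0 };
    ptr_stack_push(&s, (arg_t){ "Child" });          /* constructed arguments of is_subclass_of */
    ptr_stack_push(&s, (arg_t){ "Parent" });
    int moved = 0, ok = is_subclass_safe(&s, 0, &moved);
    free(s.base);
    return ok && moved;
}
```

Running is_subclass_unsafe() under valgrind would report the same "inside a block ... free'd" read as the trace above; the safe variant reads only copied values and freshly derived indices.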
 [2010-12-23 15:27 UTC] iliaa@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: iliaa
 [2010-12-23 15:27 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is fixed in 5.3
 