Bug #60536 Traits Segfault
Submitted: 2011-12-15 20:37 UTC Modified: 2011-12-19 04:08 UTC
From: scottmac@php.net Assigned: laruence
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4SVN-2011-12-15 (SVN) OS: ubuntu 11.11
Private report: No CVE-ID:
 [2011-12-15 20:37 UTC] scottmac@php.net
Description:
------------
The following code crashes.

Test script:
---------------
<?php
trait T { private $x = 0; }
class X { use T; }
class Y extends X {
  use T;
  function x() { return ++$this->x; }
}
class Z extends Y {
  function z() { return ++$this->x; }
}
$a = new Z();
$a->x();


Patches

property008.phpt (last revision 2011-12-16 16:46 UTC by gron@php.net)
property007.phpt (last revision 2011-12-16 16:19 UTC by gron@php.net)
property006.phpt (last revision 2011-12-16 16:19 UTC by gron@php.net)
property005.phpt (last revision 2011-12-16 16:19 UTC by gron@php.net)
bug60536.phpt (last revision 2011-12-16 15:57 UTC by laruence@php.net)
bug60536.patch (last revision 2011-12-16 15:54 UTC by laruence@php.net)

History

 [2011-12-15 20:38 UTC] scottmac@php.net
backtrace:

#0  0x0000000100289c71 in zend_mm_check_ptr (heap=0x101000000, ptr=0x100c4f730, silent=1, __zend_filename=0x1005476a8 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h", __zend_lineno=10833, __zend_orig_filename=0x1005437a0 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_execute.h", __zend_orig_lineno=88) at zend_alloc.c:1380
#1  0x000000010028c1ad in _zend_mm_free_int (heap=0x101000000, p=0x100c4f730, __zend_filename=0x1005476a8 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h", __zend_lineno=10833, __zend_orig_filename=0x1005437a0 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_execute.h", __zend_orig_lineno=88) at zend_alloc.c:2064
#2  0x000000010028de9d in _efree (ptr=0x100c4f730, __zend_filename=0x1005476a8 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_vm_execute.h", __zend_lineno=10833, __zend_orig_filename=0x1005437a0 "/Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_execute.h", __zend_orig_lineno=88) at zend_alloc.c:2436
#3  0x00000001003742c8 in i_zval_ptr_dtor [inlined] () at /Users/macvicar/dev/php-src/branches/PHP_5_4/Zend/zend_execute.h:88
#4  0x00000001003742c8 in ZEND_RETURN_SPEC_VAR_HANDLER (execute_data=0x1009802f8) at zend_execute.h:10833
#5  0x000000010032a882 in execute (op_array=0x1009bad50) at zend_vm_execute.h:410
#6  0x00000001002d733b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:1272
#7  0x0000000100219973 in php_execute_script (primary_file=0x7fff5fbff170) at main.c:2476
 [2011-12-16 15:54 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60536.patch
Revision:   1324050855
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=bug60536.patch&revision=1324050855
 [2011-12-16 15:57 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60536.phpt
Revision:   1324051021
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=bug60536.phpt&revision=1324051021
 [2011-12-16 16:17 UTC] gron@php.net
Hi Laruence:

Your patch was also what I had thought of for the first moment, however, that is 
not actually fixing the bug.
The problem is another one. For some reason the property value does not get set 
properly. At least that is my current understanding.
This leads to either some inconsistent ref count, or an inappropriately shared 
zval. Haven't figured that out yet.

What your patch does is just change the semantics of when properties are 
composed into the class.

That is also something that happens to be broken (inconsistent with normal 
inheritance).
I have updated tests that should describe the correct semantics for property 
handling.

If you see where I do something stupid with the zvals, please let me know.

Thanks
Stefan
 [2011-12-16 16:19 UTC] gron@php.net
The following patch has been added/updated:

Patch Name: property005.phpt
Revision:   1324052348
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=property005.phpt&revision=1324052348
 [2011-12-16 16:19 UTC] gron@php.net
The following patch has been added/updated:

Patch Name: property006.phpt
Revision:   1324052364
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=property006.phpt&revision=1324052364
 [2011-12-16 16:19 UTC] gron@php.net
The following patch has been added/updated:

Patch Name: property007.phpt
Revision:   1324052379
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=property007.phpt&revision=1324052379
 [2011-12-16 16:46 UTC] gron@php.net
The following patch has been added/updated:

Patch Name: property008.phpt
Revision:   1324054001
URL:        https://bugs.php.net/patch-display.php?bug=60536&patch=property008.phpt&revision=1324054001
 [2011-12-16 16:47 UTC] gron@php.net
property008.phpt demonstrates the actual issue.
 [2011-12-16 18:43 UTC] laruence@php.net
I have another fix for this. I am going to ci it.
 [2011-12-16 18:43 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2011-12-16 19:02 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=321073
Log: Fixed bug #60536 (Traits Segfault)
# this is a tough one, I think I should explain
# Zend uses zend_object->properties_table both as zval ** and zval ***
# if a zend_object->properties is not initialized, the properties_table is zval **
# while in rebuild_object_properties, zend will store the zval ** to zend_object->properties
# then stash the zval *** (ie, zobj->properties_table[0] is zval ** now) to zobj->properties_table[0]
# so when a zend_object inherits from multiple parents and these parents have properties with the same property_info->offset,
# it will result in a repeated zval ** -> zval ** transform, which will lead to a segfault
# *maybe* this fix is not the best fix, we should not use this tricky way, and rewrite this mechanism.
 [2011-12-16 19:03 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-12-16 19:03 UTC] laruence@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: laruence
 [2011-12-17 14:26 UTC] gron@php.net
Automatic comment from SVN on behalf of gron
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=321089
Log: Fixed inconsistent and broken handling of private properties in traits.
# The handling of private properties in classes is now consistent with private properties in traits.
# Previously, privates could cause strict warnings, and were not properly merged into the class when
# the parent class had a private property of the same name. Now, we introduce it without notice,
# since it is a new and independent property, just like in normal classes.
# This problem was diagnosed while working on Bug #60536.
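The semantics that the commit message above describes, shown as an added example written for this page (it is not a test from the bug report or from php-src, and the trait and class names Counter, Base and Child are invented): a private property brought in by a trait becomes an independent slot in each class that uses the trait, exactly as if each class had written its own `private $count = 0;`, so the parent's copy and the child's copy never alias each other.

```php
<?php
// Added example for this page, not code from the bug report or php-src.
// The trait and class names (Counter, Base, Child) are invented.
//
// A private property declared in a trait is copied into every class that
// uses the trait as that class's own private. Base and Child therefore
// each get their own $count slot, just as they would with two ordinary
// `private $count = 0;` declarations, and the two never share storage.

trait Counter
{
    private $count = 0;

    // Runs in the scope of whichever class imported it, so $this->count
    // resolves to that class's private copy.
    public function bump()
    {
        return ++$this->count;
    }
}

class Base
{
    use Counter;

    public function baseCount()
    {
        return $this->count;   // Base's private $count
    }
}

class Child extends Base
{
    use Counter;               // second, independent private $count

    public function childCount()
    {
        return $this->count;   // Child's private $count
    }
}

$c = new Child();
$c->bump();   // the trait copy in Child overrides Base::bump()
$c->bump();

// Child's counter has been incremented twice; Base's copy is untouched.
var_dump($c->childCount(), $c->baseCount());

// Both slots exist side by side: the array cast lists the mangled private
// names "\0Base\0count" and "\0Child\0count" as separate keys.
var_dump(array_keys((array) $c));
```

Run it with the php CLI on PHP 5.4 or later. On a build carrying the fix, childCount() reports the two increments while baseCount() still reports zero, and the array cast shows one mangled entry per class; before the fix this is the configuration (a parent private and a trait-provided child private of the same name) that was not merged correctly.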
 [2011-12-18 18:31 UTC] tony2001@php.net
Valgrind complains about invalid read and writes in the tests:
http://dev.daylessday.org/diff/bug60536_001.mem
http://dev.daylessday.org/diff/bug60536_003.mem

So the problem is definitely not fixed yet.
 [2011-12-18 18:31 UTC] tony2001@php.net
-Status: Closed +Status: Re-Opened
 [2011-12-19 04:08 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed
 [2011-12-19 04:08 UTC] laruence@php.net
This invalid read is not introduced by this fix, so let's keep this closed. 
I have filed a new one, #60558. Thanks.
 [2011-12-19 16:47 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=321166
Log: Fixed bug #60558 (Invalid read and writes)
Re-Fixed bug #60536 (Traits Segfault)
#Thanks to tony2001, I found the previous fix -r321089 is actually not a correct one.
#The key problem there is because the traits didn't correctly set the property_info.offset
#for private properties. so here comes the new fix.
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c1d5a5d7ef24546bc272873348ee522da6a54f88
Log: Fixed bug #60558 (Invalid read and writes)
Re-Fixed bug #60536 (Traits Segfault)
#Thanks to tony2001, I found the previous fix -r321089 is actually not a correct one.
#The key problem there is because the traits didn't correctly set the property_info.offset
#for private properties. so here comes the new fix.
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=707f658c33b58841919384b3e204bd10443b44b0
Log: Fixed bug #60536 (Traits Segfault)
# this is a tough one, I think I should explain
# Zend uses zend_object->properties_table both as zval ** and zval ***
# if a zend_object->properties is not initialized, the properties_table is zval **
# while in rebuild_object_properties, zend will store the zval ** to zend_object->properties
# then stash the zval *** (ie, zobj->properties_table[0] is zval ** now) to zobj->properties_table[0]
# so when a zend_object inherits from multiple parents and these parents have properties with the same property_info->offset,
# it will result in a repeated zval ** -> zval ** transform, which will lead to a segfault
# *maybe* this fix is not the best fix, we should not use this tricky way, and rewrite this mechanism.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 18:02:13 2014 UTC