Bug #61388 ReflectionObject:getProperties called on ArrayObject throws Segmentation Fault
Submitted: 2012-03-14 18:10 UTC Modified: 2012-03-18 18:23 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: piotr dot nowak at onet dot eu Assigned: cataphract
Status: Closed Package: Reflection related
PHP Version: 5.4.0 OS: Linux (Ubuntu) x64
Private report: No CVE-ID:
 [2012-03-14 18:10 UTC] piotr dot nowak at onet dot eu
Description:
------------
When the ReflectionObject::getProperty() method is called on an ArrayObject instance, a Segmentation Fault is thrown.

The problem appears only when getting public properties from an instance which was filled using a simple brackets call (e.g. $x[] = 'something') or numeric access (e.g. $x[0] = 'something'). The problem does not appear when you use associative access (e.g. $x['test'] = 'something').
The problem was seen on nginx+php_fpm but was also confirmed on the CLI version.
Additionally, the same code had been working correctly for years, even on the last 5.3.10 version.

Some additional data:
* PHP 5.4.0-1 for Ubuntu oneiric x86_64 was installed from Ondrej's launchpad https://launchpad.net/~ondrej/+archive/php5
The problem is reproducible in the default configuration.

Test script:
---------------
<?php
$x = new ArrayObject();
$x[] = 'test string'; //will cause reflectionobject segfault
$x[0] = 'test string'; //will cause reflectionobject segfault
$x['test'] = 'test string'; //will work

$refl = new ReflectionClass($x);
print_r($refl->getProperties()); //works (but returns nothing)

$reflObj = new ReflectionObject($x);
print_r($reflObj->getProperties(
        ReflectionProperty::IS_PRIVATE 
        | ReflectionProperty::IS_PROTECTED 
        | ReflectionProperty::IS_STATIC
    )); //works (but returns nothing)
print_r($reflObj->getProperties(ReflectionProperty::IS_PUBLIC)); //SEGFAULT
print_r($reflObj->getProperties()); //SEGFAULT


Expected result:
----------------
For the example shown, it should simply pass without a SEGFAULT, or throw an Exception / Fatal Error if something is wrong on my side.

I am using this method for analysing complicated objects (in this case it was a PropelObjectCollection object from Propel ORM).

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000052e94d in _adddynproperty (pptr=0x7fffffffb830, num_args=40, args=0x7fffffffb738, 
    hash_key=0x7fffffffb720) at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3835
3835	/build/buildd/php5-5.4.0/ext/reflection/php_reflection.c: No such file or directory.
	in /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c
(gdb) bt
#0  0x000000000052e94d in _adddynproperty (pptr=0x7fffffffb830, num_args=40, 
    args=0x7fffffffb738, hash_key=0x7fffffffb720)
    at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3835
#1  0x00000000006a9a2c in zend_hash_apply_with_arguments (ht=0x7ffff7fdabc8, 
    apply_func=0x52e900 <_adddynproperty>, num_args=2)
    at /build/buildd/php5-5.4.0/Zend/zend_hash.c:772
#2  0x000000000052d938 in zim_reflection_class_getProperties (ht=-134371384, 
    return_value=0x7ffff7fda970, return_value_ptr=0x7fffffffb738, this_ptr=0x7ffff7fda8c8, 
    return_value_used=-134370960)
    at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3876
#3  0x0000000000742b89 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f9e060)
    at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:642
#4  0x00000000006fcbef in execute (op_array=0x7ffff7fd2540)
    at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:410
#5  0x000000000069ce90 in zend_execute_scripts (type=0, retval=0x8f7fd2448, file_count=3)
    at /build/buildd/php5-5.4.0/Zend/zend.c:1272
#6  0x000000000063c743 in php_execute_script (primary_file=0x0)
    at /build/buildd/php5-5.4.0/main/main.c:2473
#7  0x0000000000745221 in do_cli (argc=0, argv=0x7fffffffe50b)
    at /build/buildd/php5-5.4.0/sapi/cli/php_cli.c:983
#8  0x000000000042c843 in main (argc=32767, argv=0xd341f0)
    at /build/buildd/php5-5.4.0/sapi/cli/php_cli.c:1356
(gdb) frame 4
#4  0x00000000006fcbef in execute (op_array=0x7ffff7fd2540)
    at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:410
410	/build/buildd/php5-5.4.0/Zend/zend_vm_execute.h: No such file or directory.
	in /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h
(gdb) frame 3
#3  0x0000000000742b89 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f9e060)
    at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:642
642	in /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h
(gdb) frame 2
#2  0x000000000052d938 in zim_reflection_class_getProperties (ht=-134371384, 
    return_value=0x7ffff7fda970, return_value_ptr=0x7fffffffb738, this_ptr=0x7ffff7fda8c8, 
    return_value_used=-134370960)
    at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3876
3876	/build/buildd/php5-5.4.0/ext/reflection/php_reflection.c: No such file or directory.
	in /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c
(gdb) 


 [2012-03-14 23:16 UTC] piotr dot nowak at onet dot eu
-Operating System: Linux (Ubuntu) +Operating System: Linux (Ubuntu) x64
 [2012-03-14 23:16 UTC] piotr dot nowak at onet dot eu
To be sure that the problem doesn't come from the package used, I have compiled the current version of the 5.4 branch from SVN (revision #324259). It was compiled with a completely default configuration (only --prefix=/tmp/php/php-5.4 was used).

GDB traces:

piotr@piotr-Vostro-430:/tmp/php/php-5.4/bin$ gdb ./php
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /tmp/php/php-5.4/bin/php...done.
(gdb) run /tmp/bug.php 
Starting program: /tmp/php/php-5.4/bin/php /tmp/bug.php
Array
(
)
Array
(
)

Program received signal SIGSEGV, Segmentation fault.
0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, args=0x7fffffffb698, 
    hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
3835		if (hash_key->arKey[0] == '\0') {
(gdb) bt
#0  0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, 
    args=0x7fffffffb698, hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
#1  0x00000000006893cc in zend_hash_apply_with_arguments (ht=0x7ffff7fd72c0, 
    apply_func=0x56b310 <_adddynproperty>, num_args=2) at /tmp/php/php-src-5.4/Zend/zend_hash.c:772
#2  0x000000000056a401 in zim_reflection_class_getProperties (ht=<optimized out>, return_value=0x7ffff7fd7eb8, 
    return_value_ptr=<optimized out>, this_ptr=0x7ffff7fd7ee8, return_value_used=<optimized out>)
    at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3876
#3  0x000000000071d1d9 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2060)
    at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:642
#4  0x00000000006d960c in execute (op_array=0x7ffff7fd64a0) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:410
#5  0x000000000067d205 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php/php-src-5.4/Zend/zend.c:1272
#6  0x000000000061de28 in php_execute_script (primary_file=0x7fffffffde60)
    at /tmp/php/php-src-5.4/main/main.c:2473
#7  0x000000000071f6e7 in do_cli (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:983
#8  0x0000000000425590 in main (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:1356
(gdb) frame 0
#0  0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, 
    args=0x7fffffffb698, hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
3835		if (hash_key->arKey[0] == '\0') {
(gdb) frame 1
#1  0x00000000006893cc in zend_hash_apply_with_arguments (ht=0x7ffff7fd72c0, 
    apply_func=0x56b310 <_adddynproperty>, num_args=2) at /tmp/php/php-src-5.4/Zend/zend_hash.c:772
772			result = apply_func(p->pData TSRMLS_CC, num_args, args, &hash_key);
(gdb) frame 2
#2  0x000000000056a401 in zim_reflection_class_getProperties (ht=<optimized out>, return_value=0x7ffff7fd7eb8, 
    return_value_ptr=<optimized out>, this_ptr=0x7ffff7fd7ee8, return_value_used=<optimized out>)
    at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3876
3876			zend_hash_apply_with_arguments(properties TSRMLS_CC, (apply_func_args_t) _adddynproperty, 2, &ce, return_value);
(gdb) frame 3
#3  0x000000000071d1d9 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2060)
    at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:642
642				fbc->internal_function.handler(opline->extended_value, ret->var.ptr, (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ? &ret->var.ptr : NULL, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
(gdb) frame 4
#4  0x00000000006d960c in execute (op_array=0x7ffff7fd64a0) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:410
410			if ((ret = OPLINE->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) frame 5
#5  0x000000000067d205 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php/php-src-5.4/Zend/zend.c:1272
1272				zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 6
#6  0x000000000061de28 in php_execute_script (primary_file=0x7fffffffde60)
    at /tmp/php/php-src-5.4/main/main.c:2473
2473			retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 7
#7  0x000000000071f6e7 in do_cli (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:983
983					php_execute_script(&file_handle TSRMLS_CC);
(gdb) frame 8
#8  0x0000000000425590 in main (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:1356
1356				exit_status = do_cli(argc, argv TSRMLS_CC);
(gdb)
 [2012-03-18 17:32 UTC] cataphract@php.net
-Assigned To: +Assigned To: cataphract
 [2012-03-18 18:23 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-18 18:23 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2012-03-18 18:23 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=324337
Log: - Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads
  when get_properties returns a hash table with (inaccessible) dynamic
  numeric properties).
 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=773bedb13d7c821ca13c8e5254113c457062d0a0
Log: - Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
 [2012-07-24 23:36 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=773bedb13d7c821ca13c8e5254113c457062d0a0
Log: - Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=773bedb13d7c821ca13c8e5254113c457062d0a0
Log: - Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).
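
Added example (not php-src code and not part of the report): a simplified C model of the read the trace shows at php_reflection.c:3835, next to one way to guard it. The struct, enum and function names are hypothetical, and representing an integer key as a NULL arKey with nKeyLength 0 is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the key handed to a hash "apply" callback.
 * Assumption: an integer-keyed entry has no string key (arKey NULL, nKeyLength 0). */
typedef struct {
    const char   *arKey;      /* string key bytes, NULL for an integer key */
    unsigned int  nKeyLength; /* 0 for an integer key */
    unsigned long h;          /* integer key value */
} model_hash_key;

enum { SKIP_NUMERIC, SKIP_NON_PUBLIC, ADD_PUBLIC };

/* Pattern seen at line 3835 of the trace: arKey[0] is read unconditionally,
 * so an integer key means a NULL dereference. Kept for comparison, not used by main. */
int classify_unchecked(const model_hash_key *k) {
    return (k->arKey[0] == '\0') ? SKIP_NON_PUBLIC : ADD_PUBLIC;
}

/* Hardened form: establish that a string key exists before reading it. */
int classify_checked(const model_hash_key *k) {
    if (k->nKeyLength == 0 || k->arKey == NULL) return SKIP_NUMERIC;
    if (k->arKey[0] == '\0') return SKIP_NON_PUBLIC; /* leading NUL: mangled name */
    return ADD_PUBLIC;
}

/* Constructed sample: key 0 (as from $x[] = ...), "test", and a NUL-prefixed name. */
const model_hash_key SAMPLE_KEYS[] = {
    { NULL,       0,                  0 },
    { "test",     sizeof("test"),     0 },
    { "\0Cls\0p", sizeof("\0Cls\0p"), 0 },
};
const size_t SAMPLE_COUNT = sizeof(SAMPLE_KEYS) / sizeof(SAMPLE_KEYS[0]);

/* Count the entries that would be reported as public dynamic properties. */
int count_public(const model_hash_key *keys, size_t n) {
    int added = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_checked(&keys[i]) == ADD_PUBLIC) added++;
    return added;
}

int main(void) {
    printf("public dynamic properties: %d\n", count_public(SAMPLE_KEYS, SAMPLE_COUNT));
    return 0;
}
```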
Last updated: Mon Apr 21 07:02:06 2014 UTC