Bug #62084 Segfault during inheritance check on method
Submitted: 2012-05-21 02:27 UTC Modified: 2012-05-22 05:51 UTC
From: victor dot kupriyanov at gmail dot com Assigned: sebastian (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4.3 OS: Any
Private report: No CVE-ID: None
 [2012-05-21 02:27 UTC] victor dot kupriyanov at gmail dot com
Description:
------------
When an inherited method has different type hinting information for the method parameters and the E_STRICT error reporting level is set, PHP tries to report the method declaration incompatibility and segfaults on an attempt to dereference a null pointer.

Test script:
---------------
<?php

class A {}

class B {
public function b(A $a) {}
}

class C extends B {
public function b($a) {}
}

$a = new C();

Expected result:
----------------
Valid message explaining that inherited method has a different signature.

Actual result:
--------------
$ php a.php 
Segmentation fault (core dumped)

...

(gdb) bt
#0  zend_get_function_declaration (fptr=0x0)
    at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3046
#1  0x00000000005a2479 in do_inheritance_check_on_method (child=
    0x7ffff7fc3558, parent=0x7ffff7fc3f18)
    at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3267
#2  0x00000000005a2665 in do_inherit_method_check (
    child_function_table=<value optimized out>, parent=<value optimized out>, 
    hash_key=<value optimized out>, child_ce=0x7ffff7fc3310)
    at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3288
#3  0x00000000005d3cf1 in zend_hash_replace_checker_wrapper (target=
    0x7ffff7fc3338, source=<value optimized out>, pCopyConstructor=
    0x5a7bc0 <do_inherit_method>, size=240, pMergeSource=
    0x5a2620 <do_inherit_method_check>, pParam=0x7ffff7fc3310)
    at /usr/src/debug/php-5.4.3/Zend/zend_hash.c:878
#4  zend_hash_merge_ex (target=0x7ffff7fc3338, source=<value optimized out>, 
    pCopyConstructor=0x5a7bc0 <do_inherit_method>, size=240, pMergeSource=
    0x5a2620 <do_inherit_method_check>, pParam=0x7ffff7fc3310)
    at /usr/src/debug/php-5.4.3/Zend/zend_hash.c:892
#5  0x00000000005a850b in zend_do_inheritance (ce=0x7ffff7fc3310, parent_ce=
    0x7ffff7fc2ff8) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3519
#6  0x00000000005a962c in do_bind_inherited_class (
    op_array=<value optimized out>, opline=<value optimized out>, class_table=
    0xdf4c30, parent_ce=0x7ffff7fc2ff8, compile_time=1 '\001')
    at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:4569
#7  0x00000000005a985a in zend_do_early_binding ()
    at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:4626
#8  0x000000000058c1ca in zendparse ()
    at /usr/src/debug/php-5.4.3/Zend/zend_language_parser.c:3547
#9  0x000000000058fa0d in compile_file (file_handle=0x7fffffffdec0, 
    type=<value optimized out>) at Zend/zend_language_scanner.l:579
#10 0x00007fffeb6d4042 in phar_compile_file (file_handle=0x7fffffffdec0, type=
    8) at /usr/src/debug/php-5.4.3/ext/phar/phar.c:3391
#11 0x00007ffff1d8101d in xdebug_compile_file (
    file_handle=<value optimized out>, type=<value optimized out>)
    at /usr/src/debug/php-pecl-xdebug-2.2.0/xdebug-2.2.0/xdebug.c:1537
#12 0x00000000005c70ca in zend_execute_scripts (type=8, retval=0x0, file_count=
    3) at /usr/src/debug/php-5.4.3/Zend/zend.c:1264
#13 0x0000000000566cc3 in php_execute_script (primary_file=0x7fffffffdec0)
    at /usr/src/debug/php-5.4.3/main/main.c:2473
#14 0x0000000000672395 in do_cli (argc=2, argv=0x7fffffffe1f8)
    at /usr/src/debug/php-5.4.3/sapi/cli/php_cli.c:983
#15 0x0000000000672cbc in main (argc=2, argv=0x7fffffffe1f8)
    at /usr/src/debug/php-5.4.3/sapi/cli/php_cli.c:1356
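A simplified C model of the crash in the backtrace above, added here as an illustration and not taken from the PHP source. The `method` struct, `get_function_declaration` as modelled here, `implementation_check`, the two `check_on_method_*` functions and the three constructed methods (`parent_b`, `child_c`, `child_ok`) are assumptions that only approximate the Zend functions named in the trace. The buggy path formats `child->prototype`, which is NULL whenever the parent method is concrete (as `B::b` is), and it is reached only when E_STRICT reporting is on; the hardened path falls back to the parent method, which is always present. That fallback is the obvious defence for this model, not a claim about the exact upstream patch.

```c
/* Added example, not PHP's own code: a toy model of the E_STRICT
 * inheritance check that dereferenced a NULL prototype in bug #62084.
 * All names and the two-line "class hierarchy" are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 4

typedef struct method {
    const char *class_name;              /* declaring class, e.g. "B" */
    const char *name;                    /* method name, e.g. "b" */
    int num_params;
    const char *type_hints[MAX_PARAMS];  /* NULL = untyped parameter */
    const char *param_names[MAX_PARAMS];
    const struct method *prototype;      /* abstract/interface prototype; NULL for a concrete parent */
} method;

/* Constructed inputs mirroring the test script: B::b(A $a), C::b($a), and a compatible C::b(A $a). */
static const method parent_b = { "B", "b", 1, { "A" },  { "a" }, NULL };
static const method child_c  = { "C", "b", 1, { NULL }, { "a" }, NULL };
static const method child_ok = { "C", "b", 1, { "A" },  { "a" }, NULL };

/* Render "B::b(A $a)" into buf.  Dereferences fptr unconditionally, which is
 * the shape of the zend_get_function_declaration(fptr=0x0) frame above. */
static const char *get_function_declaration(const method *fptr, char *buf, size_t len)
{
    size_t off = (size_t)snprintf(buf, len, "%s::%s(", fptr->class_name, fptr->name);
    for (int i = 0; i < fptr->num_params && off < len; i++) {
        off += (size_t)snprintf(buf + off, len - off, "%s%s%s$%s",
                                i ? ", " : "",
                                fptr->type_hints[i] ? fptr->type_hints[i] : "",
                                fptr->type_hints[i] ? " " : "",
                                fptr->param_names[i]);
    }
    if (off < len) snprintf(buf + off, len - off, ")");
    return buf;
}

/* Compatible when arity matches and every typed parent parameter keeps its hint. */
static int implementation_check(const method *child, const method *parent)
{
    if (child->num_params != parent->num_params) return 0;
    for (int i = 0; i < parent->num_params; i++) {
        if (parent->type_hints[i] &&
            (!child->type_hints[i] || strcmp(parent->type_hints[i], child->type_hints[i]) != 0))
            return 0;
    }
    return 1;
}

/* Buggy path: formats the prototype, which is NULL for a concrete parent,
 * so a NULL pointer reaches get_function_declaration().  Never call this
 * with child->prototype == NULL. */
static int check_on_method_buggy(const method *child, const method *parent, char *msg, size_t len)
{
    if (implementation_check(child, parent)) return 0;
    char decl[128];
    snprintf(msg, len, "Declaration of %s::%s() should be compatible with %s",
             child->class_name, child->name,
             get_function_declaration(child->prototype, decl, sizeof decl)); /* NULL deref */
    return 1;
}

/* Hardened path: prefer the prototype when one exists, otherwise format the
 * parent, which is always a valid pointer at this point. */
static int check_on_method_fixed(const method *child, const method *parent, char *msg, size_t len)
{
    if (implementation_check(child, parent)) return 0;
    const method *decl_src = child->prototype ? child->prototype : parent;
    char decl[128];
    snprintf(msg, len, "Declaration of %s::%s() should be compatible with %s",
             child->class_name, child->name,
             get_function_declaration(decl_src, decl, sizeof decl));
    return 1;
}

/* Convenience wrapper: the strict-standards message, or NULL when compatible. */
static const char *strict_message(const method *child, const method *parent)
{
    static char msg[256];
    return check_on_method_fixed(child, parent, msg, sizeof msg) ? msg : NULL;
}

int main(void)
{
    const char *m = strict_message(&child_c, &parent_b);
    printf("%s\n", m ? m : "(compatible)");
    char scratch[256];
    /* The buggy checker is only safe when a prototype exists; here it never is. */
    if (child_c.prototype) check_on_method_buggy(&child_c, &parent_b, scratch, sizeof scratch);
    return 0;
}
```

The practical lesson for anyone maintaining a checker like this is that the faulting code lives on a diagnostic path that only runs under a non-default configuration (E_STRICT), so a regression suite has to exercise the inheritance checks under each error_reporting level, not just the default one.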

History
 [2012-05-21 02:39 UTC] felipe@php.net
I can't reproduce it. Try disabling xdebug and testing again.
 [2012-05-21 02:39 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2012-05-21 02:39 UTC] felipe@php.net
-Package: *Compile Issues +Package: Scripting Engine problem
 [2012-05-21 02:54 UTC] victor dot kupriyanov at gmail dot com
Ok, I disabled xdebug:

$ php -m
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
enchant
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imagick
imap
intl
json
ldap
libxml
mbstring
mcrypt
mhash
mssql
mysql
mysqli
odbc
openssl
pcntl
pcre
PDO
pdo_dblib
pdo_mysql
PDO_ODBC
pdo_pgsql
pdo_sqlite
pgsql
Phar
posix
pspell
readline
recode
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
SPL
sqlite3
ssh2
standard
sysvmsg
sysvsem
sysvshm
tidy
tokenizer
wddx
xml
xmlreader
xmlrpc
xmlwriter
xsl
zip
zlib

[Zend Modules]

Still got the same stacktrace:


$ gdb php
GNU gdb (GDB) Fedora (7.2-52.fc14)
...

(gdb) set args a.php
(gdb) r
Starting program: /usr/bin/php a.php
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffe89f9700 (LWP 6709)]
[Thread 0x7fffe89f9700 (LWP 6709) exited]

Program received signal SIGSEGV, Segmentation fault.
zend_get_function_declaration (fptr=0x0) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3046
3046		if (fptr->op_array.fn_flags & ZEND_ACC_RETURN_REFERENCE) {
(gdb) bt
#0  zend_get_function_declaration (fptr=0x0) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3046
#1  0x00000000005a2479 in do_inheritance_check_on_method (child=0x7ffff7fc05e0, parent=0x7ffff7fc1000) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3267
#2  0x00000000005a2665 in do_inherit_method_check (child_function_table=<value optimized out>, parent=<value optimized out>, hash_key=<value optimized out>, child_ce=0x7ffff7fc0398) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3288
#3  0x00000000005d3cf1 in zend_hash_replace_checker_wrapper (target=0x7ffff7fc03c0, source=<value optimized out>, pCopyConstructor=0x5a7bc0 <do_inherit_method>, size=240, pMergeSource=0x5a2620 <do_inherit_method_check>, pParam=0x7ffff7fc0398) at /usr/src/debug/php-5.4.3/Zend/zend_hash.c:878
#4  zend_hash_merge_ex (target=0x7ffff7fc03c0, source=<value optimized out>, pCopyConstructor=0x5a7bc0 <do_inherit_method>, size=240, pMergeSource=0x5a2620 <do_inherit_method_check>, pParam=0x7ffff7fc0398) at /usr/src/debug/php-5.4.3/Zend/zend_hash.c:892
#5  0x00000000005a850b in zend_do_inheritance (ce=0x7ffff7fc0398, parent_ce=0x7ffff7fc00e0) at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:3519
#6  0x00000000005a962c in do_bind_inherited_class (op_array=<value optimized out>, opline=<value optimized out>, class_table=0xdf4c30, parent_ce=0x7ffff7fc00e0, compile_time=1 '\001') at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:4569
#7  0x00000000005a985a in zend_do_early_binding () at /usr/src/debug/php-5.4.3/Zend/zend_compile.c:4626
#8  0x000000000058c1ca in zendparse () at /usr/src/debug/php-5.4.3/Zend/zend_language_parser.c:3547
#9  0x000000000058fa0d in compile_file (file_handle=0x7fffffffdec0, type=<value optimized out>) at Zend/zend_language_scanner.l:579
#10 0x00007fffeb906042 in phar_compile_file (file_handle=0x7fffffffdec0, type=8) at /usr/src/debug/php-5.4.3/ext/phar/phar.c:3391
#11 0x00000000005c70ca in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.3/Zend/zend.c:1264
#12 0x0000000000566cc3 in php_execute_script (primary_file=0x7fffffffdec0) at /usr/src/debug/php-5.4.3/main/main.c:2473
#13 0x0000000000672395 in do_cli (argc=2, argv=0x7fffffffe1f8) at /usr/src/debug/php-5.4.3/sapi/cli/php_cli.c:983
#14 0x0000000000672cbc in main (argc=2, argv=0x7fffffffe1f8) at /usr/src/debug/php-5.4.3/sapi/cli/php_cli.c:1356

I also checked on a Windows build and on another Linux distribution, with the same effect.
 [2012-05-21 02:54 UTC] victor dot kupriyanov at gmail dot com
-Status: Feedback +Status: Open
 [2012-05-21 03:07 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2012-05-21 03:07 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-05-21 03:28 UTC] victor dot kupriyanov at gmail dot com
I cannot reproduce the bug on a custom build from the specified snapshot:


$ /tmp/php5.4/bin/php a.php
PHP Strict Standards:  Declaration of C::b() should be compatible with B::b(A $a) in /tmp/a.php on line 13

Strict Standards: Declaration of C::b() should be compatible with B::b(A $a) in /tmp/a.php on line 13
PHP Catchable fatal error:  Argument 1 passed to B::b() must be an instance of A, none given, called in /tmp/a.php on line 16 and defined in /tmp/a.php on line 8

Catchable fatal error: Argument 1 passed to B::b() must be an instance of A, none given, called in /tmp/a.php on line 16 and defined in /tmp/a.php on line 8

$ /tmp/php5.4/bin/php -m
[PHP Modules]
apc
Core
ctype
date
dom
ereg
fileinfo
filter
hash
iconv
json
libxml
pcre
PDO
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter

[Zend Modules]

So you may assume it is fixed or invalid.
 [2012-05-21 03:28 UTC] victor dot kupriyanov at gmail dot com
-Status: Feedback +Status: Open
 [2012-05-21 08:14 UTC] arjen at react dot com
5.2.0 - 5.2.17 and 5.3.0 - 5.3.13 return the correct error.
5.4.0 - 5.4.3 generate a segfault.

See http://3v4l.org/fMMr3
 [2012-05-21 11:10 UTC] laruence@php.net
The bug seems like #61761; it has already been fixed in trunk, but it seems the RM didn't pick it into 5.4.3 before it was released.

thanks
 [2012-05-22 05:51 UTC] sebastian@php.net
The issue is fixed in the PHP-5.4 branch now:

➜  ~  php -v
PHP 5.4.5-dev (cli) (built: May 22 2012 07:49:01) (DEBUG)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.3.0dev, Copyright (c) 2002-2012, by Derick Rethans

➜  ~  cat /tmp/test.php 
<?php

class A {}

class B {
public function b(A $a) {}
}

class C extends B {
public function b($a) {}
}

$a = new C();

➜  ~  php /tmp/test.php 

Strict standards: Declaration of C::b() should be compatible with B::b(A $a) in /tmp/test.php on line 11


Catchable fatal error: Argument 1 passed to B::b() must be an instance of A, none given, called in /tmp/test.php on line 13 and defined in /tmp/test.php on line 6

Call Stack:
    0.0003     297728   1. {main}() /tmp/test.php:0
    0.0004     298672   2. B->b() /tmp/test.php:13
 [2012-05-22 05:51 UTC] sebastian@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: sebastian
 [2012-05-22 05:51 UTC] sebastian@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.