Bug #65382 Segfault in closure_030.phpt
Submitted: 2013-08-03 12:45 UTC Modified: 2013-08-12 06:54 UTC
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.5.2RC1 OS:
Private report: No CVE-ID: None
 [2013-08-03 12:45 UTC] nikic@php.net
Description:
------------
closure_030.phpt segfaults on Travis.

Short repro script:

<?php

$b = function() { };
$a = 'b';
$$a();
$b->__invoke();

Valgrind output:

~/dev/php-dev$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t22.php 
==2074== Memcheck, a memory error detector
==2074== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==2074== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==2074== Command: sapi/cli/php t22.php
==2074== 
==2074== Invalid read of size 1
==2074==    at 0x8260376: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f4 is 12 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
==2074== Invalid read of size 4
==2074==    at 0x825F4F3: zval_refcount_p (zend.h:397)
==2074==    by 0x826038A: zval_call_destructor (zend_execute_API.c:203)
==2074==    by 0x8286B2D: zend_hash_reverse_apply (zend_hash.c:775)
==2074==    by 0x8260452: shutdown_destructors (zend_execute_API.c:217)
==2074==    by 0x8274BC3: zend_call_destructors (zend.c:923)
==2074==    by 0x81D6742: php_request_shutdown (main.c:1745)
==2074==    by 0x831EDD9: do_cli (php_cli.c:1177)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074==  Address 0x44828f0 is 8 bytes inside a block of size 20 free'd
==2074==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2074==    by 0x823C602: _efree (zend_alloc.c:2437)
==2074==    by 0x82AB651: i_zval_ptr_dtor (zend_execute.h:82)
==2074==    by 0x82B1AC3: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:630)
==2074==    by 0x82B1CD3: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:682)
==2074==    by 0x82B097E: execute_ex (zend_vm_execute.h:356)
==2074==    by 0x82B0A33: zend_execute (zend_vm_execute.h:381)
==2074==    by 0x827636C: zend_execute_scripts (zend.c:1316)
==2074==    by 0x81D85C6: php_execute_script (main.c:2484)
==2074==    by 0x831E192: do_cli (php_cli.c:994)
==2074==    by 0x831F6EC: main (php_cli.c:1378)
==2074== 
... and so on
 [2013-08-11 08:18 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2013-08-11 08:18 UTC] stas@php.net
Looks like refcount for $b is decremented twice in the last call - once in zend_leave_helper_SPEC and once when finishing zend_do_fcall_common_helper_SPEC, which causes $b to be destroyed. This code was added by Dmitry, so assigning this bug to him.
 [2013-08-11 08:32 UTC] stas@php.net
Looks like a consequence of 821d7169d9d575ceef71e69570b98519826ccb01 - prototype is being used as temp storage, but it is actually never reset. If I add:

op_array->prototype = NULL;

to zend_leave_helper_SPEC, it looks like it fixes the crash, but I'm not sure if it is the right thing to do (e.g. - what happens if such calls are nested?)
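The following C program is an added illustration of the failure mode stas describes above; it is not code from php-src and does not reproduce Dmitry's actual fix (the content of commit 52dac3e8 is not shown on this page). It models a refcounted value, a per-frame temp slot standing in for op_array->prototype, the two calls from the repro script, and the shutdown destructor, and it shows why a stale temp slot turns one release into two. All names (model_zval, model_frame, run_repro, and so on) are hypothetical; the split of which helper performs which decrement follows stas's comment, not a reading of the engine source. The value is never free()'d, only flagged, so the second touch is detected instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for a refcounted zval. The object is never free()'d: when the count hits
 * zero it is only flagged, so a later touch can be reported instead of being UB. */
typedef struct {
    int refcount;
    int destroyed;
} model_zval;

/* Per-call state. `temp` models op_array->prototype being borrowed as temporary
 * storage for the called closure (stas's description); `reset_temp_on_leave`
 * toggles his proposed fix. Hypothetical names, not the engine's. */
typedef struct {
    model_zval *temp;
    int reset_temp_on_leave;
} model_frame;

static void model_addref(model_zval *z) { z->refcount++; }

/* Returns 1 when this release destroys the value, 0 when references remain,
 * and -1 when the value was already destroyed (a use-after-free in the real engine). */
static int model_ptr_dtor(model_zval *z) {
    if (z->destroyed) return -1;
    if (--z->refcount == 0) { z->destroyed = 1; return 1; }
    return 0;
}

/* Models zend_leave_helper: releases whatever the frame's temp slot still points at.
 * Without the reset, the slot keeps pointing at the closure after the call returns. */
static void model_leave(model_frame *f) {
    if (f->temp != NULL) {
        model_ptr_dtor(f->temp);
        if (f->reset_temp_on_leave) f->temp = NULL;   /* op_array->prototype = NULL; */
    }
}

/* Models the variable-variable call `$$a()`: the closure is fetched as a VAR operand
 * and parked in the temp slot, which owns the call's reference. */
static void model_call_by_name(model_frame *f, model_zval *closure) {
    model_addref(closure);
    f->temp = closure;
    model_leave(f);                 /* releases the reference held in temp */
}

/* Models `$b->__invoke()`: this path takes its own reference and releases it in
 * zend_do_fcall_common_helper after the leave helper has already run. */
static void model_call_invoke(model_frame *f, model_zval *closure) {
    model_addref(closure);
    model_leave(f);                 /* with a stale temp this is the extra decrement */
    model_ptr_dtor(closure);        /* the call's own release */
}

/* Runs the repro script's two calls and then the shutdown destructor for $b.
 * Returns what shutdown sees: 1 = $b destroyed exactly once, -1 = touched after free. */
int run_repro(int apply_fix) {
    model_zval b = { 1, 0 };        /* $b = function() {}; one reference from the CV */
    model_frame frame = { NULL, apply_fix };
    model_call_by_name(&frame, &b); /* $$a(); */
    model_call_invoke(&frame, &b);  /* $b->__invoke(); */
    return model_ptr_dtor(&b);      /* shutdown_destructors releasing $b */
}

int main(void) {
    printf("stale temp slot:  %d (expect -1, use after free at shutdown)\n", run_repro(0));
    printf("temp slot reset:  %d (expect 1, destroyed exactly once)\n", run_repro(1));
    return 0;
}
```

Tracing the counts makes the report's Valgrind output legible: $b starts at 1, the first call takes and releases one reference, the second call takes one reference but releases two when the temp slot is stale, so the closure is destroyed inside zend_do_fcall_common_helper while the CV still holds it, and shutdown_destructors then reads the freed block. Resetting the slot on leave restores one release per acquire. stas's nesting question is not answered by this model; a single frame-local slot is enough to show the double release but not to show what nested calls through the same op_array would do.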
 [2013-08-12 06:53 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52dac3e8cda94c8f38287ec3c437d9450b31b527
Log: Fixed bug #65382 (Segfault in closure_030.phpt)
 [2013-08-12 06:53 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-08-12 06:54 UTC] dmitry@php.net
-Status: Closed +Status: Assigned
 [2013-08-12 06:54 UTC] dmitry@php.net
I saw the problem only in master and it was related to "Improved IS_VAR operands fetching".
 [2013-08-12 06:54 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-08-12 06:54 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52dac3e8cda94c8f38287ec3c437d9450b31b527
Log: Fixed bug #65382 (Segfault in closure_030.phpt)