Bug #69579 Invalid free in extension trait
Submitted: 2015-05-06 02:20 UTC Modified: 2015-07-10 14:33 UTC
From: jbboehr at gmail dot com Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: master-Git-2015-05-06 (Git) OS: Ubuntu 14.04
Private report: No CVE-ID:
 [2015-05-06 02:20 UTC] jbboehr at gmail dot com
Description:
------------
Tangentially related to https://bugs.php.net/bug.php?id=69566

I've been working on a PHP extension that includes a trait: https://github.com/jbboehr/php-psr/tree/php7

On git master, I get a SIGABRT.

I'm not sure why normal traits don't get the invalid free; maybe they're all allocated by arena.

In zend_add_trait_method, the internal function struct is not the same size as a user function, so valgrind outputs an invalid read warning.

As an aside, assuming allowing traits in an extension is something that should be supported, it might be ideal to have at least one internal trait somewhere to catch these sorts of issues, but that's outside the scope of this bug report.

Test script:
---------------
Unfortunately, it's in an extension, so to reproduce compile https://github.com/jbboehr/php-psr/tree/php7 and run
TEST_PHP_ARGS=-m make test

Actual result:
--------------
Valgrind output:

==15151== Invalid read of size 8
==15151==    at 0x8FA68D: zend_traits_copy_functions (zend_inheritance.c:1184)
==15151==    by 0x8FB15F: zend_do_traits_method_binding (zend_inheritance.c:1387)
==15151==    by 0x8FBA08: zend_do_bind_traits (zend_inheritance.c:1588)
==15151==    by 0x907AD1: ZEND_BIND_TRAITS_SPEC_HANDLER (zend_vm_execute.h:1451)
==15151==    by 0x903F0F: execute_ex (zend_vm_execute.h:394)
==15151==    by 0x9040D3: zend_execute (zend_vm_execute.h:434)
==15151==    by 0x8A73B4: zend_execute_scripts (zend.c:1389)
==15151==    by 0x7F79CA: php_execute_script (main.c:2468)
==15151==    by 0x972711: do_cli (php_cli.c:967)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd919a70 is 0 bytes after a block of size 64 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x8B1B93: zend_register_functions (zend_API.c:2272)
==15151==    by 0x8B31C1: do_register_internal_class (zend_API.c:2687)
==15151==    by 0x8B33AD: zend_register_internal_class (zend_API.c:2735)
==15151==    by 0xE247F2E: php_psr_register_LoggerTrait (psr.c:308)
==15151==    by 0xE24823C: zm_startup_psr (psr.c:360)
==15151==    by 0x8B0362: zend_startup_module_ex (zend_API.c:1878)
==15151==    by 0x8B03E0: zend_startup_module_zval (zend_API.c:1893)
==15151==    by 0x8BE50F: zend_hash_apply (zend_hash.c:1437)
==15151==    by 0x8B09F7: zend_startup_modules (zend_API.c:2004)
==15151==    by 0x7F6ECD: php_module_startup (main.c:2190)
==15151==    by 0x97136A: php_cli_startup (php_cli.c:419)
==15151== 
==15151== Invalid free() / delete / delete[] / realloc()
==15151==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x892466: zend_function_dtor (zend_opcode.c:128)
==15151==    by 0x8BDA20: zend_hash_destroy (zend_hash.c:1182)
==15151==    by 0x892DD5: destroy_zend_class (zend_opcode.c:285)
==15151==    by 0x8BD103: _zend_hash_del_el_ex (zend_hash.c:938)
==15151==    by 0x8BD1E3: _zend_hash_del_el (zend_hash.c:962)
==15151==    by 0x8BE978: zend_hash_reverse_apply (zend_hash.c:1532)
==15151==    by 0x88BFFF: shutdown_executor (zend_execute_API.c:351)
==15151==    by 0x8A5C7A: zend_deactivate (zend.c:964)
==15151==    by 0x7F60C1: php_request_shutdown (main.c:1806)
==15151==    by 0x973110: do_cli (php_cli.c:1135)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd9bb498 is 4,568 bytes inside a block of size 65,536 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x86E752: _emalloc (zend_alloc.c:2195)
==15151==    by 0x870240: zend_arena_create (zend_arena.h:36)
==15151==    by 0x8714A1: init_compiler (zend_compile.c:324)
==15151==    by 0x8A5ACD: zend_activate (zend.c:940)
==15151==    by 0x7F4F3D: php_request_startup (main.c:1564)
==15151==    by 0x972542: do_cli (php_cli.c:938)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151== 
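
As an added example (constructed here; it is not Zend engine code and not code from the php-psr extension, and every type and function name in it is hypothetical), the pattern behind both valgrind findings above: a tagged union whose small "internal" variant is malloc'd at its own size by the extension, a copy into a per-request arena that must use the variant's real size rather than sizeof the whole union (the invalid read), and a destructor that must consult an owner tag before calling free() on what may be arena memory (the invalid free).

```c
/*
 * Constructed illustration of the bug class in this report: a tagged union of
 * function variants where the internal variant is allocated smaller than the
 * union, so copying or freeing by the wrong size/allocator corrupts memory.
 * Hypothetical types and names; not Zend engine code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum fn_kind  { FN_INTERNAL = 1, FN_USER = 2 };
enum fn_owner { OWNER_MALLOC = 1, OWNER_ARENA = 2 };

/* Common header shared by both variants (stands in for the union's common part). */
struct fn_common { int kind; int owner; const char *name; };

/* Small variant: what an extension registers at module startup. */
struct internal_fn { struct fn_common c; void (*handler)(void); };

/* Large variant: a compiled user function with opcodes and bookkeeping. */
struct user_fn { struct fn_common c; uint8_t *opcodes; size_t num_opcodes; char extra[64]; };

union fn { struct fn_common c; struct internal_fn internal; struct user_fn user; };

/* Bump arena standing in for the per-request compiler arena: never free()d piecewise. */
struct arena { _Alignas(16) unsigned char buf[4096]; size_t used; };

static void *arena_alloc(struct arena *a, size_t n) {
    size_t start = (a->used + 15) & ~(size_t)15;
    if (start + n > sizeof a->buf) return NULL;
    a->used = start + n;
    return a->buf + start;
}

/* Number of bytes that actually belong to this record. The over-read in the
 * report is equivalent to always using sizeof(union fn) here. */
size_t fn_copy_size(const union fn *f) {
    switch (f->c.kind) {
    case FN_INTERNAL: return sizeof(struct internal_fn);
    case FN_USER:     return sizeof(struct user_fn);
    default:          return 0;
    }
}

/* Extension-style registration: exactly the internal variant is malloc'd, and
 * the result is then handed around as a pointer to the (larger) union. */
union fn *register_internal(const char *name, void (*handler)(void)) {
    struct internal_fn *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->c.kind = FN_INTERNAL;
    f->c.owner = OWNER_MALLOC;
    f->c.name = name;
    f->handler = handler;
    return (union fn *)f;
}

/* Trait binding: copy the record into the request arena, reading only the
 * bytes the source variant owns and tagging the copy with its new allocator. */
union fn *fn_copy_into_arena(struct arena *a, const union fn *src) {
    size_t n = fn_copy_size(src);
    if (n == 0) return NULL;                 /* unknown kind: refuse rather than guess a size */
    union fn *dst = arena_alloc(a, sizeof *dst);
    if (!dst) return NULL;
    memset(dst, 0, sizeof *dst);
    memcpy(dst, src, n);
    dst->c.owner = OWNER_ARENA;
    return dst;
}

/* Destructor: release only malloc-owned records. Returns 1 if free() was called.
 * Passing an arena pointer to free() is the "Invalid free()" in the report. */
int fn_dtor(union fn *f) {
    if (f->c.owner == OWNER_MALLOC) { free(f); return 1; }
    return 0;
}

static void demo_handler(void) {}

int main(void) {
    struct arena a = { .used = 0 };
    union fn *internal = register_internal("log", demo_handler);
    union fn *bound = fn_copy_into_arena(&a, internal);
    printf("internal variant: %zu bytes, union: %zu bytes, copied: %zu bytes\n",
           sizeof(struct internal_fn), sizeof(union fn), fn_copy_size(internal));
    printf("bound copy '%s' released by free(): %d\n", bound->c.name, fn_dtor(bound));
    printf("original released by free(): %d\n", fn_dtor(internal));
    return 0;
}
```

Build with `cc -std=c11 -fsanitize=address` (or run under valgrind) and change `fn_copy_size` to return `sizeof(union fn)` unconditionally: the memcpy then reads past the 24-byte malloc'd internal record, the same shape as the first finding. Likewise, dropping the owner check in `fn_dtor` turns the arena copy's teardown into a free() of a pointer inside the arena block, the shape of the second finding.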


Patches

extension_trait_issue_2.patch (last revision 2015-05-06 02:20 UTC) by jbboehr at gmail dot com



History

 [2015-07-07 17:30 UTC] jbboehr at gmail dot com
I found a hacky workaround, so the previous commit can reproduce:
https://github.com/jbboehr/php-psr/commit/a21297aabb936b7b0c22b4cc216affbc99f3be33
 [2015-07-10 14:33 UTC] laruence@php.net
The invalid read part is fixed in: https://github.com/php/php-src/commit/8e709d7f5d30d35397a31eb4ba3e836772c6eb0d

thanks
 [2016-09-22 03:29 UTC] jbboehr at gmail dot com
I sent a new PR2139 that includes the change from PR1262, plus a test case and an internal test trait.

> If you are fixing a bug, then please submit your PR against the lowest branch of PHP that the bug affects

https://github.com/php/php-src/pull/2139/commits/0f5e99876a42aff4da5adba78be82d4ffd71c517 works in 7.0, but https://github.com/php/php-src/pull/2139/commits/fe9b40cb632e1428a12b6c4d53968021934019f6 needs https://github.com/php/php-src/commit/2ee73ee094ab33b917e350b7171a543bd2b24947

I set up a Travis build to demonstrate what happens without the code:
https://travis-ci.org/jbboehr/php-psr/jobs/161807370#L956
https://travis-ci.org/jbboehr/php-psr/jobs/161807373#L954
 [2016-09-22 10:36 UTC] nikic@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579
 [2016-09-22 10:36 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2016-09-22 10:39 UTC] nikic@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Apr 29 07:01:45 2017 UTC