Bug #69579 Invalid free in extension trait
Submitted: 2015-05-06 02:20 UTC Modified: 2015-07-10 14:33 UTC
From: jbboehr at gmail dot com Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: master-Git-2015-05-06 (Git) OS: Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-05-06 02:20 UTC] jbboehr at gmail dot com
Description:
------------
Tangentially related to https://bugs.php.net/bug.php?id=69566

I've been working on a PHP extension that includes a trait: https://github.com/jbboehr/php-psr/tree/php7

On git master, I get a SIGABRT.

I'm not sure why normal traits don't get the invalid free; maybe they're all allocated by arena.

In zend_add_trait_method, the internal function struct is not the same size as a user function, so valgrind outputs an invalid read warning.

As an aside, assuming allowing traits in an extension is something that should be supported, it might be ideal to have at least one internal trait somewhere to catch this sort of issue, but that's outside the scope of this bug report.

Test script:
---------------
Unfortunately, it's in an extension, so to reproduce compile https://github.com/jbboehr/php-psr/tree/php7 and run
TEST_PHP_ARGS=-m make test

Actual result:
--------------
Valgrind output:

==15151== Invalid read of size 8
==15151==    at 0x8FA68D: zend_traits_copy_functions (zend_inheritance.c:1184)
==15151==    by 0x8FB15F: zend_do_traits_method_binding (zend_inheritance.c:1387)
==15151==    by 0x8FBA08: zend_do_bind_traits (zend_inheritance.c:1588)
==15151==    by 0x907AD1: ZEND_BIND_TRAITS_SPEC_HANDLER (zend_vm_execute.h:1451)
==15151==    by 0x903F0F: execute_ex (zend_vm_execute.h:394)
==15151==    by 0x9040D3: zend_execute (zend_vm_execute.h:434)
==15151==    by 0x8A73B4: zend_execute_scripts (zend.c:1389)
==15151==    by 0x7F79CA: php_execute_script (main.c:2468)
==15151==    by 0x972711: do_cli (php_cli.c:967)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd919a70 is 0 bytes after a block of size 64 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x8B1B93: zend_register_functions (zend_API.c:2272)
==15151==    by 0x8B31C1: do_register_internal_class (zend_API.c:2687)
==15151==    by 0x8B33AD: zend_register_internal_class (zend_API.c:2735)
==15151==    by 0xE247F2E: php_psr_register_LoggerTrait (psr.c:308)
==15151==    by 0xE24823C: zm_startup_psr (psr.c:360)
==15151==    by 0x8B0362: zend_startup_module_ex (zend_API.c:1878)
==15151==    by 0x8B03E0: zend_startup_module_zval (zend_API.c:1893)
==15151==    by 0x8BE50F: zend_hash_apply (zend_hash.c:1437)
==15151==    by 0x8B09F7: zend_startup_modules (zend_API.c:2004)
==15151==    by 0x7F6ECD: php_module_startup (main.c:2190)
==15151==    by 0x97136A: php_cli_startup (php_cli.c:419)
==15151== 
==15151== Invalid free() / delete / delete[] / realloc()
==15151==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x892466: zend_function_dtor (zend_opcode.c:128)
==15151==    by 0x8BDA20: zend_hash_destroy (zend_hash.c:1182)
==15151==    by 0x892DD5: destroy_zend_class (zend_opcode.c:285)
==15151==    by 0x8BD103: _zend_hash_del_el_ex (zend_hash.c:938)
==15151==    by 0x8BD1E3: _zend_hash_del_el (zend_hash.c:962)
==15151==    by 0x8BE978: zend_hash_reverse_apply (zend_hash.c:1532)
==15151==    by 0x88BFFF: shutdown_executor (zend_execute_API.c:351)
==15151==    by 0x8A5C7A: zend_deactivate (zend.c:964)
==15151==    by 0x7F60C1: php_request_shutdown (main.c:1806)
==15151==    by 0x973110: do_cli (php_cli.c:1135)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151==  Address 0xd9bb498 is 4,568 bytes inside a block of size 65,536 alloc'd
==15151==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15151==    by 0x86E752: _emalloc (zend_alloc.c:2195)
==15151==    by 0x870240: zend_arena_create (zend_arena.h:36)
==15151==    by 0x8714A1: init_compiler (zend_compile.c:324)
==15151==    by 0x8A5ACD: zend_activate (zend.c:940)
==15151==    by 0x7F4F3D: php_request_startup (main.c:1564)
==15151==    by 0x972542: do_cli (php_cli.c:938)
==15151==    by 0x973A30: main (php_cli.c:1334)
==15151== 
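The two valgrind reports above point at two distinct ownership mistakes: copying a trait method with the size of the larger (user) variant out of a block that was malloc'd for the smaller (internal) variant, and later running a destructor that calls free() on a copy that lives in the per-request arena. The following C program is an added illustration of the defensive pattern, not php-src code: the type names (`internal_fn`, `user_fn`, `fn`, `arena`) and helpers are hypothetical stand-ins for the Zend structures, and the sample function `double_it` is constructed for the demo. It copies only the bytes of the active variant and makes the destructor check arena ownership before freeing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical two-variant function record, modelled loosely on the
 * internal-function / user-function split described in the report.
 * The variants differ in size, which is the whole point. */
typedef enum { FN_INTERNAL = 1, FN_USER = 2 } fn_type;

typedef struct {
    fn_type type;
    const char *name;
    int (*handler)(int);
} internal_fn;                    /* small: registered by an extension */

typedef struct {
    fn_type type;
    const char *name;
    unsigned char opcodes[128];   /* large: carries compiled opcodes */
    size_t opcode_count;
} user_fn;

typedef union {
    fn_type type;                 /* first member of both variants */
    internal_fn internal;
    user_fn user;
} fn;

/* Bump-pointer arena: released as a whole, never via free(). */
typedef struct { unsigned char buf[4096]; size_t used; } arena;

static void *arena_alloc(arena *a, size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (a->used + n > sizeof a->buf) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Ownership check used by the destructor. */
int arena_owns(const arena *a, const void *p) {
    const unsigned char *q = p;
    return q >= a->buf && q < a->buf + sizeof a->buf;
}

/* Size of the variant actually stored. Copying sizeof(user_fn) bytes out
 * of a malloc(sizeof(internal_fn)) block is the over-read valgrind flags. */
size_t fn_active_size_for(fn_type t) {
    return t == FN_INTERNAL ? sizeof(internal_fn) : sizeof(user_fn);
}
size_t fn_active_size(const fn *f) { return fn_active_size_for(f->type); }

/* Registration path: heap block sized for the small variant only. */
fn *fn_register_internal(const char *name, int (*handler)(int)) {
    internal_fn *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->type = FN_INTERNAL; f->name = name; f->handler = handler;
    return (fn *)f;
}

/* Trait binding: copy the method into the using class's arena. */
fn *fn_copy_to_arena(arena *a, const fn *src) {
    size_t n = fn_active_size(src);
    fn *dst = arena_alloc(a, n);
    if (!dst) return NULL;
    memcpy(dst, src, n);
    return dst;
}

/* Destructor: free() only what the heap owns. Returns 1 if freed. */
int fn_dtor(arena *a, fn *f) {
    if (arena_owns(a, f)) return 0;   /* arena copy: nothing to free */
    free(f);
    return 1;
}

static int double_it(int x) { return 2 * x; }   /* constructed sample */

/* Full scenario: register, copy into arena, call, destroy both. */
int demo(void) {
    arena a = {{0}, 0};
    fn *orig = fn_register_internal("log", double_it);
    if (!orig) return -1;
    fn *copy = fn_copy_to_arena(&a, orig);
    if (!copy) { free(orig); return -1; }
    int result = copy->internal.handler(21);
    int freed_copy = fn_dtor(&a, copy);
    int freed_orig = fn_dtor(&a, orig);
    if (freed_copy != 0 || freed_orig != 1) return -2;
    return result;
}

int main(void) {
    printf("demo() = %d\n", demo());
    return demo() == 42 ? 0 : 1;
}
```

Running the program under valgrind is the useful check: because the copy size follows the variant tag and the destructor consults ownership, memcheck reports neither an invalid read nor an invalid free, which is the condition the report's test suite (`TEST_PHP_ARGS=-m make test`) was exercising.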


Patches

extension_trait_issue_2.patch (last revision 2015-05-06 02:20 UTC by jbboehr at gmail dot com)


History

 [2015-07-07 17:30 UTC] jbboehr at gmail dot com
I found a hacky workaround, so the previous commit can reproduce:
https://github.com/jbboehr/php-psr/commit/a21297aabb936b7b0c22b4cc216affbc99f3be33
 [2015-07-10 14:33 UTC] laruence@php.net
The invalid read part is fixed in: https://github.com/php/php-src/commit/8e709d7f5d30d35397a31eb4ba3e836772c6eb0d

thanks
 [2016-09-22 03:29 UTC] jbboehr at gmail dot com
I sent a new PR2139 that includes the change from PR1262, plus a test case and an internal test trait.

> If you are fixing a bug, then please submit your PR against the lowest branch of PHP that the bug affects

https://github.com/php/php-src/pull/2139/commits/0f5e99876a42aff4da5adba78be82d4ffd71c517 works in 7.0, but https://github.com/php/php-src/pull/2139/commits/fe9b40cb632e1428a12b6c4d53968021934019f6 needs https://github.com/php/php-src/commit/2ee73ee094ab33b917e350b7171a543bd2b24947

I set up a Travis build to demonstrate what happens without the code:
https://travis-ci.org/jbboehr/php-psr/jobs/161807370#L956
https://travis-ci.org/jbboehr/php-psr/jobs/161807373#L954
 [2016-09-22 10:36 UTC] nikic@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579
 [2016-09-22 10:36 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2016-09-22 10:39 UTC] nikic@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=68e602ff0a31f1c90ba3ad8717ae3a86d10854c7
Log: Fix bug #69579
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of jbboehr@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e313becf4190a8cdc4ef52a1efdbce475f51ae0
Log: Fix bug #69579
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 09:01:28 2024 UTC