php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70987 static::class within Closure::call() causes segfault
Submitted: 2015-11-27 14:40 UTC Modified: 2015-11-27 15:11 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ajf at ajf dot me Assigned: ajf
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC8 OS: OS X 10.11
Private report: No CVE-ID:
 [2015-11-27 14:40 UTC] ajf at ajf dot me
Description:
------------
Specific to Closure::call(). Using Closure::bindTo() and then calling the resulting closure does not produce the same issue. Issue does not occur when using some other return value. Issue is not specific to returning static::class, can also happen if assigned to a variable.

Issue exists in all versions of PHP 7 so far: https://3v4l.org/8vZhA. I've personally reproduced this issue on the current PHP master and PHP-7.0 branch.

Test script:
---------------
<?php

class foo {}
$bar = function () {
    return static::class;
};

var_dump($bar->call(new foo));

?>

Expected result:
----------------
string(3) "foo"

Actual result:
--------------
Segmentation fault

valgrind backtrace:

==76755== Invalid read of size 8
==76755==    at 0x1003A5983: ZEND_FETCH_CLASS_NAME_SPEC_HANDLER (in sapi/cli/php)
==76755==    by 0x1003391C3: execute_ex (in sapi/cli/php)
==76755==    by 0x1002B4DDD: zend_call_function (in sapi/cli/php)
==76755==    by 0x1003143A5: zim_Closure_call (in sapi/cli/php)
==76755==    by 0x100364136: ZEND_DO_FCALL_SPEC_HANDLER (in sapi/cli/php)
==76755==    by 0x1003391C3: execute_ex (in sapi/cli/php)
==76755==    by 0x10033932F: zend_execute (in sapi/cli/php)
==76755==    by 0x1002B6125: zend_eval_stringl (in sapi/cli/php)
==76755==    by 0x1002B63A0: zend_eval_stringl_ex (in sapi/cli/php)
==76755==    by 0x1002B6442: zend_eval_string_ex (in sapi/cli/php)
==76755==    by 0x1003CC905: do_cli (in sapi/cli/php)
==76755==    by 0x1003CB60D: main (in sapi/cli/php)
==76755==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==76755== 
==76755== 
==76755== Process terminating with default action of signal 11 (SIGSEGV)
==76755==  Access not within mapped region at address 0x8
==76755==    at 0x1003A5983: ZEND_FETCH_CLASS_NAME_SPEC_HANDLER (in sapi/cli/php)
==76755==    by 0x1003391C3: execute_ex (in sapi/cli/php)
==76755==    by 0x1002B4DDD: zend_call_function (in sapi/cli/php)
==76755==    by 0x1003143A5: zim_Closure_call (in sapi/cli/php)
==76755==    by 0x100364136: ZEND_DO_FCALL_SPEC_HANDLER (in sapi/cli/php)
==76755==    by 0x1003391C3: execute_ex (in sapi/cli/php)
==76755==    by 0x10033932F: zend_execute (in sapi/cli/php)
==76755==    by 0x1002B6125: zend_eval_stringl (in sapi/cli/php)
==76755==    by 0x1002B63A0: zend_eval_stringl_ex (in sapi/cli/php)
==76755==    by 0x1002B6442: zend_eval_string_ex (in sapi/cli/php)
==76755==    by 0x1003CC905: do_cli (in sapi/cli/php)
==76755==    by 0x1003CB60D: main (in sapi/cli/php)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-11-27 14:45 UTC] ajf@php.net
GDB backtrace:

#0  0x00000001003a5983 in ZEND_FETCH_CLASS_NAME_SPEC_HANDLER (
    execute_data=0x1020131f0) at Zend/zend_vm_execute.h:1713
#1  0x00000001003391c4 in execute_ex (ex=0x1020131f0)
    at Zend/zend_vm_execute.h:417
#2  0x00000001002b4dde in zend_call_function (fci=0x7fff5fbfeae0, 
    fci_cache=0x7fff5fbfeab8) at Zend/zend_execute_API.c:854
#3  0x00000001003143a6 in zim_Closure_call (execute_data=0x102013180, 
    return_value=0x1020130f0) at Zend/zend_closures.c:172
#4  0x0000000100364137 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x102013030)
    at Zend/zend_vm_execute.h:842
#5  0x00000001003391c4 in execute_ex (ex=0x102013030)
    at Zend/zend_vm_execute.h:417
#6  0x0000000100339330 in zend_execute (op_array=0x102074300, 
    return_value=0x7fff5fbfecb0) at Zend/zend_vm_execute.h:458
#7  0x00000001002b6126 in zend_eval_stringl (
    str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", str_len=91, retval_ptr=0x0, 
    string_name=0x1004d6ed1 "Command line code")
    at Zend/zend_execute_API.c:1125
#8  0x00000001002b63a1 in zend_eval_stringl_ex (
    str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", str_len=91, retval_ptr=0x0, 
    string_name=0x1004d6ed1 "Command line code", handle_exceptions=1)
    at Zend/zend_execute_API.c:1166
#9  0x00000001002b6443 in zend_eval_string_ex (
    str=0x100702fc0 "class foo {} $bar = (function () { return static::class; }); var_dump($bar->call(new foo));", retval_ptr=0x0, 
    string_name=0x1004d6ed1 "Command line code", handle_exceptions=1)
    at Zend/zend_execute_API.c:1177
#10 0x00000001003cc906 in do_cli (argc=3, argv=0x100702f10)
    at sapi/cli/php_cli.c:1005
#11 0x00000001003cb60e in main (argc=3, argv=0x100702f10)
    at sapi/cli/php_cli.c:1345
 [2015-11-27 14:54 UTC] ajf@php.net
Problem line of zend_vm_execute.h (generated from identical line in zend_vm_def.h) is:
    ZVAL_STR_COPY(EX_VAR(opline->result.var), EX(called_scope)->name);

Debug printf reveals that EX(called_scope) is NULL here. So it's a simple NULL pointer dereference bug.
 [2015-11-27 15:11 UTC] ajf@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ajf
 [2015-11-27 15:11 UTC] ajf@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed in https://github.com/php/php-src/commit/8907da99b83204958cb2308ec12aa9e490372150
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 19 11:01:37 2017 UTC