Bug #72101 crash on complex code
Submitted: 2016-04-25 10:30 UTC Modified: 2016-04-25 10:31 UTC
From: tony2001@php.net Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2016-04-25 (Git) OS: *
Private report: No CVE-ID:
 [2016-04-25 10:30 UTC] tony2001@php.net
Description:
------------
PHP dereferences a NULL pointer and crashes when executing the attached piece of code.

Test script:
---------------
<?php
class PHPUnit_Framework_MockObject_Stub_ReturnCallback {
    /** @var callable Callable that receives the recorded invocation parameters. */
    protected $callback;
    /**
     * @param callable $callback Anything accepted by call_user_func_array().
     */
    public function __construct($callback) {
        $this->callback = $callback;
    }
    /**
     * Forwards the invocation's parameters to the stored callback.
     *
     * The parameters arrive as plain values (they are collected with
     * array($a, $b, $c) in Mock_MethodCallbackByReference_7b180d26::bar), while
     * the callback the script installs declares by-reference parameters
     * (MethodCallbackByReference::callback). call_user_func_array() is what
     * hands those values to the by-reference signature, so this line is the
     * point where the reproducer diverges from a normal call.
     *
     * @param object $invocation Object exposing a public $parameters array.
     * @return mixed Whatever the callback returns.
     */
    public function invoke($invocation) {
        return call_user_func_array($this->callback, $invocation->parameters);
    }
}

class PHPUnit_Framework_MockObject_InvocationMocker {
    /** @var array Matchers registered through addMatcher(), in insertion order. */
    protected $matchers = [];

    /**
     * Registers a matcher. Each matcher must expose an invoked($invocation)
     * method; nothing is validated here.
     *
     * @param object $matcher
     */
    public function addMatcher($matcher) {
        $this->matchers[] = $matcher;
    }

    /**
     * Notifies every registered matcher of the invocation, in registration
     * order. Matcher return values are discarded and nothing is returned.
     *
     * @param object $invocation
     */
    public function invoke($invocation) {
        $registered = $this->matchers;
        foreach ($registered as $matcher) {
            $matcher->invoked($invocation);
        }
    }
}

class PHPUnit_Framework_MockObject_Matcher {
    /**
     * @var object|null Stub whose invoke() result is returned. Must be
     *                  assigned before invoked() is called; invoked() does not
     *                  check for null.
     */
    public $stub = null;

    /**
     * Delegates the invocation to the attached stub and returns its result.
     *
     * @param object $invocation
     * @return mixed Result of the stub's invoke().
     */
    public function invoked($invocation) {
        $target = $this->stub;
        return $target->invoke($invocation);
    }
}

class MethodCallbackByReference {
    /**
     * Real implementation: hands the arguments to Legacy::bar(), a class this
     * script never defines. The mock subclass in this script overrides bar(),
     * so this body is not reached by the reproducer.
     *
     * @param mixed $a passed by reference
     * @param mixed $b passed by reference
     * @param mixed $c passed by value
     */
    public function bar(&$a, &$b, $c) {
        Legacy::bar($a, $b, $c);
    }

    /**
     * Stub callback used by the script: writes 1 into the second by-reference
     * argument and leaves $a and $c untouched. Returns nothing.
     *
     * @param mixed $a passed by reference (unused)
     * @param mixed $b passed by reference (set to 1)
     * @param mixed $c passed by value (unused)
     */
    public function callback(&$a, &$b, $c) {
        $b = 1;
    }
}
class PHPUnit_Framework_MockObject_Invocation_Static {
    /** @var array Argument values captured for one method call, stored as given. */
    public $parameters;

    /**
     * @param array $parameters Argument values in call order; the array is
     *                          stored unchanged (keys are not re-indexed).
     */
    public function __construct(array $parameters) {
        $this->parameters = $parameters;
    }
}

class Mock_MethodCallbackByReference_7b180d26 extends MethodCallbackByReference {
    /** @var PHPUnit_Framework_MockObject_InvocationMocker Assigned by the script after construction. */
    public $inv_mocker;
    /**
     * Mocked override of bar(). Copies the three arguments *by value* into an
     * array, so the by-reference signature of bar() is not carried through to
     * whatever the invocation mocker eventually calls, then reports the call
     * to the invocation mocker.
     *
     * @param mixed $a by reference (only its value is captured)
     * @param mixed $b by reference (only its value is captured)
     * @param mixed $c
     * @return mixed Result of $this->inv_mocker->invoke(); the
     *               InvocationMocker in this script returns nothing, so null.
     */
    public function bar(&$a, &$b, $c) {
        // Value copy: $a and $b are not references inside this array.
        $arguments = array($a, $b, $c);
        $result = $this->inv_mocker->invoke(
            new PHPUnit_Framework_MockObject_Invocation_Static(
                $arguments
            )
        );
        return $result;
    }
}

// Error handler for every diagnostic level: its body references a class that
// is never defined, so any warning raised while the mock chain below is
// running turns into an Error thrown from inside the handler, which then
// unwinds through the calls that are still in progress.
set_error_handler(function() {
//    var_dump(func_get_args());
    DoesNotExists::$nope = true;
}, E_ALL | E_STRICT);

// Wiring: $foo->bar() -> InvocationMocker -> Matcher -> Stub_ReturnCallback
//         -> $foo->callback(&$a, &$b, $c)
$foo = new Mock_MethodCallbackByReference_7b180d26();
$InvMocker = new PHPUnit_Framework_MockObject_InvocationMocker();
$foo->inv_mocker = $InvMocker;
$OuterMatcher = new PHPUnit_Framework_MockObject_Matcher();
$InvMocker->addMatcher($OuterMatcher);
// Dynamic property: not declared on PHPUnit_Framework_MockObject_Matcher and
// never read in this script.
$OuterMatcher->methodNameMatcher = null;
$OuterMatcher->stub = new PHPUnit_Framework_MockObject_Stub_ReturnCallback([$foo, 'callback']);
// callback() declares $a and $b by reference but receives the plain values
// collected in Mock_MethodCallbackByReference_7b180d26::bar(); the resulting
// diagnostic reaches the handler above, and the exception it throws is what
// leads into cleanup_unfinished_calls() in the backtrace below.
$a = $b = $c = 0;
$foo->bar($a, $b, $c);


Expected result:
----------------
.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000006812a3 in zend_object_release (obj=0x0) at /local/git/php-src/Zend/zend_objects_API.h:77
77              if (--GC_REFCOUNT(obj) == 0) {
Missing separate debuginfos, use: zypper install libz1-debuginfo-1.2.8-5.1.2.x86_64
(gdb) bt
#0  0x00000000006812a3 in zend_object_release (obj=0x0) at /local/git/php-src/Zend/zend_objects_API.h:77
#1  0x00000000006890bb in cleanup_unfinished_calls (execute_data=0x7ffff6615520, op_num=4) at /local/git/php-src/Zend/zend_execute.c:2547
#2  0x000000000068c5bd in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER () at /local/git/php-src/Zend/zend_vm_execute.h:1495
#3  0x0000000000689473 in execute_ex (ex=0x7ffff6615030) at /local/git/php-src/Zend/zend_vm_execute.h:414
#4  0x0000000000689555 in zend_execute (op_array=0x7ffff6687000, return_value=0x0) at /local/git/php-src/Zend/zend_vm_execute.h:458
#5  0x0000000000631dbf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1427
#6  0x00000000005ae6b2 in php_execute_script (primary_file=0x7fffffffd8e0) at /local/git/php-src/main/main.c:2494
#7  0x00000000006eb0f8 in do_cli (argc=2, argv=0xb08be0) at /local/git/php-src/sapi/cli/php_cli.c:974
#8  0x00000000006ebf78 in main (argc=2, argv=0xb08be0) at /local/git/php-src/sapi/cli/php_cli.c:1344
(gdb) f 1
#1  0x00000000006890bb in cleanup_unfinished_calls (execute_data=0x7ffff6615520, op_num=4) at /local/git/php-src/Zend/zend_execute.c:2547
2547 OBJ_RELEASE(Z_OBJ(call->This));
(gdb) list
2542                                            }
2543                                            if (GC_REFCOUNT(Z_OBJ(call->This)) == 1) {
2544 zend_object_store_ctor_failed(Z_OBJ(call->This));
2545                                            }
2546                                    }
2547 OBJ_RELEASE(Z_OBJ(call->This));
2548                            }
2549                            if (call->func->common.fn_flags & ZEND_ACC_CLOSURE) {
2550 zend_object_release((zend_object *) call->func->common.prototype);
2551                            } else if (call->func->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {


History

 [2016-04-25 10:31 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2016-04-25 11:15 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92233dd736a883c34d5769081a9c0ff6d9f264f7
Log: Fixed bug #72101 (crash on complex code)
 [2016-04-25 11:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92233dd736a883c34d5769081a9c0ff6d9f264f7
Log: Fixed bug #72101 (crash on complex code)
 