Bug #72191 Segmentation Fault on recursively call class static function
Submitted: 2016-05-11 06:10 UTC
Modified: -
From: kir dot 9 dot pro at gmail dot com
Assigned:
Status: Open
Package: Class/Object related
PHP Version: 5.6.21
OS: win/nix
Private report: No
CVE-ID: None

 [2016-05-11 06:10 UTC] kir dot 9 dot pro at gmail dot com
Description:
------------
In PHP 7 versions the error doesn't appear, apparently because of a different approach to working with memory.
The problem could probably be solved by checking the value of the stack pointer (ESP) on recursive/dynamic calls.

Tested on versions <= 5.6.21.




Test script:
---------------
<?php
class A{
    public static function __callStatic($name, $arguments){
        self::inf();
    }
}

$b = new A;
$b::hello();
?> 

Expected result:
----------------
Fatal error, as happens in PHP 7 versions.


Actual result:
--------------
root@de:/tmp/php-5.6.21# sapi/cli/php -v
PHP 5.6.21 (cli) (built: May 10 2016 19:37:58) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies




root@de:/tmp/php-5.6.21/sapi/cli# gdb --args php -f /tmp/1.php
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...done.
(gdb) display/10i $rip
(gdb) set heigth 0
No symbol "heigth" in current context.
(gdb) set height 0
(gdb) r
Starting program: /tmp/php-5.6.21/sapi/cli/php -f /tmp/1.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000006a7156 in _zend_mm_alloc_int (heap=0xea81c0, size=72) at /tmp/php-5.6.21/Zend/zend_alloc.c:1881
1881	{
1: x/10i $rip
=> 0x6a7156 <_zend_mm_alloc_int+6>:	push   %r12
   0x6a7158 <_zend_mm_alloc_int+8>:	mov    %rsi,%r13
   0x6a715b <_zend_mm_alloc_int+11>:	push   %rbp
   0x6a715c <_zend_mm_alloc_int+12>:	push   %rbx
   0x6a715d <_zend_mm_alloc_int+13>:	mov    %rdi,%r12
   0x6a7160 <_zend_mm_alloc_int+16>:	sub    $0x18,%rsp
   0x6a7164 <_zend_mm_alloc_int+20>:	cmp    $0xf,%rsi
   0x6a7168 <_zend_mm_alloc_int+24>:	jbe    0x6a71f0 <_zend_mm_alloc_int+160>
   0x6a716e <_zend_mm_alloc_int+30>:	lea    0x7fdb93(%rip),%rax        # 0xea4d08 <zend_block_interruptions>
   0x6a7175 <_zend_mm_alloc_int+37>:	lea    0x17(%rsi),%rbp

(gdb) set logging on
(gdb) bt full


backtrace file (25Mb): http://rnsd.ru/down/php-bt-z8f02lds_fas.txt
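
The stack-pointer check suggested in the description, sketched in C as an added example; it is not code from the report or from the PHP source. All function and variable names are hypothetical, and the 256 KiB budget is an assumed value chosen so the demonstration stops well before a real stack limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names here are hypothetical; none are Zend Engine symbols. */
static uintptr_t stack_base;   /* address near the frame where the guard was armed */
static size_t stack_budget;    /* bytes of stack that nested calls may consume */

/* Compare the address of a local in the current frame with the recorded
 * base. The absolute difference works whichever way the stack grows. */
static int stack_has_room(const volatile void *frame_addr)
{
    uintptr_t here = (uintptr_t)frame_addr;
    size_t used = here < stack_base ? stack_base - here : here - stack_base;
    return used < stack_budget;
}

/* Stand-in for a dispatcher that re-enters itself unconditionally, as
 * __callStatic does in the test script. Returns -1 when the guard trips. */
static int dispatch_missing_method(unsigned long *depth)
{
    volatile char frame[128];          /* stand-in for per-call engine state */
    int rc;

    frame[0] = 1;
    if (!stack_has_room(frame))
        return -1;                     /* where an engine would raise a fatal error */
    ++*depth;
    rc = dispatch_missing_method(depth);
    frame[1] = (char)rc;               /* store after the call blocks tail-call elimination */
    return rc;
}

/* Arm the guard with a byte budget, run the runaway recursion, and return
 * the depth reached when the guard stopped it. */
unsigned long guarded_depth(size_t budget_bytes)
{
    volatile char marker = 0;
    unsigned long depth = 0;

    stack_base = (uintptr_t)&marker;
    stack_budget = budget_bytes;
    if (dispatch_missing_method(&depth) != -1)
        return 0;                      /* unreachable for this unbounded recursion */
    return depth;
}

int main(void)
{
    printf("stopped at depth %lu\n", guarded_depth(256 * 1024));
    return 0;
}
```

The recursion ends with an error return once the frames consume the budget, instead of running into the guard page and raising SIGSEGV as in the gdb session above.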




Last updated: Sat Feb 23 12:01:25 2019 UTC