Bug #72191 Segmentation Fault on recursively call class static function
Submitted: 2016-05-11 06:10 UTC Modified: 2021-02-11 17:37 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: kir dot 9 dot pro at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Class/Object related
PHP Version: 5.6.21 OS: win/nix
Private report: No CVE-ID: None
 [2016-05-11 06:10 UTC] kir dot 9 dot pro at gmail dot com
Description:
------------
In the 7 versions the mistake doesn't appear, apparently because of a different principle of working with memory.
Probably it is possible to solve the problem by checking the value of the stack (ESP) on recursive/dynamic calls.

tested on <= 5.6.21 versions

Test script:
---------------
<?php
class A{
    // Invoked for any undefined static method call on A.
    public static function __callStatic($name, $arguments){
        // inf() is not defined either, so this call re-enters __callStatic
        // and recurses without bound (the crash the report describes).
        self::inf();
    }
}

$b = new A;
$b::hello();
?>

Expected result:
----------------
Fatal error, as it is made in 7 versions.


Actual result:
--------------
root@de:/tmp/php-5.6.21# sapi/cli/php -v
PHP 5.6.21 (cli) (built: May 10 2016 19:37:58) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

root@de:/tmp/php-5.6.21/sapi/cli# gdb --args php -f /tmp/1.php
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...done.
(gdb) display/10i $rip
(gdb) set heigth 0
No symbol "heigth" in current context.
(gdb) set height 0
(gdb) r
Starting program: /tmp/php-5.6.21/sapi/cli/php -f /tmp/1.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000006a7156 in _zend_mm_alloc_int (heap=0xea81c0, size=72) at /tmp/php-5.6.21/Zend/zend_alloc.c:1881
1881	{
1: x/10i $rip
=> 0x6a7156 <_zend_mm_alloc_int+6>:	push   %r12
   0x6a7158 <_zend_mm_alloc_int+8>:	mov    %rsi,%r13
   0x6a715b <_zend_mm_alloc_int+11>:	push   %rbp
   0x6a715c <_zend_mm_alloc_int+12>:	push   %rbx
   0x6a715d <_zend_mm_alloc_int+13>:	mov    %rdi,%r12
   0x6a7160 <_zend_mm_alloc_int+16>:	sub    $0x18,%rsp
   0x6a7164 <_zend_mm_alloc_int+20>:	cmp    $0xf,%rsi
   0x6a7168 <_zend_mm_alloc_int+24>:	jbe    0x6a71f0 <_zend_mm_alloc_int+160>
   0x6a716e <_zend_mm_alloc_int+30>:	lea    0x7fdb93(%rip),%rax        # 0xea4d08 <zend_block_interruptions>
   0x6a7175 <_zend_mm_alloc_int+37>:	lea    0x17(%rsi),%rbp

(gdb) set logging on
(gdb) bt full


backtrace file (25Mb): http://rnsd.ru/down/php-bt-z8f02lds_fas.txt
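For comparison, an added example (not part of the bug report) showing how the same `__callStatic` shape can bound its own recursion on PHP 5.6, where the engine has no stack-depth guard; the depth limit `MAX_DEPTH` is an assumed value chosen for illustration.

```php
<?php
// Added example, not from the original report: a __callStatic that refuses
// unbounded self-recursion. The reporter's script recurses until the C stack
// is exhausted on 5.6; this version raises a controlled exception instead.
class A
{
    const MAX_DEPTH = 64;          // assumed limit, chosen for illustration
    private static $depth = 0;     // current nesting of __callStatic calls

    public static function __callStatic($name, $arguments)
    {
        if (self::$depth >= self::MAX_DEPTH) {
            throw new BadMethodCallException(
                "Undefined static method A::$name() (recursion depth "
                . self::$depth . " reached)"
            );
        }
        self::$depth++;
        try {
            // Same shape as the report's script: calling an undefined
            // static method re-enters __callStatic.
            return self::inf();
        } finally {
            self::$depth--;            // always unwind, even on exception
        }
    }
}

try {
    A::hello();
} catch (BadMethodCallException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

Run under 5.6 this terminates with the exception message after MAX_DEPTH nested calls instead of a segmentation fault; under 7 it simply preempts the engine's own fatal error.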

 [2021-02-11 17:37 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-02-11 17:37 UTC] cmb@php.net
> In 7 versions the mistake doesn't appear, […]

This ticket is obsolete [1].

[1] <https://www.php.net/supported-versions.php>