Bug #73288 Segfault in __clone > Exception.toString > __get
Submitted: 2016-10-11 09:26 UTC Modified: 2016-10-11 12:47 UTC
From: sjon at hortensius dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.0RC3 OS:
Private report: No CVE-ID:
 [2016-10-11 09:26 UTC] sjon at hortensius dot net
Description:
------------
We started testing a large codebase in 7.1.0RC3 and found a segfault, reduced to the test case below. It does NOT segfault in a debug build.

Test script:
---------------
<?php

class AAAAAAAAAAAAAA
{
        public function __get($name)
        {
                throw new React_UnknownEntryException;
        }
}

function g($class) {
        eval('class ' . $class . ' extends React_Exception {}');
        return true;
}

class React_Exception extends Exception
{
        public function __toString()
        {
                try
                {
                        $registry = new AAAAAAAAAAAAAA;
                        return $registry->Translate->getTranslation('waa');
                }
                catch (Throwable $e)
                {
                        // ignore
                }
        }
}

class NoClone {
        public function __clone() {
                throw new React_CloneException;
        }
}

class UUUUUUUUUUUUUUUUUU
{
        public function __get($name)
        {
                return new NoClone;
        }
}

class Test
{
        public function testClone()
        {
                $u = new UUUUUUUUUUUUUUUUUU;
                $b = clone $u->x;
        }
}

spl_autoload_unregister('spl_autoload');
spl_autoload_register('g');
$t = new Test;
$t->testClone();

Expected result:
----------------
Warning: React_CloneException::__toString() must return a string in Unknown on line 0

Fatal error: Uncaught 
  thrown in test.php on line 35


Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000657540 in _emalloc ()
(gdb) bt
#0  0x0000000000657540 in _emalloc ()
#1  0x0000000000672344 in zend_string_tolower ()
#2  0x0000000000659f59 in ?? ()
#3  0x00000000006668e4 in ?? ()
#4  0x0000000000667078 in ?? ()
#5  0x000000000066967a in ?? ()
#6  0x00000000006696cf in ?? ()
#7  0x0000000000641b82 in ?? ()
#8  0x0000000000643698 in compile_string ()
#9  0x00000000006dc77e in ?? ()
#10 0x0000000000715ed3 in ?? ()
#11 0x00000000006c230b in execute_ex ()
#12 0x000000000066cb41 in zend_call_function ()
#13 0x0000000000697fab in zend_call_method ()
#14 0x0000000000559bfc in ?? ()
#15 0x000000000066c9f7 in zend_call_function ()
#16 0x000000000066cf85 in zend_lookup_class_ex ()
#17 0x000000000066d898 in zend_fetch_class_by_name ()
#18 0x0000000000716c97 in ?? ()
#19 0x00000000006c230b in execute_ex ()
#20 0x000000000066cb41 in zend_call_function ()
#21 0x0000000000697fab in zend_call_method ()
#22 0x00000000006b2d9a in ?? ()
#23 0x00000000006b48b2 in ?? ()
#24 0x00000000006f300c in ?? ()
#25 0x00000000006c230b in execute_ex ()
#26 0x000000000066cb41 in zend_call_function ()
#27 0x0000000000697fab in zend_call_method ()
#28 0x00000000004318a0 in zend_exception_error ()
#29 0x000000000067b40c in zend_execute_scripts ()
#30 0x000000000061bbab in php_execute_script ()
#31 0x000000000071daac in ?? ()
#32 0x0000000000433a2f in ?? ()
#33 0x00007ffff6219291 in __libc_start_main () from /usr/lib/libc.so.6
#34 0x0000000000433b6a in _start ()

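The reproducer above depends on three things happening together: an exception thrown from __clone escaping to the engine's uncaught-exception handler (zend_exception_error in the backtrace), a __toString that does not always return a string, and an autoloader that eval()s a class definition for whatever name the engine hands it. The following is an added example, not part of the report, showing the same call chain written so that none of those conditions occur; the class names are reused from the report and the message text is constructed.

```php
<?php
// Added example (not the reporter's code): the same __clone -> exception ->
// __toString chain with each trigger condition from the report removed.

class React_Exception extends Exception
{
    // Invariant: __toString always returns a string and never throws.
    // No object is constructed and no undeclared class is referenced here,
    // so stringifying the exception cannot re-enter the autoloader or
    // produce the "must return a string" warning from the report.
    public function __toString(): string
    {
        return static::class . ': ' . $this->getMessage();
    }
}

// Subclasses are declared statically instead of being eval()'d by an
// autoloader that builds a class definition from a name it did not choose.
class React_CloneException extends React_Exception {}
class React_UnknownEntryException extends React_Exception {}

class NoClone
{
    public function __clone()
    {
        throw new React_CloneException('cloning not supported');
    }
}

// The clone is wrapped in a userland try/catch, so the exception never
// reaches zend_exception_error() and the engine never calls __toString
// while unwinding a fatal error.
function tryClone(object $o): string
{
    try {
        $copy = clone $o;
        return 'cloned ' . get_class($copy);
    } catch (React_Exception $e) {
        return (string) $e;   // "React_CloneException: cloning not supported"
    }
}

echo tryClone(new NoClone), "\n";
```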

History

 [2016-10-11 09:26 UTC] sjon at hortensius dot net
Valgrind output:

HEAP SUMMARY:
    in use at exit: 75,050 bytes in 30 blocks
  total heap usage: 18,462 allocs, 18,432 frees, 2,864,926 bytes allocated

328 (152 direct, 176 indirect) bytes in 1 blocks are definitely lost in loss record 26 of 30
   at 0x4C29BBE: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x8BDB48: __zend_malloc (zend_alloc.c:2822)
   by 0x8BCDC3: _emalloc (zend_alloc.c:2402)
   by 0x939FCB: zend_objects_new (zend_objects.c:171)
   by 0x91B52E: zend_default_exception_new_ex (zend_exceptions.c:208)
   by 0x91B7DF: zend_default_exception_new (zend_exceptions.c:242)
   by 0x8F7BBB: _object_and_properties_init (zend_API.c:1302)
   by 0x8F7C10: _object_init_ex (zend_API.c:1310)
   by 0x957880: ZEND_NEW_SPEC_CONST_HANDLER (zend_vm_execute.h:3188)
   by 0x950891: execute_ex (zend_vm_execute.h:429)
   by 0x8DA784: zend_call_function (zend_execute_API.c:826)
   by 0x918F75: zend_call_method (zend_interfaces.c:102)
   by 0x93A4DE: zend_objects_clone_members (zend_objects.c:240)
   by 0x93A53D: zend_objects_clone_obj (zend_objects.c:255)
   by 0x9BEA5E: ZEND_CLONE_SPEC_TMPVAR_HANDLER (zend_vm_execute.h:51504)
   by 0x950891: execute_ex (zend_vm_execute.h:429)
   by 0x9509A2: zend_execute (zend_vm_execute.h:474)
   by 0x8F1F7F: zend_execute_scripts (zend.c:1464)
   by 0x861326: php_execute_script (main.c:2533)
   by 0x9D1F82: do_cli (php_cli.c:990)
   by 0x9D2F4C: main (php_cli.c:1378)

1,052 (208 direct, 844 indirect) bytes in 1 blocks are definitely lost in loss record 29 of 30
   at 0x4C29BBE: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x8BDB48: __zend_malloc (zend_alloc.c:2822)
   by 0x8BCDC3: _emalloc (zend_alloc.c:2402)
   by 0x8991A8: zend_compile (zend_language_scanner.l:590)
   by 0x899380: compile_file (zend_language_scanner.l:633)
   by 0x732A56: phar_compile_file (phar.c:3305)
   by 0x8F1F11: zend_execute_scripts (zend.c:1458)
   by 0x861326: php_execute_script (main.c:2533)
   by 0x9D1F82: do_cli (php_cli.c:990)
   by 0x9D2F4C: main (php_cli.c:1378)

LEAK SUMMARY:
   definitely lost: 360 bytes in 2 blocks
   indirectly lost: 1,020 bytes in 7 blocks
     possibly lost: 0 bytes in 0 blocks
   still reachable: 73,670 bytes in 21 blocks
        suppressed: 0 bytes in 0 blocks
 [2016-10-11 12:47 UTC] sjon at hortensius dot net
FYI: rewriting __clone to throw a plain Exception results in another segfault, with the following BT:

0x0000000000657540 in _emalloc ()
0x00000000006b28f8 in zend_objects_new ()
0x000000000067da61 in _object_and_properties_init ()
0x0000000000716aec in ?? ()
0x00000000006c230b in execute_ex ()
0x000000000071b8a8 in zend_execute ()
0x000000000067b395 in zend_execute_scripts ()
0x000000000061bbab in php_execute_script ()
0x000000000071daac in ?? ()
0x0000000000433a2f in ?? ()
0x00007ffff6219291 in __libc_start_main () from /usr/lib/libc.so.6
0x0000000000433b6a in _start ()

I cannot reduce this to a simpler test case.
 [2016-10-12 08:08 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d19898b2981c839f0758571c1b83052111634154
Log: Fixed bug #73288 (Segfault in __clone > Exception.toString > __get)
 [2016-10-12 08:08 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9274d20b73658d2e560f6a79b6b7c3bbb935e3e
Log: Fixed bug #73288 (Segfault in __clone > Exception.toString > __get)
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9274d20b73658d2e560f6a79b6b7c3bbb935e3e
Log: Fixed bug #73288 (Segfault in __clone > Exception.toString > __get)
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c9274d20b73658d2e560f6a79b6b7c3bbb935e3e
Log: Fixed bug #73288 (Segfault in __clone > Exception.toString > __get)
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d19898b2981c839f0758571c1b83052111634154
Log: Fixed bug #73288 (Segfault in __clone > Exception.toString > __get)