Bug #73583 Segfaults when conditionally declared class and function have the same name
Submitted: 2016-11-22 23:29 UTC Modified: 2016-11-23 06:23 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: weirdan at gmail dot com Assigned:
Status: Closed Package: opcache
PHP Version: 7.1.0RC6 OS: Linux CentOS 7
Private report: No CVE-ID:
 [2016-11-22 23:29 UTC] weirdan at gmail dot com
Description:
------------
When a function and a class have the same name in a conditional section (such as 'if (!function_exists('a')) { function a() {} class a {} }'), php (with opcache enabled) segfaults.

It doesn't crash if the same code appears outside the condition. It doesn't crash when opcache is disabled. It doesn't crash when names differ.

Test script:
---------------
<?php
if (true) {
    class A { }
    function A() { }
}
?>

Expected result:
----------------
No output, no segfaults

Actual result:
--------------
[root@stage30 current]# php -n -d zend_extension=opcache.so -d opcache.enable_cli=1 q.php                                                                                                      
Segmentation fault (core dumped)
[root@stage30 current]# gdb `which php` /tmp/core-php.10991 
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php.debug...done.
done.
[New LWP 10991]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `php -n -d zend_extension=opcache.so -d opcache.enable_cli=1 q.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa9fe586558 in memcpy (__len=208, __src=0x0, __dest=0x7fa9f9e02620) at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x00007fa9fe586558 in memcpy (__len=208, __src=0x0, __dest=0x7fa9f9e02620) at /usr/include/bits/string3.h:51
#1  do_bind_function (op_array=<optimized out>, opline=<optimized out>, function_table=0x7fa9ffc4cf80, compile_time=compile_time@entry=0 '\000')
    at /usr/src/debug/php-7.1.0RC6/Zend/zend_compile.c:1073
#2  0x00007fa9fe600113 in ZEND_DECLARE_FUNCTION_SPEC_HANDLER () at /usr/src/debug/php-7.1.0RC6/Zend/zend_vm_execute.h:1620
#3  0x00007fa9fe5ef41b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-7.1.0RC6/Zend/zend_vm_execute.h:429
#4  0x00007fa9fe597829 in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-7.1.0RC6/Zend/zend_dtrace.c:83
#5  0x00007fa9fe642db4 in zend_execute (op_array=op_array@entry=0x7fa9f9e83000, return_value=return_value@entry=0x0) at /usr/src/debug/php-7.1.0RC6/Zend/zend_vm_execute.h:474
#6  0x00007fa9fe5a7eb3 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-7.1.0RC6/Zend/zend.c:1464
#7  0x00007fa9fe545fa8 in php_execute_script (primary_file=primary_file@entry=0x7fffcda609c0) at /usr/src/debug/php-7.1.0RC6/main/main.c:2533
#8  0x00007fa9fe645058 in do_cli (argc=7, argv=0x7fa9ffc4ce40) at /usr/src/debug/php-7.1.0RC6/sapi/cli/php_cli.c:990
#9  0x00007fa9fe42392f in main (argc=7, argv=0x7fa9ffc4ce40) at /usr/src/debug/php-7.1.0RC6/sapi/cli/php_cli.c:1378
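
As an added example, not part of the report or of php-src: a token-level scanner for the shape that triggers this crash (a class and a free function sharing a name inside a braced block), so a codebase can be checked before it is run with opcache on an affected build. `find_conditional_name_clashes` is a name chosen here; it ignores namespaces and treats any braced block as conditional.

```php
<?php
// Added example, not from the report or php-src. Flags a class and a free
// function declared with the same name (case-insensitive) inside a braced
// block, e.g. the `if (true) { ... }` of the test script. Assumes no namespaces.
function find_conditional_name_clashes(string $code): array
{
    $tokens = token_get_all($code);
    $depth = 0;         // current brace depth
    $classBody = null;  // depth of the class body we are inside, if any
    $awaitBody = false; // a named class was seen; its `{` is still ahead
    $classes = $functions = []; // lowercased name => line, for depth > 0
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if ($t === '{' || (is_array($t) && in_array($t[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true))) {
            $depth++;
            if ($awaitBody) { $classBody = $depth; $awaitBody = false; }
            continue;
        }
        if ($t === '}') {
            if ($depth === $classBody) { $classBody = null; }
            $depth--;
            continue;
        }
        if (!is_array($t) || !in_array($t[0], [T_CLASS, T_FUNCTION], true)) { continue; }
        // The declared name is the next token after whitespace (and `&` for by-ref functions).
        for ($j = $i + 1; $j < $n; $j++) {
            $nt = $tokens[$j];
            if ($nt !== '&' && !(is_array($nt) && $nt[0] === T_WHITESPACE)) { break; }
        }
        // `Foo::class`, `new class {}` and closures have no T_STRING name here: skip them.
        if ($j >= $n || !is_array($nt) || $nt[0] !== T_STRING) { continue; }
        $name = strtolower($nt[1]);
        if ($t[0] === T_CLASS) {
            $awaitBody = true; // methods in the coming body are not free functions
            if ($depth > 0) { $classes[$name] = $nt[2]; }
        } elseif ($classBody === null && $depth > 0) {
            $functions[$name] = $nt[2];
        }
    }
    $clashes = [];
    foreach (array_intersect_key($classes, $functions) as $name => $line) {
        $clashes[] = ['name' => $name, 'class_line' => $line, 'function_line' => $functions[$name]];
    }
    return $clashes;
}

// Constructed input mirroring the report's test script.
$sample = "<?php\nif (true) {\n    class A { }\n    function A() { }\n}\n";
var_dump(find_conditional_name_clashes($sample));
```

For the constructed sample this reports the clash on name `a` (class on line 3, function on line 4); a file with the declarations outside any block, or with different names, yields an empty array.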


History

 [2016-11-23 06:23 UTC] laruence@php.net
introduced after https://github.com/php/php-src/commit/88eae43f

thanks
 [2016-11-23 06:28 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a0b28434ccaafadfdd39a0b51eab5aa4dd693291
Log: Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name)
 [2016-11-23 06:28 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-11-30 23:14 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a0b28434ccaafadfdd39a0b51eab5aa4dd693291
Log: Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jul 25 16:01:42 2017 UTC