php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74673 Segfault when cast Reflection object to string with undefined constant
Submitted: 2017-05-30 13:55 UTC Modified: -
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: luxifer666 at gmail dot com Assigned:
Status: Closed Package: Reflection related
PHP Version: 7.1.5 OS: Debian GNU/Linux 8.8 (jessie)
Private report: No CVE-ID:
 [2017-05-30 13:55 UTC] luxifer666 at gmail dot com
Description:
------------
I got a segfault when trying to cast a Reflection object (ReflectionClass or ReflectionMethod), with the class containing a method with an argument which defaults to an undefined constant. Without any error_handler it works well. If I add an error_handler that throws an exception, the script segfault.

PHP Version:
php -v
PHP 7.1.5-1+0~20170522123046.25+jessie~1.gbpb8686b (cli) (built: May 22 2017 13:49:15) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.5-1+0~20170522123046.25+jessie~1.gbpb8686b, Copyright (c) 1999-2017, by Zend Technologies
    with Xdebug v2.5.1, Copyright (c) 2002-2017, by Derick Rethans

Modules:
php -m
[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
intl
json
ldap
libxml
mbstring
mcrypt
memcached
msgpack
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
redis
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xdebug
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Xdebug
Zend OPcache

I tried this script on 3v4l: https://3v4l.org/ekEkd#output it segfault. I tried it with the latest official docker image php:7.1-cli, it segfault to.

But I tried on mac and I got this output:
PHP Fatal error:  Method ReflectionClass::__toString() must not throw an exception, caught Exception:  in test.php on line 0

Debug:
Program received signal SIGSEGV, Segmentation fault.
0x00000000005c3d45 in _zval_get_string_func (op=op@entry=0x7fffffffa580) at ./Zend/zend_operators.c:891
891	./Zend/zend_operators.c: No such file or directory.
(gdb) zbacktrace
[0x7ffff5e130a0] ReflectionClass->__toString() [internal function]
[0x7fffffffa7f0] ???
[0x7ffff5e13030] (main) test.php:16
(gdb) bt
#0  0x00000000005c3d45 in _zval_get_string_func (op=op@entry=0x7fffffffa580) at ./Zend/zend_operators.c:891
#1  0x00000000004b753a in _zval_get_string (op=0x7fffffffa580) at ./Zend/zend_operators.h:276
#2  _parameter_string (str=str@entry=0x7fffffffa690, fptr=fptr@entry=0x7ffff5e035b8, arg_info=arg_info@entry=0x7fffdec32680, offset=offset@entry=0, required=required@entry=0, indent=<optimized out>)
    at ./ext/reflection/php_reflection.c:752
#3  0x00000000004b79e0 in _function_parameter_string (indent=0x7ffff5e6af18 "      ", fptr=0x7ffff5e035b8, str=0x7fffffffa690) at ./ext/reflection/php_reflection.c:781
#4  _function_string (str=str@entry=0x7fffffffa690, fptr=fptr@entry=0x7ffff5e035b8, scope=scope@entry=0x7ffff5e033c0, indent=0x7ffff5e6a518 "    ") at ./ext/reflection/php_reflection.c:916
#5  0x00000000004b84f3 in _class_string (str=str@entry=0x7fffffffa6f0, ce=ce@entry=0x7ffff5e033c0, obj=obj@entry=0x7ffff5e63080, indent=indent@entry=0x686418 "")
    at ./ext/reflection/php_reflection.c:608
#6  0x00000000004b9a9b in zim_reflection_class___toString (execute_data=<optimized out>, return_value=0x7fffffffa9b0) at ./ext/reflection/php_reflection.c:4070
#7  0x00007ffff59657d5 in xdebug_execute_internal (current_execute_data=0x7ffff5e130a0, return_value=0x7fffffffa9b0) at ./build-7.1/xdebug.c:2147
#8  0x00000000005bd2ca in zend_call_function (fci=fci@entry=0x7fffffffa910, fci_cache=fci_cache@entry=0x7fffffffa8e0) at ./Zend/zend_execute_API.c:871
#9  0x00000000005ec050 in zend_call_method (object=object@entry=0x7ffff5e13080, obj_ce=<optimized out>, obj_ce@entry=0xa60790, fn_proxy=fn_proxy@entry=0xa608c0,
    function_name=function_name@entry=0x6c8533 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fffffffa9b0, param_count=0, arg1=0x0, arg2=0x0)
    at ./Zend/zend_interfaces.c:99
#10 0x0000000000607c65 in zend_std_cast_object_tostring (readobj=0x7ffff5e13080, writeobj=0x7fffffffaa30, type=<optimized out>) at ./Zend/zend_object_handlers.c:1631
#11 0x00000000005c3c7e in _zval_get_string_func (op=op@entry=0x7ffff5e13080) at ./Zend/zend_operators.c:887
#12 0x000000000064cae1 in ZEND_ECHO_SPEC_CV_HANDLER () at ./Zend/zend_vm_execute.h:34709
#13 0x0000000000616aeb in execute_ex (ex=<optimized out>) at ./Zend/zend_vm_execute.h:429
#14 0x00007ffff5964cc6 in xdebug_execute_ex (execute_data=0x7ffff5e13030) at ./build-7.1/xdebug.c:1995
#15 0x00000000006730b0 in zend_execute (op_array=op_array@entry=0x7ffff5e80000, return_value=return_value@entry=0x0) at ./Zend/zend_vm_execute.h:474
#16 0x00000000005cd5f3 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1476
#17 0x0000000000569590 in php_execute_script (primary_file=0x7fffffffd100) at ./main/main.c:2537
#18 0x000000000067532a in do_cli (argc=-23168, argv=0x7fffffffa520) at ./sapi/cli/php_cli.c:993
#19 0x0000000000444b42 in main (argc=-23168, argv=0x7fffffffa520) at ./sapi/cli/php_cli.c:1381

Test script:
---------------
<?php

set_error_handler(function() {
    throw new Exception();
});

class A
{
    public function method($test = UNKNOWN_CONSTANT)
    {
    }
}

$class = new ReflectionClass('A');

echo $class;

Expected result:
----------------
Notice: Use of undefined constant UNKNOWN_CONSTANT - assumed 'UNKNOWN_CONSTANT' in test.php on line 16
Class [ <user> class A ] {
  @@ test.php 7-12

  - Constants [0] {
  }

  - Static properties [0] {
  }

  - Static methods [0] {
  }

  - Properties [0] {
  }

  - Methods [1] {
    Method [ <user> public method method ] {
      @@ test.php 9 - 11

      - Parameters [1] {
        Parameter #0 [ <optional> $test = 'UNKNOWN_CONSTAN...' ]
      }
    }
  }
}

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-05-31 05:11 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c5717d0decd56710129a5599fe5d38f82a7bab2
Log: Fixed bug #74673 (Segfault when cast Reflection object to string with undefined constant)
 [2017-05-31 05:11 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2017-05-31 05:16 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c5717d0decd56710129a5599fe5d38f82a7bab2
Log: Fixed bug #74673 (Segfault when cast Reflection object to string with undefined constant)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon Jul 24 10:01:45 2017 UTC