PHP :: Bug #77631 :: ReflectionClass->isSubclassOf crashes in PHP 7.4 for anonymous class

Bug #77631	ReflectionClass->isSubclassOf crashes in PHP 7.4 for anonymous class
Submitted:	2019-02-18 03:05 UTC	Modified:	2019-02-18 08:19 UTC
From:	tandre@php.net	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	Next Minor Version	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2019-02-18 03:05 UTC] tandre@php.net

Description:
------------
This was initially reproduced by cloning https://github.com/Microsoft/tolerant-php-parser , running `composer.phar install`, and running `vendor/bin/phpunit tests/ParserGrammerTest.php`.

I narrowed the bug down to the below test script. This crashes in both non-debug NTS and a debug ZTS build in PHP-7.4 (built today with 5b15908ed7d1765c1776b40ffc58092044aa1332, introduced somewhere before that).

instance_ce has invalid data. This might be caused by the test script using a ReflectionClass for an anonymous class where no instances have been created.

```
Checking for class@anonymous/path/to/php-src/test.php0x7ffff7fd405d

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
warning: Source file is more recent than executable.
2285                    instance_ce = instance_ce->parent;
(gdb) bt
#0  0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
#1  0x0000000000b3168d in instanceof_function (instance_ce=0x7fffecc06740, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2330
#2  0x00000000007be3af in zim_reflection_class_isSubclassOf (execute_data=0x7fffecc171a0, return_value=0x7fffecc17110) at /path/to/php-src/ext/reflection/php_reflection.c:4991
#3  0x0000000000bb451d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /path/to/php-src/Zend/zend_vm_execute.h:1104
#4  0x0000000000c36376 in execute_ex (ex=0x7fffecc17020) at /path/to/php-src/Zend/zend_vm_execute.h:61540
#5  0x0000000000c3c999 in zend_execute (op_array=0x7fffecc73400, return_value=0x0) at /path/to/php-src/Zend/zend_vm_execute.h:67944
#6  0x0000000000b3a5a0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /path/to/php-src/Zend/zend.c:1639
#7  0x0000000000a72dfd in php_execute_script (primary_file=0x7fffffffc680) at /path/to/php-src/main/main.c:2633
#8  0x0000000000c3fa52 in do_cli (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:992
#9  0x0000000000c40e9d in main (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:1384
```

Test script:
---------------
<?php
class X {
    public static function main() {
        return new class() extends Base {};
    }
}
class Base {}
call_user_func(function() {
    $base = Base::class;
    foreach (get_declared_classes() as $class) {
        if (strpos($class, 'class@anonymous') === false) {
            continue;
        }
        echo "Checking for $class\n";
        flush();
        $rc = new ReflectionClass($class);
        var_export($rc->isSubclassOf($base));  // Segfaults on this line
    }
});


Expected result:
----------------
Does not segfault, prints Checking for class@anonymouspath...false (like earlier php versions do)

Actual result:
--------------
Segfaults because of the call to isSubclassOf

Patches

Add a Patch

Pull Requests

Pull requests:

Fix class crash in isSubclassOf when using unbound anonymous classes (php-src/3847)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-02-18 08:19 UTC] nikic@php.net

The actual bug here is that get_declared_classes() exposes anonymous classes that haven't been bound yet. The code currently only handles unbound ordinary classes.

[2019-02-18 14:50 UTC] tandre@php.net

The following pull request has been associated:

Patch Name: Fix class crash in isSubclassOf when using unbound anonymous classes
On GitHub:  https://github.com/php/php-src/pull/3847
Patch:      https://github.com/php/php-src/pull/3847.patch

[2019-02-19 09:07 UTC] nikic@php.net

Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631

[2019-02-19 09:07 UTC] nikic@php.net

-Status: Open +Status: Closed

[2019-02-19 09:11 UTC] nikic@php.net

Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631

[2020-04-14 20:04 UTC] ahwelp at universo dot univates dot br

Related To: Bug #79474

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 07:01:27 2024 UTC