php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77631 ReflectionClass->isSubclassOf crashes in PHP 7.4 for anonymous class
Submitted: 2019-02-18 03:05 UTC Modified: 2019-02-18 08:19 UTC
From: tandre@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
 [2019-02-18 03:05 UTC] tandre@php.net
Description:
------------
This was initially reproduced by cloning https://github.com/Microsoft/tolerant-php-parser , running `composer.phar install`, and running `vendor/bin/phpunit tests/ParserGrammerTest.php`.

I narrowed the bug down to the below test script. This crashes in both non-debug NTS and a debug ZTS build in PHP-7.4 (built today with 5b15908ed7d1765c1776b40ffc58092044aa1332, introduced somewhere before that).

instance_ce has invalid data. This might be caused by the test script using a ReflectionClass for an anonymous class where no instances have been created.

```
Checking for class@anonymous/path/to/php-src/test.php0x7ffff7fd405d

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
warning: Source file is more recent than executable.
2285                    instance_ce = instance_ce->parent;
(gdb) bt
#0  0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
#1  0x0000000000b3168d in instanceof_function (instance_ce=0x7fffecc06740, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2330
#2  0x00000000007be3af in zim_reflection_class_isSubclassOf (execute_data=0x7fffecc171a0, return_value=0x7fffecc17110) at /path/to/php-src/ext/reflection/php_reflection.c:4991
#3  0x0000000000bb451d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /path/to/php-src/Zend/zend_vm_execute.h:1104
#4  0x0000000000c36376 in execute_ex (ex=0x7fffecc17020) at /path/to/php-src/Zend/zend_vm_execute.h:61540
#5  0x0000000000c3c999 in zend_execute (op_array=0x7fffecc73400, return_value=0x0) at /path/to/php-src/Zend/zend_vm_execute.h:67944
#6  0x0000000000b3a5a0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /path/to/php-src/Zend/zend.c:1639
#7  0x0000000000a72dfd in php_execute_script (primary_file=0x7fffffffc680) at /path/to/php-src/main/main.c:2633
#8  0x0000000000c3fa52 in do_cli (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:992
#9  0x0000000000c40e9d in main (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:1384
```

Test script:
---------------
<?php
class X {
    public static function main() {
        return new class() extends Base {};
    }
}
class Base {}
call_user_func(function() {
    $base = Base::class;
    foreach (get_declared_classes() as $class) {
        if (strpos($class, 'class@anonymous') === false) {
            continue;
        }
        echo "Checking for $class\n";
        flush();
        $rc = new ReflectionClass($class);
        var_export($rc->isSubclassOf($base));  // Segfaults on this line
    }
});


Expected result:
----------------
Does not segfault, prints Checking for class@anonymouspath...false (like earlier php versions do)

Actual result:
--------------
Segfaults because of the call to isSubclassOf

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-02-18 08:19 UTC] nikic@php.net
The actual bug here is that get_declared_classes() exposes anonymous classes that haven't been bound yet. The code currently only handles unbound ordinary classes.
 [2019-02-18 14:50 UTC] tandre@php.net
The following pull request has been associated:

Patch Name: Fix class crash in isSubclassOf when using unbound anonymous classes
On GitHub:  https://github.com/php/php-src/pull/3847
Patch:      https://github.com/php/php-src/pull/3847.patch
 [2019-02-19 09:07 UTC] nikic@php.net
Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631
 [2019-02-19 09:07 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-02-19 09:11 UTC] nikic@php.net
Automatic comment on behalf of tysonandre775@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ffee57d6adf38f8dd8b39ea7f7a5e4c462d358
Log: Fixed bug #77631
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 23:01:28 2024 UTC