|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77631 ReflectionClass->isSubclassOf crashes in PHP 7.4 for anonymous class
Submitted: 2019-02-18 03:05 UTC Modified: 2019-02-18 08:19 UTC
From: Assigned:
Status: Closed Package: Reproducible crash
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2019-02-18 03:05 UTC]
This was initially reproduced by cloning , running `composer.phar install`, and running `vendor/bin/phpunit tests/ParserGrammerTest.php`.

I narrowed the bug down to the below test script. This crashes in both non-debug NTS and a debug ZTS build in PHP-7.4 (built today with 5b15908ed7d1765c1776b40ffc58092044aa1332, introduced somewhere before that).

instance_ce has invalid data. This might be caused by the test script using a ReflectionClass for an anonymous class where no instances have been created.

Checking for class@anonymous/path/to/php-src/test.php0x7ffff7fd405d

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
warning: Source file is more recent than executable.
2285                    instance_ce = instance_ce->parent;
(gdb) bt
#0  0x0000000000b31505 in instanceof_class (instance_ce=0x4, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2285
#1  0x0000000000b3168d in instanceof_function (instance_ce=0x7fffecc06740, ce=0x7fffe4b69c18) at /path/to/php-src/Zend/zend_operators.c:2330
#2  0x00000000007be3af in zim_reflection_class_isSubclassOf (execute_data=0x7fffecc171a0, return_value=0x7fffecc17110) at /path/to/php-src/ext/reflection/php_reflection.c:4991
#3  0x0000000000bb451d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /path/to/php-src/Zend/zend_vm_execute.h:1104
#4  0x0000000000c36376 in execute_ex (ex=0x7fffecc17020) at /path/to/php-src/Zend/zend_vm_execute.h:61540
#5  0x0000000000c3c999 in zend_execute (op_array=0x7fffecc73400, return_value=0x0) at /path/to/php-src/Zend/zend_vm_execute.h:67944
#6  0x0000000000b3a5a0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /path/to/php-src/Zend/zend.c:1639
#7  0x0000000000a72dfd in php_execute_script (primary_file=0x7fffffffc680) at /path/to/php-src/main/main.c:2633
#8  0x0000000000c3fa52 in do_cli (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:992
#9  0x0000000000c40e9d in main (argc=2, argv=0x181f030) at /path/to/php-src/sapi/cli/php_cli.c:1384

Test script:
class X {
    public static function main() {
        return new class() extends Base {};
class Base {}
call_user_func(function() {
    $base = Base::class;
    foreach (get_declared_classes() as $class) {
        if (strpos($class, 'class@anonymous') === false) {
        echo "Checking for $class\n";
        $rc = new ReflectionClass($class);
        var_export($rc->isSubclassOf($base));  // Segfaults on this line

Expected result:
Does not segfault, prints Checking for class@anonymouspath...false (like earlier php versions do)

Actual result:
Segfaults because of the call to isSubclassOf


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-02-18 08:19 UTC]
The actual bug here is that get_declared_classes() exposes anonymous classes that haven't been bound yet. The code currently only handles unbound ordinary classes.
 [2019-02-18 14:50 UTC]
The following pull request has been associated:

Patch Name: Fix class crash in isSubclassOf when using unbound anonymous classes
On GitHub:
 [2019-02-19 09:07 UTC]
Automatic comment on behalf of
Log: Fixed bug #77631
 [2019-02-19 09:07 UTC]
-Status: Open +Status: Closed
 [2019-02-19 09:11 UTC]
Automatic comment on behalf of
Log: Fixed bug #77631
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Apr 10 10:01:24 2020 UTC