PHP :: Bug #78456 :: Segfault when serializing SplDoublyLinkedList

Bug #78456	Segfault when serializing SplDoublyLinkedList
Submitted:	2019-08-25 20:10 UTC	Modified:	2019-08-26 09:05 UTC
From:	edgaras dot janusauskas at gmail dot com	Assigned:	nikic (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.4.0beta4	OS:	Windows, Ubuntu
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	edgaras dot janusauskas at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2019-08-25 20:10 UTC] edgaras dot janusauskas at gmail dot com

Description:
------------
PHP 7.4 crashes while running CakePHP test suite on Travis CI.
PHP 7.3 and below is OK.

It crashes in test while unserializing class which extends IteratorIterator and implements Serializable, and also uses SplDoublyLinkedList.

https://github.com/cakephp/cakephp/blob/3.8.2/tests/TestCase/Collection/CollectionTest.php#L2383-L2390

I've tried to reduce test to short vanilla PHP script, I were not able.
Install cakephp/collection:3.8.2 via composer.

Test script:
---------------
composer require cakephp/collection

require 'vendor/autoload.php';

$collection = new \Cake\Collection\Collection([1, 2, 3]);
$serialized = serialize($collection);
$unserialized = unserialize($serialized); // crash


Expected result:
----------------
Object is unserialized successfully.

Actual result:
--------------
Backtrace when running on PHP 7.4.0beta4 (cli) (built: Aug 21 2019 08:53:45) ( NTS Visual C++ 2017 x64 ):

Access violation - code c0000005 (first chance)

00 php7!zend_mm_alloc_small
01 php7!zend_mm_alloc_heap
02 php7!_emalloc
03 php7!_zend_new_array
04 php7!php_var_unserialize_internal
05 php7!process_nested_data
06 php7!php_var_unserialize_internal
07 php7!process_nested_data
08 php7!object_common
09 php7!php_var_unserialize_internal
0a php7!php_var_unserialize
0b php7!zif_unserialize
0c php7!ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER
0d php7!execute_ex
0e php7!zend_call_function
0f php7!zend_call_method
10 php7!zend_user_unserialize
11 php7!object_custom
12 php7!php_var_unserialize_internal
13 php7!php_var_unserialize
14 php7!zif_unserialize
15 php7!ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER
16 php7!execute_ex
17 php7!zend_call_function
18 php7!zend_call_method
19 php7!zend_user_unserialize
1a php7!object_custom
1b php7!php_var_unserialize_internal
1c php7!php_var_unserialize
1d php7!zif_unserialize
1e php7!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER
1f php7!execute_ex
20 php7!zend_execute
21 php7!zend_execute_scripts
22 php7!php_execute_script
23 php!sapi_cli_single_write
24 php!sapi_cli_single_write
25 php!sapi_cli_single_write
26 KERNEL32!BaseThreadInitThunk
27 ntdll!RtlUserThreadStart

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-08-26 08:59 UTC] nikic@php.net

-Status: Open +Status: Verified

[2019-08-26 08:59 UTC] nikic@php.net

Valgrind:

==12831== Invalid read of size 4
==12831==    at 0x6CC564: zend_gc_addref (zend_types.h:1030)
==12831==    by 0x6CCF6F: spl_ptr_llist_pop (spl_dllist.c:258)
==12831==    by 0x6CD211: spl_dllist_object_free_storage (spl_dllist.c:353)
==12831==    by 0x9897A8: zend_objects_store_del (zend_objects_API.c:194)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x92C4B9: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x92C6CB: zval_ptr_dtor (zend_variables.c:84)
==12831==    by 0x948778: zend_hash_destroy (zend_hash.c:1541)
==12831==    by 0x7AED5A: php_var_serialize_destroy (var.c:1140)
==12831==    by 0x7AF083: zif_serialize (var.c:1162)
==12831==    by 0x9A4989: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1319)
==12831==    by 0xA090C9: execute_ex (zend_vm_execute.h:53453)
==12831==  Address 0x1250a474 is 4 bytes inside a block of size 56 free'd
==12831==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12831==    by 0x8F5528: _efree_custom (zend_alloc.c:2411)
==12831==    by 0x8F5669: _efree (zend_alloc.c:2531)
==12831==    by 0x948C2A: zend_array_destroy (zend_hash.c:1637)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x9437CC: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x948AC0: zend_array_destroy (zend_hash.c:1611)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x9437CC: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x948AC0: zend_array_destroy (zend_hash.c:1611)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x92C4B9: i_zval_ptr_dtor (zend_variables.h:44)
==12831==  Block was alloc'd at
==12831==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12831==    by 0x8F6569: __zend_malloc (zend_alloc.c:2961)
==12831==    by 0x8F54C1: _malloc_custom (zend_alloc.c:2402)
==12831==    by 0x8F55EF: _emalloc (zend_alloc.c:2521)
==12831==    by 0x94408D: _zend_new_array (zend_hash.c:256)
==12831==    by 0x9C9ACF: ZEND_INIT_ARRAY_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:18754)
==12831==    by 0xA0ACAF: execute_ex (zend_vm_execute.h:55273)
==12831==    by 0x917723: zend_call_function (zend_execute_API.c:820)
==12831==    by 0x95D553: zend_call_method (zend_interfaces.c:103)
==12831==    by 0x95E49F: zend_user_serialize (zend_interfaces.c:441)
==12831==    by 0x7AE415: php_var_serialize_intern (var.c:987)
==12831==    by 0x7AEC2A: php_var_serialize (var.c:1114)

[2019-08-26 09:05 UTC] nikic@php.net

-Summary: Segfault when unserializing iterator +Summary: Segfault when serializing SplDoublyLinkedList -Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic

[2019-08-26 09:05 UTC] nikic@php.net

<?php
$dllist = new SplDoublyLinkedList();
$dllist->push(new stdClass);
var_dump(serialize($dllist));

Missing refcount increment in the __serialize() implementation...

[2019-08-26 09:10 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9483c507725637a45704d5983f3eaf7ca37875c9
Log: Fixed bug #78456

[2019-08-26 09:10 UTC] nikic@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 05:01:28 2024 UTC