php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78787 Segfault with trait overriding inherited private shadow property
Submitted: 2019-11-06 10:13 UTC Modified: 2019-11-06 11:50 UTC
From: shariefjamiel at gmail dot com Assigned:
Status: Closed Package: Reflection related
PHP Version: 7.3.11 OS: mac/linux
Private report: No CVE-ID: None
 [2019-11-06 10:13 UTC] shariefjamiel at gmail dot com
Description:
------------
I am getting a segfault 11 when running PHPunit 8 or analysing code with PHPStan, i have been able recreate for PHPUnit but not PHPStan. (but the fix resolves both of them)

PHP 7.3.11 (cli) (built: Oct 24 2019 11:29:52) ( NTS )
PHPUnit 8.4.2

This appears to be caused reflecting multiple files in PHP 7.3 (not 7.2 or 7.4)

Source code:
https://github.com/jamielsharief/php-bug-segfault-11

1. download source
2. type composer install

Full explanation and gdb backtrace https://github.com/jamielsharief/php-bug-segfault-11/blob/master/README.md

Test script:
---------------
vendor/bin/phpunit tests

Expected result:
----------------
OK (3 tests, 3 assertions)

Actual result:
--------------
Segmentation fault: 11

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-06 10:15 UTC] shariefjamiel at gmail dot com
This appears to be caused reflecting multiple files with traits in PHP 7.3 (not 7.2 or 7.4)
 [2019-11-06 11:33 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-11-06 11:33 UTC] nikic@php.net
Valgrind:

==4029== Invalid read of size 4
==4029==    at 0xA84D40: zend_string_release_ex (zend_string.h:284)
==4029==    by 0xA8B45C: zend_do_traits_property_binding (zend_inheritance.c:1600)
==4029==    by 0xA8BC61: zend_do_bind_traits (zend_inheritance.c:1755)
==4029==    by 0xA9AD48: ZEND_BIND_TRAITS_SPEC_HANDLER (zend_vm_execute.h:1682)
==4029==    by 0xB050EC: execute_ex (zend_vm_execute.h:55565)
==4029==    by 0xB0A5EA: zend_execute (zend_vm_execute.h:60901)
==4029==    by 0xA2E83A: zend_execute_scripts (zend.c:1568)
==4029==    by 0x993D7F: php_execute_script (main.c:2639)
==4029==    by 0xB0D3FA: do_cli (php_cli.c:997)
==4029==    by 0xB0E571: main (php_cli.c:1389)
==4029==  Address 0x1121ac44 is 4 bytes inside a block of size 64 free'd
==4029==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4029==    by 0x9F5E3C: _efree (zend_alloc.c:2515)
==4029==    by 0xA84E0B: zend_string_release_ex (zend_string.h:291)
==4029==    by 0xA8B45C: zend_do_traits_property_binding (zend_inheritance.c:1600)
==4029==    by 0xA8BC61: zend_do_bind_traits (zend_inheritance.c:1755)
==4029==    by 0xA9AD48: ZEND_BIND_TRAITS_SPEC_HANDLER (zend_vm_execute.h:1682)
==4029==    by 0xB050EC: execute_ex (zend_vm_execute.h:55565)
==4029==    by 0xB0A5EA: zend_execute (zend_vm_execute.h:60901)
==4029==    by 0xA2E83A: zend_execute_scripts (zend.c:1568)
==4029==    by 0x993D7F: php_execute_script (main.c:2639)
==4029==    by 0xB0D3FA: do_cli (php_cli.c:997)
==4029==    by 0xB0E571: main (php_cli.c:1389)
==4029==  Block was alloc'd at
==4029==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4029==    by 0x9F6AE4: __zend_malloc (zend_alloc.c:2908)
==4029==    by 0x9F5D95: _emalloc (zend_alloc.c:2501)
==4029==    by 0x9CE681: zend_string_alloc (zend_string.h:133)
==4029==    by 0x9CE6F1: zend_string_init (zend_string.h:155)
==4029==    by 0x9D5D2B: lex_scan (zend_language_scanner.l:2109)
==4029==    by 0x9FC4D0: zendlex (zend_compile.c:1703)
==4029==    by 0x9C9623: zendparse (zend_language_parser.c:4211)
==4029==    by 0x9D0391: zend_compile (zend_language_scanner.l:587)
==4029==    by 0x9D0605: compile_file (zend_language_scanner.l:637)
==4029==    by 0x712706: phar_compile_file (phar.c:3348)
==4029==    by 0x9D0736: compile_filename (zend_language_scanner.l:662)
 [2019-11-06 11:43 UTC] nikic@php.net
Reduced test case:

<?php
  
trait T {
    private $prop;
}
class C1 {
    /** Doc comment */
    private $prop;
}
class C2 extends C1 {
}
class C3 extends C2 {
    use T;
}

C3 has an inherited, non-duplicated shadow property that we're trying to release. I've fixed something similar before, but apparently not for the trait binding case.

Doesn't occur on 7.2 because shadow properties were duplicate there, doesn't occur on 7.4 because it does not use shadow properties.
 [2019-11-06 11:50 UTC] nikic@php.net
-Summary: PHP 7.3 Segfault 11 Reflection/Trait +Summary: Segfault with trait overriding inherited private shadow property
 [2019-11-06 11:53 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6d4965febdb1745444e7a3408fa7c01bcfc52b68
Log: Fixed bug #78787
 [2019-11-06 11:53 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 26 07:01:26 2020 UTC