Bug #79818 BIND_STATIC frees old variable value too early
Submitted: 2020-07-09 05:39 UTC Modified: 2020-07-10 12:35 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-09 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-09 05:39 UTC] changochen1 at gmail dot com
Description:
------------
Stack dump:
---
==201947==ERROR: MemorySanitizer: SEGV on unknown address 0x00000000007f (pc 0x0000016a6cbe bp 0x000000000031 sp 0x7ffcf03b0220 T201947)
==201947==The signal is caused by a READ memory access.
==201947==Hint: address points to the zero page.
    #0 0x16a6cbd in _build_trace_args /home/yongheng/php_clean/Zend/zend_exceptions.c:513:30
    #1 0x16a6cbd in _build_trace_string /home/yongheng/php_clean/Zend/zend_exceptions.c:569
    #2 0x16a6cbd in zim_Exception_getTraceAsString /home/yongheng/php_clean/Zend/zend_exceptions.c:611
    #3 0x132af62 in zend_call_function /home/yongheng/php_clean/Zend/zend_execute_API.c
    #4 0x16a9be0 in zim_Exception___toString /home/yongheng/php_clean/Zend/zend_exceptions.c:663:3
    #5 0x132af62 in zend_call_function /home/yongheng/php_clean/Zend/zend_execute_API.c
    #6 0x132d1b8 in zend_call_known_function /home/yongheng/php_clean/Zend/zend_execute_API.c:871:15
    #7 0x169b93c in zend_call_known_instance_method /home/yongheng/php_clean/Zend/zend_API.h:576:2
    #8 0x169b93c in zend_call_known_instance_method_with_0_params /home/yongheng/php_clean/Zend/zend_API.h:582
    #9 0x169b93c in zend_exception_error /home/yongheng/php_clean/Zend/zend_exceptions.c:923
    #10 0x13840ba in zend_execute_scripts /home/yongheng/php_clean/Zend/zend.c:1674:12
    #11 0x10ee2f9 in php_execute_script /home/yongheng/php_clean/main/main.c:2537:14
    #12 0x178c81f in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:955:5
    #13 0x1788c0f in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1353:18
    #14 0x7f040b509b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x43f9d9 in _start (/home/yongheng/php_clean/bld/sapi/cli/php+0x43f9d9)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /home/yongheng/php_clean/Zend/zend_exceptions.c:513:30 in _build_trace_args
==201947==ABORTING
---

Test script:
---------------
<?php
function b($a) {
    switch ([$c]) {
        case header_register_callback(function () {});
        static $a = d;
    }
}
b(function () {});


History

 [2020-07-10 12:29 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2020-07-10 12:29 UTC] nikic@php.net
Reduced:

<?php
function test($a) {
    static $a = UNDEFINED;
}
test(new stdClass);

==295225== Invalid read of size 4
==295225==    at 0x9C7F55: zend_gc_addref (zend_types.h:1158)
==295225==    by 0x9C8051: zval_addref_p (zend_types.h:1193)
==295225==    by 0x9D03E0: debug_backtrace_get_args (zend_builtin_functions.c:1619)
==295225==    by 0x9D192A: zend_fetch_debug_backtrace (zend_builtin_functions.c:2002)
==295225==    by 0xA5A370: zend_default_exception_new_ex (zend_exceptions.c:230)
==295225==    by 0xA5A606: zend_default_exception_new (zend_exceptions.c:261)
==295225==    by 0x9B22A5: _object_and_properties_init (zend_API.c:1381)
==295225==    by 0x9B231B: object_init_ex (zend_API.c:1395)
==295225==    by 0xA5D342: zend_throw_exception_zstr (zend_exceptions.c:837)
==295225==    by 0xA5D483: zend_throw_exception (zend_exceptions.c:857)
==295225==    by 0x9AB478: zend_throw_error (zend.c:1546)
==295225==    by 0x990EA6: zend_get_constant_ex (zend_constants.c:459)
==295225==  Address 0x8ebf930 is 0 bytes inside a block of size 40 free'd
==295225==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295225==    by 0x9712D8: _efree_custom (zend_alloc.c:2426)
==295225==    by 0x97142F: _efree (zend_alloc.c:2546)
==295225==    by 0xA848EF: zend_objects_store_del (zend_objects_API.c:197)
==295225==    by 0x9A773D: rc_dtor_func (zend_variables.c:57)
==295225==    by 0x9D3F96: i_zval_ptr_dtor (zend_variables.h:44)
==295225==    by 0xA451E3: ZEND_BIND_STATIC_SPEC_CV_UNUSED_HANDLER (zend_vm_execute.h:45228)
==295225==    by 0xA518A0: execute_ex (zend_vm_execute.h:56053)
==295225==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295225==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295225==    by 0x9127DB: php_execute_script (main.c:2537)
==295225==    by 0xA90DD3: do_cli (php_cli.c:951)
==295225==  Block was alloc'd at
==295225==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==295225==    by 0x97241D: __zend_malloc (zend_alloc.c:2992)
==295225==    by 0x971267: _malloc_custom (zend_alloc.c:2417)
==295225==    by 0x9713B1: _emalloc (zend_alloc.c:2536)
==295225==    by 0xA7D7CB: zend_objects_new (zend_objects.c:174)
==295225==    by 0x9B2236: _object_and_properties_init (zend_API.c:1372)
==295225==    by 0x9B231B: object_init_ex (zend_API.c:1395)
==295225==    by 0x9F394D: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:8885)
==295225==    by 0xA4DC4F: execute_ex (zend_vm_execute.h:52982)
==295225==    by 0xA51E6E: zend_execute (zend_vm_execute.h:56361)
==295225==    by 0x9ABBF5: zend_execute_scripts (zend.c:1667)
==295225==    by 0x9127DB: php_execute_script (main.c:2537)
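The reduction above shows the shape of the bug: BIND_STATIC releases the parameter's old value (the stdClass argument) before evaluating the static initializer, and when the undefined constant then throws, exception construction captures the call's arguments and touches the freed object. The following script is an added regression check written for this page, not the project's own test. It assumes PHP 8 semantics (an undefined constant throws Error) and a build containing the fix; on an affected build it would hit the same use-after-free path. The constant name and the property tag are constructed for the check.

```php
<?php
// Added regression check (not part of the original report or the php-src fix).
// Make sure the engine records call arguments in exception traces, so the
// check actually exercises the path that read the freed argument.
ini_set('zend.exception_ignore_args', '0');

function test($a) {
    // Re-declares the parameter as a static variable whose initializer is an
    // undefined constant (constructed name). BIND_STATIC must release the old
    // value of $a and then evaluate the constant, which throws Error on PHP 8.
    static $a = UNDEFINED_CONSTANT_FOR_THIS_CHECK;
}

function run_check(): array {
    $obj = new stdClass();
    $obj->tag = 'constructed argument';

    try {
        test($obj);
    } catch (Error $e) {
        // getTraceAsString() goes through _build_trace_args, the frame that
        // crashed in the original MemorySanitizer report.
        $trace = $e->getTraceAsString();
        $args  = $e->getTrace()[0]['args'] ?? [];

        return [
            'message'        => $e->getMessage(),
            'trace_built'    => is_string($trace) && $trace !== '',
            // The object passed in must still be the live one we hold here ...
            'arg_is_live'    => isset($args[0]) && $args[0] === $obj,
            // ... and its contents must be intact, not freed memory.
            'arg_tag_intact' => ($args[0]->tag ?? null) === 'constructed argument',
        ];
    }

    return [
        'message'        => 'no Error thrown',
        'trace_built'    => false,
        'arg_is_live'    => false,
        'arg_tag_intact' => false,
    ];
}

$result = run_check();
var_dump($result);

// A fixed build reports trace_built, arg_is_live and arg_tag_intact as true
// and exits 0; anything else (or a sanitizer abort) indicates the bug.
$ok = $result['trace_built'] && $result['arg_is_live'] && $result['arg_tag_intact'];
exit($ok ? 0 : 1);
```

Run it under a sanitizer or Valgrind build (as the valgrind output above was produced) to turn a silent use-after-free into a hard failure; the non-zero exit code makes it usable as a CI gate for the regression.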
 [2020-07-10 12:35 UTC] nikic@php.net
-Summary: Segmentation fault in _build_trace_args +Summary: BIND_STATIC frees old variable value too early
 [2020-07-10 12:37 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6556846754b6b513d7ce74d2ebd2f21a61252074
Log: Fixed bug #79818
 [2020-07-10 12:37 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Nov 30 12:01:23 2020 UTC