Edit report at https://bugs.php.net/bug.php?id=60701&edit=1
ID: 60701
Comment by: pada at hrz dot tu-chemnitz dot de
Reported by: daan at react dot com
Summary: __toString() which stores $this reference triggers segfault (with fix!)
Status: Assigned
Type: Bug
Package: Reproducible crash
Operating System: CentOS
PHP Version: 5.3.8
Assigned To: dmitry
Block user comment: N
Private report: N
New Comment:
@sjon: Now, I retried with the original test script from daan.
This patch works for me too, thanks :)
Previous Comments:
------------------------------------------------------------------------
[2012-02-13 19:16:25] sjon at hortensius dot net
@andrew at localcoast dot net
Did you try to remove all __toString methods from your application? If that
didn't fix it you are experiencing another bug and will probably need to
generate a small reproducing script yourself.
@pada at hrz dot tu-chemnitz dot de
Your problem has nothing to do with this bug; you are simply demonstrating a
recursive loop.
------------------------------------------------------------------------
[2012-02-13 18:00:01] pada at hrz dot tu-chemnitz dot de
This patch does not work for me. I'm still experiencing SegFaults with the
following code on CentOS 6.0 with php 5.3.3 and
https://bugs.php.net/patch-display.php?bug_id=60701&patch=bug60701.patch&revision=1327066212
applied.
Test-Script:
<?php
class C {
    function f() { $this->o = new O(); return $this->o; }
    function __destruct() {}
}
class O {
    // $this->$this casts $this to a string to use it as a property name, which re-enters __toString(): unbounded recursion
    function __toString() { $this->$this; }
}
$c = new C(); $o = $c->f(); trim($o); // casting $o to string enters __toString()
?>
With the patch applied, I'm still getting SegFaults in
/var/log/httpd/error_log, but no coredumps any more. This is very strange,
since coredumping is correctly configured and with other reproducer scripts
from other bugs I'm getting coredumps.
------------------------------------------------------------------------
[2012-02-11 00:49:07] andrew at localcoast dot net
I can produce a similar issue on PHP 5.3.10 on Ubuntu 10.04 LTS x86_64 with the
patch applied. However, the initial test script provided in the first comment
runs without trouble.
Here's the backtrace for the issue I am having:
http://paste2.org/p/1900387
#0 0x00007f71fa9b8d11 in gc_zval_possible_root (zv=0x7f7201483740) at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_gc.c:143
#1 0x00007f71fa9a777b in zend_hash_destroy (ht=0x7f7201496908) at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_hash.c:529
p = 0x7f7201497c58
#2 0x00007f71fa9ba379 in zend_object_std_dtor (object=0x7f7201497428) at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_objects.c:45
#3 0x00007f71fa9ba399 in zend_objects_free_object_storage
(object=0x7f7201483740) at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_objects.c:126
#4 0x00007f71fa9bdba8 in zend_objects_store_free_object_storage
(objects=0x7f71fb162a18) at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_objects_API.c:92
i = 626
#5 0x00007f71fa98ebfb in shutdown_executor () at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend_execute_API.c:304
__bailout = {{__jmpbuf = {140127520564832, -3282099667358606386,
140127614418320, 0, -4294967295, 140127589456664, -3211606770996110386,
-3282099660654535730}, __mask_was_saved = 0, __saved_mask = {__val =
{140127612053568, 96, 140127512287676,
140127629890216, 140127638595144, 88, 140127512287676, 592,
140127512287676, 140127520566336, 140127520563352, 140127520564648, 0,
18446744069414584321, 140127512403989, 140127520566336}}}}
#6 0x00007f71fa99b612 in zend_deactivate () at
/home/andrew/.Applications/build/php-5.3.10-patched/Zend/zend.c:891
#7 0x00007f71fa947ad5 in php_request_shutdown (dummy=<value optimized out>) at
/home/andrew/.Applications/build/php-5.3.10-patched/main/main.c:1661
report_memleaks = 1 '\001'
#8 0x00007f71faa24a97 in php_apache_request_dtor (r=<value optimized out>) at
/home/andrew/.Applications/build/php-5.3.10-patched/sapi/apache2handler/sapi_apache2.c:509
#9 php_handler (r=<value optimized out>) at
/home/andrew/.Applications/build/php-5.3.10-patched/sapi/apache2handler/sapi_apache2.c:681
ctx = 0x7f7200ae5840
conf = 0x7f7200689c98
brigade = 0x7f7200ae6658
bucket = <value optimized out>
rv = <value optimized out>
parent_req = 0x0
And my PHP compile time options:
./configure --prefix=/opt/php5.3.10 --with-apxs2=/usr/bin/apxs2
--with-config-file-scan-dir=/etc/php5/apache2/
--with-config-file-path=/etc/php5/apache2/ --with-mysql --with-pdo-mysql
--enable-mbstring --with-mcrypt --with-mysqli --with-gd --with-curl
--enable-exif --enable-ftp --enable-sockets --with-openssl
Using Xdebug's tracing features, I found that the last series of calls that
were made were to ->__destruct() on our abstract model class. The code within
our __destruct() sets instance variable arrays to new arrays, and sets object
references to null.
When PHP is compiled with debug mode (--enable-debug) enabled, the issue cannot
be reproduced.
------------------------------------------------------------------------
[2012-01-25 09:20:11] daan at react dot com
Working patch fix now included! (tm)
------------------------------------------------------------------------
[2012-01-20 13:28:42] hans at rakers dot org
This bug is caused by zend_std_cast_object_tostring() not checking the refcount
of readobj when readobj==writeobj. It calls INIT_PZVAL(writeobj) without
checking the refcount first, causing any further references to this zval to get
corrupted (in this case, the 'test' property of StringableObject).
My patch against 5.3 is attached.
------------------------------------------------------------------------
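Added here as an editor's illustration of the mechanism hans describes above, not PHP source and not the patch attached to the report: a C model of a refcounted value that is re-initialized in place while a second holder still points at it. The names INIT_PZVAL, readobj/writeobj and StringableObject are borrowed from the report; the "checked" variant is one possible remedy and is an assumption.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the lifetime bug hans describes: a shared refcounted
 * value is re-initialized in place while another holder still points at it.
 * Names mirror the Zend ones, but this is neither PHP source nor the patch. */
typedef struct { int refcount; char *str; } zv_t;  /* holders + payload */
#define INIT_PZVAL(z) ((z)->refcount = 1)  /* real macro: resets to 1, unconditionally */
static char *dup_str(const char *s)        /* portable strdup */
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
/* In-place conversion (readobj == writeobj) with no refcount check. */
void cast_tostring_buggy(zv_t *readobj, zv_t *writeobj, const char *result)
{
    if (readobj == writeobj) free(writeobj->str);  /* drop old contents */
    INIT_PZVAL(writeobj);                          /* 2nd holder uncounted */
    writeobj->str = dup_str(result);
}
/* One way to keep the count honest (an assumption, not the report's patch):
 * preserve the number of holders across the re-initialization. */
void cast_tostring_checked(zv_t *readobj, zv_t *writeobj, const char *result)
{
    int holders = (readobj == writeobj) ? readobj->refcount : 1;
    if (readobj == writeobj) free(writeobj->str);
    INIT_PZVAL(writeobj);
    writeobj->refcount = holders;
    writeobj->str = dup_str(result);
}
/* Release one holder; returns 1 when the value is actually freed. */
int zv_release(zv_t *z)
{
    if (--z->refcount > 0) return 0;
    free(z->str);
    free(z);
    return 1;
}
/* Two holders ($o and $this->test) share one value; cast it in place and
 * return the refcount: 1 means the second holder dangles (the shutdown UAF). */
int refcount_after_cast(int use_checked)
{
    zv_t *z = malloc(sizeof *z);
    z->refcount = 2;
    z->str = dup_str("StringableObject");
    if (use_checked) cast_tostring_checked(z, z, "converted");
    else             cast_tostring_buggy(z, z, "converted");
    int rc = z->refcount;
    while (!zv_release(z)) {}   /* drain every holder, then it is freed */
    return rc;
}
```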
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=60701