Edit report at http://bugs.php.net/bug.php?id=50360&edit=1

 ID:                 50360
 Updated by:         il...@php.net
 Reported by:        mjomble at gmail dot com
 Summary:            Crash on is_subclass_of() under special conditions
                     (PHP_5_2 only!)
-Status:             Verified
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   *
 PHP Version:        5.2SVN-2009-12-02 (snap)
-Assigned To:        
+Assigned To:        iliaa
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is fixed in 5.3


Previous Comments:
------------------------------------------------------------------------
[2009-12-04 22:33:32] fel...@php.net

I can reproduce it on 5.2SVN.

==19457== Invalid read of size 4
==19457==    at 0x83BE343: is_a_impl (zend_builtin_functions.c:674)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79f8 is 184 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE374: is_a_impl (zend_builtin_functions.c:678)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE467: is_a_impl (zend_builtin_functions.c:680)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457== 
==19457== Invalid read of size 4
==19457==    at 0x83BE46F: is_a_impl (zend_builtin_functions.c:680)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83AC175: zend_execute_scripts (zend.c:1134)
==19457==    by 0x8343300: php_execute_script (main.c:2035)
==19457==    by 0x8436388: main (php_cli.c:1162)
==19457==  Address 0x45e79fc is 188 bytes inside a block of size 256 free'd
==19457==    at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==19457==    by 0x8385ABD: _erealloc (zend_alloc.c:2319)
==19457==    by 0x83D685E: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==19457==    by 0x83D5A86: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839E2E4: zend_fetch_class (zend_execute_API.c:1560)
==19457==    by 0x83D8A70: ZEND_FETCH_CLASS_SPEC_CONST_HANDLER (zend_vm_execute.h:650)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83E4B14: ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (zend_vm_execute.h:4681)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x839C576: zend_call_function (zend_execute_API.c:1038)
==19457==    by 0x83C6139: zend_call_method (zend_interfaces.c:88)
==19457==    by 0x821D2AC: zif_spl_autoload_call (php_spl.c:382)
==19457==    by 0x839C7C9: zend_call_function (zend_execute_API.c:1052)
==19457==    by 0x839D0B9: zend_lookup_class_ex (zend_execute_API.c:1145)
==19457==    by 0x839D3BA: zend_lookup_class (zend_execute_API.c:1177)
==19457==    by 0x83BE2DE: is_a_impl (zend_builtin_functions.c:662)
==19457==    by 0x83BE585: zif_is_subclass_of (zend_builtin_functions.c:712)
==19457==    by 0x83D5DFF: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==19457==    by 0x83DCBA1: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)
==19457==    by 0x83D608C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==19457==    by 0x83D6F14: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==19457==    by 0x83D5887: execute (zend_vm_execute.h:92)

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=50360

