Edit report at https://bugs.php.net/bug.php?id=61388&edit=1
ID: 61388
Updated by: cataphr...@php.net
Reported by: piotr dot nowak at onet dot eu
Summary: ReflectionObject:getProperties called on ArrayObject throws Segmentation Fault
-Status: Assigned
+Status: Closed
Type: Bug
Package: Reflection related
Operating System: Linux (Ubuntu) x64
PHP Version: 5.4.0
Assigned To: cataphract
Block user comment: N
Private report: N

New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2012-03-18 18:23:29] cataphr...@php.net

Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=324337
Log: - Fixed bug #61388 (ReflectionObject:getProperties() issues invalid reads when get_properties returns a hash table with (inaccessible) dynamic numeric properties).

------------------------------------------------------------------------
[2012-03-14 23:16:45] piotr dot nowak at onet dot eu

To be sure that the problem doesn't come from the package used, I have compiled the current version of the 5.4 branch from SVN (revision #324259).
It was compiled with a completely default configuration (only --prefix=/tmp/php/php-5.4 was used).

GDB traces:

piotr@piotr-Vostro-430:/tmp/php/php-5.4/bin$ gdb ./php
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /tmp/php/php-5.4/bin/php...done.
(gdb) run /tmp/bug.php
Starting program: /tmp/php/php-5.4/bin/php /tmp/bug.php
Array
(
)
Array
(
)

Program received signal SIGSEGV, Segmentation fault.
0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, args=0x7fffffffb698, hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
3835        if (hash_key->arKey[0] == '\0') {
(gdb) bt
#0  0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, args=0x7fffffffb698, hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
#1  0x00000000006893cc in zend_hash_apply_with_arguments (ht=0x7ffff7fd72c0, apply_func=0x56b310 <_adddynproperty>, num_args=2) at /tmp/php/php-src-5.4/Zend/zend_hash.c:772
#2  0x000000000056a401 in zim_reflection_class_getProperties (ht=<optimized out>, return_value=0x7ffff7fd7eb8, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fd7ee8, return_value_used=<optimized out>) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3876
#3  0x000000000071d1d9 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2060) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:642
#4  0x00000000006d960c in execute (op_array=0x7ffff7fd64a0) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:410
#5  0x000000000067d205 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php/php-src-5.4/Zend/zend.c:1272
#6  0x000000000061de28 in php_execute_script (primary_file=0x7fffffffde60) at /tmp/php/php-src-5.4/main/main.c:2473
#7  0x000000000071f6e7 in do_cli (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:983
#8  0x0000000000425590 in main (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:1356
(gdb) frame 0
#0  0x000000000056b358 in _adddynproperty (pptr=<optimized out>, num_args=<optimized out>, args=0x7fffffffb698,
    hash_key=0x7fffffffb680) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3835
3835        if (hash_key->arKey[0] == '\0') {
(gdb) frame 1
#1  0x00000000006893cc in zend_hash_apply_with_arguments (ht=0x7ffff7fd72c0, apply_func=0x56b310 <_adddynproperty>, num_args=2) at /tmp/php/php-src-5.4/Zend/zend_hash.c:772
772         result = apply_func(p->pData TSRMLS_CC, num_args, args, &hash_key);
(gdb) frame 2
#2  0x000000000056a401 in zim_reflection_class_getProperties (ht=<optimized out>, return_value=0x7ffff7fd7eb8, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fd7ee8, return_value_used=<optimized out>) at /tmp/php/php-src-5.4/ext/reflection/php_reflection.c:3876
3876        zend_hash_apply_with_arguments(properties TSRMLS_CC, (apply_func_args_t) _adddynproperty, 2, &ce, return_value);
(gdb) frame 3
#3  0x000000000071d1d9 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa2060) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:642
642         fbc->internal_function.handler(opline->extended_value, ret->var.ptr, (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ?
            &ret->var.ptr : NULL, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
(gdb) frame 4
#4  0x00000000006d960c in execute (op_array=0x7ffff7fd64a0) at /tmp/php/php-src-5.4/Zend/zend_vm_execute.h:410
410         if ((ret = OPLINE->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) frame 5
#5  0x000000000067d205 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php/php-src-5.4/Zend/zend.c:1272
1272        zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 6
#6  0x000000000061de28 in php_execute_script (primary_file=0x7fffffffde60) at /tmp/php/php-src-5.4/main/main.c:2473
2473        retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 7
#7  0x000000000071f6e7 in do_cli (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:983
983         php_execute_script(&file_handle TSRMLS_CC);
(gdb) frame 8
#8  0x0000000000425590 in main (argc=2, argv=0x7fffffffe238) at /tmp/php/php-src-5.4/sapi/cli/php_cli.c:1356
1356        exit_status = do_cli(argc, argv TSRMLS_CC);
(gdb)

------------------------------------------------------------------------
[2012-03-14 18:10:43] piotr dot nowak at onet dot eu

Description:
------------
When the ReflectionObject::getProperty() method is called on an ArrayObject instance, a Segmentation Fault is thrown.

The problem appears only when getting public properties from an instance which was filled using a simple brackets call (ex. $x[] = 'something') or numeric access (ex. $x[0] = 'something'). The problem will not appear when you use associative access (ex. $x['test'] = 'something').

The problem was seen on nginx+php_fpm but was also confirmed on the cli version.
Additionally, the same code was working correctly for years - even on the last 5.3.10 version.

Some additional data:
* PHP 5.4.0-1 for Ubuntu oneiric x86_64 was installed from Ondrej's launchpad https://launchpad.net/~ondrej/+archive/php5

The problem is reproducible in the default configuration.

Test script:
---------------
<?php
$x=new ArrayObject();
$x[] = 'test string'; //will cause reflectionobject segfault
$x[0] = 'test string'; //will cause reflectionobject segfault
$x['test'] = 'test string'; //will work

$refl = new ReflectionClass($x);
print_r($refl->getProperties()); //works (but returns nothing)

$reflObj = new ReflectionObject($x);
print_r($reflObj->getProperties(
    ReflectionProperty::IS_PRIVATE |
    ReflectionProperty::IS_PROTECTED |
    ReflectionProperty::IS_STATIC
)); //works (but returns nothing)
print_r($reflObj->getProperties(ReflectionProperty::IS_PUBLIC)); //SEGFAULT
print_r($reflObj->getProperties()); //SEGFAULT

Expected result:
----------------
For the shown example it should simply pass without SEGFAULT or throw an Exception / Fatal Error if something is wrong on my side.
I am using this method for analysing complicated objects (in this case it was a PropelObjectCollection object from Propel ORM).

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000052e94d in _adddynproperty (pptr=0x7fffffffb830, num_args=40, args=0x7fffffffb738, hash_key=0x7fffffffb720) at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3835
3835    /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c: No such file or directory.
    in /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c
(gdb) bt
#0  0x000000000052e94d in _adddynproperty (pptr=0x7fffffffb830, num_args=40, args=0x7fffffffb738, hash_key=0x7fffffffb720) at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3835
#1  0x00000000006a9a2c in zend_hash_apply_with_arguments (ht=0x7ffff7fdabc8, apply_func=0x52e900 <_adddynproperty>, num_args=2) at /build/buildd/php5-5.4.0/Zend/zend_hash.c:772
#2  0x000000000052d938 in zim_reflection_class_getProperties (ht=-134371384, return_value=0x7ffff7fda970, return_value_ptr=0x7fffffffb738, this_ptr=0x7ffff7fda8c8, return_value_used=-134370960) at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3876
#3  0x0000000000742b89 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f9e060) at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:642
#4  0x00000000006fcbef in execute (op_array=0x7ffff7fd2540) at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:410
#5  0x000000000069ce90 in zend_execute_scripts (type=0, retval=0x8f7fd2448, file_count=3) at /build/buildd/php5-5.4.0/Zend/zend.c:1272
#6  0x000000000063c743 in php_execute_script (primary_file=0x0) at /build/buildd/php5-5.4.0/main/main.c:2473
#7  0x0000000000745221 in do_cli (argc=0, argv=0x7fffffffe50b) at /build/buildd/php5-5.4.0/sapi/cli/php_cli.c:983
#8  0x000000000042c843 in main (argc=32767, argv=0xd341f0) at /build/buildd/php5-5.4.0/sapi/cli/php_cli.c:1356
(gdb) frame 4
#4  0x00000000006fcbef in execute (op_array=0x7ffff7fd2540) at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:410
410     /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h: No such file or directory.
    in /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h
(gdb) frame 3
#3  0x0000000000742b89 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f9e060) at /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h:642
642     in /build/buildd/php5-5.4.0/Zend/zend_vm_execute.h
(gdb) frame 2
#2  0x000000000052d938 in zim_reflection_class_getProperties (ht=-134371384, return_value=0x7ffff7fda970, return_value_ptr=0x7fffffffb738, this_ptr=0x7ffff7fda8c8, return_value_used=-134370960) at /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c:3876
3876    /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c: No such file or directory.
    in /build/buildd/php5-5.4.0/ext/reflection/php_reflection.c
(gdb)

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=61388&edit=1
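
Added example, not part of the bug thread and not the PHP project's code: a small C model of the check that the trace and the commit log point to, where frame #0 stops on a read of the key's first byte and the log names numeric dynamic properties. It assumes an integer-keyed entry carries no key string (NULL pointer, zero length); the struct, field and function names are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified key model (constructed for this example): integer-indexed
 * entries carry no string, so str is NULL and len is 0. */
struct hkey {
    const char   *str;  /* NULL for integer keys */
    size_t        len;  /* key bytes; 0 for integer keys */
    unsigned long idx;  /* numeric index, used when len == 0 */
};

/* Unchecked form, same shape as the faulting line in the trace: reads the
 * first key byte unconditionally. For comparison only; never called here. */
int is_dynamic_public_unchecked(const struct hkey *k)
{
    return k->str[0] != '\0';
}

/* Checked form: integer keys are skipped before any byte is read.
 * A leading NUL byte marks a mangled (non-public) property name. */
int is_dynamic_public(const struct hkey *k)
{
    if (k->len == 0 || k->str == NULL)
        return 0;               /* numeric key: not a named property */
    return k->str[0] != '\0';
}

/* Counts the entries that would be reported as public dynamic properties. */
size_t count_dynamic_public(const struct hkey *keys, size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        hits += (size_t)is_dynamic_public(&keys[i]);
    return hits;
}

/* Constructed sample mirroring the test script: the $x[] / $x[0] slot,
 * $x['test'], plus one mangled protected-style name. */
static const struct hkey sample_keys[] = {
    { NULL,          0, 0 },
    { "test",        4, 0 },
    { "\0*\0hidden", 9, 0 },
};

int main(void)
{
    printf("%zu\n", count_dynamic_public(sample_keys, 3));
    return 0;
}
```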