View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001091 | Xdebug | Uncategorized | public | 2014-11-26 21:45 | 2021-04-14 16:10 |
Reporter | hakon | Assigned To | derick | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | no change required | ||
OS | Linux | ||||
Product Version | 2.2.6 | ||||
Summary | 0001091: Memory corruption when throwing a message that overrides the 'message' property | ||||
Description | If a class extending Exception declares a $message property, throwing it causes use-after-free issues leading to memory corruption and random segfaults. | ||||
Steps To Reproduce | $ php --version $ cat test_message.php class Foo extends \Exception { try { $ USE_ZEND_ALLOC=0 valgrind sapi/cli/php test_message.php ==10603== Memcheck, a memory error detector | ||||
Tags | No tags attached. | ||||
Attached Files | valgrind_output.txt (12,736 bytes) | ||||
Operating System | Arch Linux | ||||
PHP Version | 5.6.0-5.6.4 | ||||

Contents of valgrind_output.txt:

```text
==10726== Memcheck, a memory error detector
==10726== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10726== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==10726== Command: sapi/cli/php test_message.php
==10726==
==10726== Invalid read of size 4
==10726==    at 0x71580E: zval_delref_p (zend.h:411)
==10726==    by 0x71580E: i_zval_ptr_dtor (zend_execute.h:76)
==10726==    by 0x71580E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8730 is 16 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726== Invalid write of size 4
==10726==    at 0x715818: zval_delref_p (zend.h:411)
==10726==    by 0x715818: i_zval_ptr_dtor (zend_execute.h:76)
==10726==    by 0x715818: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8730 is 16 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726== Invalid read of size 4
==10726==    at 0x71581F: zval_delref_p (zend.h:411)
==10726==    by 0x71581F: i_zval_ptr_dtor (zend_execute.h:76)
==10726==    by 0x71581F: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8730 is 16 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726== Invalid read of size 4
==10726==    at 0x71587D: zval_refcount_p (zend.h:399)
==10726==    by 0x71587D: i_zval_ptr_dtor (zend_execute.h:82)
==10726==    by 0x71587D: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8730 is 16 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726== Invalid read of size 1
==10726==    at 0x7158A1: gc_zval_check_possible_root (zend_gc.h:182)
==10726==    by 0x7158A1: i_zval_ptr_dtor (zend_execute.h:86)
==10726==    by 0x7158A1: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8734 is 20 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726== Invalid read of size 1
==10726==    at 0x7158AD: gc_zval_check_possible_root (zend_gc.h:182)
==10726==    by 0x7158AD: i_zval_ptr_dtor (zend_execute.h:86)
==10726==    by 0x7158AD: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x71B676: destroy_zend_class (zend_opcode.c:283)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==    by 0x7153C0: shutdown_executor (zend_execute_API.c:303)
==10726==    by 0x72BC77: zend_deactivate (zend.c:963)
==10726==    by 0x69EB81: php_request_shutdown (main.c:1884)
==10726==    by 0x84BE73: do_cli (php_cli.c:1177)
==10726==    by 0x84C567: main (php_cli.c:1378)
==10726==  Address 0x113f8734 is 20 bytes inside a block of size 32 free'd
==10726==    at 0x4C2B200: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10726==    by 0x6F4B02: _efree (zend_alloc.c:2437)
==10726==    by 0x71586E: i_zval_ptr_dtor (zend_execute.h:80)
==10726==    by 0x71586E: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73DC39: zend_hash_destroy (zend_hash.c:548)
==10726==    by 0x75E857: zend_object_std_dtor (zend_objects.c:44)
==10726==    by 0x75ECC4: zend_objects_free_object_storage (zend_objects.c:137)
==10726==    by 0x768A90: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:226)
==10726==    by 0x768789: zend_objects_store_del_ref (zend_objects_API.c:178)
==10726==    by 0x7299BD: _zval_dtor_func (zend_variables.c:57)
==10726==    by 0x715862: _zval_dtor (zend_variables.h:35)
==10726==    by 0x715862: i_zval_ptr_dtor (zend_execute.h:79)
==10726==    by 0x715862: _zval_ptr_dtor (zend_execute_API.c:427)
==10726==    by 0x73C3C2: i_zend_hash_bucket_delete (zend_hash.c:182)
==10726==    by 0x73C3C2: zend_hash_bucket_delete (zend_hash.c:192)
==10726==    by 0x73E2FA: zend_hash_reverse_apply (zend_hash.c:733)
==10726==
==10726==
==10726== HEAP SUMMARY:
==10726==     in use at exit: 456 bytes in 14 blocks
==10726==   total heap usage: 30,123 allocs, 30,109 frees, 4,459,702 bytes allocated
==10726==
==10726== LEAK SUMMARY:
==10726==    definitely lost: 160 bytes in 5 blocks
==10726==    indirectly lost: 176 bytes in 5 blocks
==10726==      possibly lost: 0 bytes in 0 blocks
==10726==    still reachable: 120 bytes in 4 blocks
==10726==         suppressed: 0 bytes in 0 blocks
==10726== Rerun with --leak-check=full to see details of leaked memory
==10726==
==10726== For counts of detected and suppressed errors, rerun with: -v
==10726== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
```
Notes

Note | Date | Username | Text |
---|---|---|---|
0002918 | 2014-11-28 11:33 | derick | Just letting you know that I can reproduce this... no clue about a fix though (yet)! |
0003852 | 2016-11-29 23:51 | derick | I can reproduce this with PHP 5.5 and 5.6, but not with 7.0 or 7.1. |
0005772 | 2021-03-17 09:39 | derick | Is this issue still relevant to you? |
0005846 | 2021-04-14 16:10 | derick | Closing this, as it is missing requested feedback. |

Issue History
Date Modified | Username | Field | Change |
---|---|---|---|
2014-11-26 21:45 | hakon | New Issue | |
2014-11-26 21:45 | hakon | File Added: valgrind_output.txt | |
2014-11-26 21:47 | hakon | File Added: test_message.php | |
2014-11-28 11:33 | derick | Note Added: 0002918 | |
2016-07-31 12:36 | derick | Category | Usage problems => Usage problems (Crashes) |
2016-07-31 12:38 | derick | Category | Usage problems (Crashes) => Usage problems (Wrong Results) |
2016-11-29 23:51 | derick | Note Added: 0003852 | |
2016-11-29 23:51 | derick | Assigned To | => derick |
2016-11-29 23:51 | derick | Status | new => confirmed |
2020-03-12 16:35 | derick | Category | Usage problems (Wrong Results) => Variable Display |
2020-03-12 16:38 | derick | Category | Variable Display => Uncategorized |
2021-03-17 09:39 | derick | Status | confirmed => feedback |
2021-03-17 09:39 | derick | Note Added: 0005772 | |
2021-04-14 16:10 | derick | Status | feedback => closed |
2021-04-14 16:10 | derick | Resolution | open => no change required |
2021-04-14 16:10 | derick | Note Added: 0005846 |