Edit report at http://bugs.php.net/bug.php?id=51329&edit=1

 ID:               51329
 Comment by:       gergely dot fabian at radix-technologies dot com
 Reported by:      gergely dot fabian at radix-technologies dot com
 Summary:          call_user_func_array() crashes with autoload in
                   recursive calls
 Status:           Open
 Type:             Bug
 Package:          Reproducible crash
 Operating System: Ubuntu
 PHP Version:      5.2.13

 New Comment:

I managed to reproduce this bug (I guess it's the same) in another way,
which is a lot closer to our original test case (that was about having a
given number of calls in the call stack causing later autoload of
call_user_func_array() to fail, but if we had a larger number of calls in
the call stack, then there was no segfault).

This code will have a segfault in the 25th call (it mainly depends on
the number of parameters given to "callback"). If we miss calling
call_user_func_array() in the 25th recursion (and simply make another
recursion) then later call_user_func_array() calls will be ok. I guess
making a simple recursion at the 25th step masks (or fixes) the bug in
the call stack.



<?php

$limit = 25; // till when to autoload classes

// change $limit2 to 25, and P25's autoload will be missed (and an
// additional callback will be called before next autoloading)
// then there is no segmentation fault, and it runs till 50
$limit2 = 24; // re-enable autoloading after this limit
$limit3 = 50; // iterate till this

for($i = 1; $i <= $limit3; $i++){
  $f = "<?php
echo \"P$i loaded\\n\";
class P$i{
  public static function execute_me(){
    return \"P$i executed\\n\";
  }
}";
  file_put_contents("P$i.class.php", $f);
}

function __autoload($class_name) {
    require_once $class_name . '.class.php';
}

function callback($limit, $limit2, $i = 1){
  global $limit3;
  echo "Calling callback $i\n";
  if ($i < $limit || $i > $limit2)  // enable some $i where we won't autoload
  {
    //class_exists("P$i");
    echo call_user_func_array(array("P$i", 'execute_me'), array());
  }
  if ($i < $limit3) callback($limit, $limit2, $i+1);
}

callback($limit, $limit2);


Previous Comments:
------------------------------------------------------------------------
[2010-03-19 10:29:56] gergely dot fabian at radix-technologies dot com

Description:
------------
PHP 5.2.13 (cli) (built: Mar 19 2010 09:37:12) (configured with
./configure --prefix=$HOME --enable-debug)

2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64
GNU/Linux



Calling class methods with call_user_func_array() in a recursive
call-chain - if call_user_func_array() autoloads the subsequent class on
each step - will cause a Segmentation fault (if the recursion is deep
enough).

If I run the sample script then I'll get a Segmentation fault at the 31st
call.

This was reproducible both on PHP 5.2.13 and 5.2.10-2ubuntu6.4.

There is no segfault though if call_user_func_array() is preceded by a
call to class_exists().

Test script:
---------------
<?php
$limit = 50;

for($i = 1; $i <= $limit; $i++){
  $f = "<?php
echo \"P$i loaded\\n\";
class P$i{
  public static function execute_me(){
    return \"P$i executed\\n\";
  }
}";
  file_put_contents("P$i.class.php", $f);
}

function __autoload($class_name) {
    require_once $class_name . '.class.php';
}

function callback($limit, $i = 1){
  //class_exists("P$i");
  echo call_user_func_array(array("P$i", 'execute_me'), array());
  if($i < $limit) callback($limit, $i+1);
}

callback($limit);

Expected result:
----------------
P1 loaded
P1 executed
P2 loaded
P2 executed
P3 loaded
P3 executed
...
...
P50 loaded
P50 executed

Actual result:
--------------
P1 loaded
P1 executed
P2 loaded
P2 executed
P3 loaded
P3 executed
...
...
P30 loaded
P30 executed
P31 loaded
Segmentation fault (writing memory)

This is the gdb backtrace:



Core was generated by `php call_user_func_array_bug.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000586ee9 in zif_call_user_func_array (ht=<value optimized out>, return_value=0x1d5adf8, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /home/user/opt/php-5.2.13/ext/standard/basic_functions.c:5201
5201            func_params_ht = Z_ARRVAL_PP(params);
(gdb) bt
#0  0x0000000000586ee9 in zif_call_user_func_array (ht=<value optimized out>, return_value=0x1d5adf8, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /home/user/opt/php-5.2.13/ext/standard/basic_functions.c:5201
#1  0x00000000006526b0 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2611b0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:200
#2  0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#3  0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e261490) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#4  0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#5  0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e261770) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#6  0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#7  0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e261a50) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#8  0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#9  0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e261d30) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#10 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#11 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e262010) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#12 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#13 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2622f0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#14 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#15 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2625d0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#16 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#17 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2628b0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#18 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#19 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e262b90) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#20 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#21 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e262e70) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#22 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#23 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e263150) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#24 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#25 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e263430) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#26 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#27 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e263710) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#28 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#29 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2639f0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#30 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#31 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e263cd0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#32 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#33 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e263fb0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#34 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#35 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e264290) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#36 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#37 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e264570) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#38 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#39 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e264850) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#40 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#41 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e264b30) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#42 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#43 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e264e10) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#44 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#45 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2650f0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#46 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#47 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2653d0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#48 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#49 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2656b0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#50 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#51 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e265990) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#52 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#53 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e265c70) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#54 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#55 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e265f50) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#56 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#57 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e266230) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#58 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#59 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e266510) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#60 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#61 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e2667f0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#62 0x000000000064df04 in execute (op_array=0x1d414a0) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#63 0x0000000000652056 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff1e266b30) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:234
#64 0x000000000064df04 in execute (op_array=0x1d12c20) at /home/user/opt/php-5.2.13/Zend/zend_vm_execute.h:92
#65 0x000000000062b96a in zend_execute_scripts (type=<value optimized out>, retval=0x0, file_count=3) at /home/user/opt/php-5.2.13/Zend/zend.c:1134
#66 0x00000000005ea9d3 in php_execute_script (primary_file=<value optimized out>) at /home/user/opt/php-5.2.13/main/main.c:2036
#67 0x000000000069a1e7 in main (argc=<value optimized out>, argv=<value optimized out>) at /home/user/opt/php-5.2.13/sapi/cli/php_cli.c:1165


------------------------------------------------------------------------
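
The workaround mentioned in the original report (calling class_exists()
before call_user_func_array()) can be wrapped in a helper. The script
below is an added example, not code from the bug report;
safe_static_call(), load_class() and the temporary directory are
hypothetical names, and it assumes the reporter's observation about
class_exists() holds on the affected build.

```php
<?php
// Added example, not code from the bug report. spl_autoload_register() is
// used instead of the report's __autoload() so the script also runs on
// current PHP versions.

$dir = sys_get_temp_dir() . '/bug51329_' . getmypid();
mkdir($dir);
for ($i = 1; $i <= 50; $i++) {
    $src = "<?php\nclass P$i {\n"
         . "  public static function execute_me() { return \"P$i executed\\n\"; }\n"
         . "}\n";
    file_put_contents("$dir/P$i.class.php", $src);
}

function load_class($class_name) {
    global $dir;
    $file = $dir . '/' . $class_name . '.class.php';
    if (is_file($file)) {
        require_once $file;
    }
}
spl_autoload_register('load_class');

// Load the class in an ordinary call first, so that call_user_func_array()
// never has to trigger the autoloader while it resolves the callback.
function safe_static_call($class, $method, array $args = array()) {
    if (!class_exists($class, true)) {   // true = run the autoloader now
        throw new RuntimeException("class $class could not be loaded");
    }
    $callable = array($class, $method);
    if (!is_callable($callable)) {
        throw new RuntimeException("$class::$method is not callable");
    }
    return call_user_func_array($callable, $args);
}

function callback($limit, $i = 1) {
    echo safe_static_call("P$i", 'execute_me');
    if ($i < $limit) {
        callback($limit, $i + 1);
    }
}

callback(50);   // same recursion depth as the report's test script

// Remove the generated class files again.
array_map('unlink', glob("$dir/*.class.php"));
rmdir($dir);
```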


