
segfault using __set #289

Open
rbro opened this issue Jan 24, 2024 · 4 comments

Comments


rbro commented Jan 24, 2024

Thanks for keeping php-excel maintained over the years.

I'm running into a segfault when extending the ExcelBook class where that class has a __set() method. I first thought this was a PHP issue and entered php/php-src#13134, but I believe now it's specific to php-excel. I tried it both with @Jan-E's branch at https://github.com/Jan-E/php_excel/tree/php7_with_pulls and @do-io's https://github.com/doPhp/excel. I'm able to reproduce both with PHP 8.2.15 and 8.3.2.

To reproduce, create a script test.php with the below:

<?php
class abc extends \ExcelBook
{
	// Intentionally empty: merely declaring __set() on the subclass is enough to trigger the crash.
	public function __set($name, $value)
	{

	}
}

$a = new abc;
?>

and then run it with:

export USE_ZEND_ALLOC=0
php test.php

When this runs, I get errors such as:

free(): invalid pointer
Aborted (core dumped)

or

Fatal glibc error: malloc.c:4169 (_int_malloc): assertion failed: (unsigned long) (size) >= (unsigned long) (nb)
Aborted (core dumped)

Thanks for your help.

do-io (Collaborator) commented Jan 24, 2024

Have you used Valgrind to see the output and when the pointer is freed along with the USE_ZEND_ALLOC=0?

Additionally, did you happen to see this with a particular libxl version? Have you tried this with libxl 4.x?


rbro commented Jan 24, 2024

Thanks, I am running LibXL 3.8.2. Below is the output when I ran it through valgrind. This is using the php7_with_pulls branch.

==152808== Memcheck, a memory error detector
==152808== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==152808== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==152808== Command: php test.php
==152808== Parent PID: 145234
==152808==
==152808== Warning: set address range perms: large range [0x11000000, 0x31000000) (defined)
==152808== Invalid write of size 8
==152808==    at 0x5B422C: zend_object_std_init (in /usr/bin/php)
==152808==    by 0x5EF977E: excel_object_new_book (excel.c:264)
==152808==    by 0x52388B: object_init_ex (in /usr/bin/php)
==152808==    by 0x560104: ??? (in /usr/bin/php)
==152808==    by 0x58C29D: execute_ex (in /usr/bin/php)
==152808==    by 0x595FE4: zend_execute (in /usr/bin/php)
==152808==    by 0x520BAF: zend_execute_scripts (in /usr/bin/php)
==152808==    by 0x4B4719: php_execute_script (in /usr/bin/php)
==152808==    by 0x60E572: ??? (in /usr/bin/php)
==152808==    by 0x34A18B: ??? (in /usr/bin/php)
==152808==    by 0x510AEAF: (below main) (in /usr/lib64/libc.so.6)
==152808==  Address 0x3111cf08 is 8 bytes after a block of size 48 alloc'd
==152808==    at 0x484482F: malloc (vg_replace_malloc.c:431)
==152808==    by 0x4EED7C: __zend_malloc (in /usr/bin/php)
==152808==    by 0x4F3D73: _ecalloc (in /usr/bin/php)
==152808==    by 0x5EF976C: excel_object_new_book (excel.c:260)
==152808==    by 0x52388B: object_init_ex (in /usr/bin/php)
==152808==    by 0x560104: ??? (in /usr/bin/php)
==152808==    by 0x58C29D: execute_ex (in /usr/bin/php)
==152808==    by 0x595FE4: zend_execute (in /usr/bin/php)
==152808==    by 0x520BAF: zend_execute_scripts (in /usr/bin/php)
==152808==    by 0x4B4719: php_execute_script (in /usr/bin/php)
==152808==    by 0x60E572: ??? (in /usr/bin/php)
==152808==    by 0x34A18B: ??? (in /usr/bin/php)
==152808==    by 0x510AEAF: (below main) (in /usr/lib64/libc.so.6)
==152808==
==152808== Invalid read of size 1
==152808==    at 0x5B4368: zend_object_std_dtor (in /usr/bin/php)
==152808==    by 0x5EF9728: excel_book_object_free_storage (excel.c:248)
==152808==    by 0x5B9217: zend_objects_store_del (in /usr/bin/php)
==152808==    by 0x534E1B: zend_hash_reverse_apply (in /usr/bin/php)
==152808==    by 0x50F1B4: ??? (in /usr/bin/php)
==152808==    by 0x520824: zend_call_destructors (in /usr/bin/php)
==152808==    by 0x4B33B4: php_request_shutdown (in /usr/bin/php)
==152808==    by 0x60DEEB: ??? (in /usr/bin/php)
==152808==    by 0x34A18B: ??? (in /usr/bin/php)
==152808==    by 0x510AEAF: (below main) (in /usr/lib64/libc.so.6)
==152808==  Address 0x3111cf08 is 8 bytes after a block of size 48 alloc'd
==152808==    at 0x484482F: malloc (vg_replace_malloc.c:431)
==152808==    by 0x4EED7C: __zend_malloc (in /usr/bin/php)
==152808==    by 0x4F3D73: _ecalloc (in /usr/bin/php)
==152808==    by 0x5EF976C: excel_object_new_book (excel.c:260)
==152808==    by 0x52388B: object_init_ex (in /usr/bin/php)
==152808==    by 0x560104: ??? (in /usr/bin/php)
==152808==    by 0x58C29D: execute_ex (in /usr/bin/php)
==152808==    by 0x595FE4: zend_execute (in /usr/bin/php)
==152808==    by 0x520BAF: zend_execute_scripts (in /usr/bin/php)
==152808==    by 0x4B4719: php_execute_script (in /usr/bin/php)
==152808==    by 0x60E572: ??? (in /usr/bin/php)
==152808==    by 0x34A18B: ??? (in /usr/bin/php)
==152808==    by 0x510AEAF: (below main) (in /usr/lib64/libc.so.6)
==152808==
==152808== Warning: set address range perms: large range [0x11000000, 0x31000000) (noaccess)
==152808==
==152808== HEAP SUMMARY:
==152808==     in use at exit: 206,735 bytes in 1,534 blocks
==152808==   total heap usage: 91,076 allocs, 89,542 frees, 51,799,821 bytes allocated
==152808==
==152808== LEAK SUMMARY:
==152808==    definitely lost: 3,051 bytes in 15 blocks
==152808==    indirectly lost: 1,794 bytes in 9 blocks
==152808==      possibly lost: 0 bytes in 0 blocks
==152808==    still reachable: 201,890 bytes in 1,510 blocks
==152808==         suppressed: 0 bytes in 0 blocks
==152808== Rerun with --leak-check=full to see details of leaked memory
==152808==
==152808== For lists of detected and suppressed errors, rerun with: -s
==152808== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
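The engine rule that makes a __set() declaration change an object's required size, as an added standalone C model (not code from php_excel or from PHP, and not a diagnosis of this issue, whose cause the thread has not established): when a class declares __set(), Zend marks it ZEND_ACC_USE_GUARDS, zend_object_std_init() writes a guard zval after the declared properties, and zend_object_properties_size() reserves one extra slot for it. The struct layout, the model flag value and the ExcelBook/abc class entries below are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standalone model of the 64-bit Zend object layout (assumed, not PHP's headers). */
typedef struct { uint64_t value; uint32_t type_info; uint32_t u2; } zval_t;   /* 16 bytes */
typedef struct {
    uint32_t refcount, gc_info;      /* zend_refcounted_h */
    uint32_t handle, pad;
    void *ce, *handlers, *properties;
    zval_t properties_table[1];      /* declared properties, then an optional guard slot */
} zend_object_t;                     /* 56 bytes */
typedef struct { int default_properties_count; unsigned ce_flags; } class_entry_t;
#define ACC_USE_GUARDS 1u  /* stands in for ZEND_ACC_USE_GUARDS, set when a class declares __set */
/* Assumed extension layout: native handle first, embedded zend_object last. */
typedef struct { void *book; zend_object_t std; } excel_book_object_t;       /* 64 bytes */

/* Same arithmetic as zend_object_properties_size(): sizeof(zend_object) already holds one
 * zval slot, so a class with no properties and no guards gets -16 bytes; a class that
 * uses guards keeps that slot for the guard zval written by zend_object_std_init(). */
long properties_size(class_entry_t ce) {
    int slots = ce.default_properties_count - ((ce.ce_flags & ACC_USE_GUARDS) ? 0 : 1);
    return (long)sizeof(zval_t) * slots;
}

/* Bytes an instance of ce actually needs when allocated as excel_book_object_t. */
long required_bytes(class_entry_t ce) {
    return (long)sizeof(excel_book_object_t) + properties_size(ce);
}

/* End offset of the guard-slot write done at object init for a guarded class, -1 otherwise. */
long guard_write_end(class_entry_t ce) {
    if (!(ce.ce_flags & ACC_USE_GUARDS)) return -1;
    return (long)(offsetof(excel_book_object_t, std) + offsetof(zend_object_t, properties_table))
         + (long)sizeof(zval_t) * (ce.default_properties_count + 1);
}

/* 1 if a block sized for `sized_for` is large enough for an instance of `actual`. */
int allocation_fits(class_entry_t sized_for, class_entry_t actual) {
    return required_bytes(actual) <= required_bytes(sized_for);
}

int main(void) {
    class_entry_t excel_book = { 0, 0 };                 /* ExcelBook: no declared properties */
    class_entry_t abc = { 0, ACC_USE_GUARDS };           /* class abc extends ExcelBook { __set } */
    printf("sized for ExcelBook: %ld bytes; abc needs %ld, guard write ends at byte %ld\n",
           required_bytes(excel_book), required_bytes(abc), guard_write_end(abc));
    printf("fits: %d\n", allocation_fits(excel_book, abc));   /* prints fits: 0 */
    return 0;
}
```

In this model a block sized for the base class is 48 bytes while the guard write for the subclass ends at byte 64, so the create handler must size with the class entry it is actually given (the subclass), not the base class; what excel.c does at line 260 is not visible in the thread and is for the maintainers to check.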


rbro commented Jan 24, 2024

I just tried with LibXL 4.2.0 and got the same segfault.

xperseguers commented

FYI, this is what I get:

free(): invalid next size (fast)
Aborted

PHP 8.2.22 with LibXL 4.3.0.14
