Bug #81353 segfault with preloading and statically bound closure
Submitted: 2021-08-12 17:46 UTC Modified: 2021-08-16 12:50 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: mike@php.net Assigned:
Status: Closed Package: opcache
PHP Version: 7.4Git OS: Linux, macOS
Private report: No CVE-ID: None
 [2021-08-12 17:46 UTC] mike@php.net
Description:
------------
Probable ingredients:

* preloading
* big set of files to cache
* strict_types
* error_handler receiving NULL as 4th parameter
* monolog

Test script:
---------------
git clone https://github.com/m6w6/php-crash-preload-error_handler
cd php-crash-preload-error_handler
composer install
./run.sh
 [2021-08-12 17:56 UTC] mike@php.net
Sorry, read "4th parameter" as if 0-indexed -- i.e. as `errcontext` (5th param)
 [2021-08-16 05:58 UTC] mike@php.net
-Package: Reproducible crash +Package: opcache
 [2021-08-16 06:17 UTC] mike@php.net
ASAN backtrace:

    frame #5: 0x0000000100dd7bf4 php`zend_gc_refcount(p=0x0000000106452ca0) at zend_types.h:1025:12
    frame #6: 0x0000000100daa98c php`ZEND_BIND_STATIC_SPEC_CV_UNUSED_HANDLER(execute_data=0x0000000110604f20) at zend_vm_execute.h:46571:13
    frame #7: 0x0000000100c16514 php`execute_ex(ex=0x0000000110604f20) at zend_vm_execute.h:53291:7
    frame #8: 0x0000000100a915d4 php`zend_call_function(fci=0x000000016fdf8a70, fci_cache=0x000000016fdf8ad0) at zend_execute_API.c:820:3
    frame #9: 0x00000001005b1354 php`zif_spl_autoload_call(execute_data=0x0000000110604ec0, return_value=0x000000016fdf9ce0) at php_spl.c:452:4
    frame #10: 0x0000000100a91890 php`zend_call_function(fci=0x000000016fdf9d00, fci_cache=0x000000016fdf9d60) at zend_execute_API.c:833:4
    frame #11: 0x0000000100a93878 php`zend_lookup_class_ex(name=0x000000010647da80, key=0x000000010647da20, flags=512) at zend_execute_API.c:1002:7
    frame #12: 0x0000000100a960ac php`zend_fetch_class_by_name(class_name=0x000000010647da80, key=0x000000010647da20, fetch_type=512) at zend_execute_API.c:1433:19
    frame #13: 0x0000000100ce0b24 php`ZEND_NEW_SPEC_CONST_UNUSED_HANDLER(execute_data=0x0000000110604b80) at zend_vm_execute.h:9255:9
    frame #14: 0x0000000100c16514 php`execute_ex(ex=0x0000000110604820) at zend_vm_execute.h:53291:7
    frame #15: 0x0000000100a915d4 php`zend_call_function(fci=0x000000016fdfb4a0, fci_cache=0x000000016fdfa830) at zend_execute_API.c:820:3
    frame #16: 0x0000000100a8f3b8 php`_call_user_function_ex(object=0x0000000000000000, function_name=0x000000016fdfb7b0, retval_ptr=0x000000016fdfb790, param_count=5, params=0x000000016fdfb720, no_separation=1) at zend_execute_API.c:645:9
    frame #17: 0x0000000100adf620 php`zend_error_va_list(type=2, error_filename="/private/tmp/php-crash-preload-error_handler/vendor/google/apiclient/src/aliases.php", error_lineno=64, format="Can't preload already declared class %s", args="ؿF\U00000006\U00000001") at zend.c:1380:8
    frame #18: 0x0000000100add888 php`zend_error_at(type=2, filename="/private/tmp/php-crash-preload-error_handler/vendor/google/apiclient/src/aliases.php", lineno=64, format="Can't preload already declared class %s") at zend.c:1483:2
    frame #19: 0x0000000107c21ce4 opcache.so`preload_link at ZendAccelerator.c:3809:5
    frame #20: 0x0000000107c1d9fc opcache.so`accel_preload(config="/tmp/php-crash-preload-error_handler/index.php") at ZendAccelerator.c:4503:4
    frame #21: 0x0000000107c18058 opcache.so`accel_finish_startup at ZendAccelerator.c:4830:8
    frame #22: 0x0000000107c14ee8 opcache.so`accel_post_startup at ZendAccelerator.c:3059:9
    frame #23: 0x0000000100adbbb8 php`zend_post_startup at zend.c:1009:7
    frame #24: 0x0000000100909c80 php`php_module_startup(sf=0x00000001017b3ae0, additional_modules=0x0000000000000000, num_additional_modules=0) at main.c:2397:6
    frame #25: 0x0000000100e0f108 php`php_cli_startup(sapi_module=0x00000001017b3ae0) at php_cli.c:410:6
    frame #26: 0x0000000100e0b80c php`main(argc=7, argv=0x000000016fdff078) at php_cli.c:1327:6
 [2021-08-16 06:18 UTC] mike@php.net
-PHP Version: 7.4.22 +PHP Version: 7.4Git
 [2021-08-16 07:20 UTC] mike@php.net
Looks like it has to do with the static arrays and calling Closure::bind() with a class scope in composer's autoload_static.
 [2021-08-16 07:51 UTC] mike@php.net
ASAN report:

2021-08-16 09:47:50.462931+0200 php[45131:2277503] ==45131==ERROR: AddressSanitizer: heap-use-after-free on address 0x000106452ca0 at pc 0x000100dd7b74 bp 0x00016fdf7650 sp 0x00016fdf7648
2021-08-16 09:47:50.462937+0200 php[45131:2277503] READ of size 4 at 0x000106452ca0 thread T0
2021-08-16 09:47:50.462942+0200 php[45131:2277503]     #0 0x100dd7b70 in zend_gc_refcount zend_types.h:1025
2021-08-16 09:47:50.462946+0200 php[45131:2277503]     #1 0x100daa908 in ZEND_BIND_STATIC_SPEC_CV_UNUSED_HANDLER zend_vm_execute.h:46571
2021-08-16 09:47:50.462950+0200 php[45131:2277503]     #2 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.462954+0200 php[45131:2277503]     #3 0x100a91504 in zend_call_function zend_execute_API.c:820
2021-08-16 09:47:50.462958+0200 php[45131:2277503]     #4 0x1005b1284 in zif_spl_autoload_call php_spl.c:452
2021-08-16 09:47:50.462962+0200 php[45131:2277503]     #5 0x100a917c0 in zend_call_function zend_execute_API.c:833
2021-08-16 09:47:50.462966+0200 php[45131:2277503]     #6 0x100a937a8 in zend_lookup_class_ex zend_execute_API.c:1002
2021-08-16 09:47:50.462970+0200 php[45131:2277503]     #7 0x100a95fdc in zend_fetch_class_by_name zend_execute_API.c:1433
2021-08-16 09:47:50.462974+0200 php[45131:2277503]     #8 0x100ce0aa0 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER zend_vm_execute.h:9255
2021-08-16 09:47:50.462978+0200 php[45131:2277503]     #9 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.462982+0200 php[45131:2277503]     #10 0x100a91504 in zend_call_function zend_execute_API.c:820
2021-08-16 09:47:50.462986+0200 php[45131:2277503]     #11 0x100a8f2e8 in _call_user_function_ex zend_execute_API.c:645
2021-08-16 09:47:50.462993+0200 php[45131:2277503]     #12 0x100adf550 in zend_error_va_list zend.c:1380
2021-08-16 09:47:50.462998+0200 php[45131:2277503]     #13 0x100add7b8 in zend_error_at zend.c:1483
2021-08-16 09:47:50.463001+0200 php[45131:2277503]     #14 0x107c21ce0 in preload_link ZendAccelerator.c:3809
2021-08-16 09:47:50.463005+0200 php[45131:2277503]     #15 0x107c1d9f8 in accel_preload ZendAccelerator.c:4503
2021-08-16 09:47:50.463009+0200 php[45131:2277503]     #16 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463013+0200 php[45131:2277503]     #17 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463016+0200 php[45131:2277503]     #18 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463020+0200 php[45131:2277503]     #19 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463024+0200 php[45131:2277503]     #20 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463027+0200 php[45131:2277503]     #21 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463031+0200 php[45131:2277503]     #22 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
2021-08-16 09:47:50.463034+0200 php[45131:2277503] 
2021-08-16 09:47:50.463038+0200 php[45131:2277503] 0x000106452ca0 is located 0 bytes inside of 56-byte region [0x000106452ca0,0x000106452cd8)
2021-08-16 09:47:50.463042+0200 php[45131:2277503] freed by thread T0 here:
2021-08-16 09:47:50.463045+0200 php[45131:2277503]     #0 0x10213f2b4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3f2b4)
2021-08-16 09:47:50.463049+0200 php[45131:2277503]     #1 0x100a1f280 in _efree_custom zend_alloc.c:2426
2021-08-16 09:47:50.463053+0200 php[45131:2277503]     #2 0x100a1f138 in _efree zend_alloc.c:2546
2021-08-16 09:47:50.463057+0200 php[45131:2277503]     #3 0x100b2e790 in zend_array_destroy zend_hash.c:1637
2021-08-16 09:47:50.463060+0200 php[45131:2277503]     #4 0x100a9fee8 in destroy_op_array zend_opcode.c:428
2021-08-16 09:47:50.463064+0200 php[45131:2277503]     #5 0x100b9d90c in zend_closure_free_storage zend_closures.c:474
2021-08-16 09:47:50.463075+0200 php[45131:2277503]     #6 0x100bebdd0 in zend_objects_store_free_object_storage zend_objects_API.c:104
2021-08-16 09:47:50.463079+0200 php[45131:2277503]     #7 0x107c1ca58 in accel_preload ZendAccelerator.c:4435
2021-08-16 09:47:50.463083+0200 php[45131:2277503]     #8 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463087+0200 php[45131:2277503]     #9 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463090+0200 php[45131:2277503]     #10 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463094+0200 php[45131:2277503]     #11 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463098+0200 php[45131:2277503]     #12 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463102+0200 php[45131:2277503]     #13 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463105+0200 php[45131:2277503]     #14 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
2021-08-16 09:47:50.463109+0200 php[45131:2277503] 
2021-08-16 09:47:50.463112+0200 php[45131:2277503] previously allocated by thread T0 here:
2021-08-16 09:47:50.463116+0200 php[45131:2277503]     #0 0x10213f178 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3f178)
2021-08-16 09:47:50.463120+0200 php[45131:2277503]     #1 0x100a1f9a0 in __zend_malloc zend_alloc.c:2982
2021-08-16 09:47:50.463123+0200 php[45131:2277503]     #2 0x100a1f080 in _malloc_custom zend_alloc.c:2417
2021-08-16 09:47:50.463127+0200 php[45131:2277503]     #3 0x100a1ef28 in _emalloc zend_alloc.c:2536
2021-08-16 09:47:50.463131+0200 php[45131:2277503]     #4 0x100b22ab4 in zend_array_dup zend_hash.c:2047
2021-08-16 09:47:50.463134+0200 php[45131:2277503]     #5 0x100b996fc in zend_create_closure zend_closures.c:704
2021-08-16 09:47:50.463138+0200 php[45131:2277503]     #6 0x100d725c0 in ZEND_DECLARE_LAMBDA_FUNCTION_SPEC_CONST_UNUSED_HANDLER zend_vm_execute.h:9548
2021-08-16 09:47:50.463142+0200 php[45131:2277503]     #7 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.463146+0200 php[45131:2277503]     #8 0x100c16930 in zend_execute zend_vm_execute.h:57593
2021-08-16 09:47:50.463150+0200 php[45131:2277503]     #9 0x107c1c690 in accel_preload ZendAccelerator.c:4372
2021-08-16 09:47:50.463153+0200 php[45131:2277503]     #10 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463157+0200 php[45131:2277503]     #11 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463161+0200 php[45131:2277503]     #12 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463164+0200 php[45131:2277503]     #13 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463168+0200 php[45131:2277503]     #14 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463171+0200 php[45131:2277503]     #15 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463175+0200 php[45131:2277503]     #16 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
 [2021-08-16 08:41 UTC] mike@php.net
-Summary: segfault with preloading and error_handler +Summary: segfault with preloading and statically bound closure
 [2021-08-16 12:50 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-08-16 12:50 UTC] nikic@php.net
We should be unsetting user defined error handlers before preloading.
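A preload script written around the point nikic makes above, as an added example that is neither the report's repro repository nor php-src code; the project layout, the `App\Log` class and the handler that the bootstrap would install are assumed:

```php
<?php
// preload.php (added example; assumed layout: a composer project whose
// bootstrap may install a user error handler, e.g. a Monolog-backed one).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

// Risky pattern from the report: a handler left installed when this script
// returns. Warnings opcache raises later while linking preloaded classes
// ("Can't preload already declared class ...") invoke it, and the report
// lists the handler receiving NULL for its fifth parameter under
// strict_types as one of the ingredients.
//
//   set_error_handler(function (int $no, string $msg, string $file, int $line, array $ctx): bool {
//       App\Log::warning($msg);   // autoloads App\Log through composer's bound closures
//       return true;
//   });

// Safer: make sure nothing the bootstrap did leaves a user handler behind.
// set_error_handler(null) resets to the engine's default handling and
// returns the handler that was installed, if any.
$leftover = set_error_handler(null);
if ($leftover !== null) {
    error_log('preload: removed a user error handler installed during preloading');
}

// Compile (do not execute) the application sources so that the preload
// script itself has no further runtime side effects at startup.
$sources = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator(__DIR__ . '/src', FilesystemIterator::SKIP_DOTS)
);
foreach ($sources as $file) {
    if ($file->getExtension() === 'php') {
        opcache_compile_file($file->getPathname());
    }
}
```

Register error handlers inside the request bootstrap instead, where autoloaded dependencies are available and the engine is not in the middle of preloading.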
 [2021-08-16 13:06 UTC] git@php.net
Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/d1e956ff31f607209e16a1e1ea9aff3702bdfe5b
Log: Fixed bug #81353
 [2021-08-16 13:06 UTC] git@php.net
-Status: Verified +Status: Closed
 [2021-10-18 19:40 UTC] danderson at acromedia dot com
Segfaults are still happening with PHP (FPM) 8.0.11 from Remi's repo on RedHat Enterprise 7.8 (php-opcache-8.0.11-1.el7.remi.x86_64). 

Disabling the opcache module stops the segfaults.

I'm happy to provide full environment info in a DM if needed.
 [2021-10-28 20:49 UTC] mhemmings at nwtel dot ca
Disabling opcache does resolve the issue.
Can provide a full core dump if necessary.

#0  0x000056097c093c06 in _emalloc_56 ()
#1  0x000056097c0c6059 in _zend_new_array_0 ()
#2  0x000056097c021195 in zif_explode ()
#3  0x000056097c13c708 in execute_ex ()
#4  0x000056097c0abdf6 in zend_call_function ()
#5  0x000056097bfb4a0c in zif_spl_autoload_call ()
#6  0x000056097c0abcd2 in zend_call_function ()
#7  0x000056097c0ac2cd in zend_lookup_class_ex ()
#8  0x000056097c0acb4c in zend_fetch_class_by_name ()
#9  0x000056097c11f0a7 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
#10 0x000056097c13a45a in execute_ex ()
#11 0x000056097c141a21 in zend_execute ()
#12 0x000056097c0ba793 in zend_execute_scripts ()
#13 0x000056097c058f10 in php_execute_script ()
#14 0x000056097bec3e69 in main ()
 [2021-10-28 20:50 UTC] mhemmings at nwtel dot ca
Sorry, related to my above

opcache 7.4.24-1.el7.remi from Remi's Repo RHEL 7.8
Last updated: Fri Apr 19 14:01:30 2024 UTC