[2017-03-24 22:59 UTC] brian dot carpenter at gmail dot com
Description:
------------
Segfault found in PHP 7.2.0-dev (git 37da80b) on Debian 8.x x64, built with afl-gcc.
Test script:
---------------
<?${$o{8}=8}{$o{8}.=0}?><?${$o{8}.=0}<${$o{8}.=0}=0?><?0==${$o{8}.=0}<${$o{8}.=0}.Q?><?$$o{$o{8}.=0}=${$o{8}.=0}=$$o=Q?><?${${0}}=$$o{$o{8}.=0}=$$$o=0?>
or
https://drive.google.com/file/d/0B3Tl4QiWJUt8V2hiQ2FDYmlRZ1U/view?usp=sharing
Expected result:
----------------
No crash.
Actual result:
--------------
==387==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9b69800000 (pc 0x000001b8c308 sp 0x7ffd5005a7b0 bp 0x7f9b6a25f248 T0)
#0 0x1b8c307 in i_zval_ptr_dtor /root/php-git/Zend/zend_variables.h:48
#1 0x1b8c307 in zend_unclean_zval_ptr_dtor /root/php-git/Zend/zend_execute_API.c:212
#2 0x1cc4b3a in _zend_hash_del_el_ex /root/php-git/Zend/zend_hash.c:997
#3 0x1cc4b3a in _zend_hash_del_el /root/php-git/Zend/zend_hash.c:1020
#4 0x1cc4b3a in zend_hash_graceful_reverse_destroy /root/php-git/Zend/zend_hash.c:1476
#5 0x1b8f83c in shutdown_executor /root/php-git/Zend/zend_execute_API.c:281
#6 0x1c1e1d4 in zend_deactivate /root/php-git/Zend/zend.c:1060
#7 0x192f468 in php_request_shutdown /root/php-git/main/main.c:1879
#8 0x238b5a9 in do_cli /root/php-git/sapi/cli/php_cli.c:1164
#9 0x47253b in main /root/php-git/sapi/cli/php_cli.c:1390
#10 0x7f9b6d3b9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x47318e (/root/php-git/sapi/cli/php+0x47318e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-git/Zend/zend_variables.h:48 i_zval_ptr_dtor
Patches: bug_74310_decrement_after_alloc (last revision 2017-03-26 17:08 UTC by bwoebi@php.net)
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Tue Oct 28 20:00:01 2025 UTC
I've been able to reduce the repro script to the following. When I gdb, it still crashes, apparently while trying to clean up the global symbol table at request end.

<? $o{8}='800000000'; $$o{'8000000'}=$Array='Q'; $$o{'800000000'}=$$Array=0;

Interestingly, shortening the keys (while keeping them unique) *does* avoid the crash.

(gdb) bt
#0  0x00000000009a006c in i_zval_ptr_dtor (zval_ptr=0x7fffef01e090, __zend_filename=0x10d7148 "/home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c", __zend_lineno=212) at /home/sgolemon/dev/php/php-src/Zend/zend_variables.h:48
#1  0x00000000009a0c5c in zend_unclean_zval_ptr_dtor (zv=0x7fffef01e090) at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:212
#2  0x00000000009d2893 in _zend_hash_del_el_ex (ht=0x1452d90 <executor_globals+304>, idx=8, p=0x7fffef063200, prev=0x0) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:997
#3  0x00000000009d2973 in _zend_hash_del_el (ht=0x1452d90 <executor_globals+304>, idx=8, p=0x7fffef063200) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1020
#4  0x00000000009d3ef8 in zend_hash_graceful_reverse_destroy (ht=0x1452d90 <executor_globals+304>) at /home/sgolemon/dev/php/php-src/Zend/zend_hash.c:1476
#5  0x00000000009a0f86 in shutdown_executor () at /home/sgolemon/dev/php/php-src/Zend/zend_execute_API.c:281
#6  0x00000000009bbc73 in zend_deactivate () at /home/sgolemon/dev/php/php-src/Zend/zend.c:1060
#7  0x0000000000921857 in php_request_shutdown (dummy=0x0) at /home/sgolemon/dev/php/php-src/main/main.c:1879
#8  0x0000000000aa848b in do_cli (argc=2, argv=0x1457d20) at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1164
#9  0x0000000000aa8cf9 in main (argc=2, argv=0x1457d20) at /home/sgolemon/dev/php/php-src/sapi/cli/php_cli.c:1390