PHP :: Bug #79096 :: FFI Struct Segfault

Bug #79096	FFI Struct Segfault
Submitted:	2020-01-10 23:02 UTC	Modified:	2020-01-14 15:49 UTC
From:	php at tim dot ainfach dot de	Assigned:	cmb (profile)
Status:	Closed	Package:	*Extensibility Functions
PHP Version:	7.4.1	OS:	OSX 10.14.6
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	php at tim dot ainfach dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2020-01-10 23:02 UTC] php at tim dot ainfach dot de

Description:
------------
Returning a struct with multiple fields larger than an uint64_t segaults.

for example when i return a struct with two uint32_t values everything seems to be fine. When i return a struct with three uint32_t members the script segfaults.


Works fine:
struct Buffer {
    uint32_t   a;
    uint32_t   b;
};

Segfault:
struct Buffer {
    uint32_t   a;
    uint64_t   b;
};

Test script:
---------------
// header
struct Buffer {
    uint32_t   a;
    uint64_t   b; // with uint32_t it works
};

struct Buffer poll();

// php
$ffi = \FFI::cdef(file_get_contents(__DIR__ . '/../rlib/rlib.h'), __DIR__ . '/../clib/lib.dylib');

$poll1 = $ffi->poll();
var_dump($poll1);

// c
#include <stdint.h>
#include "../rlib/rlib.h"

struct Buffer poll() {
  struct Buffer b;
  b.a = 1;
  b.b = 1;
  return b;
}

Expected result:
----------------
object(FFI\CData:struct Buffer)#2 (2) {
  ["a"]=>
  int(1)
  ["b"]=>
  int(1)
}

Actual result:
--------------
/bin/sh: line 1: 35179 Segmentation fault: 11  php foo.php


Thread 3 received signal SIGSEGV, Segmentation fault.
ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
1743   			EG(current_execute_data) = execute_data;
(gdb) bt
#0  ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
#1  0x0000000100363fd8 in execute_ex (ex=0x1) at Zend/zend_vm_execute.h:53379
#2  0x0000000100364199 in zend_execute (op_array=0x1028160f0, return_value=0x0) at Zend/zend_vm_execute.h:57664
#3  0x0000000100318d51 in zend_execute_scripts (type=42033392, retval=0x0, file_count=12405416) at Zend/zend.c:1663
#4  0x00000001002a214c in php_execute_script (primary_file=<optimized out>) at main/main.c:2619
#5  0x00000001003b5ea5 in do_cli (argc=<optimized out>, argv=0x102816020) at sapi/cli/php_cli.c:961
#6  0x00000001003b4d35 in main (argc=42033392, argv=0x102890120) at sapi/cli/php_cli.c:1352

Patches

Pull Requests

Pull requests:

Fix #79096: FFI Struct Segfault (php-src/5079)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-01-11 18:52 UTC] cmb@php.net

-Status: Open +Status: Verified

[2020-01-11 18:52 UTC] cmb@php.net

Confirmed.  Currently ext/ffi assumes that the size of the return
value is less than or equal to sizeof(ffi_arg), which is basically
sizeof(long).

[2020-01-11 22:45 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #79096: FFI Struct Segfault
On GitHub:  https://github.com/php/php-src/pull/5079
Patch:      https://github.com/php/php-src/pull/5079.patch

[2020-01-14 15:47 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=05f3cd23ed61d800a861f2dd057ed56e783ea6f1
Log: Fix #79096: FFI Struct Segfault

[2020-01-14 15:47 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2020-01-14 15:49 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 22 06:00:01 2025 UTC