Bug #75932 zend_user_opcode_handlers not checked for null handler
Submitted: 2018-02-07 21:23 UTC Modified: 2020-11-27 09:37 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: john-stevenson at blueyonder dot co dot uk Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: Linux/Windows/?
Private report: No CVE-ID: None
 [2018-02-07 21:23 UTC] john-stevenson at blueyonder dot co dot uk
Description:
------------
Relates to this Windows specific crash (https://bugs.php.net/bug.php?id=75886) which also happens on *nix when opcache file-caching is used.

If an extension sets its own opcode handlers (via zend_set_user_opcode_handler, in zend_execute.c) then a reference to these will be stored by opcache if the script needs to be (re)cached. The handlers are invoked from zend_vm_execute.h using the zend_user_opcode_handlers array:  

    ret = zend_user_opcode_handlers[opline->opcode](execute_data);

which was previously set by the calls to zend_set_user_opcode_handler. 

When a later process runs without the extension, the handlers are unserialized and invoked using the same mechanism, except that zend_user_opcode_handlers has not been populated and points to null data.

On Windows this also happens without opcache file-caching, to a child process that has been restarted without the extension.

Test script:
---------------
// test.php
<?php
echo "okay\n";
?>
----

Ini: opcache and xdebug enabled
     opcache.enable_cli=1
     opcache.file_cache=/some/where
     opcache.file_cache_only=1

Run: php.exe test.php // Prints "okay"

Ini: As above, but disable xdebug
Run: php.exe test.php // crashes

Actual result:
--------------
PHP 7.2.1 (cli) (built: Feb  7 2018 13:01:16) ( ZTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.1, Copyright (c) 1999-2017, by Zend Technologies

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

#0  0x0000000000000000 in ?? ()
#1  0x00000000007737be in ZEND_USER_OPCODE_SPEC_HANDLER () at /usr/src/Zend/zend_vm_execute.h:1813
#2  0x00000000007fd2f3 in execute_ex (ex=0x7ffff6e1f030) at /usr/src/Zend/zend_vm_execute.h:59815
#3  0x000000000080265a in zend_execute (op_array=0x7ffff6e80300, return_value=0x0) at /usr/src/Zend/zend_vm_execute.h:63763
#4  0x0000000000700aeb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/Zend/zend.c:1496
#5  0x0000000000637684 in php_execute_script (primary_file=0x7fffffffd350) at /usr/src/main/main.c:2590
#6  0x0000000000805458 in do_cli (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1011
#7  0x00000000008068ea in main (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1404
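
As an added illustration (not code from php-src or from the report), here is a simplified C model of the dispatch described above: a per-process handler table that stays empty when the extension is not loaded, with the unchecked call beside a checked one. All names, the opcode numbers and the fall-back-to-default behaviour are assumptions made for the example; it is not the change made in the pull request linked in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): these names are illustrative, not Zend's. */
typedef int (*model_handler_t)(void *execute_data);

enum { MODEL_CONTINUE = 0, MODEL_DISPATCH_DEFAULT = 2 };

/* Per-process table; zero-initialised, so every slot starts as NULL. */
static model_handler_t model_user_handlers[256];

/* What an extension does at startup in a process that has it loaded. */
void model_set_handler(uint8_t opcode, model_handler_t h) {
    model_user_handlers[opcode] = h;
}

/* An opline restored from the file cache: it is still routed through the
 * user handler table, whether or not this process populated the table. */
struct model_opline { uint8_t opcode; };

/* Unchecked form, like the line quoted in the report: jumps to address 0
 * when the slot is empty. Shown for comparison only; never called here. */
int dispatch_unchecked(const struct model_opline *op, void *ed) {
    return model_user_handlers[op->opcode](ed);
}

/* Checked form: an empty slot falls back to the default handler. */
int dispatch_checked(const struct model_opline *op, void *ed) {
    model_handler_t h = model_user_handlers[op->opcode];
    if (h == NULL) {
        return MODEL_DISPATCH_DEFAULT;
    }
    return h(ed);
}

/* Constructed stand-in for an extension's handler. */
int sample_ext_handler(void *ed) {
    (void)ed;
    return MODEL_CONTINUE;
}

int main(void) {
    struct model_opline cached = { 40 };   /* constructed opcode number */
    printf("without extension: %d\n", dispatch_checked(&cached, NULL));
    model_set_handler(cached.opcode, sample_ext_handler);
    printf("with extension:    %d\n", dispatch_checked(&cached, NULL));
    return 0;
}
```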

 [2020-11-27 09:37 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2020-11-27 09:37 UTC] nikic@php.net
I believe this has been fixed by https://github.com/php/php-src/pull/5836.
 
Last updated: Wed Apr 02 22:01:29 2025 UTC