Bug #79096 FFI Struct Segfault
Submitted: 2020-01-10 23:02 UTC Modified: 2020-01-14 15:49 UTC
From: php at tim dot ainfach dot de Assigned: cmb (profile)
Status: Closed Package: *Extensibility Functions
PHP Version: 7.4.1 OS: OSX 10.14.6
Private report: No CVE-ID: None
 [2020-01-10 23:02 UTC] php at tim dot ainfach dot de
Description:
------------
Returning a struct with multiple fields larger than a uint64_t segfaults.

For example, when I return a struct with two uint32_t values everything seems to be fine. When I return a struct with three uint32_t members the script segfaults.


Works fine:
struct Buffer {
    uint32_t   a;
    uint32_t   b;
};

Segfault:
struct Buffer {
    uint32_t   a;
    uint64_t   b;
};

Test script:
---------------
// header
struct Buffer {
    uint32_t   a;
    uint64_t   b; // with uint32_t it works
};

struct Buffer poll();

// php
<?php
$ffi = \FFI::cdef(file_get_contents(__DIR__ . '/../rlib/rlib.h'), __DIR__ . '/../clib/lib.dylib');

$poll1 = $ffi->poll();
var_dump($poll1);

// c
#include <stdint.h>
#include "../rlib/rlib.h"

struct Buffer poll() {
  struct Buffer b;
  b.a = 1;
  b.b = 1;
  return b;
}

Expected result:
----------------
object(FFI\CData:struct Buffer)#2 (2) {
  ["a"]=>
  int(1)
  ["b"]=>
  int(1)
}

Actual result:
--------------
/bin/sh: line 1: 35179 Segmentation fault: 11  php foo.php


Thread 3 received signal SIGSEGV, Segmentation fault.
ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
1743   			EG(current_execute_data) = execute_data;
(gdb) bt
#0  ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
#1  0x0000000100363fd8 in execute_ex (ex=0x1) at Zend/zend_vm_execute.h:53379
#2  0x0000000100364199 in zend_execute (op_array=0x1028160f0, return_value=0x0) at Zend/zend_vm_execute.h:57664
#3  0x0000000100318d51 in zend_execute_scripts (type=42033392, retval=0x0, file_count=12405416) at Zend/zend.c:1663
#4  0x00000001002a214c in php_execute_script (primary_file=<optimized out>) at main/main.c:2619
#5  0x00000001003b5ea5 in do_cli (argc=<optimized out>, argv=0x102816020) at sapi/cli/php_cli.c:961
#6  0x00000001003b4d35 in main (argc=42033392, argv=0x102890120) at sapi/cli/php_cli.c:1352

 [2020-01-11 18:52 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-01-11 18:52 UTC] cmb@php.net
Confirmed.  Currently ext/ffi assumes that the size of the return
value is less than or equal to sizeof(ffi_arg), which is basically
sizeof(long).
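The sizing rule behind this comment, as an added C illustration (not ext/ffi or libffi code): a generic FFI call must hand the callee a return buffer of at least max(sizeof(ffi_arg), sizeof(return type)), so a struct wider than a long cannot be received in a single ffi_arg slot. The ffi_arg typedef, the struct names, fake_callee and the two helper functions are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: libffi's ffi_arg is an unsigned integer of sizeof(long), as
 * the comment above says; it is redefined here so the example runs alone. */
typedef unsigned long ffi_arg;

struct Buffer8  { uint32_t a; uint32_t b; };  /* from the report: works    */
struct Buffer16 { uint32_t a; uint64_t b; };  /* from the report: segfaults */

/* Bytes the rvalue buffer needs for a return type of ret_size bytes:
 * never smaller than one ffi_arg, never smaller than the type itself. */
size_t rvalue_size(size_t ret_size) {
    return ret_size > sizeof(ffi_arg) ? ret_size : sizeof(ffi_arg);
}

/* 1 if writing this return type into a lone ffi_arg would overrun it,
 * which is the failure mode this report describes. */
int overflows_ffi_arg(size_t ret_size) {
    return ret_size > sizeof(ffi_arg);
}

/* Stand-in for the callee: writes the whole struct into the buffer it is
 * given, exactly as ffi_call() does with the real return value. */
static void fake_callee(void *rvalue) {
    struct Buffer16 b = { 1, 1 };   /* constructed values, as in the report */
    memcpy(rvalue, &b, sizeof b);
}

/* Corrected call path: size the buffer from the return type, then read
 * the fields back. Returns a + b (2 for the constructed values). */
uint64_t call_with_sized_buffer(void) {
    void *rvalue = calloc(1, rvalue_size(sizeof(struct Buffer16)));
    if (rvalue == NULL) return 0;
    fake_callee(rvalue);
    struct Buffer16 out;
    memcpy(&out, rvalue, sizeof out);
    free(rvalue);
    return out.a + out.b;
}
```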
 [2020-01-11 22:45 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79096: FFI Struct Segfault
On GitHub:  https://github.com/php/php-src/pull/5079
Patch:      https://github.com/php/php-src/pull/5079.patch
 [2020-01-14 15:47 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=05f3cd23ed61d800a861f2dd057ed56e783ea6f1
Log: Fix #79096: FFI Struct Segfault
 [2020-01-14 15:47 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-14 15:49 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb