Bug #79125 FFI lifetime
Submitted: 2020-01-15 19:11 UTC Modified: 2021-09-16 21:31 UTC
Votes:2
Avg. Score:1.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at tim dot ainfach dot de Assigned:
Status: Verified Package: FFI (PECL)
PHP Version: 7.4.2RC1 OS: OSX 10.14.6
Private report: No CVE-ID: None
 [2020-01-15 19:11 UTC] php at tim dot ainfach dot de
Description:
------------
Returning and directly using the result of a \FFI::cdef() function ends up in a void pointer.


php-src/ext/ffi/ffi.c:1990: zend_ffi_cdata_get_debug_info: Assertion `0' failed.
https://github.com/php/php-src/blob/9d7e03c325473024e54c864f0379efc1bbf03e72/ext/ffi/ffi.c#L1990


It's easy to reproduce with the same structs used here:

https://github.com/php/php-src/commit/05f3cd23ed61d800a861f2dd057ed56e783ea6f1#diff-3ea95b4dc57e34c882215bcc36f84551


I am not sure if this is a bug or a very confusing API limitation related to the lifetime of zvals.

Test script:
---------------
// php code that SEGFAULTS
function ffi()
{
    return \FFI::cdef(
        file_get_contents(__DIR__ . '/example.h'),
        __DIR__ . '/lib.so'
    );
}

$res = ffi()->bug79096();
var_dump($res);


// php code that WORKS

// same as above
$ffi = ffi();
$res = $ffi->bug79096();

// c code
struct bug79096 bug79096(void)
{
  struct bug79096 b;

  b.a = 1;
  b.b = 1;
  return b;
}

// header 
struct bug79096 {
	uint64_t a;
	uint64_t b;
};

struct bug79096 bug79096(void);


Expected result:
----------------
object(FFI\CData:struct bug79096)#9 (2) {
  ["a"]=>
  int(1)
  ["b"]=>
  int(1)
}



History
 [2020-01-15 19:27 UTC] php at tim dot ainfach dot de
-Summary: FFI Struct Segfault +Summary: FFI lifetime
 [2020-01-15 19:27 UTC] php at tim dot ainfach dot de
Sorry for the misleading title, seems that I can't change it? "FFI lifetime" would be much better.
 [2020-01-16 11:51 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-01-16 11:51 UTC] cmb@php.net
Indeed, after `::bug79096()` has been called, the FFI instance is destroyed including all its types, although the FFI\Cdata instance still holds a pointer to the `struct bug79096` type. This results in a use-after-free.
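Two ways to keep the reporter's script clear of the use-after-free described above, as an added example that is not part of the bug report: either the \FFI instance is kept alive for as long as any FFI\CData derived from it is used, or the struct's scalar fields are copied into plain PHP values while the instance is still alive. It assumes the report's example.h and lib.so exporting `struct bug79096 bug79096(void)`.

```php
<?php
declare(strict_types=1);

// Added example (not from the bug report). Requires ext/ffi and the
// reporter's example.h / lib.so next to this script.

final class Bug79096Lib
{
    private static ?\FFI $ffi = null;

    // Memoised instance: it lives until the script ends, so the
    // `struct bug79096` type it owns is never freed while a CData
    // returned from it is still in use (the unsafe variant rebuilt the
    // instance as a temporary on every call).
    public static function ffi(): \FFI
    {
        return self::$ffi ??= \FFI::cdef(
            file_get_contents(__DIR__ . '/example.h'),
            __DIR__ . '/lib.so'
        );
    }

    // Safe to hand out: the CData's owning FFI instance outlives it.
    public static function call(): \FFI\CData
    {
        return self::ffi()->bug79096();
    }

    // Alternative when a short-lived instance is unavoidable: read the
    // fields into PHP integers before $ffi (and its types) is destroyed,
    // so no CData escapes the scope of the instance that defines its type.
    public static function callAsArray(): array
    {
        $ffi = \FFI::cdef(
            file_get_contents(__DIR__ . '/example.h'),
            __DIR__ . '/lib.so'
        );
        $s = $ffi->bug79096();
        return ['a' => $s->a, 'b' => $s->b];
    }
}

$res = Bug79096Lib::call();
var_dump($res->a, $res->b);      // int(1) int(1) with the report's lib.so
var_dump(Bug79096Lib::callAsArray());
```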
 [2021-09-16 21:31 UTC] cmb@php.net
-Package: *Extensibility Functions +Package: FFI
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 05:01:29 2024 UTC