Bug #75932 zend_user_opcode_handlers not checked for null handler
Submitted: 2018-02-07 21:23 UTC Modified: 2020-11-27 09:37 UTC
Avg. Score:4.0 ± 0.8
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: john-stevenson at blueyonder dot co dot uk Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: Linux/Windows/?
Private report: No CVE-ID: None


 [2018-02-07 21:23 UTC] john-stevenson at blueyonder dot co dot uk
Relates to this Windows specific crash ( which also happens on *nix when opcache file-caching is used.

If an extension sets its own opcode handlers (via zend_set_user_opcode_handler, in zend_execute.c) then a reference to these will be stored by opcache if the script needs to be (re)cached. The handlers are invoked from zend_vm_execute.h using the zend_user_opcode_handlers array:  

    ret = zend_user_opcode_handlers[opline->opcode](execute_data);

which was previously set by the calls to zend_set_user_opcode_handler. 

When a later process runs without the extension, the handlers are unserialized and invoked using the same mechanism, except that zend_user_opcode_handlers has not been populated and points to null data.

On Windows this also happens without opcache file-caching, to a child process that has been restarted without the extension.

Test script:
// test.php
echo "okay\n";

Ini: opcache and xdebug enabled

Run: php.exe test.php // Prints "okay"

Ini: As above, but disable xdebug
Run: php.exe test.php // crashes

Actual result:
PHP 7.2.1 (cli) (built: Feb  7 2018 13:01:16) ( ZTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.1, Copyright (c) 1999-2017, by Zend Technologies

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

#0  0x0000000000000000 in ?? ()
#1  0x00000000007737be in ZEND_USER_OPCODE_SPEC_HANDLER () at /usr/src/Zend/zend_vm_execute.h:1813
#2  0x00000000007fd2f3 in execute_ex (ex=0x7ffff6e1f030) at /usr/src/Zend/zend_vm_execute.h:59815
#3  0x000000000080265a in zend_execute (op_array=0x7ffff6e80300, return_value=0x0) at /usr/src/Zend/zend_vm_execute.h:63763
#4  0x0000000000700aeb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/Zend/zend.c:1496
#5  0x0000000000637684 in php_execute_script (primary_file=0x7fffffffd350) at /usr/src/main/main.c:2590
#6  0x0000000000805458 in do_cli (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1011
#7  0x00000000008068ea in main (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1404
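The report's core point is that the engine indexes zend_user_opcode_handlers by opcode and calls through the pointer without checking it, so a process that never registered the handler (extension not loaded, but the opcodes arrive from the opcache file cache or a restarted Windows child) jumps to address 0. The following is an added, self-contained C model of that dispatch and of the checked form a defender would want; it is not PHP's source, not the report author's code, and not the actual fix. The table size, the `execute_data_t` struct, the status enum and the handler names are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a user-opcode handler table. Names and status codes
 * are assumptions made for this example, not Zend's API. */
typedef struct {
    int opcode;   /* index into the user handler table */
    int result;   /* value a handler may write back */
} execute_data_t;

typedef int (*user_opcode_handler_t)(execute_data_t *ed);

#define NUM_OPCODES 256

/* Outcome of a checked dispatch (constructed). */
enum dispatch_status {
    DISPATCH_OK = 0,          /* a registered handler ran */
    DISPATCH_NO_HANDLER = 1,  /* slot is NULL: caller must use the default handler */
    DISPATCH_BAD_OPCODE = 2   /* opcode outside the table */
};

/* File-scope table: zero-initialised, i.e. every slot is NULL. This is the
 * state of a process in which no extension ever registered a handler. */
static user_opcode_handler_t user_opcode_handlers[NUM_OPCODES];

/* Stand-in for zend_set_user_opcode_handler: bounds-checks the opcode. */
int set_user_opcode_handler(int opcode, user_opcode_handler_t handler) {
    if (opcode < 0 || opcode >= NUM_OPCODES) return -1;
    user_opcode_handlers[opcode] = handler;
    return 0;
}

/* Simulates a fresh process: nothing registered. */
void clear_user_opcode_handlers(void) {
    memset(user_opcode_handlers, 0, sizeof user_opcode_handlers);
}

/* Checked counterpart of
 *     ret = zend_user_opcode_handlers[opline->opcode](execute_data);
 * It validates the index and refuses to call through a NULL pointer,
 * reporting DISPATCH_NO_HANDLER so the caller can fall back instead of crashing. */
enum dispatch_status checked_dispatch(execute_data_t *ed, int *ret) {
    if (ed->opcode < 0 || ed->opcode >= NUM_OPCODES) return DISPATCH_BAD_OPCODE;
    user_opcode_handler_t h = user_opcode_handlers[ed->opcode];
    if (h == NULL) return DISPATCH_NO_HANDLER;
    *ret = h(ed);
    return DISPATCH_OK;
}

/* Constructed handler standing in for one an extension would register. */
static int example_handler(execute_data_t *ed) {
    ed->result = 42;
    return 0;
}

/* First process: the extension registers its handler and the opcode runs. */
int run_with_extension(int opcode) {
    execute_data_t ed = { opcode, 0 };
    int ret = -1;
    if (set_user_opcode_handler(opcode, example_handler) != 0) return -1;
    if (checked_dispatch(&ed, &ret) != DISPATCH_OK) return -1;
    return ed.result;  /* 42 */
}

/* Second process: the same opcode is replayed (from the cache) but the table
 * was never populated. The unchecked form would jump to address 0 here;
 * the checked form returns DISPATCH_NO_HANDLER. */
enum dispatch_status replay_without_extension(int opcode) {
    execute_data_t ed = { opcode, 0 };
    int ret = -1;
    clear_user_opcode_handlers();
    return checked_dispatch(&ed, &ret);
}

int main(void) {
    printf("with extension: result=%d\n", run_with_extension(200));
    printf("replayed without extension: status=%d (1 = no handler)\n",
           replay_without_extension(200));
    return 0;
}
```

The model keeps the two states the report contrasts in one program: a populated table in the "first" process and an all-NULL table in the "second". Whatever the engine chooses to do on DISPATCH_NO_HANDLER (run the built-in handler, or refuse the cached script), the decision is made by the caller rather than by the CPU faulting on a NULL function pointer.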


 [2020-11-27 09:37 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-11-27 09:37 UTC]
I believe this has been fixed by
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Jan 30 16:05:53 2023 UTC