Bug #75932 zend_user_opcode_handlers not checked for null handler
Submitted: 2018-02-07 21:23 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: john-stevenson at blueyonder dot co dot uk Assigned:
Status: Open Package: Reproducible crash
PHP Version: Irrelevant OS: Linux/Windows/?
Private report: No CVE-ID: None
 [2018-02-07 21:23 UTC] john-stevenson at blueyonder dot co dot uk
Description:
------------
Relates to this Windows-specific crash (https://bugs.php.net/bug.php?id=75886), which also happens on *nix when opcache file-caching is used.

If an extension sets its own opcode handlers (via zend_set_user_opcode_handler, in zend_execute.c) then a reference to these will be stored by opcache if the script needs to be (re)cached. The handlers are invoked from zend_vm_execute.h using the zend_user_opcode_handlers array:  

    ret = zend_user_opcode_handlers[opline->opcode](execute_data);

which was previously set by the calls to zend_set_user_opcode_handler. 

When a later process runs without the extension, the handlers are unserialized and invoked using the same mechanism, except that zend_user_opcode_handlers has not been populated and points to null data.

On Windows this also happens without opcache file-caching, to a child process that has been restarted without the extension.

Test script:
---------------
// test.php
<?php
echo "okay\n";
?>
----

Ini: opcache and xdebug enabled
     opcache.enable_cli=1
     opcache.file_cache=/some/where
     opcache.file_cache_only=1

Run: php.exe test.php // Prints "okay"

Ini: As above, but disable xdebug
Run: php.exe test.php // crashes

Actual result:
--------------
PHP 7.2.1 (cli) (built: Feb  7 2018 13:01:16) ( ZTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.1, Copyright (c) 1999-2017, by Zend Technologies

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

#0  0x0000000000000000 in ?? ()
#1  0x00000000007737be in ZEND_USER_OPCODE_SPEC_HANDLER () at /usr/src/Zend/zend_vm_execute.h:1813
#2  0x00000000007fd2f3 in execute_ex (ex=0x7ffff6e1f030) at /usr/src/Zend/zend_vm_execute.h:59815
#3  0x000000000080265a in zend_execute (op_array=0x7ffff6e80300, return_value=0x0) at /usr/src/Zend/zend_vm_execute.h:63763
#4  0x0000000000700aeb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/Zend/zend.c:1496
#5  0x0000000000637684 in php_execute_script (primary_file=0x7fffffffd350) at /usr/src/main/main.c:2590
#6  0x0000000000805458 in do_cli (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1011
#7  0x00000000008068ea in main (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1404
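
As an added illustration, not code from the report or from PHP's source: a small model of the user-opcode handler table and the dispatch path described above, showing the unchecked call next to a guarded variant that refuses to call through a NULL slot. The opcode value, the handler names and run_scenario() are all constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: the VM keeps one handler slot per opcode. An extension
 * fills its slot at startup (zend_set_user_opcode_handler); opcache can later
 * hand back an op_array whose oplines still carry that opcode. */
#define EXT_USER_OPCODE 0xC8            /* placeholder value, not a real opcode */
typedef int (*user_opcode_handler_t)(int operand);

static user_opcode_handler_t user_opcode_handlers[256]; /* all NULL until set */

/* Stands in for zend_set_user_opcode_handler() */
static void set_user_opcode_handler(unsigned opcode, user_opcode_handler_t h) {
    user_opcode_handlers[opcode & 0xFF] = h;
}

/* Hypothetical extension handler (the role xdebug plays in the report) */
static int ext_handler(int operand) { return operand * 2; }

/* Unchecked dispatch, as in the quoted zend_vm_execute.h line: with the
 * slot still NULL this jumps to address 0, i.e. the SIGSEGV in the trace. */
static int dispatch_unchecked(unsigned opcode, int operand) {
    return user_opcode_handlers[opcode & 0xFF](operand);
}

/* Guarded dispatch: a NULL slot means "no extension provides this opcode";
 * report that to the caller instead of faulting. Returns 0 on success. */
static int dispatch_checked(unsigned opcode, int operand, int *out) {
    user_opcode_handler_t h = user_opcode_handlers[opcode & 0xFF];
    if (h == NULL)
        return -1;  /* caller can invalidate the cached script or bail out */
    *out = h(operand);
    return 0;
}

/* Replays the two processes from the report: extension loaded vs. absent.
 * Returns the handler result, or -1 when the guard refused to dispatch. */
int run_scenario(int extension_loaded, int operand) {
    int out = 0;
    set_user_opcode_handler(EXT_USER_OPCODE, extension_loaded ? ext_handler : NULL);
    return dispatch_checked(EXT_USER_OPCODE, operand, &out) == 0 ? out : -1;
}

int main(void) {
    set_user_opcode_handler(EXT_USER_OPCODE, ext_handler);
    printf("with extension: %d\n", dispatch_unchecked(EXT_USER_OPCODE, 21));
    printf("without extension, guarded: %d\n", run_scenario(0, 21));
    /* dispatch_unchecked(EXT_USER_OPCODE, 21) here would crash like the report */
    return 0;
}
```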

 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Dec 17 05:01:26 2018 UTC