Bug #75932 zend_user_opcode_handlers not checked for null handler
Submitted: 2018-02-07 21:23 UTC Modified: 2020-11-27 09:37 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: john-stevenson at blueyonder dot co dot uk Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: Linux/Windows/?
Private report: No CVE-ID: None
 [2018-02-07 21:23 UTC] john-stevenson at blueyonder dot co dot uk
Description:
------------
Relates to this Windows specific crash (https://bugs.php.net/bug.php?id=75886) which also happens on *nix when opcache file-caching is used.

If an extension sets its own opcode handlers (via zend_set_user_opcode_handler, in zend_execute.c) then a reference to these will be stored by opcache if the script needs to be (re)cached. The handlers are invoked from zend_vm_execute.h using the zend_user_opcode_handlers array:  

    ret = zend_user_opcode_handlers[opline->opcode](execute_data);

which was previously set by the calls to zend_set_user_opcode_handler. 

When a later process runs without the extension, the handlers are unserialized and invoked using the same mechanism, except that zend_user_opcode_handlers has not been populated and points to null data.

On Windows this also happens without opcache file-caching, to a child process that has been restarted without the extension.

Test script:
---------------
// test.php
<?php
echo "okay\n";
?>
----

Ini: opcache and xdebug enabled
     opcache.enable_cli=1
     opcache.file_cache=/some/where
     opcache.file_cache_only=1

Run: php.exe test.php // Prints "okay"

Ini: As above, but disable xdebug
Run: php.exe test.php // crashes

Actual result:
--------------
PHP 7.2.1 (cli) (built: Feb  7 2018 13:01:16) ( ZTS DEBUG )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.2.1, Copyright (c) 1999-2017, by Zend Technologies

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

#0  0x0000000000000000 in ?? ()
#1  0x00000000007737be in ZEND_USER_OPCODE_SPEC_HANDLER () at /usr/src/Zend/zend_vm_execute.h:1813
#2  0x00000000007fd2f3 in execute_ex (ex=0x7ffff6e1f030) at /usr/src/Zend/zend_vm_execute.h:59815
#3  0x000000000080265a in zend_execute (op_array=0x7ffff6e80300, return_value=0x0) at /usr/src/Zend/zend_vm_execute.h:63763
#4  0x0000000000700aeb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/Zend/zend.c:1496
#5  0x0000000000637684 in php_execute_script (primary_file=0x7fffffffd350) at /usr/src/main/main.c:2590
#6  0x0000000000805458 in do_cli (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1011
#7  0x00000000008068ea in main (argc=4, argv=0xc748c0) at /usr/src/sapi/cli/php_cli.c:1404
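As an added illustration, not code from php-src or from this report, here is a toy C model of the dispatch described above: a handler table indexed by opcode (standing in for zend_user_opcode_handlers), a registration function (standing in for zend_set_user_opcode_handler), the unguarded call pattern the report quotes, and a guarded dispatch that falls back to the built-in behaviour when the slot is NULL, which is what a later process started without the extension would otherwise call through. All toy_* names, the table size and the identity fallback are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a user-opcode handler table; names are hypothetical, not Zend's. */
#define TOY_NUM_OPCODES 8
#define TOY_USER_HANDLED     1   /* a registered handler ran */
#define TOY_DISPATCH_DEFAULT 0   /* no handler registered: built-in behaviour used */
#define TOY_BAD_OPCODE      -1   /* opcode outside the table */

typedef int (*toy_handler_t)(int operand);

/* Stand-in for zend_user_opcode_handlers: zero-initialised, so unregistered
 * slots are NULL, as in a process where the extension was never loaded. */
static toy_handler_t toy_user_handlers[TOY_NUM_OPCODES];

/* Stand-in for zend_set_user_opcode_handler: an extension registers a handler. */
int toy_set_user_handler(unsigned opcode, toy_handler_t h) {
    if (opcode >= TOY_NUM_OPCODES) return TOY_BAD_OPCODE;
    toy_user_handlers[opcode] = h;
    return 0;
}

/* Models a fresh process started without the extension: no handlers registered. */
void toy_clear_user_handlers(void) {
    for (unsigned i = 0; i < TOY_NUM_OPCODES; i++) toy_user_handlers[i] = NULL;
}

/* Unguarded dispatch, the pattern the report quotes:
 *     ret = zend_user_opcode_handlers[opline->opcode](execute_data);
 * With a NULL slot this calls address 0, matching frame #0 in the backtrace.
 * Kept only to show the defect; toy_dispatch() below is the guarded form. */
int toy_dispatch_unguarded(unsigned opcode, int operand) {
    return toy_user_handlers[opcode](operand);
}

/* Guarded dispatch: validate the opcode, then fall back to the built-in
 * behaviour (identity here, standing in for the default VM handler) when no
 * user handler is registered, instead of calling through a NULL pointer. */
int toy_dispatch(unsigned opcode, int operand, int *out) {
    if (opcode >= TOY_NUM_OPCODES) return TOY_BAD_OPCODE;
    toy_handler_t h = toy_user_handlers[opcode];
    if (h == NULL) {
        *out = operand;
        return TOY_DISPATCH_DEFAULT;
    }
    *out = h(operand);
    return TOY_USER_HANDLED;
}

/* Sample extension handler (constructed for the example): doubles its operand. */
int toy_double_handler(int x) { return 2 * x; }

int main(void) {
    int out = 0;
    int ret;
    /* First process: extension loaded, handler registered for opcode 5. */
    toy_set_user_handler(5, toy_double_handler);
    ret = toy_dispatch(5, 21, &out);
    printf("with extension:    ret=%d out=%d\n", ret, out);
    /* Later process: same cached opline, but the extension is absent. */
    toy_clear_user_handlers();
    ret = toy_dispatch(5, 21, &out);
    printf("without extension: ret=%d out=%d\n", ret, out);
    return 0;
}
```

The guarded path reports which branch ran, so a caller (or a test) can distinguish "user handler executed" from "fell back to the default" rather than discovering the difference as a crash.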

History

 [2020-11-27 09:37 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-11-27 09:37 UTC] nikic@php.net
I believe this has been fixed by https://github.com/php/php-src/pull/5836.