Bug #77638 var_export on an FFI\CData:* instance causes a segmentation fault
Submitted: 2019-02-18 18:35 UTC Modified: 2019-10-21 14:08 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tandre@php.net Assigned:
Status: Verified Package: Reproducible crash
PHP Version: Next Minor Version OS: Linux
Private report: No CVE-ID: None

 [2019-02-18 18:35 UTC] tandre@php.net
Description:
------------
Whenever var_export() is called on the result of FFI::new(), PHP segfaults.

I think it's related to calling GC_PROTECT_RECURSION, *but the line numbers in my build may be wrong*

```
 553                                             GC_PROTECT_RECURSION(myht);
(gdb) bt
#0  0x0000000000944811 in php_var_export_ex (struc=0x7fffecc13100, level=1, buf=0x7fffffffbf90) at /path/to/php-src/ext/standard/var.c:553
#1  0x0000000000944fe3 in zif_var_export (execute_data=0x7fffecc130b0, return_value=0x7fffffffbfe0) at /path/to/php-src/ext/standard/var.c:622
#2  0x0000000000bb2b63 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /path/to/php-src/Zend/zend_vm_execute.h:649
```

Test script:
---------------
```
» php -a
Interactive shell

php > $x = FFI::new('int');
php > echo gettype($x);
object
php > echo get_class($x);
FFI\CData
php > var_dump($x);
object(FFI\CData:int32_t)#1 (1) {
  ["cdata"]=>
  int(0)
}
php > var_export($x);
[1]    2615 segmentation fault  php -a
```

Expected result:
----------------
Either dumps the type or throws an Exception/Error for being impossible to dump

Actual result:
--------------
Segfaults

History

 [2019-10-21 11:53 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-10-21 11:53 UTC] cmb@php.net
The problem is that the get_properties handler returns a pointer
to a const HashTable[1], which we're trying to modify in
php_var_export_ex().

[1] <https://github.com/php/php-src/blob/d608ac6ee917c1da75868bd9cf40d5029d5e8a18/ext/ffi/ffi.c#L4699>
 [2019-10-21 14:08 UTC] nikic@php.net
Simple fix is to just return NULL instead, but I'd say the proper fix is to use GC_TRY_(UN)PROTECT_RECURSION macros in var_dump/var_export.
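To make the failure mode in the two comments above concrete, here is an added C model (example code, not PHP's own; all names such as `table`, `FLAG_IMMUTABLE`, `cdata_get_properties` and `try_protect_recursion` are hypothetical and only loosely follow Zend's `GC_FLAGS`/`GC_IMMUTABLE`/`GC_PROTECTED` scheme). A shared empty table lives in read-only storage, a handler hands it out with its const-ness cast away, an unconditional recursion guard writes a flag into it (the store that segfaults), and a "try" guard skips immutable tables while still catching a genuine cycle:

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the crash, not PHP's code. Names are hypothetical; the flag
 * layout is loosely modelled on Zend's GC_FLAGS()/GC_IMMUTABLE/GC_PROTECTED. */
enum {
    FLAG_IMMUTABLE = 1u << 0,  /* shared read-only table: must never be written */
    FLAG_PROTECTED = 1u << 1   /* recursion guard held while dumping this table */
};

typedef struct table {
    uint32_t flags;
    int nelems;
    const struct table *child; /* one nested table, or NULL */
} table;

/* Shared empty table in read-only storage, like a const zend_empty_array.
 * The linker places it in .rodata; any store through it is a fault. */
static const table empty_table = { FLAG_IMMUTABLE, 0, NULL };

/* A get_properties-style handler that hands out the shared table. The cast
 * discards const, so callers cannot tell the table is read-only (this is the
 * situation the comment above describes for FFI\CData). */
static table *cdata_get_properties(void) {
    return (table *)&empty_table;
}

/* What var_export did: an unconditional write of the guard flag.
 * Called on cdata_get_properties(), this is a store into .rodata -> SIGSEGV. */
static void protect_recursion(table *ht)   { ht->flags |=  FLAG_PROTECTED; }
static void unprotect_recursion(table *ht) { ht->flags &= ~FLAG_PROTECTED; }

/* The try_ variant suggested above: skip immutable tables. An immutable table
 * cannot hold a reference back to itself, so it needs no guard anyway.
 * Returns 1 if the flag was set (and must be cleared later), 0 if skipped. */
static int try_protect_recursion(table *ht) {
    if (ht->flags & FLAG_IMMUTABLE) return 0;
    ht->flags |= FLAG_PROTECTED;
    return 1;
}

/* Walk nested tables the way a dumper would. Returns the nesting depth
 * reached, or -1 when the guard detects a cycle (*RECURSION*). */
static int dump_depth(table *ht) {
    if (ht->flags & FLAG_PROTECTED) return -1;   /* already being dumped: cycle */
    int guarded = try_protect_recursion(ht);
    int depth = 1;
    if (ht->child) {
        int sub = dump_depth((table *)ht->child);
        if (sub < 0) depth = -1; else depth += sub;
    }
    if (guarded) unprotect_recursion(ht);
    return depth;
}

int main(void) {
    /* 1. The FFI\CData case: shared immutable table, walked but never written. */
    table *props = cdata_get_properties();
    printf("cdata properties: depth=%d flags=%u\n", dump_depth(props), props->flags);

    /* 2. Ordinary nested tables (constructed sample). */
    table inner = { 0, 1, NULL };
    table outer = { 0, 1, &inner };
    printf("nested: depth=%d\n", dump_depth(&outer));

    /* 3. A self-referencing table: the guard reports a cycle instead of looping. */
    table self = { 0, 1, NULL };
    self.child = &self;
    printf("cycle: depth=%d\n", dump_depth(&self));

    /* protect_recursion(props);  <- the original bug: a write into .rodata, crashes */
    (void)protect_recursion;
    return 0;
}
```

The model shows why "return NULL instead" is only a band-aid: any other handler that hands out a const table would hit the same unconditional write, whereas checking the immutable flag in the guard itself (the `try_` variant) fixes every caller of the dumper at once.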
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Nov 15 12:01:34 2019 UTC