php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78228 base64_decode causes Illegal instruction (core dumped)
Submitted: 2019-06-28 10:57 UTC Modified: 2019-07-05 11:32 UTC
From: pawaroti at gmail dot com Assigned:
Status: Re-Opened Package: *General Issues
PHP Version: 7.3.6 OS: Debian GNU/Linux 9 (stretch)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: pawaroti at gmail dot com
New email:
PHP Version: OS:

 

 [2019-06-28 10:57 UTC] pawaroti at gmail dot com
Description:
------------
Works on Ubuntu 16.04.6 LTS (Xenial Xerus)

Doesn't work on Debian GNU/Linux 9 (stretch)

$ cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 63
model name	: Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz
stepping	: 2
microcode	: 0x31
cpu MHz		: 2600.098
cache size	: 25600 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 1
apicid		: 3
initial apicid	: 3
fpu		: yes
fpu_exception	: yes
cpuid level	: 15
wp		: yes
flags		: fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl pni pclmulqdq ssse3 sdbg fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes f16c rdrand hypervisor lahf_lm abm epb fsgsbase bmi1 avx2 bmi2 erms dtherm ida arat pln pts
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5200.19
clflush size	: 64
cache_alignment	: 64
address sizes	: 46 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 63
model name	: Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz
stepping	: 2
microcode	: 0x31
cpu MHz		: 2600.098
cache size	: 25600 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 1
apicid		: 3
initial apicid	: 3
fpu		: yes
fpu_exception	: yes
cpuid level	: 15
wp		: yes
flags		: fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl pni pclmulqdq ssse3 sdbg fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes f16c rdrand hypervisor lahf_lm abm epb fsgsbase bmi1 avx2 bmi2 erms dtherm ida arat pln pts
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5200.19
clflush size	: 64
cache_alignment	: 64
address sizes	: 46 bits physical, 48 bits virtual
power management:



Test script:
---------------
$STRING = '564dace0-391c-42b6-d098-5b7742cb19ee';
$output = base64_encode($STRING);
print_r($output);

Expected result:
----------------
NTY0ZGFjZTAtMzkxYy00MmI2LWQwOTgtNWI3NzQyY2IxOWVl

Actual result:
--------------
Illegal instruction (core dumped)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-06-28 10:58 UTC] nikic@php.net
How did you compile/get PHP?
 [2019-06-28 11:03 UTC] pawaroti at gmail dot com
I run PHP in Docker container from official repo: https://hub.docker.com/_/php

FROM php:7.3.6-fpm
 [2019-06-28 11:05 UTC] pawaroti at gmail dot com
It is probably related to: #77357 and #77485
 [2019-06-28 11:20 UTC] sjon@php.net
-Status: Open +Status: Duplicate
 [2019-06-28 11:20 UTC] sjon@php.net
Duplicate of Bug #77357

if this still happens, please reopen that instead
 [2019-06-28 15:38 UTC] cmb@php.net
@sjon, only the original reporter and those with php.net accounts
are allowed to change the status of tickets.
 [2019-07-03 09:25 UTC] pawaroti at gmail dot com
Any update on this? The problem still happens.
 [2019-07-03 09:33 UTC] nikic@php.net
-Status: Duplicate +Status: Re-Opened
 [2019-07-03 09:45 UTC] nikic@php.net
Your CPU has both SSSE3 and AVX2, so there really shouldn't be issues due to incorrect implementation selection here.

Can you do something like "gdb --args php file.php" and then "run" and then "disassemble" when you get the illegal instruction?
 [2019-07-05 05:30 UTC] pawaroti at gmail dot com
Here you have:

root@fb34ae598296:/var/www/html# gdb --args php test.php 
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/local/bin/php test.php
warning: Error disabling address space randomization: Operation not permitted
During startup program terminated with signal SIGILL, Illegal instruction.
(gdb) disassemble
No frame selected.
(gdb)
 [2019-07-05 05:31 UTC] pawaroti at gmail dot com
/usr/local/bin/php -v
PHP 7.3.6 (cli) (built: May 31 2019 23:33:18) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.6, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.6, Copyright (c) 1999-2018, by Zend Technologies
    with Xdebug v2.7.2, Copyright (c) 2002-2019, by Derick Rethans
 [2019-07-05 05:40 UTC] pawaroti at gmail dot com
After run docker container with --security-opt seccomp=unconfined like mentioned here https://stackoverflow.com/a/46676907

gdb --args php test.php 
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x0000555555944c40 in php_base64_encode_avx2 ()
(gdb) disassemble
Dump of assembler code for function php_base64_encode_avx2:
   0x0000555555944aa0 <+0>:	lea    0x8(%rsp),%r10
   0x0000555555944aa5 <+5>:	and    $0xffffffffffffffe0,%rsp
   0x0000555555944aa9 <+9>:	lea    0x2(%rsi),%rdx
   0x0000555555944aad <+13>:	pushq  -0x8(%r10)
   0x0000555555944ab1 <+17>:	push   %rbp
   0x0000555555944ab2 <+18>:	mov    %rdx,%rax
   0x0000555555944ab5 <+21>:	mov    %rsp,%rbp
   0x0000555555944ab8 <+24>:	push   %r13
   0x0000555555944aba <+26>:	movabs $0xaaaaaaaaaaaaaaab,%r13
   0x0000555555944ac4 <+36>:	mul    %r13
   0x0000555555944ac7 <+39>:	push   %r12
   0x0000555555944ac9 <+41>:	push   %r10
   0x0000555555944acb <+43>:	push   %rbx
   0x0000555555944acc <+44>:	mov    %rsi,%r12
   0x0000555555944acf <+47>:	mov    %rdi,%rbx
   0x0000555555944ad2 <+50>:	mov    $0x4,%esi
   0x0000555555944ad7 <+55>:	sub    $0x10,%rsp
   0x0000555555944adb <+59>:	shr    %rdx
   0x0000555555944ade <+62>:	mov    %rdx,%r13
   0x0000555555944ae1 <+65>:	mov    $0x20,%edx
   0x0000555555944ae6 <+70>:	mov    %r13,%rdi
   0x0000555555944ae9 <+73>:	shl    $0x2,%r13
   0x0000555555944aed <+77>:	callq  0x555555a1b070 <_safe_emalloc>
   0x0000555555944af2 <+82>:	cmp    $0x1f,%r12
   0x0000555555944af6 <+86>:	movl   $0x1,(%rax)
   0x0000555555944afc <+92>:	movl   $0x6,0x4(%rax)
   0x0000555555944b03 <+99>:	movq   $0x0,0x8(%rax)
   0x0000555555944b0b <+107>:	mov    %r13,0x10(%rax)
   0x0000555555944b0f <+111>:	lea    0x18(%rax),%rdi
   0x0000555555944b13 <+115>:	ja     0x555555944c40 <php_base64_encode_avx2+416>
   0x0000555555944b19 <+121>:	cmp    $0x2,%r12
   0x0000555555944b1d <+125>:	mov    %rdi,%rdx
   0x0000555555944b20 <+128>:	jbe    0x555555944ba0 <php_base64_encode_avx2+256>
   0x0000555555944b22 <+130>:	lea    0x8afdd7(%rip),%rsi        # 0x5555561f4900
   0x0000555555944b29 <+137>:	nopl   0x0(%rax)
   0x0000555555944b30 <+144>:	movzbl (%rbx),%ecx
   0x0000555555944b33 <+147>:	sub    $0x3,%r12
   0x0000555555944b37 <+151>:	add    $0x4,%rdx
   0x0000555555944b3b <+155>:	add    $0x3,%rbx
   0x0000555555944b3f <+159>:	shr    $0x2,%cl
   0x0000555555944b42 <+162>:	and    $0x3f,%ecx
   0x0000555555944b45 <+165>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944b49 <+169>:	mov    %cl,-0x4(%rdx)
   0x0000555555944b4c <+172>:	movzbl -0x3(%rbx),%ecx
   0x0000555555944b50 <+176>:	movzbl -0x2(%rbx),%r8d
   0x0000555555944b55 <+181>:	shl    $0x4,%ecx
   0x0000555555944b58 <+184>:	shr    $0x4,%r8b
   0x0000555555944b5c <+188>:	and    $0x30,%ecx
   0x0000555555944b5f <+191>:	add    %r8,%rcx
   0x0000555555944b62 <+194>:	and    $0x7f,%ecx
   0x0000555555944b65 <+197>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944b69 <+201>:	mov    %cl,-0x3(%rdx)
   0x0000555555944b6c <+204>:	movzbl -0x2(%rbx),%ecx
   0x0000555555944b70 <+208>:	movzbl -0x1(%rbx),%r8d
   0x0000555555944b75 <+213>:	shl    $0x2,%ecx
   0x0000555555944b78 <+216>:	and    $0x3c,%ecx
   0x0000555555944b7b <+219>:	shr    $0x6,%r8b
   0x0000555555944b7f <+223>:	add    %r8,%rcx
   0x0000555555944b82 <+226>:	and    $0x7f,%ecx
   0x0000555555944b85 <+229>:	movzbl (%rsi,%rcx,1),%ecx
---Type <return> to continue, or q <return> to quit--- 
   0x0000555555944b89 <+233>:	mov    %cl,-0x2(%rdx)
   0x0000555555944b8c <+236>:	movzbl -0x1(%rbx),%ecx
   0x0000555555944b90 <+240>:	and    $0x3f,%ecx
   0x0000555555944b93 <+243>:	cmp    $0x2,%r12
   0x0000555555944b97 <+247>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944b9b <+251>:	mov    %cl,-0x1(%rdx)
   0x0000555555944b9e <+254>:	ja     0x555555944b30 <php_base64_encode_avx2+144>
   0x0000555555944ba0 <+256>:	test   %r12,%r12
   0x0000555555944ba3 <+259>:	je     0x555555944bf9 <php_base64_encode_avx2+345>
   0x0000555555944ba5 <+261>:	movzbl (%rbx),%ecx
   0x0000555555944ba8 <+264>:	lea    0x8afd51(%rip),%rsi        # 0x5555561f4900
   0x0000555555944baf <+271>:	shr    $0x2,%cl
   0x0000555555944bb2 <+274>:	and    $0x3f,%ecx
   0x0000555555944bb5 <+277>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944bb9 <+281>:	mov    %cl,(%rdx)
   0x0000555555944bbb <+283>:	movzbl (%rbx),%ecx
   0x0000555555944bbe <+286>:	shl    $0x4,%ecx
   0x0000555555944bc1 <+289>:	cmp    $0x2,%r12
   0x0000555555944bc5 <+293>:	jne    0x555555944c20 <php_base64_encode_avx2+384>
   0x0000555555944bc7 <+295>:	movzbl 0x1(%rbx),%r8d
   0x0000555555944bcc <+300>:	and    $0x30,%ecx
   0x0000555555944bcf <+303>:	add    $0x4,%rdx
   0x0000555555944bd3 <+307>:	shr    $0x4,%r8b
   0x0000555555944bd7 <+311>:	add    %r8,%rcx
   0x0000555555944bda <+314>:	and    $0x7f,%ecx
   0x0000555555944bdd <+317>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944be1 <+321>:	mov    %cl,-0x3(%rdx)
   0x0000555555944be4 <+324>:	movzbl 0x1(%rbx),%ecx
   0x0000555555944be8 <+328>:	movb   $0x3d,-0x1(%rdx)
   0x0000555555944bec <+332>:	shl    $0x2,%ecx
   0x0000555555944bef <+335>:	and    $0x3c,%ecx
   0x0000555555944bf2 <+338>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944bf6 <+342>:	mov    %cl,-0x2(%rdx)
   0x0000555555944bf9 <+345>:	movb   $0x0,(%rdx)
   0x0000555555944bfc <+348>:	sub    %rdi,%rdx
   0x0000555555944bff <+351>:	mov    %rdx,0x10(%rax)
   0x0000555555944c03 <+355>:	add    $0x10,%rsp
   0x0000555555944c07 <+359>:	pop    %rbx
   0x0000555555944c08 <+360>:	pop    %r10
   0x0000555555944c0a <+362>:	pop    %r12
   0x0000555555944c0c <+364>:	pop    %r13
   0x0000555555944c0e <+366>:	pop    %rbp
   0x0000555555944c0f <+367>:	lea    -0x8(%r10),%rsp
   0x0000555555944c13 <+371>:	retq   
   0x0000555555944c14 <+372>:	xchg   %ax,%ax
   0x0000555555944c16 <+374>:	nopw   %cs:0x0(%rax,%rax,1)
   0x0000555555944c20 <+384>:	and    $0x30,%ecx
   0x0000555555944c23 <+387>:	movb   $0x3d,0x2(%rdx)
   0x0000555555944c27 <+391>:	movb   $0x3d,0x3(%rdx)
   0x0000555555944c2b <+395>:	movzbl (%rsi,%rcx,1),%ecx
   0x0000555555944c2f <+399>:	add    $0x4,%rdx
   0x0000555555944c33 <+403>:	mov    %cl,-0x3(%rdx)
   0x0000555555944c36 <+406>:	jmp    0x555555944bf9 <php_base64_encode_avx2+345>
   0x0000555555944c38 <+408>:	nopl   0x0(%rax,%rax,1)
=> 0x0000555555944c40 <+416>:	vmovdqa 0x8afd18(%rip),%ymm1        # 0x5555561f4960
   0x0000555555944c48 <+424>:	mov    %rdi,%rdx
   0x0000555555944c4b <+427>:	mov    %rbx,%rcx
   0x0000555555944c4e <+430>:	vmovdqa 0x8afd2a(%rip),%ymm9        # 0x5555561f4980
   0x0000555555944c56 <+438>:	vpermd (%rbx),%ymm1,%ymm1
   0x0000555555944c5b <+443>:	vmovdqa 0x8afd3d(%rip),%ymm8        # 0x5555561f49a0
   0x0000555555944c63 <+451>:	vmovdqa 0x8afd55(%rip),%ymm7        # 0x5555561f49c0
---Type <return> to continue, or q <return> to quit---
   0x0000555555944c6b <+459>:	vmovdqa 0x8afd6d(%rip),%ymm6        # 0x5555561f49e0
   0x0000555555944c73 <+467>:	vmovdqa 0x8afd85(%rip),%ymm5        # 0x5555561f4a00
   0x0000555555944c7b <+475>:	vmovdqa 0x8afd9d(%rip),%ymm4        # 0x5555561f4a20
   0x0000555555944c83 <+483>:	vmovdqa 0x8afdb5(%rip),%ymm3        # 0x5555561f4a40
   0x0000555555944c8b <+491>:	vmovdqa 0x8afdcd(%rip),%ymm2        # 0x5555561f4a60
   0x0000555555944c93 <+499>:	jmp    0x555555944ca8 <php_base64_encode_avx2+520>
   0x0000555555944c95 <+501>:	nop
   0x0000555555944c96 <+502>:	nopw   %cs:0x0(%rax,%rax,1)
   0x0000555555944ca0 <+512>:	vmovdqu 0x14(%rcx),%ymm1
   0x0000555555944ca5 <+517>:	mov    %rbx,%rcx
   0x0000555555944ca8 <+520>:	vpshufb %ymm9,%ymm1,%ymm1
   0x0000555555944cad <+525>:	sub    $0x18,%r12
   0x0000555555944cb1 <+529>:	add    $0x18,%rbx
   0x0000555555944cb5 <+533>:	add    $0x20,%rdx
   0x0000555555944cb9 <+537>:	vpand  %ymm1,%ymm8,%ymm0
   0x0000555555944cbd <+541>:	vpmulhuw %ymm7,%ymm0,%ymm10
   0x0000555555944cc1 <+545>:	vpand  %ymm1,%ymm6,%ymm0
   0x0000555555944cc5 <+549>:	vpmullw %ymm0,%ymm5,%ymm0
   0x0000555555944cc9 <+553>:	vpor   %ymm10,%ymm0,%ymm0
   0x0000555555944cce <+558>:	vpcmpgtb %ymm3,%ymm0,%ymm10
   0x0000555555944cd2 <+562>:	vpsubusb %ymm4,%ymm0,%ymm1
   0x0000555555944cd6 <+566>:	vpsubb %ymm10,%ymm1,%ymm1
   0x0000555555944cdb <+571>:	vpshufb %ymm1,%ymm2,%ymm1
   0x0000555555944ce0 <+576>:	vpaddb %ymm0,%ymm1,%ymm0
   0x0000555555944ce4 <+580>:	vmovdqu %ymm0,-0x20(%rdx)
   0x0000555555944ce9 <+585>:	cmp    $0x1b,%r12
   0x0000555555944ced <+589>:	ja     0x555555944ca0 <php_base64_encode_avx2+512>
   0x0000555555944cef <+591>:	vzeroupper 
   0x0000555555944cf2 <+594>:	jmpq   0x555555944b22 <php_base64_encode_avx2+130>
End of assembler dump.
(gdb)
 [2019-07-05 11:32 UTC] nikic@php.net
SIGILL is raised on a vmovdqa, which is avx. I now see in your /proc/cpuinfo output that apparently avx2 support is reported, but avx support is not, which should never happen. I would suspect that you have something (virtualization?) that produces incorrect cpuid output.
 [2019-07-09 15:16 UTC] pawaroti at gmail dot com
My server is  run on XEN, here you have cpu info directly from the host:

processor : 7
vendor_id : GenuineIntel
cpu family : 6
model  : 63
model name : Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz
stepping : 2
microcode : 0x35
cpu MHz  : 2397.316
cache size : 20480 KB
physical id : 0
siblings : 8
core id  : 3
cpu cores : 4
apicid  : 7
initial apicid : 7
fpu  : yes
fpu_exception : yes
cpuid level : 15
wp  : yes
flags  : fpu de tsc msr pae mce cx8 apic sep mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl nonstop_tsc pni pclmulqdq monitor vmx est ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase bmi1 avx2 bmi2 erms
bogomips : 4794.63
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:


There is also no avx support reported, look at CPY desc:

https://ark.intel.com/content/www/us/en/ark/products/83356/intel-xeon-processor-e5-2630-v3-20m-cache-2-40-ghz.html
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Oct 17 00:01:27 2019 UTC