php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #78860 Crashes when using ZEND_OP_ARRAY_EXTENSION
Submitted: 2019-11-23 00:58 UTC Modified: 2020-08-19 07:30 UTC
From: jtax at newrelic dot com Assigned: dmitry (profile)
Status: Not a bug Package: Reproducible crash
PHP Version: 7.4.0RC6 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2019-11-23 00:58 UTC] jtax at newrelic dot com 
Description:
------------
I'm trying to migrate from using op_array->reserved to ZEND_OP_ARRAY_EXTENSION
in a PHP extension. This is recommended in the UPGRADE.INTERNALS, and I anyway
already ran into problems with op_array reserved pointers in PHP 7.3. I see
various crashes when using ZEND_OP_ARRAY_EXTENSION and I could nail down two
major reasons for those crashes.

1. The run time cache that ZEND_OP_ARRAY_EXTENSION accesses is not always 
   initialized, and ZEND_OP_ARRAY_EXTENSION does no safety checks around that.

   I can mitigate this by calling zend_fetch_function for all functions that I
   need to access (zend_fetch_function ensures that the run time cache is
   initialized), however there's no similar way to ensure an initialized run
   time cache for class methods or callables.

   To transition from op_array->reserved to ZEND_OP_ARRAY_EXTENSION, I would
   need a way to ensure that the run time cache on the op_array is initialized.
   This could be an API function that I can call. There exists a function
   init_func_run_time_cache in Zend, but it's static and not part of the public
   API.

2. In one cases (namely in zend_get_call_trampoline_func), the run time cache
   pointer is set to a dummy value of 0x2. Accessing this op_array with 
   ZEND_OP_ARRAY_EXTENSION causes a crash.

   I'd expect ZEND_OP_ARRAY_EXTENSION to check for this special condition and
   handle it accordingly.

The one critical necessary for me (and I think for many others) to transition
from op_array->reserved to ZEND_OP_ARRAY_EXTENSION is a way to ensure an 
initialized run time cache on an op_array, like a function 
init_func_run_time_cache that I can call. Enhanced safety checks in
ZEND_OP_ARRAY_EXTENSION would be a nice-to-have.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-26 10:55 UTC] cmb@php.net
-Assigned To: +Assigned To: dmitry
 [2019-11-26 10:55 UTC] cmb@php.net 
Dmitry, what do you think?
 [2019-12-09 13:02 UTC] dmitry@php.net
-Status: Assigned +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2019-12-09 13:02 UTC] dmitry@php.net 
It's a big question, how you are using op_array extensions.

op_array->run_time_cache is initialized when function is called first time.
If you need to add extended information early, you'll have to initialize run_time_cache yourself. I added API call at https://github.com/php/php-src/commit/03d1c788ea8d9976f2fcb17d5d1c3d4280dd9570

I'm not sure if additional checks in ZEND_OP_ARRAY_EXTENSION() could help, because they need to return something anyway. And you'll have to check for trampoline case yourself (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE)
 [2019-12-22 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-04-21 20:00 UTC] levim@php.net
-Status: No Feedback +Status: Re-Opened
 [2020-04-21 20:00 UTC] levim@php.net 
I have a reproduction case that for something that appears to be the same issue:


git clone https://github.com/morrisonlevi/reserved_slot
cd reserved_slot
# with PHP 7.4; haven't tested master
phpize &&./configure && make
cd bug
composer install
php -d zend_extension=$PWD/../modules/reserved_slot.so index.php

-----

> And you'll have to check for trampoline case yourself (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE)

I'm not sure what to do if this flag is true; if it is a trampoline, what does that mean for code using ZEND_OP_ARRAY_EXTENSION?
 [2020-08-19 07:30 UTC] dmitry@php.net
-Status: Re-Opened +Status: Not a bug
 [2020-08-19 07:30 UTC] dmitry@php.net 
Trampolines don't have any extensions. They are used to pass control to __call/__callstatic.

They may be just ignored https://gist.github.com/dstogov/2a6edb668de93dce3a7bcbecc10a8c3d

or handled as __call/__callstatic https://gist.github.com/dstogov/2cbdb2f0cb13cdf94b00416345083fea
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun May 11 19:01:28 2025 UTC