Request #78860 Crashes when using ZEND_OP_ARRAY_EXTENSION
Submitted: 2019-11-23 00:58 UTC Modified: 2020-04-21 20:00 UTC
From: jtax at newrelic dot com Assigned: dmitry (profile)
Status: Re-Opened Package: Reproducible crash
PHP Version: 7.4.0RC6 OS: Linux
Private report: No CVE-ID: None
 [2019-11-23 00:58 UTC] jtax at newrelic dot com
Description:
------------
I'm trying to migrate from using op_array->reserved to ZEND_OP_ARRAY_EXTENSION
in a PHP extension. This is recommended in the UPGRADE.INTERNALS, and I had
already run into problems with op_array reserved pointers in PHP 7.3 anyway. I see
various crashes when using ZEND_OP_ARRAY_EXTENSION and I could nail down two
major reasons for those crashes.

1. The run time cache that ZEND_OP_ARRAY_EXTENSION accesses is not always 
   initialized, and ZEND_OP_ARRAY_EXTENSION does no safety checks around that.

   I can mitigate this by calling zend_fetch_function for all functions that I
   need to access (zend_fetch_function ensures that the run time cache is
   initialized), however there's no similar way to ensure an initialized run
   time cache for class methods or callables.

   To transition from op_array->reserved to ZEND_OP_ARRAY_EXTENSION, I would
   need a way to ensure that the run time cache on the op_array is initialized.
   This could be an API function that I can call. There exists a function
   init_func_run_time_cache in Zend, but it's static and not part of the public
   API.

2. In one case (namely in zend_get_call_trampoline_func), the run time cache
   pointer is set to a dummy value of 0x2. Accessing this op_array with
   ZEND_OP_ARRAY_EXTENSION causes a crash.

   I'd expect ZEND_OP_ARRAY_EXTENSION to check for this special condition and
   handle it accordingly.

The one thing critically necessary for me (and I think for many others) to transition
from op_array->reserved to ZEND_OP_ARRAY_EXTENSION is a way to ensure an
initialized run time cache on an op_array, like a function
init_func_run_time_cache that I can call. Enhanced safety checks in
ZEND_OP_ARRAY_EXTENSION would be a nice-to-have.
History

 [2019-11-26 10:55 UTC] cmb@php.net
-Assigned To: +Assigned To: dmitry
 [2019-11-26 10:55 UTC] cmb@php.net
Dmitry, what do you think?
 [2019-12-09 13:02 UTC] dmitry@php.net
-Status: Assigned +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2019-12-09 13:02 UTC] dmitry@php.net
It's a big question how you are using op_array extensions.

op_array->run_time_cache is initialized when the function is called the first time.
If you need to add extended information early, you'll have to initialize run_time_cache yourself. I added an API call at https://github.com/php/php-src/commit/03d1c788ea8d9976f2fcb17d5d1c3d4280dd9570

I'm not sure if additional checks in ZEND_OP_ARRAY_EXTENSION() could help, because they need to return something anyway. And you'll have to check for trampoline case yourself (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE)
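The access pattern that follows from the two crash causes in the report and from the reply above (initialize run_time_cache yourself when you need the slot early, and check the trampoline flag yourself), as an added stand-alone model rather than code from php-src or from either poster. The struct, the flag value and the sentinel value are stand-ins that mirror the fields and macros the thread names so the file compiles without PHP headers; in a real extension the equivalents are zend_op_array, ZEND_ACC_CALL_VIA_TRAMPOLINE, ZEND_OP_ARRAY_EXTENSION and the run-time-cache init API from the linked commit.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in values: the real constants live in zend_compile.h. */
#define ZEND_USER_FUNCTION 2
#define ZEND_ACC_CALL_VIA_TRAMPOLINE (1u << 23)

/* Model of the zend_op_array fields the thread talks about. */
typedef struct {
    unsigned char type;      /* ZEND_USER_FUNCTION for PHP-level code */
    uint32_t fn_flags;       /* ZEND_ACC_* flags */
    void **run_time_cache;   /* NULL until first call; dummy for trampolines */
    uint32_t cache_size;     /* bytes, as set by the compiler */
} op_array_t;

/* The 0x2 dummy the report says zend_get_call_trampoline_func installs. */
#define TRAMPOLINE_DUMMY_CACHE ((void **)(uintptr_t)2)

/* Mirrors ZEND_OP_ARRAY_EXTENSION(): a raw index, no checks at all.
 * Dereferencing it on a NULL or dummy cache is exactly the reported crash. */
#define OP_ARRAY_EXTENSION(oa, handle) (((void **)(oa)->run_time_cache)[handle])

/* Stand-in for the init API from the linked commit: zeroed cache, once. */
static void init_func_run_time_cache(op_array_t *oa)
{
    if (!oa->run_time_cache) {
        oa->run_time_cache = calloc(1, oa->cache_size);
    }
}

/* Safe accessor: address of our extension slot, or NULL when the op_array
 * cannot carry one. 'handle' is the slot index obtained at MINIT. */
static void **ext_slot(op_array_t *oa, int handle)
{
    if (oa->type != ZEND_USER_FUNCTION) {
        return NULL;            /* internal functions have no op_array cache */
    }
    if (oa->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
        return NULL;            /* cache is the dummy pointer, never index it */
    }
    if (!oa->run_time_cache) {
        init_func_run_time_cache(oa);   /* function not yet called: init early */
    }
    return oa->run_time_cache ? &OP_ARRAY_EXTENSION(oa, handle) : NULL;
}

static void free_run_time_cache(op_array_t *oa)
{
    if (oa->run_time_cache && oa->run_time_cache != TRAMPOLINE_DUMMY_CACHE) {
        free(oa->run_time_cache);
    }
    oa->run_time_cache = NULL;
}
```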
 [2019-12-22 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-04-21 20:00 UTC] levim@php.net
-Status: No Feedback +Status: Re-Opened
 [2020-04-21 20:00 UTC] levim@php.net
I have a reproduction case for something that appears to be the same issue:

git clone https://github.com/morrisonlevi/reserved_slot
cd reserved_slot
# with PHP 7.4; haven't tested master
phpize && ./configure && make
cd bug
composer install
php -d zend_extension=$PWD/../modules/reserved_slot.so index.php

-----

> And you'll have to check for trampoline case yourself (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE)

I'm not sure what to do if this flag is true; if it is a trampoline, what does that mean for code using ZEND_OP_ARRAY_EXTENSION?
Last updated: Sat Jul 11 11:01:24 2020 UTC