Request #78860 Crashes when using ZEND_OP_ARRAY_EXTENSION
Submitted: 2019-11-23 00:58 UTC Modified: 2019-12-09 13:02 UTC
From: jtax at newrelic dot com Assigned: dmitry (profile)
Status: Feedback Package: Reproducible crash
PHP Version: 7.4.0RC6 OS: Linux
Private report: No CVE-ID: None

 [2019-11-23 00:58 UTC] jtax at newrelic dot com
I'm trying to migrate from using op_array->reserved to ZEND_OP_ARRAY_EXTENSION
in a PHP extension. This is recommended in the UPGRADE.INTERNALS, and I anyway
already ran into problems with op_array reserved pointers in PHP 7.3. I see
various crashes when using ZEND_OP_ARRAY_EXTENSION and I could nail down two
major reasons for those crashes.

1. The run time cache that ZEND_OP_ARRAY_EXTENSION accesses is not always 
   initialized, and ZEND_OP_ARRAY_EXTENSION does no safety checks around that.

   I can mitigate this by calling zend_fetch_function for all functions that I
   need to access (zend_fetch_function ensures that the run time cache is
   initialized), however there's no similar way to ensure an initialized run
   time cache for class methods or callables.

   To transition from op_array->reserved to ZEND_OP_ARRAY_EXTENSION, I would
   need a way to ensure that the run time cache on the op_array is initialized.
   This could be an API function that I can call. There exists a function
   init_func_run_time_cache in Zend, but it's static and not part of the public

2. In one case (namely in zend_get_call_trampoline_func), the run time cache
   pointer is set to a dummy value of 0x2. Accessing this op_array with
   ZEND_OP_ARRAY_EXTENSION causes a crash.

   I'd expect ZEND_OP_ARRAY_EXTENSION to check for this special condition and
   handle it accordingly.

The one critical thing necessary for me (and I think for many others) to transition
from op_array->reserved to ZEND_OP_ARRAY_EXTENSION is a way to ensure an
initialized run time cache on an op_array, like a function
init_func_run_time_cache that I can call. Enhanced safety checks in
ZEND_OP_ARRAY_EXTENSION would be a nice-to-have.

 [2019-11-26 10:55 UTC]
-Assigned To: +Assigned To: dmitry
 [2019-11-26 10:55 UTC]
Dmitry, what do you think?
 [2019-12-09 13:02 UTC]
-Status: Assigned +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2019-12-09 13:02 UTC]
It's a big question, how you are using op_array extensions.

op_array->run_time_cache is initialized when function is called first time.
If you need to add extended information early, you'll have to initialize run_time_cache yourself. I added API call at

I'm not sure if additional checks in ZEND_OP_ARRAY_EXTENSION() could help, because they need to return something anyway. And you'll have to check for trampoline case yourself (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE)
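Added example (not code from this report or from php-src): a simplified C model of the two crash conditions the report describes and of the guard Dmitry recommends. The names `run_time_cache`, `fn_flags`, `ZEND_ACC_CALL_VIA_TRAMPOLINE` and the 0x2 dummy pointer come from the thread; `mock_op_array` (which is not the real zend_op_array layout), `safe_get_extension`, `ensure_run_time_cache`, the slot count and the flag's bit value are assumptions made for this example. The order of the checks is the point: the trampoline flag must be tested before the cache pointer, because a trampoline's cache pointer is non-NULL but still must not be dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for php-src types. mock_op_array is NOT the real
   zend_op_array layout; it keeps only the two fields the guard needs. */
#define ZEND_ACC_CALL_VIA_TRAMPOLINE (1u << 18)  /* assumed bit value for this mock */
#define OP_ARRAY_EXTENSION_SLOTS 4              /* assumed slot count for this mock */

typedef struct {
    uint32_t fn_flags;        /* trampolines carry ZEND_ACC_CALL_VIA_TRAMPOLINE */
    void **run_time_cache;    /* NULL until first call; 0x2 dummy for trampolines */
} mock_op_array;

typedef enum {
    EXT_OK = 0,
    EXT_CACHE_NOT_INITIALIZED,  /* report's case 1: function never called yet */
    EXT_TRAMPOLINE,             /* report's case 2: zend_get_call_trampoline_func dummy */
    EXT_BAD_HANDLE              /* slot index outside the mock's storage */
} ext_status;

/* Guarded read of extension slot `handle`. The trampoline test comes first
   because its run_time_cache is a non-NULL dummy that must never be read. */
ext_status safe_get_extension(const mock_op_array *op_array, size_t handle, void **out)
{
    *out = NULL;
    if (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
        return EXT_TRAMPOLINE;
    }
    if (op_array->run_time_cache == NULL) {
        return EXT_CACHE_NOT_INITIALIZED;
    }
    if (handle >= OP_ARRAY_EXTENSION_SLOTS) {
        return EXT_BAD_HANDLE;
    }
    *out = op_array->run_time_cache[handle];
    return EXT_OK;
}

/* Hypothetical init_func_run_time_cache-style helper of the kind the report
   asks for: attaches zeroed storage when the cache is missing, refuses
   trampolines. Returns 1 when the cache is usable afterwards, 0 otherwise. */
int ensure_run_time_cache(mock_op_array *op_array, void **storage)
{
    if (op_array->fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) {
        return 0;
    }
    if (op_array->run_time_cache == NULL) {
        for (size_t i = 0; i < OP_ARRAY_EXTENSION_SLOTS; i++) {
            storage[i] = NULL;
        }
        op_array->run_time_cache = storage;
    }
    return 1;
}

/* Constructed op_arrays covering the cases discussed in the thread. */
ext_status probe_uninitialized(void)
{
    mock_op_array op = { 0, NULL };          /* never called: case 1 */
    void *v;
    return safe_get_extension(&op, 0, &v);
}

ext_status probe_trampoline(void)
{
    /* the 0x2 dummy pointer the report mentions: case 2 */
    mock_op_array op = { ZEND_ACC_CALL_VIA_TRAMPOLINE, (void **)(uintptr_t)0x2 };
    void *v;
    return safe_get_extension(&op, 0, &v);
}

int probe_init_refuses_trampoline(void)
{
    void *storage[OP_ARRAY_EXTENSION_SLOTS];
    mock_op_array op = { ZEND_ACC_CALL_VIA_TRAMPOLINE, (void **)(uintptr_t)0x2 };
    return ensure_run_time_cache(&op, storage);   /* 0: must not touch the dummy */
}

intptr_t probe_after_init(void)
{
    void *storage[OP_ARRAY_EXTENSION_SLOTS];
    mock_op_array op = { 0, NULL };
    void *v;
    if (!ensure_run_time_cache(&op, storage)) return -1;
    op.run_time_cache[1] = (void *)(intptr_t)42;   /* extension stores its data */
    if (safe_get_extension(&op, 1, &v) != EXT_OK) return -2;
    return (intptr_t)v;                            /* 42 */
}

int main(void)
{
    printf("uninitialized      -> status %d\n", probe_uninitialized());
    printf("trampoline         -> status %d\n", probe_trampoline());
    printf("init on trampoline -> %d\n", probe_init_refuses_trampoline());
    printf("after init         -> slot value %ld\n", (long)probe_after_init());
    return 0;
}
```

In a real extension the same two checks (trampoline flag first, then a NULL cache pointer) are what keeps an early read of an extension slot from dereferencing either NULL or the 0x2 dummy; the helper models the API the report asks for, and the refusal on trampolines reflects Dmitry's note that the trampoline case has to be checked by the caller.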
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 16:01:24 2019 UTC