php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79096 FFI Struct Segfault
Submitted: 2020-01-10 23:02 UTC Modified: 2020-01-14 15:49 UTC
From: php at tim dot ainfach dot de Assigned: cmb (profile)
Status: Closed Package: *Extensibility Functions
PHP Version: 7.4.1 OS: OSX 10.14.6
Private report: No CVE-ID: None
 [2020-01-10 23:02 UTC] php at tim dot ainfach dot de
Description:
------------
Returning a struct with multiple fields larger than an uint64_t segaults.

for example when i return a struct with two uint32_t values everything seems to be fine. When i return a struct with three uint32_t members the script segfaults.


Works fine:
struct Buffer {
    uint32_t   a;
    uint32_t   b;
};

Segfault:
struct Buffer {
    uint32_t   a;
    uint64_t   b;
};

Test script:
---------------
// header
struct Buffer {
    uint32_t   a;
    uint64_t   b; // with uint32_t it works
};

struct Buffer poll();

// php
$ffi = \FFI::cdef(file_get_contents(__DIR__ . '/../rlib/rlib.h'), __DIR__ . '/../clib/lib.dylib');

$poll1 = $ffi->poll();
var_dump($poll1);

// c
#include <stdint.h>
#include "../rlib/rlib.h"

struct Buffer poll() {
  struct Buffer b;
  b.a = 1;
  b.b = 1;
  return b;
}

Expected result:
----------------
object(FFI\CData:struct Buffer)#2 (2) {
  ["a"]=>
  int(1)
  ["b"]=>
  int(1)
}

Actual result:
--------------
/bin/sh: line 1: 35179 Segmentation fault: 11  php foo.php


Thread 3 received signal SIGSEGV, Segmentation fault.
ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
1743   			EG(current_execute_data) = execute_data;
(gdb) bt
#0  ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
#1  0x0000000100363fd8 in execute_ex (ex=0x1) at Zend/zend_vm_execute.h:53379
#2  0x0000000100364199 in zend_execute (op_array=0x1028160f0, return_value=0x0) at Zend/zend_vm_execute.h:57664
#3  0x0000000100318d51 in zend_execute_scripts (type=42033392, retval=0x0, file_count=12405416) at Zend/zend.c:1663
#4  0x00000001002a214c in php_execute_script (primary_file=<optimized out>) at main/main.c:2619
#5  0x00000001003b5ea5 in do_cli (argc=<optimized out>, argv=0x102816020) at sapi/cli/php_cli.c:961
#6  0x00000001003b4d35 in main (argc=42033392, argv=0x102890120) at sapi/cli/php_cli.c:1352

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-11 18:52 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-01-11 18:52 UTC] cmb@php.net
Confirmed.  Currently ext/ffi assumes that the size of the return
value is less than or equal to sizeof(ffi_arg), which is basically
sizeof(long).
 [2020-01-11 22:45 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79096: FFI Struct Segfault
On GitHub:  https://github.com/php/php-src/pull/5079
Patch:      https://github.com/php/php-src/pull/5079.patch
 [2020-01-14 15:47 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=05f3cd23ed61d800a861f2dd057ed56e783ea6f1
Log: Fix #79096: FFI Struct Segfault
 [2020-01-14 15:47 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-14 15:49 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC