Bug #79096 FFI Struct Segfault
Submitted: 2020-01-10 23:02 UTC Modified: 2020-01-14 15:49 UTC
From: php at tim dot ainfach dot de Assigned: cmb (profile)
Status: Closed Package: *Extensibility Functions
PHP Version: 7.4.1 OS: OSX 10.14.6
Private report: No CVE-ID: None
 [2020-01-10 23:02 UTC] php at tim dot ainfach dot de
Returning a struct with multiple fields larger than a uint64_t segfaults.

For example, when I return a struct with two uint32_t values everything seems to be fine. When I return a struct with three uint32_t members the script segfaults.

Works fine:
struct Buffer {
    uint32_t   a;
    uint32_t   b;
};

struct Buffer {
    uint32_t   a;
    uint64_t   b;
};

Test script:
// header (rlib.h)
struct Buffer {
    uint32_t   a;
    uint64_t   b; // with uint32_t it works
};

struct Buffer poll();

// php (foo.php)
$ffi = \FFI::cdef(file_get_contents(__DIR__ . '/../rlib/rlib.h'), __DIR__ . '/../clib/lib.dylib');

$poll1 = $ffi->poll(); // crashes here when the struct is larger than 8 bytes
var_dump($poll1);

// c (lib.dylib)
#include <stdint.h>
#include "../rlib/rlib.h"

struct Buffer poll() {
  struct Buffer b;
  b.a = 1;
  b.b = 1;
  return b;
}

Expected result:
object(FFI\CData:struct Buffer)#2 (2) {

Actual result:
/bin/sh: line 1: 35179 Segmentation fault: 11  php foo.php

Thread 3 received signal SIGSEGV, Segmentation fault.
ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
1743   			EG(current_execute_data) = execute_data;
(gdb) bt
#0  ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x1028160f0) at Zend/zend_vm_execute.h:1743
#1  0x0000000100363fd8 in execute_ex (ex=0x1) at Zend/zend_vm_execute.h:53379
#2  0x0000000100364199 in zend_execute (op_array=0x1028160f0, return_value=0x0) at Zend/zend_vm_execute.h:57664
#3  0x0000000100318d51 in zend_execute_scripts (type=42033392, retval=0x0, file_count=12405416) at Zend/zend.c:1663
#4  0x00000001002a214c in php_execute_script (primary_file=<optimized out>) at main/main.c:2619
#5  0x00000001003b5ea5 in do_cli (argc=<optimized out>, argv=0x102816020) at sapi/cli/php_cli.c:961
#6  0x00000001003b4d35 in main (argc=42033392, argv=0x102890120) at sapi/cli/php_cli.c:1352


 [2020-01-11 18:52 UTC]
-Status: Open +Status: Verified
 [2020-01-11 18:52 UTC]
Confirmed.  Currently ext/ffi assumes that the size of the return
value is less than or equal to sizeof(ffi_arg), which is basically
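The following is an added example, not code from the report or from ext/ffi, that shows why the second and third layouts in the report trip the size assumption described in the comment above, and the usual mitigation for affected PHP versions: return a plain int and let the caller pass a pointer to the struct it owns. The struct names (Buffer2, Buffer3, BufferMixed), the poll_into() function and the ASSUMED_FFI_ARG_SIZE constant are this example's own; it hard-codes ffi_arg as an 8-byte register-sized integer (true on the 64-bit hosts in the report) so it compiles without libffi's headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Three layouts constructed to match the report: two uint32_t fields fit in
 * 8 bytes; three uint32_t fields take 12; uint32_t + uint64_t takes 16 on
 * LP64 once the 4 bytes of alignment padding before b are counted. */
struct Buffer2     { uint32_t a; uint32_t b; };
struct Buffer3     { uint32_t a; uint32_t b; uint32_t c; };
struct BufferMixed { uint32_t a; uint64_t b; };

/* Assumption: ffi_arg is a register-sized integer, 8 bytes on 64-bit hosts.
 * Hard-coded here so this file builds without libffi's <ffi.h>. */
#define ASSUMED_FFI_ARG_SIZE sizeof(uint64_t)

/* 1 if a by-value return of this size fits the space the affected ext/ffi
 * reserved for a return value, 0 if it is larger (the crashing case). */
int fits_in_ffi_arg(size_t struct_size) {
    return struct_size <= ASSUMED_FFI_ARG_SIZE ? 1 : 0;
}

/* The function from the report: returns the oversized struct by value. */
struct BufferMixed poll_by_value(void) {
    struct BufferMixed b;
    b.a = 1;
    b.b = 1;
    return b;
}

/* Mitigation for affected PHP versions: the caller owns the storage and the
 * C return value is a plain int, which always fits in an ffi_arg. */
int poll_into(struct BufferMixed *out) {
    if (out == NULL) {
        return -1;
    }
    out->a = 1;
    out->b = 1;
    return 0;
}

/* Self-check: the out-pointer API yields the same data as the by-value one. */
int poll_into_matches_by_value(void) {
    struct BufferMixed via_ptr;
    struct BufferMixed via_val = poll_by_value();
    if (poll_into(&via_ptr) != 0) {
        return 0;
    }
    return (via_ptr.a == via_val.a && via_ptr.b == via_val.b) ? 1 : 0;
}

int main(void) {
    printf("struct Buffer2:     %zu bytes, fits=%d\n",
           sizeof(struct Buffer2), fits_in_ffi_arg(sizeof(struct Buffer2)));
    printf("struct Buffer3:     %zu bytes, fits=%d\n",
           sizeof(struct Buffer3), fits_in_ffi_arg(sizeof(struct Buffer3)));
    printf("struct BufferMixed: %zu bytes, fits=%d\n",
           sizeof(struct BufferMixed), fits_in_ffi_arg(sizeof(struct BufferMixed)));
    printf("poll_into matches poll_by_value: %d\n", poll_into_matches_by_value());
    return 0;
}
```

On the PHP side the out-pointer variant is called with storage PHP allocates, for example `$buf = $ffi->new('struct BufferMixed'); $ffi->poll_into(FFI::addr($buf));`, so no struct is ever returned by value through libffi and the size assumption in the affected releases is never exercised.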
 [2020-01-11 22:45 UTC]
The following pull request has been associated:

Patch Name: Fix #79096: FFI Struct Segfault
On GitHub:
 [2020-01-14 15:47 UTC]
Automatic comment on behalf of
Log: Fix #79096: FFI Struct Segfault
 [2020-01-14 15:47 UTC]
-Status: Verified +Status: Closed
 [2020-01-14 15:49 UTC]
-Assigned To: +Assigned To: cmb