PHP :: Bug #79744 :: OOM in array-to-object cast on ppc64el

Bug #79744	OOM in array-to-object cast on ppc64el
Submitted:	2020-06-26 18:46 UTC	Modified:	2020-06-29 08:59 UTC
From:	jbboehr@php.net	Assigned:
Status:	Open	Package:	Reproducible crash
PHP Version:	7.4.7	OS:	ubuntu bionic ppc64el
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-06-26 18:46 UTC] jbboehr@php.net

Description:
------------
I was testing my code against the ppc64le architecture on TravisCI and ran into this issue. I've had the error both on TravisCI and using qemu-system-ppc64 with ondrej/php. I don't believe I had the same problem on PHP 7.2.

$ uname -a
Linux ubuntu 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:34 UTC 2020 ppc64le ppc64le ppc64le GNU/Linux

$ php --version
PHP 7.4.7 (cli) (built: Jun 12 2020 07:44:05) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.7, Copyright (c), by Zend Technologi

$ apt-cache show php7.4-dev
Package: php7.4-dev
Source: php7.4
Priority: optional
Section: php
Installed-Size: 5289
Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
Architecture: ppc64el
Version: 7.4.7-1+ubuntu18.04.1+deb.sury.org+1

---

With this:
printf "run\nbt" | USE_ZEND_ALLOC=0 gdb --args php -r '(object)[];'

and then killing while it's busy allocating my entire system memory with kill -3, I get:

zend_array_dup (source=0x10050de48 <zend_empty_array>)
    at ./Zend/zend_hash.c:2054
2054    ./Zend/zend_hash.c: No such file or directory.
(gdb) #0  zend_array_dup (source=0x10050de48 <zend_empty_array>)
    at ./Zend/zend_hash.c:2054
#1  0x00000001000f85a0 in ZEND_CAST_SPEC_CONST_HANDLER ()
    at ./Zend/zend_vm_execute.h:4026
#2  0x00000001003f68ac in execute_ex (ex=<optimized out>)
    at ./Zend/zend_vm_execute.h:54112
#3  0x0000000100400164 in zend_execute (op_array=0x1006194b0, 
    return_value=<optimized out>) at ./Zend/zend_vm_execute.h:57922
#4  0x000000010031b40c in zend_eval_stringl (str=0x100542430 "(object)[];", 
    str_len=<optimized out>, retval_ptr=0x0, 
    string_name=0x100469fd0 "Command line code")
    at ./Zend/zend_execute_API.c:1088
#5  0x000000010031b670 in zend_eval_stringl_ex (str=<optimized out>, 
    str_len=<optimized out>, retval_ptr=<optimized out>, 
    string_name=<optimized out>, handle_exceptions=<optimized out>)
    at ./Zend/zend_execute_API.c:1129
#6  0x000000010031b724 in zend_eval_string_ex (str=0x100542430 "(object)[];", 
    retval_ptr=0x0, string_name=0x100469fd0 "Command line code", 
    handle_exceptions=<optimized out>) at ./Zend/zend_execute_API.c:1140
#7  0x0000000100402bd8 in do_cli (argc=<optimized out>, argv=0x1005423c0)
    at ./sapi/cli/php_cli.c:992
#8  0x00000001000fc7e8 in main (argc=<optimized out>, argv=0x1005423c0)
    at ./sapi/cli/php_cli.c:1356


Test script:
---------------
This is all that is needed to reproduce it:
php -r 'var_dump((object) []);'


The QEMU setup script I'm using:
https://gist.github.com/jbboehr/ea36d5347429cbc5c86f251cb851150f

Expected result:
----------------
object(stdClass)#1 (0) {
}

Actual result:
--------------
mmap() failed: [12] Cannot allocate memory

mmap() failed: [12] Cannot allocate memory
PHP Fatal error:  Out of memory (allocated 3506438144) (tried to allocate 536870912 bytes) in Command line code on line 1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-06-27 06:23 UTC] jbboehr@php.net

I was having trouble replicating it on the `PHP-7.4` branch, but I recompiled with the options used in ondrej/php and then was able to replicate it again. 

Probably something in the CFLAGS is triggering it:
CFLAGS=-g -O3 -fdebug-prefix-map=/build/php7.4-1KR0i7/php7.4-7.4.7=. -fstack-protector-strong -Wformat -Werror=format-security -O2 -Wall -pedantic -fsigned-char -fno-strict-aliasing -g

New stack trace:
0x00000001000fba9c in ZEND_CAST_SPEC_CONST_HANDLER ()
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:4019
4019                                    ZVAL_OBJ(result, zend_objects_new(zend_standard_class_def));
(gdb) #0  0x00000001000fba9c in ZEND_CAST_SPEC_CONST_HANDLER ()
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:4019
#1  0x00000001003f6e8c in execute_ex (ex=<optimized out>)
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:54110
#2  0x0000000100400744 in zend_execute (op_array=0x7ffff507a2a0, 
    return_value=<optimized out>)
    at /home/ubuntu/php-src/Zend/zend_vm_execute.h:57920
#3  0x000000010031ba0c in zend_eval_stringl (str=0x1005f2450 "(object)[];", 
    str_len=<optimized out>, retval_ptr=0x0, 
    string_name=0x100516860 "Command line code")
    at /home/ubuntu/php-src/Zend/zend_execute_API.c:1088
#4  0x000000010031bc70 in zend_eval_stringl_ex (str=<optimized out>, 
    str_len=<optimized out>, retval_ptr=<optimized out>, 
    string_name=<optimized out>, handle_exceptions=<optimized out>)
    at /home/ubuntu/php-src/Zend/zend_execute_API.c:1129
#5  0x000000010031bd24 in zend_eval_string_ex (str=0x1005f2450 "(object)[];", 
    retval_ptr=0x0, string_name=0x100516860 "Command line code", 
    handle_exceptions=<optimized out>)
    at /home/ubuntu/php-src/Zend/zend_execute_API.c:1140
#6  0x00000001004031c8 in do_cli (argc=<optimized out>, argv=0x1005f23d0)
    at /home/ubuntu/php-src/sapi/cli/php_cli.c:995
#7  0x00000001000ffd28 in main (argc=<optimized out>, argv=0x1005f23d0)
    at /home/ubuntu/php-src/sapi/cli/php_cli.c:1359

[2020-06-29 08:59 UTC] nikic@php.net

I can only suggest to bisect the flags to figure out which one is responsible. They all aren't particularly exotic, but my best guess would be either -fstack-protector-strong.

[2020-07-11 23:42 UTC] jbboehr@php.net

It seems to not show up with -O0 but does with -O1 and higher. I'm trying to bisect the individual flags enabled by -O1 but gcc is giving weird errors.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Apr 02 03:01:28 2025 UTC