|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79760 Potential use after free if memory limit hit during GC
Submitted: 2020-06-30 10:48 UTC Modified: -
From: Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0Git-2020-06-30 (Git) OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2020-06-30 10:48 UTC]
If a get_gc handler triggers the memory limit after the GC has decremented refcounts, we may end up freeing objects early.

For example, running Laravel tests on master with default memory limit results in:

php: /home/nikic/php/php-src-asan/Zend/zend_types.h:1162: zend_gc_delref: Assertion `p->refcount > 0' failed.

with the following backtrace fragment from the _zend_bailout:

#15 0x0000555556c5b818 in zend_std_get_properties (zobj=0x7fffe7992c08)
    at /home/nikic/php/php-src-asan/Zend/zend_object_handlers.c:110
#16 0x0000555556358910 in reflection_get_gc (obj=0x7fffe7992c08, gc_data=0x7fffffff8bd0, 
    at /home/nikic/php/php-src-asan/ext/reflection/php_reflection.c:275
#17 0x0000555556c1f296 in gc_mark_grey (ref=0x7fffe7992c08, stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:827
#18 0x0000555556c20335 in gc_mark_roots (stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:979
#19 0x0000555556c23c23 in zend_gc_collect_cycles ()
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:1464

Not sure how to fix this.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 07:01:31 2024 UTC