Bug #79760 Potential use after free if memory limit hit during GC
Submitted: 2020-06-30 10:48 UTC Modified: -
From: nikic@php.net Assigned:
Status: Open Package: Scripting Engine problem
PHP Version: 8.0Git-2020-06-30 (Git) OS:
Private report: No CVE-ID: None

[2020-06-30 10:48 UTC] nikic@php.net
Description:
------------
If a get_gc handler triggers the memory limit after the GC has decremented refcounts, we may end up freeing objects early.

For example, running Laravel tests on master with default memory limit results in:

php: /home/nikic/php/php-src-asan/Zend/zend_types.h:1162: zend_gc_delref: Assertion `p->refcount > 0' failed.

with the following backtrace fragment from the _zend_bailout:

#15 0x0000555556c5b818 in zend_std_get_properties (zobj=0x7fffe7992c08)
    at /home/nikic/php/php-src-asan/Zend/zend_object_handlers.c:110
#16 0x0000555556358910 in reflection_get_gc (obj=0x7fffe7992c08, gc_data=0x7fffffff8bd0, 
    gc_data_count=0x7fffffff8b80)
    at /home/nikic/php/php-src-asan/ext/reflection/php_reflection.c:275
#17 0x0000555556c1f296 in gc_mark_grey (ref=0x7fffe7992c08, stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:827
#18 0x0000555556c20335 in gc_mark_roots (stack=0x7fffffff8d10)
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:979
#19 0x0000555556c23c23 in zend_gc_collect_cycles ()
    at /home/nikic/php/php-src-asan/Zend/zend_gc.c:1464

Not sure how to fix this.
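
The hazard described in the report, as an added illustration that is not code from php-src: the cycle collector's mark phase performs trial deletion (it subtracts every reference that originates inside the candidate graph), and only a later step puts the counts back. The model below uses constructed stand-ins (`node`, `get_gc`, `mark_grey`, `restore_grey`, `simulate`) for `gc_mark_grey` and the object handlers' `get_gc`, and a `longjmp` for the memory-limit bailout. It shows what the counts look like if the bailout happens after decrements have been applied; the `restore_on_bailout` branch exists only to show the invariant that is violated and is not a proposed fix, which the report leaves open.

```c
#include <setjmp.h>
#include <stdio.h>

/* Constructed model of the cycle collector's trial-deletion mark phase,
 * written for this note; it is not code from php-src. The names below are
 * stand-ins for zend_gc.c's gc_mark_grey and the object handlers' get_gc. */
#define MAX_CHILDREN 2

typedef struct node {
    const char *name;
    int refcount;                    /* engine's view of how many references exist */
    int grey;                        /* set once mark_grey has visited the node */
    int done;                        /* number of children already decremented */
    int bails;                       /* 1: this node's get_gc "hits memory_limit" */
    struct node *children[MAX_CHILDREN];
} node;

static jmp_buf bailout;              /* plays the role of EG(bailout) */
static node g_a, g_b, g_c;           /* static so longjmp cannot clobber them */

/* Stand-in for a get_gc handler: returns the node's children. A node
 * flagged `bails` longjmps instead, as the engine does when an allocation
 * inside the handler exceeds memory_limit (_zend_bailout). */
static node **get_gc(node *n) {
    if (n->bails) longjmp(bailout, 1);
    return n->children;
}

/* Trial deletion: subtract every reference that originates inside the
 * candidate graph. Afterwards a node with refcount 0 is referenced only
 * from within the graph and is garbage if the whole graph is. */
static void mark_grey(node *n) {
    if (n->grey) return;
    n->grey = 1;
    n->done = 0;
    node **kids = get_gc(n);         /* may longjmp: earlier counts already changed */
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (!kids[i]) continue;
        kids[i]->refcount--;
        n->done = i + 1;
        mark_grey(kids[i]);
    }
}

/* Undo of the trial decrements, one increment per edge that was
 * decremented. In the real algorithm this restoring step belongs to the
 * later scan phase, which never runs if the mark phase bails out. */
static void restore_grey(node *n) {
    if (!n->grey) return;
    n->grey = 0;
    for (int i = 0; i < n->done; i++) {
        if (!n->children[i]) continue;
        n->children[i]->refcount++;
        restore_grey(n->children[i]);
    }
}

/* Constructed graph: script variables hold a, b and c; a and b reference
 * each other, so a and b start at refcount 2 and c at 1. Returns b's
 * refcount after the collector runs and the variable holding b is then
 * released; 0 means b was freed while a still points at it. */
static int simulate(int c_bails, int restore_on_bailout) {
    g_a = (node){"a", 2, 0, 0, 0, {&g_b, NULL}};
    g_b = (node){"b", 2, 0, 0, 0, {&g_a, NULL}};
    g_c = (node){"c", 1, 0, 0, c_bails, {NULL, NULL}};
    node *roots[] = {&g_a, &g_c};
    int bailed = 0;

    if (setjmp(bailout) == 0) {
        for (int i = 0; i < 2; i++) mark_grey(roots[i]);
    } else {
        bailed = 1;                  /* unwound from inside get_gc(c) */
    }
    if (!bailed || restore_on_bailout) {
        for (int i = 0; i < 2; i++) restore_grey(roots[i]);
    }
    /* Shutdown releases the variable holding b: zend_gc_delref($b).
     * With the counts still in trial state this is where the
     * `p->refcount > 0` assertion from the report fires. */
    g_b.refcount--;
    return g_b.refcount;
}

int main(void) {
    printf("no bailout, counts restored:     b.refcount = %d\n", simulate(0, 0));
    printf("bailout, counts left in trial:   b.refcount = %d\n", simulate(1, 0));
    printf("bailout, counts restored first:  b.refcount = %d\n", simulate(1, 1));
    return 0;
}
```

The second run is the reported situation: `a` and `b` were decremented for each other's reference before `c`'s handler bailed out, so every `delref` performed while the engine unwinds is off by the number of internal references, and `b` reaches 0 while `a` still points at it. The third run only demonstrates the invariant (each trial decrement needs a matching restore before any ordinary `delref` runs); whether that can be done safely from inside a memory-limit bailout is exactly the question the report raises.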

