Bug #81353 segfault with preloading and statically bound closure
Submitted: 2021-08-12 17:46 UTC Modified: 2021-08-16 12:50 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: mike@php.net Assigned:
Status: Closed Package: opcache
PHP Version: 7.4Git OS: Linux, macOS
Private report: No CVE-ID: None
 [2021-08-12 17:46 UTC] mike@php.net
Description:
------------
Probable ingredients:

* preloading
* big set of files to cache
* strict_types
* error_handler receiving NULL as 4th parameter
* monolog

Test script:
---------------
git clone https://github.com/m6w6/php-crash-preload-error_handler
cd php-crash-preload-error_handler
composer install
./run.sh


 [2021-08-12 17:56 UTC] mike@php.net
Sorry, read "4th parameter" as if 0-indexed -- i.e. as `errcontext` (5th param)
 [2021-08-16 05:58 UTC] mike@php.net
-Package: Reproducible crash +Package: opcache
 [2021-08-16 06:17 UTC] mike@php.net
ASAN backtrace:

    frame #5: 0x0000000100dd7bf4 php`zend_gc_refcount(p=0x0000000106452ca0) at zend_types.h:1025:12
    frame #6: 0x0000000100daa98c php`ZEND_BIND_STATIC_SPEC_CV_UNUSED_HANDLER(execute_data=0x0000000110604f20) at zend_vm_execute.h:46571:13
    frame #7: 0x0000000100c16514 php`execute_ex(ex=0x0000000110604f20) at zend_vm_execute.h:53291:7
    frame #8: 0x0000000100a915d4 php`zend_call_function(fci=0x000000016fdf8a70, fci_cache=0x000000016fdf8ad0) at zend_execute_API.c:820:3
    frame #9: 0x00000001005b1354 php`zif_spl_autoload_call(execute_data=0x0000000110604ec0, return_value=0x000000016fdf9ce0) at php_spl.c:452:4
    frame #10: 0x0000000100a91890 php`zend_call_function(fci=0x000000016fdf9d00, fci_cache=0x000000016fdf9d60) at zend_execute_API.c:833:4
    frame #11: 0x0000000100a93878 php`zend_lookup_class_ex(name=0x000000010647da80, key=0x000000010647da20, flags=512) at zend_execute_API.c:1002:7
    frame #12: 0x0000000100a960ac php`zend_fetch_class_by_name(class_name=0x000000010647da80, key=0x000000010647da20, fetch_type=512) at zend_execute_API.c:1433:19
    frame #13: 0x0000000100ce0b24 php`ZEND_NEW_SPEC_CONST_UNUSED_HANDLER(execute_data=0x0000000110604b80) at zend_vm_execute.h:9255:9
    frame #14: 0x0000000100c16514 php`execute_ex(ex=0x0000000110604820) at zend_vm_execute.h:53291:7
    frame #15: 0x0000000100a915d4 php`zend_call_function(fci=0x000000016fdfb4a0, fci_cache=0x000000016fdfa830) at zend_execute_API.c:820:3
    frame #16: 0x0000000100a8f3b8 php`_call_user_function_ex(object=0x0000000000000000, function_name=0x000000016fdfb7b0, retval_ptr=0x000000016fdfb790, param_count=5, params=0x000000016fdfb720, no_separation=1) at zend_execute_API.c:645:9
    frame #17: 0x0000000100adf620 php`zend_error_va_list(type=2, error_filename="/private/tmp/php-crash-preload-error_handler/vendor/google/apiclient/src/aliases.php", error_lineno=64, format="Can't preload already declared class %s", args="ؿF\U00000006\U00000001") at zend.c:1380:8
    frame #18: 0x0000000100add888 php`zend_error_at(type=2, filename="/private/tmp/php-crash-preload-error_handler/vendor/google/apiclient/src/aliases.php", lineno=64, format="Can't preload already declared class %s") at zend.c:1483:2
    frame #19: 0x0000000107c21ce4 opcache.so`preload_link at ZendAccelerator.c:3809:5
    frame #20: 0x0000000107c1d9fc opcache.so`accel_preload(config="/tmp/php-crash-preload-error_handler/index.php") at ZendAccelerator.c:4503:4
    frame #21: 0x0000000107c18058 opcache.so`accel_finish_startup at ZendAccelerator.c:4830:8
    frame #22: 0x0000000107c14ee8 opcache.so`accel_post_startup at ZendAccelerator.c:3059:9
    frame #23: 0x0000000100adbbb8 php`zend_post_startup at zend.c:1009:7
    frame #24: 0x0000000100909c80 php`php_module_startup(sf=0x00000001017b3ae0, additional_modules=0x0000000000000000, num_additional_modules=0) at main.c:2397:6
    frame #25: 0x0000000100e0f108 php`php_cli_startup(sapi_module=0x00000001017b3ae0) at php_cli.c:410:6
    frame #26: 0x0000000100e0b80c php`main(argc=7, argv=0x000000016fdff078) at php_cli.c:1327:6
 [2021-08-16 06:18 UTC] mike@php.net
-PHP Version: 7.4.22 +PHP Version: 7.4Git
 [2021-08-16 07:20 UTC] mike@php.net
Looks like it has to do with the static arrays and calling Closure::bind() with a class scope in composer's autoload_static.
 [2021-08-16 07:51 UTC] mike@php.net
ASAN report:

2021-08-16 09:47:50.462931+0200 php[45131:2277503] ==45131==ERROR: AddressSanitizer: heap-use-after-free on address 0x000106452ca0 at pc 0x000100dd7b74 bp 0x00016fdf7650 sp 0x00016fdf7648
2021-08-16 09:47:50.462937+0200 php[45131:2277503] READ of size 4 at 0x000106452ca0 thread T0
2021-08-16 09:47:50.462942+0200 php[45131:2277503]     #0 0x100dd7b70 in zend_gc_refcount zend_types.h:1025
2021-08-16 09:47:50.462946+0200 php[45131:2277503]     #1 0x100daa908 in ZEND_BIND_STATIC_SPEC_CV_UNUSED_HANDLER zend_vm_execute.h:46571
2021-08-16 09:47:50.462950+0200 php[45131:2277503]     #2 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.462954+0200 php[45131:2277503]     #3 0x100a91504 in zend_call_function zend_execute_API.c:820
2021-08-16 09:47:50.462958+0200 php[45131:2277503]     #4 0x1005b1284 in zif_spl_autoload_call php_spl.c:452
2021-08-16 09:47:50.462962+0200 php[45131:2277503]     #5 0x100a917c0 in zend_call_function zend_execute_API.c:833
2021-08-16 09:47:50.462966+0200 php[45131:2277503]     #6 0x100a937a8 in zend_lookup_class_ex zend_execute_API.c:1002
2021-08-16 09:47:50.462970+0200 php[45131:2277503]     #7 0x100a95fdc in zend_fetch_class_by_name zend_execute_API.c:1433
2021-08-16 09:47:50.462974+0200 php[45131:2277503]     #8 0x100ce0aa0 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER zend_vm_execute.h:9255
2021-08-16 09:47:50.462978+0200 php[45131:2277503]     #9 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.462982+0200 php[45131:2277503]     #10 0x100a91504 in zend_call_function zend_execute_API.c:820
2021-08-16 09:47:50.462986+0200 php[45131:2277503]     #11 0x100a8f2e8 in _call_user_function_ex zend_execute_API.c:645
2021-08-16 09:47:50.462993+0200 php[45131:2277503]     #12 0x100adf550 in zend_error_va_list zend.c:1380
2021-08-16 09:47:50.462998+0200 php[45131:2277503]     #13 0x100add7b8 in zend_error_at zend.c:1483
2021-08-16 09:47:50.463001+0200 php[45131:2277503]     #14 0x107c21ce0 in preload_link ZendAccelerator.c:3809
2021-08-16 09:47:50.463005+0200 php[45131:2277503]     #15 0x107c1d9f8 in accel_preload ZendAccelerator.c:4503
2021-08-16 09:47:50.463009+0200 php[45131:2277503]     #16 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463013+0200 php[45131:2277503]     #17 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463016+0200 php[45131:2277503]     #18 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463020+0200 php[45131:2277503]     #19 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463024+0200 php[45131:2277503]     #20 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463027+0200 php[45131:2277503]     #21 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463031+0200 php[45131:2277503]     #22 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
2021-08-16 09:47:50.463034+0200 php[45131:2277503] 
2021-08-16 09:47:50.463038+0200 php[45131:2277503] 0x000106452ca0 is located 0 bytes inside of 56-byte region [0x000106452ca0,0x000106452cd8)
2021-08-16 09:47:50.463042+0200 php[45131:2277503] freed by thread T0 here:
2021-08-16 09:47:50.463045+0200 php[45131:2277503]     #0 0x10213f2b4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3f2b4)
2021-08-16 09:47:50.463049+0200 php[45131:2277503]     #1 0x100a1f280 in _efree_custom zend_alloc.c:2426
2021-08-16 09:47:50.463053+0200 php[45131:2277503]     #2 0x100a1f138 in _efree zend_alloc.c:2546
2021-08-16 09:47:50.463057+0200 php[45131:2277503]     #3 0x100b2e790 in zend_array_destroy zend_hash.c:1637
2021-08-16 09:47:50.463060+0200 php[45131:2277503]     #4 0x100a9fee8 in destroy_op_array zend_opcode.c:428
2021-08-16 09:47:50.463064+0200 php[45131:2277503]     #5 0x100b9d90c in zend_closure_free_storage zend_closures.c:474
2021-08-16 09:47:50.463075+0200 php[45131:2277503]     #6 0x100bebdd0 in zend_objects_store_free_object_storage zend_objects_API.c:104
2021-08-16 09:47:50.463079+0200 php[45131:2277503]     #7 0x107c1ca58 in accel_preload ZendAccelerator.c:4435
2021-08-16 09:47:50.463083+0200 php[45131:2277503]     #8 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463087+0200 php[45131:2277503]     #9 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463090+0200 php[45131:2277503]     #10 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463094+0200 php[45131:2277503]     #11 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463098+0200 php[45131:2277503]     #12 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463102+0200 php[45131:2277503]     #13 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463105+0200 php[45131:2277503]     #14 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
2021-08-16 09:47:50.463109+0200 php[45131:2277503] 
2021-08-16 09:47:50.463112+0200 php[45131:2277503] previously allocated by thread T0 here:
2021-08-16 09:47:50.463116+0200 php[45131:2277503]     #0 0x10213f178 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3f178)
2021-08-16 09:47:50.463120+0200 php[45131:2277503]     #1 0x100a1f9a0 in __zend_malloc zend_alloc.c:2982
2021-08-16 09:47:50.463123+0200 php[45131:2277503]     #2 0x100a1f080 in _malloc_custom zend_alloc.c:2417
2021-08-16 09:47:50.463127+0200 php[45131:2277503]     #3 0x100a1ef28 in _emalloc zend_alloc.c:2536
2021-08-16 09:47:50.463131+0200 php[45131:2277503]     #4 0x100b22ab4 in zend_array_dup zend_hash.c:2047
2021-08-16 09:47:50.463134+0200 php[45131:2277503]     #5 0x100b996fc in zend_create_closure zend_closures.c:704
2021-08-16 09:47:50.463138+0200 php[45131:2277503]     #6 0x100d725c0 in ZEND_DECLARE_LAMBDA_FUNCTION_SPEC_CONST_UNUSED_HANDLER zend_vm_execute.h:9548
2021-08-16 09:47:50.463142+0200 php[45131:2277503]     #7 0x100c16490 in execute_ex zend_vm_execute.h:53291
2021-08-16 09:47:50.463146+0200 php[45131:2277503]     #8 0x100c16930 in zend_execute zend_vm_execute.h:57593
2021-08-16 09:47:50.463150+0200 php[45131:2277503]     #9 0x107c1c690 in accel_preload ZendAccelerator.c:4372
2021-08-16 09:47:50.463153+0200 php[45131:2277503]     #10 0x107c18054 in accel_finish_startup ZendAccelerator.c:4830
2021-08-16 09:47:50.463157+0200 php[45131:2277503]     #11 0x107c14ee4 in accel_post_startup ZendAccelerator.c:3059
2021-08-16 09:47:50.463161+0200 php[45131:2277503]     #12 0x100adbae8 in zend_post_startup zend.c:1009
2021-08-16 09:47:50.463164+0200 php[45131:2277503]     #13 0x100909bb0 in php_module_startup main.c:2397
2021-08-16 09:47:50.463168+0200 php[45131:2277503]     #14 0x100e0f084 in php_cli_startup php_cli.c:410
2021-08-16 09:47:50.463171+0200 php[45131:2277503]     #15 0x100e0b788 in main php_cli.c:1327
2021-08-16 09:47:50.463175+0200 php[45131:2277503]     #16 0x1a119542c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
 [2021-08-16 08:41 UTC] mike@php.net
-Summary: segfault with preloading and error_handler +Summary: segfault with preloading and statically bound closure
 [2021-08-16 12:50 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-08-16 12:50 UTC] nikic@php.net
We should be unsetting user defined error handlers before preloading.
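Added example, not part of this report, of php-src, or of the reproducer repository: a preload script written so that no user error handler is left installed by the time opcache links the preloaded classes. The backtraces above show the crash is reached through preload_link emitting a warning, the user error handler running, and that handler autoloading a class whose closure state was already freed; the engine-side fix removes the handler itself, but on builds that predate it the script below avoids the trigger. Paths (a vendor/ directory beside the script) and the function names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// preload.php (example only; not from the bug report or php-src).
// Strategy: compile files with opcache_compile_file() instead of executing an
// application bootstrap, so nothing in them can call set_error_handler() or
// Closure::bind() during preloading, then pop any handler that earlier
// require()s in this script may still have left on the stack.

/**
 * Compile every .php file under $dir into the opcache without executing it.
 * Returns the list of files that compiled; files opcache rejects are skipped.
 */
function preload_directory(string $dir): array
{
    $compiled = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        // opcache_compile_file() returns false (plus a warning) on failure;
        // the warning is suppressed here because it is expected for some files.
        if (@opcache_compile_file($file->getPathname())) {
            $compiled[] = $file->getPathname();
        }
    }
    return $compiled;
}

/**
 * Peek at the currently installed user error handler without changing it.
 * set_error_handler(null) pushes "no handler" and returns the previous one;
 * restore_error_handler() pops that push again, leaving the stack as it was.
 */
function current_error_handler(): ?callable
{
    $previous = set_error_handler(null);
    restore_error_handler();
    return $previous;
}

// Assumed layout: vendor/ next to this script.
$compiled = preload_directory(__DIR__ . '/vendor');

// Handlers stack, so pop until none remains. After this, warnings raised by
// opcache while linking the preloaded classes go to the default handler
// rather than into user code (and therefore into the autoloader).
while (current_error_handler() !== null) {
    restore_error_handler();
}

error_log(sprintf('preload: compiled %d files, no user error handler installed', count($compiled)));
```

Run it as the preload script (for example `php -d opcache.enable_cli=1 -d opcache.preload=preload.php script.php` to test from the CLI) and confirm the log line appears before the application starts. This only sidesteps the trigger; the actual fix is the php-src commit recorded in this report, so upgrading remains the correct remedy.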
 [2021-08-16 13:06 UTC] git@php.net
Automatic comment on behalf of nikic
Revision: https://github.com/php/php-src/commit/d1e956ff31f607209e16a1e1ea9aff3702bdfe5b
Log: Fixed bug #81353
 [2021-08-16 13:06 UTC] git@php.net
-Status: Verified +Status: Closed
 [2021-10-18 19:40 UTC] danderson at acromedia dot com
Segfaults are still happening with PHP (FPM) 8.0.11 from Remi's repo on RedHat Enterprise 7.8 (php-opcache-8.0.11-1.el7.remi.x86_64). 

Disabling the opcache module stops the segfaults.

I'm happy to provide full environment info in a DM if needed.
 [2021-10-28 20:49 UTC] mhemmings at nwtel dot ca
Disabling opcache does resolve the issue.
Can provide a full core dump if necessary.

#0  0x000056097c093c06 in _emalloc_56 ()
#1  0x000056097c0c6059 in _zend_new_array_0 ()
#2  0x000056097c021195 in zif_explode ()
#3  0x000056097c13c708 in execute_ex ()
#4  0x000056097c0abdf6 in zend_call_function ()
#5  0x000056097bfb4a0c in zif_spl_autoload_call ()
#6  0x000056097c0abcd2 in zend_call_function ()
#7  0x000056097c0ac2cd in zend_lookup_class_ex ()
#8  0x000056097c0acb4c in zend_fetch_class_by_name ()
#9  0x000056097c11f0a7 in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER ()
#10 0x000056097c13a45a in execute_ex ()
#11 0x000056097c141a21 in zend_execute ()
#12 0x000056097c0ba793 in zend_execute_scripts ()
#13 0x000056097c058f10 in php_execute_script ()
#14 0x000056097bec3e69 in main ()
 [2021-10-28 20:50 UTC] mhemmings at nwtel dot ca
Sorry, related to my above

opcache 7.4.24-1.el7.remi from Remi's Repo RHEL 7.8
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 05:01:29 2024 UTC