Bug #81430 Attribute instantiation leaves dangling execute_data pointer
Submitted: 2021-09-10 16:22 UTC Modified: -
From: Assigned:
Status: Open Package: Reproducible crash
PHP Version: 8.0.10 OS: MacOS 11
Private report: No CVE-ID: None

 [2021-09-10 16:22 UTC]
I found sporadic crashes in my application upon max_time_limit exhaustion. They were all somewhere within zend_observer_fcall_end_all.

The crashes are all related to invalid contents within current_observed_frame.

In this specific reproducer I found, the issue is related to attributes, which use a stack allocated dummy frame (notably with ex->func being non-NULL, which is unlike the generator dummy frames).

Test script:
Using zend_test with INI:


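<?php

namespace X; // avoid cuf() being optimized away

ini_set("memory_limit", "20M");

// A must be declared as an attribute class for newInstance() to work
#[\Attribute]
class A {
        public function __construct() {}
}

// B carries the attribute that getAttributes(A::class) looks up
#[A]
function B() {}

$r = new \ReflectionFunction("X\\B");
var_dump(call_user_func([$r->getAttributes(A::class)[0], 'newInstance']));

array_map("str_repeat", ["\xFF"], [100000000]); // cause a bailout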

Expected result:
No crash.

Actual result:
* thread #1, queue = '', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x0000000100722f16 php`zend_observer_fcall_end(execute_data=0x00007ffeefbfde70, return_value=0x0000000000000000) at zend_observer.c:211:42
    frame #1: 0x00000001007230a3 php`zend_observer_fcall_end_all at zend_observer.c:243:4
    frame #2: 0x00000001004fd7c5 php`php_request_shutdown(dummy=0x0000000000000000) at main.c:1783:3
    frame #3: 0x00000001007a44d1 php`do_cli(argc=4, argv=0x00007ffeefbff930) at php_cli.c:1135:3
(lldb) p execute_data
(zend_execute_data *) $0 = 0x00007ffeefbfde70 // stack memory
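
The lifetime problem described in this report, as an added example that is neither part of the original report nor PHP source: a simplified C model in which an array stands in for the C stack. All names are hypothetical, how the observer pointer comes to reference the dummy frame is an assumption of the model, and the restore step and liveness check are illustrative guards, not the project's fix.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, not PHP source; every name below is hypothetical. */
typedef struct frame { const char *func; struct frame *prev; } frame;
static frame  stack_mem[8];       /* stands in for the C stack */
static size_t top;                /* slots below `top` are live */
static frame *current_observed;   /* models current_observed_frame */

static frame *push(const char *func) {
    frame *f = &stack_mem[top++];
    /* func is non-NULL, like the attribute dummy frame in the report */
    *f = (frame){ func, current_observed };
    return f;
}
/* The frame's storage dies here; poison its contents. */
static void pop(void) { stack_mem[--top] = (frame){ NULL, NULL }; }
static int is_live(const frame *f) { return f < stack_mem + top; }

/* Observe a dummy frame, then release it. With restore != 0 the observer
 * pointer is put back before the frame's storage goes away. */
static void instantiate_attribute(int restore) {
    frame *saved = current_observed;
    current_observed = push("A::__construct");
    if (restore) current_observed = saved;
    pop();
}

/* Shutdown pass after a bailout: returns the number of frames ended,
 * or -1 when the chain contains a frame that is no longer live. */
static int end_all(void) {
    int ended = 0;
    for (frame *f = current_observed; f != NULL; f = f->prev) {
        if (!is_live(f)) return -1;   /* dangling pointer: do not touch it */
        ended++;
    }
    return ended;
}

int run(int restore) {
    top = 0;
    current_observed = NULL;          /* reset the model */
    current_observed = push("main");
    instantiate_attribute(restore);
    return end_all();
}

int main(void) {
    printf("no restore: %d, restore: %d\n", run(0), run(1));
    return 0;
}
```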


Last updated: Sun Oct 17 21:03:32 2021 UTC