Bug #81435 Observer current_observed_frame may point to an old (overwritten) frame
Submitted: 2021-09-13 12:14 UTC
Modified: 2021-09-13 12:15 UTC
Assigned: bwoebi
Status: Closed
Package: Reproducible crash
PHP Version: 8.0.10
OS: MacOS 11
Private report: No
CVE-ID: None
 [2021-09-13 12:14 UTC]
Observer current_observed_frame is unconditionally updated to prev_execute_data. However, prev_execute_data may point to an unobserved function, causing current_observed_frame not to be updated until another observed function ends.
Thus current_observed_frame may point to an unobserved function that has already been left, whose frame may already have been overwritten.

Test script:
Installing observers on a and d,

<?php
ini_set("memory_limit", "20M");

function d() {} // observed

function c() { // gets prev_execute_data after end of d()
    d();
}

function b() {
    c();
}

function bailout(...$args) {
    // exceeds memory_limit, so the fatal error bails out without normal frame unwinding
    array_map("str_repeat", ["\xFF"], [100000000]);
}

function a() { // observed (first_observed_frame)
    b(); // call chain a -> b -> c -> d, as the comments above describe
    bailout(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); // overwrite the vm_stack containing prev_execute_data
}

a();

Expected result:
No crash.

Actual result:
Crash, with current_observed_frame pointing to something that is not a valid frame on the vm_stack:

(gdb) bt
#0  0x0000000012cd24c9 in zend_observer_fcall_end_all () at /usr/src/debug/php-8.0.10/Zend/zend_observer.c:235
#1  0x0000000012be059b in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-8.0.10/main/main.c:1777
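The frame bookkeeping the report describes, as an added toy model in C. This is illustration code written for this page, not PHP's zend_observer.c and not part of the report. A small slot array stands in for the vm_stack; `vm`, `call_begin`, `call_end`, `current_observed_is_valid` and `run_scenario` are made-up names; and a call is modelled as one header slot plus one slot per argument, so that bailout()'s 15 arguments land on the slots that b(), c() and d() vacated. The `fixed` flag swaps the unconditional `current_observed = prev` update for a walk up the prev chain to the nearest observed frame; that walk is the model's own repair and is not claimed to be the change in the commit that closed this bug.

```c
/* Added toy model of the observer's current_observed_frame bookkeeping.
 * Not PHP's code: the slot layout, names and the "fixed" repair are assumptions
 * made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SLOTS 32

typedef struct slot {
    const char  *name;      /* function name, or "arg" for an argument slot */
    bool         is_frame;  /* true: call frame header; false: argument storage */
    bool         observed;  /* an observer is installed on this function */
    struct slot *prev;      /* prev_execute_data of a frame header */
} slot;

typedef struct {
    slot  stack[SLOTS];     /* toy vm_stack: a call takes 1 header + 1 slot per arg */
    int   sp;               /* next free slot; popped on return, so slots are reused */
    slot *current_observed; /* the engine's current_observed_frame */
    bool  fixed;            /* false: set to prev unconditionally (the bug);
                               true: walk the prev chain to the next observed frame */
} vm;

static void vm_init(vm *m, bool fixed) { memset(m, 0, sizeof *m); m->fixed = fixed; }

/* Push a frame with nargs arguments; plays the role of fcall_begin. */
static slot *call_begin(vm *m, slot *caller, const char *name, bool observed, int nargs) {
    slot *f = &m->stack[m->sp++];
    f->name = name; f->is_frame = true; f->observed = observed; f->prev = caller;
    for (int i = 0; i < nargs; i++) {          /* arguments overwrite freed slots */
        slot *a = &m->stack[m->sp++];
        a->name = "arg"; a->is_frame = false; a->observed = false; a->prev = NULL;
    }
    if (observed) m->current_observed = f;
    return f;
}

/* Pop a frame; plays the role of fcall_end for an observed function. */
static void call_end(vm *m, slot *f, int nargs) {
    if (f->observed) {
        slot *p = f->prev;
        if (m->fixed)
            while (p && !p->observed) p = p->prev;  /* skip unobserved callers */
        m->current_observed = p;   /* buggy path: p may be an unobserved frame */
    }
    m->sp -= 1 + nargs;            /* the slots are free now and will be reused */
}

/* What fcall_end_all relies on at shutdown: the frame it starts from must still
 * be a live, observed frame header. Returns false for the dangling case. */
static bool current_observed_is_valid(const vm *m) {
    const slot *c = m->current_observed;
    if (!c) return true;
    if (c < m->stack || c >= m->stack + m->sp) return false; /* already popped */
    return c->is_frame && c->observed;
}

/* Replays the report's script: a (observed) -> b -> c -> d (observed), then
 * a() calls bailout(15 args), which reuses the slots b, c and d occupied.
 * bailout() never returns normally (memory_limit), so shutdown runs end_all
 * from whatever current_observed points at now. */
static bool run_scenario(bool fixed, const char **current_name) {
    vm m; vm_init(&m, fixed);
    slot *a = call_begin(&m, NULL, "a", true, 0);
    slot *b = call_begin(&m, a, "b", false, 0);
    slot *c = call_begin(&m, b, "c", false, 0);
    slot *d = call_begin(&m, c, "d", true, 0);
    call_end(&m, d, 0);   /* current_observed becomes c (bug) or a (fixed) */
    call_end(&m, c, 0);   /* unobserved: no update, but c's slot is now free */
    call_end(&m, b, 0);
    call_begin(&m, a, "bailout", false, 15);   /* overwrites the old c slot */
    *current_name = m.current_observed ? m.current_observed->name : "(none)";
    return current_observed_is_valid(&m);
}
```

With `fixed` false, `run_scenario` ends with current_observed pointing at one of bailout()'s argument slots (name "arg", not a frame header), which is the "not a valid frame on the vm_stack" state in the backtrace above; with `fixed` true it ends at a(), the first observed frame, and the walk at shutdown is safe.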

 [2021-09-13 12:15 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: bwoebi
 [2021-09-13 14:17 UTC]
Automatic comment on behalf of bwoebi
Log: Fix #81435 Observer current_observed_frame may point to an old (overwritten) frame
 [2021-09-13 14:17 UTC]
-Status: Assigned +Status: Closed