php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81577 Segfault when signal handler raising a fatal error interrupts sleep+negation
Submitted: 2021-10-31 08:42 UTC Modified: 2021-11-11 18:28 UTC
From: abecker at mailbox dot org Assigned:
Status: Verified Package: PCNTL related
PHP Version: 8.0.12 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-10-31 08:42 UTC] abecker at mailbox dot org
Description:
------------
Run the test script on the command line and press Ctrl+C. The program will crash.

A crash will occur if sleep is interrupted by the faulty signal handler and
a negation of any variable with any value follows immediately. Negation of
a constant will not result in a crash.

Test script:
---------------
pcntl_async_signals(true);
pcntl_signal(SIGINT, function() { 0/0; });
sleep(10);
! $anyVariableWithAnyValue;



Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-02 09:40 UTC] cmb@php.net
-Package: Reproducible crash +Package: PCNTL related
 [2021-11-04 11:13 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-11-04 11:13 UTC] nikic@php.net
Confirmed under valgrind:

^C==185861== Conditional jump or move depends on uninitialised value(s)
==185861==    at 0xA256BE: zval_ptr_dtor_nogc (zend_variables.h:34)
==185861==    by 0xA3B359: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2978)
==185861==    by 0xAA6D96: execute_ex (zend_vm_execute.h:54284)
==185861==    by 0xAAC367: zend_execute (zend_vm_execute.h:58523)
==185861==    by 0x9FCCCE: zend_execute_scripts (zend.c:1680)
==185861==    by 0x95E7C2: php_execute_script (main.c:2539)
==185861==    by 0xAED57D: do_cli (php_cli.c:949)
==185861==    by 0xAEE5CA: main (php_cli.c:1337)
==185861==
 [2021-11-04 14:08 UTC] nikic@php.net
The following pull request has been associated:

Patch Name: Fix bug #81577: Execute interrupt handler on original opline
On GitHub:  https://github.com/php/php-src/pull/7624
Patch:      https://github.com/php/php-src/pull/7624.patch
 [2021-11-12 03:05 UTC] tstarling@php.net
I confirmed that the commits by Dmitry fix the test case I reported at bug #81610. I did still observe an "AddressSanitizer: heap-use-after-free" error during random testing, from debug_backtrace_get_args() due to exception object creation. I haven't isolated it and I don't plan on working on it right now, but I can provide the backtrace if you're interested.
 [2023-01-05 08:11 UTC] EmmaGallagher at jourrapide dot com
If you're the original bug submitter, here's where you can edit the bug or add additional notes. If this is not your bug, you can add a comment by following this link.

<https://www.dmvnow.me/>github.com
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Feb 04 20:05:50 2023 UTC