php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81577 Segfault when signal handler raising a fatal error interrupts sleep+negation
Submitted: 2021-10-31 08:42 UTC Modified: 2024-07-19 21:48 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: abecker at mailbox dot org Assigned: cmb (profile)
Status: Feedback Package: PCNTL related
PHP Version: 8.0.12 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: abecker at mailbox dot org
New email:
PHP Version: OS:

 

 [2021-10-31 08:42 UTC] abecker at mailbox dot org 
Description:
------------
Run the test script on the command line and press Ctrl+C. The program will crash.

A crash will occur if sleep is interrupted by the faulty signal handler and
a negation of any variable with any value follows immediately. Negation of
a constant will not result in a crash.

Test script:
---------------
pcntl_async_signals(true);
pcntl_signal(SIGINT, function() { 0/0; });
sleep(10);
! $anyVariableWithAnyValue;

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-02 09:40 UTC] cmb@php.net
-Package: Reproducible crash +Package: PCNTL related
 [2021-11-04 11:13 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-11-04 11:13 UTC] nikic@php.net 
Confirmed under valgrind:

^C==185861== Conditional jump or move depends on uninitialised value(s)
==185861==    at 0xA256BE: zval_ptr_dtor_nogc (zend_variables.h:34)
==185861==    by 0xA3B359: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2978)
==185861==    by 0xAA6D96: execute_ex (zend_vm_execute.h:54284)
==185861==    by 0xAAC367: zend_execute (zend_vm_execute.h:58523)
==185861==    by 0x9FCCCE: zend_execute_scripts (zend.c:1680)
==185861==    by 0x95E7C2: php_execute_script (main.c:2539)
==185861==    by 0xAED57D: do_cli (php_cli.c:949)
==185861==    by 0xAEE5CA: main (php_cli.c:1337)
==185861==
 [2021-11-04 14:08 UTC] nikic@php.net 
The following pull request has been associated:

Patch Name: Fix bug #81577: Execute interrupt handler on original opline
On GitHub:  https://github.com/php/php-src/pull/7624
Patch:      https://github.com/php/php-src/pull/7624.patch
 [2021-11-11 08:08 UTC] nikic@php.net 
Related To: Bug #81610
 [2021-11-11 18:28 UTC] dmitry@php.net 
The bug is partially fixed in PHP-8.0 and above by the following commits:

https://github.com/php/php-src/commit/fa0b84a06b03a1c2a2bcadd647232a8a4a90aa05
https://github.com/php/php-src/commit/5380b415a243e538240fbbb92bf020a3719ab927
 [2021-11-12 03:05 UTC] tstarling@php.net 
I confirmed that the commits by Dmitry fix the test case I reported at bug #81610. I did still observe an "AddressSanitizer: heap-use-after-free" error during random testing, from debug_backtrace_get_args() due to exception object creation. I haven't isolated it and I don't plan on working on it right now, but I can provide the backtrace if you're interested.
 [2024-07-19 21:48 UTC] cmb@php.net
-Status: Verified +Status: Feedback -Assigned To: +Assigned To: cmb
 [2024-07-19 21:48 UTC] cmb@php.net 
Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Jul 26 23:01:30 2024 UTC