Bug #81577 Segfault when signal handler raising a fatal error interrupts sleep+negation
Submitted: 2021-10-31 08:42 UTC Modified: 2021-11-11 18:28 UTC
Avg. Score: 4.0 ± 1.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (100.0%)
From: abecker at mailbox dot org Assigned:
Status: Verified Package: PCNTL related
PHP Version: 8.0.12 OS: Linux
Private report: No CVE-ID: None

 [2021-10-31 08:42 UTC] abecker at mailbox dot org
Run the test script on the command line and press Ctrl+C. The program will crash.

A crash will occur if sleep is interrupted by the faulty signal handler and
a negation of any variable with any value follows immediately. Negation of
a constant will not result in a crash.

Test script:
<?php pcntl_async_signals(true); // assumed, not shown in the report: lets the handler run from the VM interrupt
pcntl_signal(SIGINT, function() { 0/0; }); // handler raises a fatal DivisionByZeroError
sleep(10); // interrupted by Ctrl+C; the report names sleep but not the duration (assumed)
! $anyVariableWithAnyValue; // crash site: negation of a variable right after the interrupted sleep
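For comparison, the same sleep-then-negate sequence with a handler that only records the signal, so no exception is raised from inside the VM interrupt and ordinary control flow decides when to throw. This is an added illustration, not code from the report or from php-src; it assumes the PCNTL extension on the CLI, and the variable name is taken from the report.

```php
<?php
// Added example: record the signal in the handler, act on it afterwards.
// Assumes ext/pcntl is loaded and the script is run on the CLI.

declare(strict_types=1);

$interrupted = false;

pcntl_async_signals(true);
pcntl_signal(SIGINT, function (int $signo) use (&$interrupted): void {
    // Keep the handler side-effect free: no throw, no exit, no I/O.
    $interrupted = true;
});

$anyVariableWithAnyValue = 42;

// sleep() returns early when a signal arrives, giving back the unslept
// seconds (0 when the full duration elapsed). Check the flag after every
// return instead of assuming the sleep completed.
$remaining = 10;
while ($remaining > 0 && !$interrupted) {
    $remaining = sleep($remaining);
}

// The negation the report pairs with the interrupted sleep now executes
// with no exception pending from the handler.
$negated = !$anyVariableWithAnyValue;

if ($interrupted) {
    // Raise the error at a point of our choosing, in normal control flow.
    throw new RuntimeException('Interrupted by SIGINT; aborting cleanly.');
}

var_dump($negated);
```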


 [2021-11-02 09:40 UTC]
-Package: Reproducible crash +Package: PCNTL related
 [2021-11-04 11:13 UTC]
-Status: Open +Status: Verified
 [2021-11-04 11:13 UTC]
Confirmed under valgrind:

^C==185861== Conditional jump or move depends on uninitialised value(s)
==185861==    at 0xA256BE: zval_ptr_dtor_nogc (zend_variables.h:34)
==185861==    by 0xA3B359: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:2978)
==185861==    by 0xAA6D96: execute_ex (zend_vm_execute.h:54284)
==185861==    by 0xAAC367: zend_execute (zend_vm_execute.h:58523)
==185861==    by 0x9FCCCE: zend_execute_scripts (zend.c:1680)
==185861==    by 0x95E7C2: php_execute_script (main.c:2539)
==185861==    by 0xAED57D: do_cli (php_cli.c:949)
==185861==    by 0xAEE5CA: main (php_cli.c:1337)
 [2021-11-04 14:08 UTC]
The following pull request has been associated:

Patch Name: Fix bug #81577: Execute interrupt handler on original opline
On GitHub:
 [2021-11-12 03:05 UTC]
I confirmed that the commits by Dmitry fix the test case I reported at bug #81610. I did still observe an "AddressSanitizer: heap-use-after-free" error during random testing, from debug_backtrace_get_args() due to exception object creation. I haven't isolated it and I don't plan on working on it right now, but I can provide the backtrace if you're interested.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 10:01:28 2024 UTC