php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81622 Read segmentation fault in zend_jit_helpers.c:360:20
Submitted: 2021-11-15 02:00 UTC Modified: 2024-07-28 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: swirsz at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: master-Git-2021-11-15 (Git) OS: Ubuntu 20.04
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: swirsz at gmail dot com
New email:
PHP Version: OS:

 

 [2021-11-15 02:00 UTC] swirsz at gmail dot com 
Description:
------------
Compiled with address sanitizer, reproducible by executing php-fuzz-function-jit with the test script

==100149==ERROR: AddressSanitizer: SEGV on unknown address 0x000188396212 (pc 0x7eff82389697 bp 0x7ffc52ca1c00 sp 0x7ffc52ca1b20 T0)
==100149==The signal is caused by a READ memory access.

SUMMARY: AddressSanitizer: SEGV /php/ext/opcache/jit/zend_jit_helpers.c:360:20 in zend_jit_undefined_op_helper_write
==100149==ABORTING

Test script:
---------------
<?php
set_error_handler(function($_, $m){
    throw new Exception($m);
});
function test() {
    $Óa = [];
    $res = $a[$undef] += 1;
}
try {
    test();
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}
?>

Actual result:
--------------
#0 0x7fc87a889697 in zend_jit_undefined_op_helper_write /src/php-src/ext/opcache/jit/zend_jit_helpers.c:360:20
    #1 0x7fc87a889697 in zend_jit_fetch_dim_rw_helper /src/php-src/ext/opcache/jit/zend_jit_helpers.c:586:9
    #2 0x49a88237  (/dev/zero (deleted)+0x8001237)
    #3 0xf17bab in zend_execute /src/php-src/Zend/zend_vm_execute.h:59037:2
    #4 0x12da9ad in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:276:5
    #5 0x12d9093 in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-function-jit.c:42:3
    #6 0x639823 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #7 0x625132 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x62abfa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #9 0x653b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7fc87c2e30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2024-07-19 20:02 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2024-07-19 20:02 UTC] cmb@php.net 
Is that still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions>
 [2024-07-28 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Nov 07 22:00:01 2025 UTC