Segmentation fault in php 7.4 with opcache installed and opcache.enable_cli=1 #217

TysonAndre opened this issue Jan 21, 2020 · 1 comment
TysonAndre commented Jan 21, 2020

Possibly related to #208 or changes to reflection - I haven't looked into this much.

Related to #117

This is one of many test failures. It's limited to php 7.4+.

```
PHP_VERSION : 7.4.3-dev
ZEND_VERSION: 3.4.0
PHP_OS      : Linux - Linux student3 4.15.0-72-generic #81~16.04.1-Ubuntu SMP Tue Nov 26 16:34:21 UTC 2019 x86_64
INI actual  : /path/to/runkit7
More .INIs  :
CWD         : /path/to/runkit7
Extra dirs  :
VALGRIND    : valgrind-3.11.0 (memcheck)
=====================================================================
Running selected tests.
TEST 1/1 [tests/runkit_method_copy_and_doc_comment.phpt]
========DIFF========
004+
005+ Warning: runkit_method_redefine(): runkit_class::runkit_method() is not a user function in /path/to/runkit7/tests/runkit_method_copy_and_doc_comment.php on line 15
007- new doc_comment
008- After redefine
009- new doc_comment
009+ Segmentation fault
010+
011+ Termsig=11
010- After redefine 2
011- new doc_comment
012- After redefine 3
========DONE========

========MEM========
==8237== Invalid read of size 4
==8237==    at 0x7D158A: zim_reflection_method___construct (php_reflection.c:2988)
==8237==    by 0xB43437: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==8237==    by 0xBA886D: execute_ex (zend_vm_execute.h:53817)
==8237==    by 0xBAC95B: zend_execute (zend_vm_execute.h:57913)
==8237==    by 0xACFA72: zend_execute_scripts (zend.c:1665)
==8237==    by 0xA30FCA: php_execute_script (main.c:2617)
==8237==    by 0xBAF518: do_cli (php_cli.c:961)
==8237==    by 0xBB0669: main (php_cli.c:1352)
==8237==  Address 0xffffffff00000012 is not stack'd, malloc'd or (recently) free'd
==8237==
==8237==
==8237== Process terminating with default action of signal 11 (SIGSEGV)
==8237==  Access not within mapped region at address 0xFFFFFFFF00000012
==8237==    at 0x7D158A: zim_reflection_method___construct (php_reflection.c:2988)
==8237==    by 0xB43437: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==8237==    by 0xBA886D: execute_ex (zend_vm_execute.h:53817)
==8237==    by 0xBAC95B: zend_execute (zend_vm_execute.h:57913)
==8237==    by 0xACFA72: zend_execute_scripts (zend.c:1665)
==8237==    by 0xA30FCA: php_execute_script (main.c:2617)
==8237==    by 0xBAF518: do_cli (php_cli.c:961)
==8237==    by 0xBB0669: main (php_cli.c:1352)
==8237==  If you believe this happened as a result of a stack
==8237==  overflow in your program's main thread (unlikely but
==8237==  possible), you can try to increase the size of the
==8237==  main thread stack using the --main-stacksize= flag.
==8237==  The main thread stack size used in this run was 8388608.
========DONE========
LEAK&FAIL runkit_method_copy() function and doc_comment [tests/runkit_method_copy_and_doc_comment.phpt]
=====================================================================
```


```c
	ZVAL_STR_COPY(reflection_prop_name(object), mptr->common.function_name);  // line 2988 of php_reflection.c
	ZVAL_STR_COPY(reflection_prop_class(object), mptr->common.scope->name);
	intern->ptr = mptr;
	intern->ref_type = REF_TYPE_FUNCTION;
	intern->ce = ce;
```

@TysonAndre TysonAndre added the bug label Jan 21, 2020
TysonAndre (Member, Author) commented

The function_name of the method seems to be improperly set when runkit manipulates methods with opcache enabled. There may be other issues.

```sh
USE_ZEND_ALLOC=0 gdb -args `which php` -d extension=runkit7.so -d zend_extension=opcache.so -d opcache.enable_cli=1 tests/runkit_method_copy_and_doc_comment.php
```

```
....
Program received signal SIGSEGV, Segmentation fault.
0x00000000007d158a in zim_reflection_method___construct (execute_data=0x1ab70e0, return_value=0x7fffffff9d90) at /path/to/ext/reflection/php_reflection.c:2988
2988            ZVAL_STR_COPY(reflection_prop_name(object), mptr->common.function_name);  // line 2988
(gdb) print reflection_prop_name(object)
$1 = (zval *) 0x1b09e00
(gdb) print mptr->common
$2 = {type = 160 '\240', arg_flags = "\233\260\001", fn_flags = 0, function_name = 0xffffffff0000000e, scope = 0xd53012a5537a8493, prototype = 0x7fffe3271090, num_args = 1, required_num_args = 1, arg_info = 0x7fffe38cda58}
(gdb) print mptr->common.function_name
$3 = (zend_string *) 0xffffffff0000000e
(gdb) print *(mptr->common.function_name)
Cannot access memory at address 0xffffffff0000000e
```
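An added crash-triage helper, not code from this issue or from runkit7: it parses the valgrind "Invalid read" block and the gdb pointer value quoted above (copied here as constructed samples), measures how far the faulting access sits from the pointer gdb printed, and classifies the pointer value; the zend_string layout note in the last function comes from PHP 7's Zend headers.

```python
import re

# Constructed sample: the start of the valgrind report quoted in the issue.
VALGRIND_SAMPLE = """\
==8237== Invalid read of size 4
==8237==    at 0x7D158A: zim_reflection_method___construct (php_reflection.c:2988)
==8237==  Address 0xffffffff00000012 is not stack'd, malloc'd or (recently) free'd
"""
# gdb's view of the pointer dereferenced on the crashing line (from the issue).
GDB_POINTER_SAMPLE = "$3 = (zend_string *) 0xffffffff0000000e"

FAULT_RE = re.compile(
    r"Invalid (?P<kind>read|write) of size (?P<size>\d+)[^\n]*\n"
    r"\S+\s+at 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]*)\).*?"
    r"Address (?P<addr>0x[0-9A-Fa-f]+) is (?P<where>[^\n]*)",
    re.S,
)

def parse_valgrind_fault(text):
    """Extract the first invalid access: kind, size, faulting frame, address."""
    m = FAULT_RE.search(text)
    if not m:
        return None
    return {"kind": m["kind"], "size": int(m["size"]), "func": m["func"],
            "loc": m["loc"], "addr": int(m["addr"], 16), "where": m["where"].strip()}

def parse_gdb_pointer(line):
    """Pull the pointer value out of a gdb 'print' result line."""
    m = re.search(r"\) (0x[0-9A-Fa-f]+)\s*$", line)
    return int(m.group(1), 16) if m else None

def classify_pointer(addr):
    """Rough x86-64 triage of a pointer value lifted from a crash report."""
    if addr == 0:
        return "null"
    if addr < 0x1000:
        return "null-page: a small integer is being used as a pointer"
    if addr >> 63:
        return "kernel-half address: cannot be a valid user-space pointer"
    if addr >> 47:
        return "non-canonical: garbage, not an address at all"
    return "plausible user pointer: check it against the process memory map"

def fault_offset(fault_addr, pointer):
    """Byte offset of the faulting access from the pointer gdb printed. Here it
    is 4: offset 4 of a zend_string is the GC type_info word that ZVAL_STR_COPY
    reads to test IS_STR_INTERNED, i.e. the macro is dereferencing a garbage
    function_name pointer rather than reading a valid string."""
    return fault_addr - pointer
```

Running it over the two samples reports a 4-byte read at offset 4 from a kernel-half pointer, which is what the issue's valgrind and gdb output show.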
