Description
The following code:
```php
<?php
set_error_handler(function ($errno, $errstr) {
    global $nan;
    $nan = bin2hex(random_bytes(4));
});
settype($nan, 'object');
try { next($nan); } catch (Exception $e) { echo($e); }
```
Resulted in this output:
```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1382==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000003f9f57e bp 0x7ffcea9a2a50 sp 0x7ffcea9a2a30 T0)
==1382==The signal is caused by a READ memory access.
==1382==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x3f9f57e in zend_gc_refcount /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1355:12
    #1 0x3fb06ae in get_ht_for_iap /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/array.c:1003:38
    #2 0x3fb3c76 in zif_next /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/array.c:1105:21
    #3 0x60463be in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1355:2
    #4 0x5b62a3b in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:115764:12
    #5 0x5b64fcc in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:121476:2
    #6 0x68ebc29 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1977:3
    #7 0x50c283a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2640:13
    #8 0x50c3978 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2680:9
    #9 0x6900b3a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:951:5
    #10 0x68faf1f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1362:18
    #11 0x73f315b7bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x73f315b7be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x606204 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x606204)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1355:12 in zend_gc_refcount
==1382==ABORTING
```
To reproduce:
```sh
./php-src/sapi/cli/php -d "opcache.enable_cli=1" ./test.php
```
Commit:
02d187d7663afdde5027f72fad180079806c4fc9
Configurations:
```sh
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
```
Operating System:
Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest
This report is automatically generated by FlowFusion
PHP Version
Operating System
No response