Closed
Description
The following code:
<?php
register_shutdown_function(function() {
    include 'shutdown.php';
});
include 'test.php';
shutdown.php
<?php
class Test{
    public function tmp() {
        throw RuntimeException('hello crash');
    }
}
test.php
<?php
$messageList[$host][] ??= []; // this code looks like a bug but I wouldn't expect a crash because of this :)
$messageList[$host][] = $message;
Resulted in this output:
48060 segmentation fault php crash-test.php
But I expected this output instead:
Fatal error: Cannot use [] for reading in test.php on line 3
I can see the following stacktrace on Mac (PHP 8.2.3):
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010034af8c php`zend_compile_expr_inner + 120
frame #1: 0x0000000100345f44 php`zend_compile_expr + 52
frame #2: 0x00000001003410f8 php`zend_compile_stmt + 152
frame #3: 0x00000001003414f4 php`zend_compile_stmt + 1172
frame #4: 0x000000010034035c php`zend_compile_func_decl + 4200
frame #5: 0x0000000100341288 php`zend_compile_stmt + 552
frame #6: 0x00000001003414f4 php`zend_compile_stmt + 1172
frame #7: 0x0000000100340a5c php`zend_compile_class_decl + 744
frame #8: 0x000000010033f294 php`zend_compile_top_stmt + 156
frame #9: 0x000000010033f244 php`zend_compile_top_stmt + 76
frame #10: 0x0000000100326abc php`zend_compile + 184
frame #11: 0x00000001003269a8 php`compile_file + 60
frame #12: 0x00000001001c3338 php`phar_compile_file + 216
frame #13: 0x0000000100326e6c php`compile_filename + 56
frame #14: 0x00000001003d65c0 php`zend_include_or_eval + 120
frame #15: 0x00000001003a7060 php`ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER + 52
frame #16: 0x000000010037fb74 php`execute_ex + 52
frame #17: 0x00000001003516b4 php`zend_call_function + 1332
frame #18: 0x0000000100273f4c php`user_shutdown_function_call + 32
frame #19: 0x0000000100372724 php`zend_hash_apply + 660
frame #20: 0x0000000100273ef8 php`php_call_shutdown_functions + 96
frame #21: 0x0000000100304574 php`php_request_shutdown + 116
frame #22: 0x0000000100446494 php`do_cli + 6472
frame #23: 0x0000000100444a04 php`main + 696
frame #24: 0x000000019e797f28 dyld`start + 2236
Linux (PHP 8.0.28):
(gdb) bt
#0 zend_compile_memoized_expr (expr=0x7fffc76209c0, result=0x0) at /build/php.git/Zend/zend_compile.c:2351
#1 zend_compile_expr_inner (ast=0x7fffc76209c0, result=0x0) at /build/php.git/Zend/zend_compile.c:9510
#2 zend_compile_expr (result=0x0, ast=0x7fffc76209c0) at /build/php.git/Zend/zend_compile.c:9651
#3 0x00000000006932fa in zend_compile_stmt (ast=0x7fffc76209c0) at /build/php.git/Zend/zend_compile.c:9488
#4 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
#5 zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5995
#6 zend_compile_stmt (ast=ast@entry=0x7fffc7620818) at /build/php.git/Zend/zend_compile.c:9405
#7 0x00000000006a04c8 in zend_compile_if (ast=ast@entry=0x7fffc76209e8) at /build/php.git/Zend/zend_compile.c:5245
#8 0x0000000000693328 in zend_compile_stmt (ast=0x7fffc76209e8) at /build/php.git/Zend/zend_compile.c:9445
#9 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
#10 zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5995
#11 zend_compile_stmt (ast=ast@entry=0x7fffc76205e8) at /build/php.git/Zend/zend_compile.c:9405
#12 0x00000000006a04c8 in zend_compile_if (ast=ast@entry=0x7fffc7620b38) at /build/php.git/Zend/zend_compile.c:5245
#13 0x0000000000693328 in zend_compile_stmt (ast=0x7fffc7620b38) at /build/php.git/Zend/zend_compile.c:9445
#14 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
#15 zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5995
#16 zend_compile_stmt (ast=ast@entry=0x7fffc7620178) at /build/php.git/Zend/zend_compile.c:9405
#17 0x0000000000693582 in zend_compile_try (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5730
#18 0x00000000006933f0 in zend_compile_stmt (ast=0x7fffc7620ff0) at /build/php.git/Zend/zend_compile.c:9451
#19 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
#20 zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5995
#21 zend_compile_stmt (ast=ast@entry=0x7fffc761ffb0) at /build/php.git/Zend/zend_compile.c:9405
#22 0x000000000069443a in zend_compile_func_decl (result=<optimized out>, ast=<optimized out>, toplevel=<optimized out>) at /build/php.git/Zend/zend_compile.c:6999
#23 0x000000000069321c in zend_compile_stmt (ast=0x7fffc7621048) at /build/php.git/Zend/zend_compile.c:9458
#24 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
#25 zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:5995
#26 zend_compile_stmt (ast=ast@entry=0x7fffc762df48) at /build/php.git/Zend/zend_compile.c:9405
#27 0x0000000000694e7d in zend_compile_class_decl (result=0x0, ast=0x7fffc763d200, toplevel=<optimized out>) at /build/php.git/Zend/zend_compile.c:7409
#28 0x00000000006a1998 in zend_compile_top_stmt (ast=0x7fffc763d200) at /build/php.git/Zend/zend_compile.c:9380
#29 0x00000000006a19c8 in zend_compile_top_stmt (ast=0x7fffc761a018) at /build/php.git/Zend/zend_compile.c:9369
#30 0x000000000066e371 in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:629
#31 0x000000000066fc1a in compile_file (file_handle=0x7fffffffb1f0, type=2) at Zend/zend_language_scanner.l:664
#32 0x00007fffe804f077 in phar_compile_file (file_handle=0x7fffffffb1f0, type=2) at /build/php.git/ext/phar/phar.c:3373
#33 0x00000000006e34c2 in zend_include_or_eval (inc_filename=0x7ffff4815560, type=4) at /build/php.git/Zend/zend_execute.c:4467
#34 0x00000000006f9b6c in ZEND_INCLUDE_OR_EVAL_SPEC_OBSERVER_HANDLER () at /build/php.git/Zend/zend_vm_execute.h:4791
#35 0x0000000000713b6f in execute_ex (ex=0xe1fc28 <compiler_globals+520>) at /build/php.git/Zend/zend_vm_execute.h:55592
#36 0x00000000006a529a in zend_call_function (fci=0x7fffffffb490, fci_cache=0x7fffffffb470) at /build/php.git/Zend/zend_execute_API.c:896
#37 0x00000000006a5694 in zend_call_known_function (fn=0x7ffff48cc178, object=<optimized out>, called_scope=0x0, retval_ptr=retval_ptr@entry=0x0, param_count=param_count@entry=1,
params=params@entry=0x7fffffffb500, named_params=0x0) at /build/php.git/Zend/zend_execute_API.c:986
#38 0x0000000000573495 in spl_perform_autoload (class_name=0x7fffdaf8edb0, lc_name=0x7fffdaf8ede0) at /build/php.git/ext/spl/php_spl.c:440
#39 0x00000000006a4501 in zend_lookup_class_ex (name=name@entry=0x7fffdaf8edb0, key=0x7fffdaf8ede0, flags=flags@entry=512) at /build/php.git/Zend/zend_execute_API.c:1111
#40 0x00000000006a5b1c in zend_fetch_class_by_name (class_name=0x7fffdaf8edb0, key=<optimized out>, fetch_type=fetch_type@entry=512) at /build/php.git/Zend/zend_execute_API.c:1522
#41 0x00000000006f7dd7 in ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_CONST_HANDLER () at /build/php.git/Zend/zend_vm_execute.h:6610
#42 0x000000000071530e in execute_ex (ex=0xe1fc28 <compiler_globals+520>) at /build/php.git/Zend/zend_vm_execute.h:55772
#43 0x00000000006a529a in zend_call_function (fci=0x7fffffffb780, fci_cache=0x7fffffffb6c0) at /build/php.git/Zend/zend_execute_API.c:896
#44 0x00000000006a55a5 in _call_user_function_impl (object=object@entry=0x0, function_name=function_name@entry=0x7fffdacaf4c0, retval_ptr=retval_ptr@entry=0x7fffffffb7d0, param_count=<optimized out>,
params=<optimized out>, named_params=named_params@entry=0x0) at /build/php.git/Zend/zend_execute_API.c:660
#45 0x00000000005b19df in user_shutdown_function_call (zv=<optimized out>) at /build/php.git/ext/standard/basic_functions.c:1693
#46 0x00000000006c4f9b in zend_hash_apply (ht=0x7fffdae5b8f8, apply_func=apply_func@entry=0x5b19b0 <user_shutdown_function_call>) at /build/php.git/Zend/zend_hash.c:1837
--Type <RET> for more, q to quit, c to continue without paging--
#47 0x00000000005b4b11 in php_call_shutdown_functions () at /build/php.git/ext/standard/basic_functions.c:1766
#48 0x0000000000643585 in php_request_shutdown (dummy=dummy@entry=0x0) at /build/php.git/main/main.c:1821
#49 0x00000000007427ae in do_cli (argc=4, argv=0xe37af0) at /build/php.git/sapi/cli/php_cli.c:1111
#50 0x0000000000455c22 in main (argc=4, argv=0xe37af0) at /build/php.git/sapi/cli/php_cli.c:1341
It seems like there's an attempt to dereference result which is NULL...
PHP Version
8.0.28, 8.2.3
Operating System
CentOS Stream 8, macOS
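
A triage helper for the Linux backtrace above, added here as an example (not part of the original report or of php-src): it parses gdb `bt` frames and lists the innermost consecutive frames that were called with a NULL pointer argument, so the `result=0x0` observation can be checked mechanically. The names `parse_frames` and `null_pointer_chain` are illustrative, and the sample input is the first five frames copied from the report.

```python
import re

# First five frames of the Linux (PHP 8.0.28) backtrace, copied from the report.
SAMPLE_BT = """\
#0 zend_compile_memoized_expr (expr=0x7fffc76209c0, result=0x0) at /build/php.git/Zend/zend_compile.c:2351
#1 zend_compile_expr_inner (ast=0x7fffc76209c0, result=0x0) at /build/php.git/Zend/zend_compile.c:9510
#2 zend_compile_expr (result=0x0, ast=0x7fffc76209c0) at /build/php.git/Zend/zend_compile.c:9651
#3 0x00000000006932fa in zend_compile_stmt (ast=0x7fffc76209c0) at /build/php.git/Zend/zend_compile.c:9488
#4 0x000000000069319f in zend_compile_stmt_list (ast=<optimized out>) at /build/php.git/Zend/zend_compile.c:6000
"""

# "#N [0xADDR in ]func (args) [at file:line]" as printed by gdb's `bt`.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)

def parse_frames(bt_text):
    """Parse gdb frames; pager prompts and wrapped continuation lines are skipped."""
    frames = []
    for raw in bt_text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        args = {}
        for part in filter(None, m["args"].split(", ")):
            name, _, value = part.partition("=")
            value = value.rsplit("=", 1)[-1]  # "ast=ast@entry=0x..." -> "0x..."
            # Drop symbol annotations such as "0xe1fc28 <compiler_globals+520>".
            args[name] = value.split()[0] if value.startswith("0x") else value
        frames.append({
            "idx": int(m["idx"]), "func": m["func"], "args": args,
            "file": m["file"], "line": int(m["line"]) if m["line"] else None,
        })
    return frames

def null_pointer_chain(frames):
    """Innermost consecutive frames that received at least one 0x0 argument."""
    chain = []
    for frame in frames:
        nulls = sorted(n for n, v in frame["args"].items() if v == "0x0")
        if not nulls:
            break  # the NULL was introduced by the caller of the last frame kept
        chain.append((frame["func"], nulls, frame["line"]))
    return chain

if __name__ == "__main__":
    for func, nulls, line in null_pointer_chain(parse_frames(SAMPLE_BT)):
        print(f"{func} (line {line}): NULL argument(s) {', '.join(nulls)}")
```
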