Segmentation Fault on stream

[sf-cg]

Description

The following code:
from the reproducible repo: https://github.com/sf-cg/php-8.2-segfault

When running php-vcr on PHP8.2 (any patch version, and even 8.3 alpha), the tests are resulting in a segfault. This does not happen on 8.1 or previous versions even when using the same php-vcr package.

Resulted in this output:
Segmentation fault

But I expected this output instead:
Tests to complete running successfully

gdb bt:

(gdb) bt
#0  user_wrapper_opener (wrapper=0x7ffff04151b0, filename=<optimised out>, mode=0x5555559abfe3 "rb", options=82048, opened_path=0x7fffffff99e0, context=<optimised out>) at ./main/streams/userspace.c:380
#1  0x0000555555801a11 in _php_stream_open_wrapper_ex (path=0x7ffff0a704c8 "/segfault/bootstrap/app.php", path@entry=0x7ffff0b1f888 "/segfault/tests/../bootstrap/app.php",
    mode=mode@entry=0x5555559abfe3 "rb", options=<optimised out>, opened_path=opened_path@entry=0x7fffffff99e0, context=context@entry=0x0) at ./main/streams/streams.c:2175
#2  0x00005555557e8f23 in php_stream_open_for_zend_ex (handle=0x7fffffff9d60, mode=<optimised out>) at ./main/main.c:1550
#3  0x00005555558c6945 in zend_stream_fixup (file_handle=file_handle@entry=0x7fffffff9d60, buf=buf@entry=0x7fffffff9a58, len=len@entry=0x7fffffff9a60) at ./Zend/zend_stream.c:138
#4  0x0000555555811920 in open_file_for_scanning (file_handle=0x7fffffff9d60) at ./Zend/zend_language_scanner.c:533
#5  0x0000555555811b5d in compile_file (file_handle=0x7fffffff9d60, type=8) at ./Zend/zend_language_scanner.c:646
#6  0x00007ffff12e9916 in phar_compile_file (file_handle=0x7fffffff9d60, type=8) at ./ext/phar/phar.c:3355
#7  0x0000555555811c2d in compile_filename (type=type@entry=8, filename=filename@entry=0x7ffff0b1f870) at ./Zend/zend_language_scanner.c:706
#8  0x000055555588498a in zend_include_or_eval (inc_filename_zv=<optimised out>, type=8) at ./Zend/zend_execute.c:4799
#9  0x0000555555892102 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER () at ./Zend/zend_vm_execute.h:4931
#10 0x00005555558b93b9 in execute_ex (ex=0x7fffefb95764) at ./Zend/zend_vm_execute.h:56453
#11 0x00005555558c3265 in zend_execute (op_array=0x7ffff528d000, return_value=0x0) at ./Zend/zend_vm_execute.h:60408
#12 0x0000555555850fb0 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1827
#13 0x00005555557ea7fa in php_execute_script (primary_file=primary_file@entry=0x7fffffffc490) at ./main/main.c:2542
#14 0x0000555555939c87 in do_cli (argc=2, argv=0x555555af1be0) at ./sapi/cli/php_cli.c:964
#15 0x000055555567fb46 in main (argc=2, argv=0x555555af1be0) at ./sapi/cli/php_cli.c:1333

PHP Version

PHP 8.2

Operating System

Ubuntu 22.04

[iluuu1994]

@sf-cg Hopefully #11737 should solve the issue for you. In PHP 8.1, any opened user stream wrapper would leak until the end of the request. 8.2 fixes this by closing the user stream as soon as the last resource that uses it is closed. However, it was missed that in stream_open(), which is called between fetching the user stream and creating the resource the user stream wrapper might be unregistered, releasing it too early and causing a use-after-free. That's what happened here. This is solved by increasing the refcount early.

The use-after-free goes away with this patch, however the test still fails for me. Can you verify if the behavior is correct?

[sf-cg]

@iluuu1994 that was much quicker than expected!

Once I built your branch correctly (need to make sure it had curl, mbstring, xml and with openssl for php-vcr to competely work) it passed the tests fine. If the test failed fo you it may have been due to missing one of these as it was also giving the first test and error for me without them (and not recording/reading the cassette as PHP-VCR normally would) - I probably should have added those requirements to composer so it was easier to understand.

[sf-cg]

I can also confirm using your branch of PHP works with the original project where we came across this issue.

Thanks again for the quick response and fix 👍

I'm new to this, but if this is approved and merged how long before we could get a 8.2.9 version installed without having to build it ourselves?

[iluuu1994]

@sf-cg You're welcome! We just missed RC1 of 8.2.9 but I can ask for it to be cherry-picked. It should be released somewhere in the first half of next month. How fast it is available on your distro depends on the distro, but I think it's usually not long after.