Segmentation fault: some combination of array operations, first-class callable, exception handler and autoloader

[schlndh]

Description

The following code:

<?php
set_exception_handler(function (\Throwable $e) {
    new NonExistentClass();
});

function foo(string $key): string
{
    throw new \Exception('asdas');
}

$validKeys = array_keys(
    array_filter(
        [
            'a' => 'b',
        ],
    ),
);

$result = array_filter(
    array_combine(
        $validKeys,
        array_map(foo(...), $validKeys),
    ),
);

results in segmentation fault (https://3v4l.org/ZoXRO). This example is as minimal as I was able to get. Here are some random things that fix the segmentation fault (any one of these is enough):

• Changing foo(...) to 'foo'.
• Removing either of the array_filters (i.e. replace it with its argument).
• Removing the array_combine (i.e. replace it with the array_map).
• Not loading the NonExistentClass in the exception handler (the point of the NonExistentClass is to call the autoloader, if the instantiated class is already loaded, then the segfault doesn't happen either).

Here is a backtrace:

(gdb) bt
#0  zend_mm_alloc_small (bin_num=6, heap=0x701fcc600040) at /usr/src/debug/php/php-8.3.6/Zend/zend_alloc.c:1312
#1  _emalloc_56 () at /usr/src/debug/php/php-8.3.6/Zend/zend_alloc.c:2542
#2  _zend_new_array_0 () at /usr/src/debug/php/php-8.3.6/Zend/zend_hash.c:284
#3  0x0000592f9ecfb8b9 in zend_fetch_debug_backtrace (return_value=0x7ffdf7951bf0, skip_last=<optimized out>, options=2, limit=0)
    at /usr/src/debug/php/php-8.3.6/Zend/zend_builtin_functions.c:1781
#4  0x0000592f9ed6357c in zend_default_exception_new (class_type=0x592fa0e8fb90) at /usr/src/debug/php/php-8.3.6/Zend/zend_exceptions.c:265
#5  0x0000592f9ece188c in _object_and_properties_init (properties=0x0, class_type=0x592fa0e8fb90, arg=0x7ffdf7951ca8) at /usr/src/debug/php/php-8.3.6/Zend/zend_API.c:1781
#6  object_init_ex (arg=0x7ffdf7951ca8, class_type=0x592fa0e8fb90) at /usr/src/debug/php/php-8.3.6/Zend/zend_API.c:1795
#7  0x0000592f9ea3ced0 in zend_throw_exception_zstr (exception_ce=exception_ce@entry=0x592fa0e8fb90, message=message@entry=0x701fcc66f100, code=code@entry=0)
    at /usr/src/debug/php/php-8.3.6/Zend/zend_exceptions.c:828
#8  0x0000592f9ea3cfe6 in zend_throw_exception (exception_ce=0x592fa0e8fb90, message=<optimized out>, code=0) at /usr/src/debug/php/php-8.3.6/Zend/zend_exceptions.c:848
#9  0x0000592f9ea2cbed in zend_throw_error (exception_ce=0x592fa0e8fb90, format=<optimized out>) at /usr/src/debug/php/php-8.3.6/Zend/zend.c:1733
#10 0x0000592f9ea46e8c in zend_throw_or_error.constprop.0 (fetch_type=512, exception_ce=0x0, format=<optimized out>, exception_ce=0x0)
    at /usr/src/debug/php/php-8.3.6/Zend/zend_execute_API.c:241
#11 0x0000592f9ea36116 in zend_fetch_class_by_name (fetch_type=512, key=<optimized out>, class_name=0x701fcc602210) at /usr/src/debug/php/php-8.3.6/Zend/zend_execute_API.c:1729
#12 ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (execute_data=0x701fcc613020) at /usr/src/debug/php/php-8.3.6/Zend/zend_vm_execute.h:10519
#13 0x0000592f9ed55658 in execute_ex (ex=<optimized out>) at /usr/src/debug/php/php-8.3.6/Zend/zend_vm_execute.h:57007
#14 0x0000592f9eccb9ae in zend_call_function (fci=fci@entry=0x7ffdf7952040, fci_cache=<optimized out>, fci_cache@entry=0x0) at /usr/src/debug/php/php-8.3.6/Zend/zend_execute_API.c:957
#15 0x0000592f9eccbced in _call_user_function_impl (object=<optimized out>, function_name=<optimized out>, retval_ptr=<optimized out>, param_count=<optimized out>, params=<optimized out>, 
    named_params=<optimized out>) at /usr/src/debug/php/php-8.3.6/Zend/zend_execute_API.c:753
#16 0x0000592f9ea2ca1b in zend_user_exception_handler () at /usr/src/debug/php/php-8.3.6/Zend/zend.c:1847
#17 0x0000592f9ea2d12a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php/php-8.3.6/Zend/zend.c:1895
#18 0x0000592f9ec69586 in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php/php-8.3.6/main/main.c:2507
#19 0x0000592f9edc9f19 in do_cli (argc=2, argv=0x592fa0d8ed20) at /usr/src/debug/php/php-8.3.6/sapi/cli/php_cli.c:966
#20 0x0000592f9ea48b10 in main (argc=2, argv=<optimized out>) at /usr/src/debug/php/php-8.3.6/sapi/cli/php_cli.c:1340

Since exception handler and autoloader are involved, I suspect that it might be the same/similar issue as https://bugs.php.net/bug.php?id=81580

PHP Version

PHP 8.3.6

Operating System

Archlinux

[iluuu1994]

Thank for the report. I can verify this.

Details

=================================================================
==2248204==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000032720 at pc 0x0000019641f1 bp 0x7ffe422b2a90 sp 0x7ffe422b2a88
READ of size 4 at 0x606000032720 thread T0
    #0 0x19641f0 in zend_gc_delref /home/ilutov/Developer/php-src/Zend/zend_types.h:1342
    #1 0x196477c in zval_delref_p /home/ilutov/Developer/php-src/Zend/zend_types.h:1378
    #2 0x1966cc4 in zval_ptr_dtor_nogc /home/ilutov/Developer/php-src/Zend/zend_variables.h:35
    #3 0x196ba82 in zend_vm_stack_free_args /home/ilutov/Developer/php-src/Zend/zend_execute.h:324
    #4 0x199e5c2 in cleanup_unfinished_calls /home/ilutov/Developer/php-src/Zend/zend_execute.c:4444
    #5 0x19dbd1e in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:3267
    #6 0x1c5048e in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:57509
    #7 0x1c6ce36 in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:62776
    #8 0x189ac5b in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1896
    #9 0x1621bbe in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2507
    #10 0x16220ed in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2547
    #11 0x200e947 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:966
    #12 0x20110f5 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1340
    #13 0x7f045a846149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #14 0x7f045a84620a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #15 0x603fd4 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x603fd4) (BuildId: 33956ec3b9032ba6af5216d19397f7513580e143)

0x606000032720 is located 0 bytes inside of 56-byte region [0x606000032720,0x606000032758)
freed by thread T0 here:
    #0 0x7f045b4d7fb8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fb8) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599)
    #1 0x17836c8 in __zend_free /home/ilutov/Developer/php-src/Zend/zend_alloc.c:3109
    #2 0x177efdb in _efree /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2590
    #3 0x190f38e in zend_array_destroy /home/ilutov/Developer/php-src/Zend/zend_hash.c:1861
    #4 0x1889152 in rc_dtor_func /home/ilutov/Developer/php-src/Zend/zend_variables.c:57
    #5 0x1966d1b in zval_ptr_dtor_nogc /home/ilutov/Developer/php-src/Zend/zend_variables.h:36
    #6 0x196ba82 in zend_vm_stack_free_args /home/ilutov/Developer/php-src/Zend/zend_execute.h:324
    #7 0x19b9aab in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:1365
    #8 0x1c4f8f6 in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:57369
    #9 0x1c6ce36 in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:62776
    #10 0x189ac5b in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1896
    #11 0x1621bbe in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2507
    #12 0x16220ed in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2547
    #13 0x200e947 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:966
    #14 0x20110f5 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1340
    #15 0x7f045a846149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #16 0x7f045a84620a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #17 0x603fd4 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x603fd4) (BuildId: 33956ec3b9032ba6af5216d19397f7513580e143)

previously allocated by thread T0 here:
    #0 0x7f045b4d92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 2b657470ea196ba4342e3bd8a3cc138b1e200599)
    #1 0x1783576 in __zend_malloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:3081
    #2 0x177ee9c in _emalloc /home/ilutov/Developer/php-src/Zend/zend_alloc.c:2580
    #3 0x18f49e5 in _zend_new_array /home/ilutov/Developer/php-src/Zend/zend_hash.c:291
    #4 0x131fc12 in zif_array_filter /home/ilutov/Developer/php-src/ext/standard/array.c:6522
    #5 0x19b960a in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:1349
    #6 0x1c4f8f6 in execute_ex /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:57369
    #7 0x1c6ce36 in zend_execute /home/ilutov/Developer/php-src/Zend/zend_vm_execute.h:62776
    #8 0x189ac5b in zend_execute_script /home/ilutov/Developer/php-src/Zend/zend.c:1896
    #9 0x1621bbe in php_execute_script_ex /home/ilutov/Developer/php-src/main/main.c:2507
    #10 0x16220ed in php_execute_script /home/ilutov/Developer/php-src/main/main.c:2547
    #11 0x200e947 in do_cli /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:966
    #12 0x20110f5 in main /home/ilutov/Developer/php-src/sapi/cli/php_cli.c:1340
    #13 0x7f045a846149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #14 0x7f045a84620a in __libc_start_main_impl (/lib64/libc.so.6+0x2820a) (BuildId: e0b579ca7024cf12a2686b60cf49d1d9e3ff6273)
    #15 0x603fd4 in _start (/home/ilutov/Developer/php-src/sapi/cli/php+0x603fd4) (BuildId: 33956ec3b9032ba6af5216d19397f7513580e143)

SUMMARY: AddressSanitizer: heap-use-after-free /home/ilutov/Developer/php-src/Zend/zend_types.h:1342 in zend_gc_delref
Shadow bytes around the buggy address:
  0x606000032480: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x606000032500: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x606000032580: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x606000032600: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x606000032680: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x606000032700: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
  0x606000032780: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x606000032800: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x606000032880: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x606000032900: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x606000032980: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2248204==ABORTING

[iluuu1994]

cleanup_unfinished_calls is missing handling for ZEND_CALLABLE_CONVERT. I'll create a PR shortly.