Closed
Description
The following code:

```php
<?php
class foo {
    function __destruct() {
        declare(ticks=1);
        register_tick_function(
            function() { }
        );
    }
}
$bar = new foo;
?>
```
Results in a segmentation fault of the OSS-Fuzz harnesses php-fuzz-function-jit and php-fuzz-tracing-jit. It appears that the code snippet executes fine without JIT, but crashes with the following stack trace when JIT is enabled:
```text
#0 0x55bf976bdfc4 in zend_llist_apply /src/php-src/Zend/zend_llist.c:183
#1 0x55bf976be434 in zend_llist_apply_with_argument /src/php-src/Zend/zend_llist.c:236:3
#2 0x55bf97107be3 in php_run_ticks /src/php-src/main/php_ticks.c:68:2
#3 0x55bf974e3214 in ZEND_TICKS_SPEC_HANDLER /src/php-src/Zend/zend_vm_execute.h:3154:4
#4 0x55bf973e716b in execute_ex /src/php-src/Zend/zend_vm_execute.h:58595:7
#5 0x55bf973e7ba2 in zend_execute /src/php-src/Zend/zend_vm_execute.h:64247:2
#6 0x55bf9774e0f3 in fuzzer_do_request_from_buffer /src/php-src/sapi/fuzzer/fuzzer-sapi.c:274:5
#7 0x55bf9774c92e in LLVMFuzzerTestOneInput /src/php-src/sapi/fuzzer/fuzzer-tracing-jit.c:43:3
#8 0x55bf96a1f020 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#9 0x55bf96a0a295 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#10 0x55bf96a0fd2f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#11 0x55bf96a3afd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7f271614b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#13 0x55bf96a0247d in _start (/out/php-fuzz-tracing-jit+0x80247d)
```
We discovered this crash by fuzzing using the OSS-Fuzz infrastructure. We verified the issue to exist in commit 8731c95.
PHP Version: master
Operating System: No response
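For readers unfamiliar with the mechanism the stack trace passes through (ZEND_TICKS_SPEC_HANDLER calling php_run_ticks, which walks the list of registered tick functions), the following script is an added example, not code from the bug report or from php-src. It registers a tick function from ordinary top-level code, the documented usage, rather than from a destructor as the reproducer does, counts how many ticks fire during a small workload, and unregisters the callback before shutdown. The file name tick_demo.php and the JIT settings in the trailing comments are assumptions for running it; the opcache option names are the standard ones.

```php
<?php
// Added example (not from the report or php-src): exercise PHP's tick
// mechanism in its documented form. With declare(ticks=1) in effect, the
// compiler emits a ZEND_TICKS opcode after low-level statements, and each
// such opcode runs every function registered with register_tick_function().
declare(ticks=1);

$tickCount = 0;

// Keep a handle to the closure so it can be unregistered later;
// the counter is captured by reference.
$counter = function () use (&$tickCount): void {
    $tickCount++;
};
register_tick_function($counter);

// A small workload whose statements generate ticks.
function work(int $n): int
{
    $sum = 0;
    for ($i = 0; $i < $n; $i++) {
        $sum += $i;
    }
    return $sum;
}

$result = work(10);

// Remove the callback while the script is still running normally, so no
// tick function remains registered when objects are destructed at shutdown.
unregister_tick_function($counter);

if ($tickCount < 1) {
    fwrite(STDERR, "tick function never ran\n");
    exit(1);
}
printf("work(10) = %d, ticks fired = %d\n", $result, $tickCount);

// Assumed invocations for comparing the two configurations:
//   without JIT:  php tick_demo.php
//   with JIT:     php -d opcache.enable_cli=1 -d opcache.jit_buffer_size=64M \
//                     -d opcache.jit=tracing tick_demo.php
```

The exact tick count depends on how many statements the engine ticks, so the script only checks that the callback ran at least once. Unregistering the callback before shutdown is the difference from the reproducer: there, registration happens inside __destruct, so a tick function is being added to the list at the moment the engine is already tearing objects down.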