Fixed bug #81430 Check if runtime cache pointer is NULL before dereferencing #7665
Conversation
rioderelfte
changed the title
| @@ -229,6 +229,7 @@ ZEND_API void ZEND_FASTCALL zend_observer_fcall_end( | |||
| zend_execute_data *ex = execute_data->prev_execute_data; | |||
| while (ex && (!ex->func || ex->func->type == ZEND_INTERNAL_FUNCTION | |||
| || !ZEND_OBSERVABLE_FN(ex->func->common.fn_flags) | |||
| || !&RUN_TIME_CACHE(&ex->func->op_array) | |||
There was a problem hiding this comment.
We thought alternatively to make sure the dummy execute_data created in call_attribute_constructor (ext/reflection/php_refleciton.c) should do what zend_get_call_trampoline_func does, but we didn't manage to replicate this:
ZEND_MAP_PTR_INIT(func->run_time_cache, (void***)&dummy);
|
This looks like a partial fix to me. But we can merge this specific fix already I think. As far as I had diagnosed back then, the dummy frame is stack-allocated - data on a stack which may have been overwritten by the time zend_observer_fcall_end is executed. (i.e. the attributes ctor frame is not within the active stack at that point in time, if it bailed out somewhere within attribute construction.) |
Check if the runtime cache pointer is NULL before dereferencing it.
zend_observer_fcall_end_all accesses a dangling pointer when the execute_data was allocated on the stack.
rioderelfte
force-pushed
the
fix/81430
branch
from
43abc8f to
a8aa2e4
Compare
|
Thanks for your feedback! I think those are two different problems. This PR fixes the problem the issue that the runtime cache of the dummy frame is null. I think this issue was introduced by 12b0f1b. The other issue is that accessing stack allocated frames inside Lines 1783 to 1786 in 4c171ed From my understanding the reflection dummy frame is not the only place where frames are stack allocated. I don't think accessing the frames in the
I am happy to try to implement one of these fixes. My preferred fix would be number four. What do you think about this? But since I think these are two separat issues and this one is a regression while the other is not, I would like to ask you to merge this PR while I try to fix the other issue as well. |
|
For clarification: This fixes a real live crash in our extension which was introduced by PHP 8.0.12. That's why I would like to get this merged before the 8.0.14 release. |
What we missed. Sorry. Anyhow, the fix looks good to me; if there are no objections, I'll merge it on Monday. |
|
@cmb69 thabk you! |
|
Oh, just noticed that the test is apparently failing, but the logs are no longer available, and for some reason triggering a re-run does not work. So I'm closing and re-opening to trigger the test runs again. |
Ah, I missed that. However, the test appears to have failed due to the hard-coded memory limit in the error message; replacing that with I'm going ahead and commit the null check with the first test only. Any further issues can still be addressed later, if necessary. |
|
@cmb69 IIRC the second test was largely "luck" dependent, depending on whether the memory it points to is containing a valid pointer or such. |
|
@bwoebi, ah, thanks for clarifying. So the test is somewhat useless anyway. |
|
I have reverted the commit, since it broke PHP-8.1 and master, and according to @dstogov, "the real problem is the improper call frame construction in ext/reflection". |
Check if the runtime cache pointer is NULL before dereferencing it.