Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trampoline crash on error #17216

Closed
YuanchengJiang opened this issue Dec 19, 2024 · 2 comments
Closed

Trampoline crash on error #17216

YuanchengJiang opened this issue Dec 19, 2024 · 2 comments
Labels
Bug Category: Engine Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
class TrampolineTest {
public function __call(string $name, array $arguments) {
}
}
$o = new TrampolineTest();
$callback = [$o, 'trampoline'];
$arrays = array (
array("str1", "array" => array("hello", 'world'), array(1, 2))
);
foreach($arrays as $arr1) {
}
forward_static_call_array($callback,$arr1);

Resulted in this output:

php: /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute_API.c:518: void shutdown_executor(void): Assertion `(((zend_executor_globals *) (((char*) _tsrm_ls_cache)+(executor_globals_offset)))->trampoline).common.function_name == ((void*)0) || (((zend_compiler_globals *) (((char*) _tsrm_ls_cache)+(compiler_globals_offset)))->unclean_shutdown)' failed.
Aborted (core dumped)

PHP Version

nightly

Operating System

No response
@nielsdos
Copy link
Member

Simplified:

<?php
class TrampolineTest {
    public function __call(string $name, array $arguments) {
    }
}
$o = new TrampolineTest();
$callback = [$o, 'trampoline'];
$array = ["a" => "b", 1];
forward_static_call_array($callback, $array);

@nielsdos
Copy link
Member

Probably this, but need to check better later:

diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 9ebc15f3a43..8b3d2618112 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -884,7 +884,11 @@ zend_result zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_
 						ZEND_CALL_NUM_ARGS(call) = i;
 cleanup_args:
 						zend_vm_stack_free_args(call);
+						if (ZEND_CALL_INFO(call) & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS) {
+							zend_free_extra_named_params(call->extra_named_params);
+						}
 						zend_vm_stack_free_call_frame(call);
+						zend_release_fcall_info_cache(fci_cache);
 						return SUCCESS;
 					}
 				}

@nielsdos nielsdos changed the title Assertion failure Zend/zend_execute_API.c:518 Trampoline crash on error Dec 19, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 19, 2024
@nielsdos
Fix phpGH-17216: Trampoline crash on error
3bde646 
The error handling is incomplete on argument cleanup.
1. The fci is not cleared which means that zend_free_trampoline() is
   never called.
2. The cleaning for extra named arguments was missing, resulting in
   memory leak.
@nielsdos nielsdos linked a pull request Dec 19, 2024 that will close this issue
Fix GH-17216: Trampoline crash on error #17219
Closed
nielsdos added a commit that referenced this issue Dec 20, 2024
@nielsdos
Merge branch 'PHP-8.3' into PHP-8.4
6274327 
* PHP-8.3:
  Fix GH-17216: Trampoline crash on error
nielsdos added a commit that referenced this issue Dec 20, 2024
@nielsdos
Merge branch 'PHP-8.4'
afc1f0d 
* PHP-8.4:
  Fix GH-17216: Trampoline crash on error
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Category: Engine Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-17216: Trampoline crash on error nielsdos/php-src
2 participants
@nielsdos @YuanchengJiang