SEGV Zend/zend_execute.c #18037

YuanchengJiang · 2025-03-13T06:30:34Z

Description

The following code:

<?php
require __DIR__ . '/test_utils.inc';
$dom = DOM\XMLDocument::createFromString(<<<XML
<container>
</container>
XML);
test_helper($dom, '.only-of-type3 p:only-of-type');

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.c:2459:3: runtime error: member access within misaligned address 0x000042119bc9 for type 'zval' (aka 'struct _zval_struct'), which requires 8 byte alignment
0x000042119bc9: note: pointer points here
 00 00 00  d0 6c d0 04 00 00 00 00  60 00 00 00 01 00 00 00  50 00 00 00 00 00 00 00  1d 00 00 00 42
              ^ 
    #0 0x51965f6 in zend_invalid_method_call /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.c:2459:3
    #1 0x4e4f2f4 in ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:44884:5
LLVMSymbolizer: error reading file: No such file or directory
    #2 0x48e6fd6b  (/dev/zero (deleted)+0x8000d6b)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.c:2459:3 in

To reproduce:

./php-src/sapi/cli/php  -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "opcache.jit=1201" -d "opcache.enable_cli=1" ./test.php

Commit:

cd586623b65c86b423883eda20411634e49084ba

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

cd58662

Operating System

No response

The text was updated successfully, but these errors were encountered:

A frameless icall with 3 arguments is a special case because it uses OP_DATA, but this was not added to the list, so the opline pointed to the wrong address resulting in UBSAN report or crash.

* PHP-8.4: Fix GH-18037: SEGV Zend/zend_execute.c

YuanchengJiang added Bug Status: Needs Triage labels Mar 13, 2025

devnexen added Category: JIT Category: Engine Extension: opcache Status: Verified and removed Status: Needs Triage labels Mar 13, 2025

Girgias assigned nielsdos Mar 13, 2025

nielsdos linked a pull request Mar 13, 2025 that will close this issue

Fix GH-18037: SEGV Zend/zend_execute.c #18048

Closed

nielsdos closed this as completed in 4139381 Mar 13, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SEGV Zend/zend_execute.c #18037

SEGV Zend/zend_execute.c #18037

YuanchengJiang commented Mar 13, 2025

SEGV Zend/zend_execute.c #18037

SEGV Zend/zend_execute.c #18037

Comments

YuanchengJiang commented Mar 13, 2025

Description

PHP Version

Operating System