
Dom\TokenList issues with interned string replace #17201

Closed
YuanchengJiang opened this issue Dec 17, 2024 · 1 comment

Comments

@YuanchengJiang

Description

The following code:

```php
<?php
$dom = DOM\XMLDocument::createFromString('<root class="A B C"/>');
$element = $dom->documentElement;
$list = $element->classList;
// 'AA' is a compile-time string literal, i.e. an interned string; the
// bucket that previously held the non-interned token "A" now points at it
$list->replace('A', 'AA');
$fusion = $list;
require(__DIR__ . "/run_bcmath_tests_function.inc");
$exponents = ["252", "-112"];
$baseNumbers = array_merge($exponents, [
]);
// the helper ends up iterating over $fusion; copying a token out of the
// list (foreach) is what triggers the crash shown below
run_bcmath_tests($baseNumbers, $fusion, "**", bcpow(...));
```

you need: run_bcmath_tests_function.inc

Resulted in this output:

```text
Number "252" (scale 0)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1257793==ERROR: AddressSanitizer: SEGV on unknown address 0x000040fc5f58 (pc 0x000003f51e0a bp 0x7fffc34e07f0 sp 0x7fffc34e07d0 T0)
==1257793==The signal is caused by a WRITE memory access.
    #0 0x3f51e0a in zend_gc_addref /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1330:9
    #1 0x469be7f in zval_addref_p /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1379:9
    #2 0x46b88a0 in zend_copy_to_variable /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.h:150:4
    #3 0x46b8040 in zend_assign_to_variable /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_execute.h:184:2
    #4 0x46f2621 in zend_fe_fetch_object_helper_SPEC /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:3006:3
    #5 0x42f86ae in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:23013:3
    #6 0x3f826f7 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #7 0x3f8497c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #8 0x4d1b689 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #9 0x352fd9a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #10 0x3530ed8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #11 0x4d2f99a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #12 0x4d29e7f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #13 0x7f8b43fa1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f8b43fa1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:1330:9 in zend_gc_addref
==1257793==ABORTING
```

To reproduce:

```text
-d "opcache.protect_memory=1" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "opcache.enable_cli=1"
```

PHP Version

nightly

Operating System

No response

@nielsdos
Member

nielsdos commented Dec 17, 2024

Looks related to #17196 EDIT: nope
I'll look later today

@nielsdos nielsdos self-assigned this Dec 17, 2024
@nielsdos nielsdos changed the title Segmentation fault Zend/zend_types.h:1330:9 in zend_gc_addref Dom\TokenList issues with interned string replace Dec 17, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Dec 17, 2024
If a bucket previously had a non-interned string, and is now replaced
with an interned string, then the type flags still incorrectly state
it's a non-interned string. This leads to the refcount being edited for
interned strings, which in turn can lead to a crash when protect_memory
is set.
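The stale-flag mechanism that commit message describes, as an added toy model in C (not php-src code; `zstr`, `bucket` and `TYPE_FLAG_REFCOUNTED` are stand-ins for zend_string, a hash bucket's zval and its `IS_TYPE_REFCOUNTED` type flag). With opcache.protect_memory=1 interned strings sit in read-only pages, so the refcount write the model reports as -1 is the SEGV in the trace above.

```c
#include <stdbool.h>
#include <stdint.h>

/* A string is either heap-allocated and refcounted, or interned: shared,
 * immutable, and never to be written (under protect_memory it is in a
 * read-only page). */
typedef struct {
    uint32_t refcount;
    bool interned;
    const char *val;
} zstr;

#define TYPE_FLAG_REFCOUNTED 1u  /* stand-in for IS_TYPE_REFCOUNTED */

typedef struct {
    zstr *str;
    uint32_t type_flags;         /* must describe *str; going stale is the bug */
} bucket;

/* Copying the bucket's value out (what foreach over the TokenList does)
 * bumps the refcount when the flags say the payload is refcounted.
 * Returns the new refcount, 0 if the flags say "not refcounted", or -1
 * when the flags made us write into an interned string. */
static int bucket_addref(bucket *b) {
    if (!(b->type_flags & TYPE_FLAG_REFCOUNTED)) return 0;
    if (b->str->interned) return -1;
    return (int)++b->str->refcount;
}

/* Buggy replace: swaps the payload but leaves the old flags in place. */
static void replace_buggy(bucket *b, zstr *repl) {
    b->str = repl;
}

/* Fixed replace: recompute the flags from the payload now stored. */
static void replace_fixed(bucket *b, zstr *repl) {
    b->str = repl;
    b->type_flags = repl->interned ? 0 : TYPE_FLAG_REFCOUNTED;
}

/* Constructed scenario mirroring the reproducer: a bucket holding the
 * heap token "A" is replaced by the interned literal "AA", then copied. */
static int replace_then_addref(bool fixed) {
    zstr heap = { 1, false, "A" };
    zstr interned = { 1, true, "AA" };
    bucket b = { &heap, TYPE_FLAG_REFCOUNTED };
    if (fixed) replace_fixed(&b, &interned);
    else replace_buggy(&b, &interned);
    return bucket_addref(&b);   /* buggy: -1 (bad write); fixed: 0 */
}
```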
nielsdos added a commit that referenced this issue Dec 17, 2024
* PHP-8.4:
  Fix GH-17201: Dom\TokenList issues with interned string replace