PCOV causes segmentation fault during memory overflow.

[porthorian]

Description

The following code:

<?php declare(strict_types=1);

////
// Execute the bug
////
main();


////
// Minimum Viable Bug
////

interface SessionCookieInterface
{
}

interface SessionRepositoryInterface
{
}

class SessionFactory
{
	public function createSession(string $session_name, ?SessionCookieInterface $cookie = null, ?SessionRepositoryInterface $repo = null) : SessionInterface
	{
		if ($cookie === null)
		{
			$cookie = self::generateDefaultSession();
		}

		return (new Session())
			->withName($session_name)
			->withCookieParams($cookie);
	}

	public static function generateDefaultSession() : SessionInterface
	{
		return (new SessionFactory())->createSession('test1234');
	}
}

class Session
{
	private string $name = 'SID';
	private SessionCookieInterface $cookie;

	public function withName(string $session_name) : self
	{
		$new = clone $this;
		$new->name = $session_name;

		return $new;
	}

	public function withCookieParams(SessionCookieInterface $cookie) : self
	{
		$new = clone $this;
		$new->cookie = $cookie;

		return $new;
	}
}

function main()
{
	$session = (new SessionFactory())->createSession('test1234');
}

Resulted in this output:

Output of script

root@175dab3f7cb7:/home/app/src/Session# php test_segmentation.php
Segmentation fault (core dumped)
root@175dab3f7cb7:/home/app/src/Session# 

===========Core Dump information=========
[vmarone@vinnielab: ~/projects/aiur/aiur-api]$ gdb /usr/bin/php /tmp/coredump-php.741983
GNU gdb (GDB) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/php...
(No debugging symbols found in /usr/bin/php)
[New LWP 741983]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `php src/Session/test_segmentation.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f2bc2a796bb in php_pcov_execute_ex () from /usr/lib/php/modules/pcov.so
(gdb) q
[vmarone@vinnielab: ~/projects/aiur/aiur-api]$

=========LOGS========

aiur_php    | [27-Sep-2022 19:43:08] WARNING: [pool www] child 8 exited on signal 11 (SIGSEGV - core dumped) after 3.834072 seconds from start
aiur_php    | [27-Sep-2022 19:43:08] NOTICE: [pool www] child 10 started
aiur_php    | [27-Sep-2022 19:43:38] WARNING: [pool www] child 9 exited on signal 11 (SIGSEGV - core dumped) after 33.987749 seconds from start
aiur_php    | [27-Sep-2022 19:43:38] NOTICE: [pool www] child 11 started
aiur_php    | 172.31.0.5 -  27/Sep/2022:19:44:01 +0000 "POST /index.php" 200
aiur_php    | [27-Sep-2022 19:44:44] ALERT: oops, unknown child (22) exited with code 0. Please open a bug report (https://github.com/php/php-src/issues).
aiur_php    | [27-Sep-2022 19:44:56] WARNING: [pool www] child 11 exited on signal 11 (SIGSEGV - core dumped) after 78.615515 seconds from start
aiur_php    | [27-Sep-2022 19:44:56] NOTICE: [pool www] child 27 started
aiur_php    | [27-Sep-2022 19:45:41] WARNING: [pool www] child 10 exited on signal 11 (SIGSEGV - core dumped) after 153.733791 seconds from start
aiur_php    | [27-Sep-2022 19:45:41] NOTICE: [pool www] child 28 started
aiur_php    | [27-Sep-2022 19:45:49] WARNING: [pool www] child 27 exited on signal 11 (SIGSEGV - core dumped) after 52.722584 seconds from start
aiur_php    | [27-Sep-2022 19:45:49] NOTICE: [pool www] child 29 started
aiur_php    | [27-Sep-2022 19:45:59] WARNING: [pool www] child 28 exited on signal 11 (SIGSEGV - core dumped) after 17.311002 seconds from start
aiur_php    | [27-Sep-2022 19:45:59] NOTICE: [pool www] child 30 started
aiur_php    | [27-Sep-2022 19:47:00] ALERT: oops, unknown child (42) exited with code 0. Please open a bug report (https://github.com/php/php-src/issues).
aiur_php    | [27-Sep-2022 19:47:17] ALERT: oops, unknown child (57) exited with code 0. Please open a bug report (https://github.com/php/php-src/issues).
aiur_php    | [27-Sep-2022 19:48:19] ALERT: oops, unknown child (72) exited with code 0. Please open a bug report (https://github.com/php/php-src/issues).
aiur_php    | [27-Sep-2022 19:48:48] ALERT: oops, unknown child (87) exited with code 0. Please open a bug report (https://github.com/php/php-src/issues).

But I expected this output instead:

The expected output should of probably been some sort of fatal exception, not crash the entire php-fpm child.

Something like this.

[vmarone@vinnielab: ~/projects/aiur/aiur-api]$ php src/Session/test_segmentation.php
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /home/vmarone/projects/aiur/aiur-api/src/Session/test_segmentation.php on line 37
[vmarone@vinnielab: ~/projects/aiur/aiur-api]$

PHP Version

8.1.9

Operating System

Linux 175dab3f7cb7 5.19.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 05 Sep 2022 18:09:09 +0000 x86_64 GNU/Linux

[porthorian]

The bug was originally opened up at php/php-src#9623