PHP7 segmentation fault with references

[redcapital]

Segfault when using PHP references. This is the test case which I tried to reduce as much as possible:

$ cat reftest.php
<?
$bad = unserialize('a:4:{i:1;a:1:{s:10:"verylongid";s:1:"1";}i:10;a:1:{s:10:"verylongid";s:2:"10";}i:16;a:1:{s:10:"verylongid";s:2:"16";}i:0;a:1:{s:8:"children";a:3:{i:16;R:6;i:10;R:4;i:1;R:2;}}}');
$p = msgpack_pack($bad);
$unpacked = msgpack_unpack($p);

$ php reftest.php
Segmentation fault
$ php --version
PHP 7.0.7-5~wheezy (cli) ( NTS )

Works in PHP 5.4 and possibly in any other PHP 5

[Sean-Der]

Hey @redcapital

This is AWESOME I had some other people submit a bug that is probably the same, but couldn't get to the bottom of it because the cases were large (I couldn't get them smaller and reproduce either)

I will look at this tonight after work. thanks

[mente]

@Sean-Der have you forgot about it?

[NanneHuiges]

Here is some extra test data. I pulled it out of the unserialize for some clarity:

$bad2 = array (
    1 =>
        array (
            'a' => 'x',
        ),
    30 =>
        array (
            'b' => 'y',
        ),
    2 =>
        array (
            'c' => 'z',
        ),
);

$bad2[0]['children'][2] = &$bad2[1];
$p = msgpack_pack($bad2);
$unpacked = msgpack_unpack($p);

this wil segfault in php7, but not in php5.5:

PHP 5.5.9-1ubuntu4.20 (cli) (built: Oct 3 2016 13:00:37)

works

PHP 7.0.12-1+deb.sury.org~xenial+1 (cli) ( NTS )

segmentation fault

Strange thing is, there are a lot of ways to have it not-segfault, for instance:

$bad2 = array (
    1 =>
        array (
            'a' => 'x',
        ),
    2 =>
        array (
            'b' => 'y',
        ),
    30 =>
        array (
            'c' => 'z',
        ),
);

$bad2[0]['children'][2] = &$bad2[1];
$p = msgpack_pack($bad2);
$unpacked = msgpack_unpack($p);

This works in all versions.

[Sean-Der]

Hey @redcapital @mente @NanneHuiges sorry this got dropped, I don't work on PHP daily so hard to find time.

The good news is that @sodabrew contributed a patch that fixes this! Would you mind trying master? The example data in the first comment doesn't cause a segfault anymore.

[NanneHuiges]

cool! Do you mean the commit by @mheijkoop above? Because I know for sure that it fixes my issue as she made it specifically for the same core-problem we had! :D

We're currently running our own compiled version with that patch ( https://github.com/msgpack/msgpack-php/commit/e93208843dbd7d07e8009e496b218f039f78e5d2 ) and it is performing very well for us.

[Sean-Der]

Yep! My mistake it was @mheijkoop who fixed it, I was trying to close tickets quickly last night and just grabbing anything that worked out of my clipring

[NanneHuiges]

:+1: then this is considered fixed for us