Iterating a \Google\Protobuf\Internal\Message PHP object segfaults when using the protobuf extension · protocolbuffers/protobuf#22173

(3 comments) (1 reaction) (0 assignees)C++ (71,223 stars) (16,128 forks)batch import

help wantedphp

Description

What version of protobuf and what language are you using? Version: 4.31.1 Language: PHP

What operating system (Linux, Windows, ...) and version? Linux 6.1.0-37-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux

What runtime / compiler are you using (e.g., python version or gcc version) PHP 8.4.1 with protobuf extension 4.31.1

What did you do? Steps to reproduce the behavior:

Define a protobuf message

syntax = "proto3";

package example;

message ProtoMessage {
  string msg = 1;
}

Compile with libprotoc

$ protoc --version
libprotoc 3.21.12
$ protoc --proto_path=. --php_out=build/gen message.proto
$ tree build/gen
build/gen/
├── Example
│   └── ProtoMessage.php
└── GPBMetadata
    └── Message.php

Run this script

<?php

require 'build/gen/GPBMetadata/Message.php';
require 'build/gen/Example/ProtoMessage.php';

echo "iterating generated php class ProtoMessage\n";

$proto_msg = new \Example\ProtoMessage();
foreach ($proto_msg as $key => $value) {
    assert(false);
}

What did you expect to see The process does not emit a segv

What did you see instead? Actually the process emits a segv

$ php segv.php
iterating generated php class ProtoMessage
Segmentation fault (core dumped)

Make sure you include information that can help us debug (full error message, exception listing, stack trace, logs). gdb backtrace

(gdb) backtrace
#0  ZEND_FE_RESET_R_SPEC_CV_HANDLER () at ./Zend/zend_hash.h:317
#1  0x0000559b7e901690 in zend_vm_call_opcode_handler (ex=ex@entry=0x7fe88d214020)
    at ./Zend/zend_vm_execute.h:68448
#2  0x00007fe88d636958 in php_pcov_trace (execute_data=0x7fe88d214020)
    at /tmp/pear/temp/pcov/pcov.c:264
#3  php_pcov_execute_ex (execute_data=0x7fe88d214020) at /tmp/pear/temp/pcov/pcov.c:305
#4  0x0000559b7e900b63 in zend_execute (op_array=op_array@entry=0x7fe88d26e000, 
    return_value=return_value@entry=0x0) at ./Zend/zend_vm_execute.h:64236
#5  0x0000559b7e9681a0 in zend_execute_script (type=type@entry=8, 
    retval=retval@entry=0x0, file_handle=file_handle@entry=0x7ffd94dc1fc0)
    at ./Zend/zend.c:1934
#6  0x0000559b7e806cb5 in php_execute_script_ex (primary_file=<optimized out>, 
    retval=retval@entry=0x0) at ./main/main.c:2574
#7  0x0000559b7e806fd7 in php_execute_script (primary_file=<optimized out>)
    at ./main/main.c:2614
#8  0x0000559b7e969f2c in do_cli (argc=2, argv=0x559ba41a7480)
    at ./sapi/cli/php_cli.c:935
#9  0x0000559b7e41a879 in main (argc=2, argv=0x559ba41a7480) at ./sapi/cli/php_cli.c:1310
(gdb)

Anything else we should know about your project / environment Almost similar issue: https://github.com/protocolbuffers/protobuf/issues/7319

Contributor guide

Tech stack: phpcpp
Domain: backendapi
Issue type: bug
Difficulty: 5
Estimated time: over 1 week
Activity status: fresh
Clarity: clear
Prerequisites: PHP C extension developmentProtocol BuffersSegfault debuggingBuild protobuf from source
Newbie friendliness: 10
Research direction: Examine the protobuf PHP extension source code, specifically the implementation of the Traversable interface for messages (likely in php/protobuf.c or similar). Compare with the previous similar issue #7319 to see if the fix attempted there was incomplete. Reproduce the segfault locally with a debug build of PHP and protobuf extension to get more detailed backtrace. Consider adding a null check or proper initialization of internal iteration pointers.