PHP :: Bug #70111 :: Segfault when a function uses both an explicit return type and an explicit cast

Bug #70111	Segfault when a function uses both an explicit return type and an explicit cast
Submitted:	2015-07-22 10:31 UTC	Modified:	2015-07-22 19:59 UTC
From:	malte dot skoruppa at gmail dot com	Assigned:	laruence (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.0Git-2015-07-22 (Git)	OS:	Ubuntu 14.04 LTS
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-07-22 10:31 UTC] malte dot skoruppa at gmail dot com

Description:
------------
When a function both
* specifies an explicit return type
* AND uses an explicit cast of the return value,
then the PHP interpreter segfaults non-deterministically with high probability.

To reproduce, execute the following script with the PHP interpreter several times in a row. Sometimes it works, sometimes it segfaults.


Test script:
---------------
<?php

foo();

function foo() : string {
  return (string) 42;
}


Expected result:
----------------
PHP interpreter should not crash, no matter how many times the script is run.


Actual result:
--------------
The PHP interpreter segfaults when running this script. Not always, but very often:

$ php crash.php
Segmentation fault (core dumped)


gdb backtrace:

Core was generated by `php crash.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000000000888c20 in execute_ex (ex=0x7fa8daa14030) at /home/malte/php7/php-src/Zend/zend_vm_execute.h:406
#2  0x0000000000888d32 in zend_execute (op_array=0x7fa8daa75100, return_value=0x0) at /home/malte/php7/php-src/Zend/zend_vm_execute.h:450
#3  0x000000000082ee86 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/malte/php7/php-src/Zend/zend.c:1399
#4  0x000000000079aefc in php_execute_script (primary_file=0x7ffdb976c850) at /home/malte/php7/php-src/main/main.c:2475
#5  0x00000000008ec6ac in do_cli (argc=2, argv=0x2f6b0e0) at /home/malte/php7/php-src/sapi/cli/php_cli.c:971
#6  0x00000000008ed870 in main (argc=2, argv=0x2f6b0e0) at /home/malte/php7/php-src/sapi/cli/php_cli.c:1338

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-07-22 11:30 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2015-07-22 11:30 UTC] laruence@php.net

this is an opcache issue...

[2015-07-22 14:48 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)

[2015-07-22 14:48 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2015-07-22 19:59 UTC] malte dot skoruppa at gmail dot com

Great! That was incredibly fast. :)

Please note that the bug did not happen everytime (especially the first 1-2 times when executing the script), so the test case you added might randomly pass even if the bug reappears. Is there a facility to run the regresstion test more than once?

[2015-08-04 20:54 UTC] ab@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)

[2016-07-20 11:37 UTC] davey@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 07:00:01 2025 UTC