Bug #73654 Segmentation fault in zend_call_function
Submitted: 2016-12-05 13:58 UTC Modified: 2016-12-05 18:20 UTC
From: tom60 at op dot pl Assigned:
Status: Closed Package: opcache
PHP Version: 7.1.0 OS: Debian Jessie 64 bit
Private report: No CVE-ID: None
 [2016-12-05 13:58 UTC] tom60 at op dot pl
Description:
------------
Upgrading from PHP 7.0.13 to PHP 7.1.0 we started seeing the following segmentation fault.

Actual result:
--------------
Reading symbols from /opt/apache2/sbin/apache2...done.
[New LWP 6800]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/apache2/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
429                     ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) bt
#0  execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#1  0x00007f76565752f7 in zend_call_function (fci=0x7f7650813700, fci@entry=0x7fff1ea11720, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea116f0)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#2  0x00007f76565a0e80 in zend_call_method (object=object@entry=0x7f7650813100, obj_ce=<optimized out>, obj_ce@entry=0x7f763d1c7e40, fn_proxy=fn_proxy@entry=0x7f763d1c7f70, 
    function_name=function_name@entry=0x7f7656b60f61 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff1ea117c0, param_count=0, 
    arg1=0x0, arg2=0x0) at /src/php-7.1.0/Zend/zend_interfaces.c:101
#3  0x00007f76565bbadd in zend_std_cast_object_tostring (readobj=0x7f7650813100, writeobj=0x7fff1ea11820, type=<optimized out>)
    at /src/php-7.1.0/Zend/zend_object_handlers.c:1631
#4  0x00007f7656585d84 in zend_parse_arg_str_weak (arg=arg@entry=0x7f7650813100, dest=dest@entry=0x7fff1ea11868)
    at /src/php-7.1.0/Zend/zend_API.c:457
#5  0x00007f76565daf9d in zend_verify_weak_scalar_type_hint (arg=0x7f7650813100, type_hint=<optimized out>) at /src/php-7.1.0/Zend/zend_execute.c:782
#6  zend_verify_scalar_type_hint (type_hint=<optimized out>, arg=arg@entry=0x7f7650813100, strict=<optimized out>)
    at /src/php-7.1.0/Zend/zend_execute.c:803
#7  0x00007f76565db223 in zend_check_type (is_return_type=1 '\001', default_value=0x0, cache_slot=<optimized out>, ce=<synthetic pointer>, arg=0x7f7650813100, 
    arg_info=<optimized out>, zf=0x7f763d451c38) at /src/php-7.1.0/Zend/zend_execute.c:936
#8  zend_verify_return_type (cache_slot=<optimized out>, ret=0x7f7650813100, zf=0x7f763d451c38) at /src/php-7.1.0/Zend/zend_execute.c:1063
#9  ZEND_VERIFY_RETURN_TYPE_SPEC_VAR_UNUSED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:21869
#10 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#11 0x00007f76565752f7 in zend_call_function (fci=0x7f7650813050, fci@entry=0x7fff1ea11a20, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea119f0)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#12 0x00007f765648bb3f in zif_call_user_func (execute_data=<optimized out>, return_value=0x7f76508118e0)
    at /src/php-7.1.0/ext/standard/basic_functions.c:4825
#13 0x00007f7656622932 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:876
#14 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#15 0x00007f76565752f7 in zend_call_function (fci=0x7f7650811860, fci@entry=0x7fff1ea11c30, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea11c00)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#16 0x00007f765648bb3f in zif_call_user_func (execute_data=<optimized out>, return_value=0x7f7650811680)
    at /src/php-7.1.0/ext/standard/basic_functions.c:4825
#17 0x00007f7656622932 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:876
#18 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#19 0x00007f76566257b0 in zend_execute (op_array=0x7f7650868000, op_array@entry=0x7f7641a815a0, return_value=return_value@entry=0x7f76508115e0)
    at /src/php-7.1.0/Zend/zend_vm_execute.h:474
#20 0x00007f7656583f14 in zend_execute_scripts (type=type@entry=8, retval=0x7f76508115e0, retval@entry=0x0, file_count=file_count@entry=3)
    at /src/php-7.1.0/Zend/zend.c:1474
#21 0x00007f76565245c0 in php_execute_script (primary_file=primary_file@entry=0x7fff1ea14110) at /src/php-7.1.0/main/main.c:2533
#22 0x00007f765662761a in php_handler (r=<optimized out>) at /src/php-7.1.0/sapi/apache2handler/sapi_apache2.c:712
#23 0x000055875f79e2f0 in ap_run_handler (r=r@entry=0x558761288f98) at config.c:170
#24 0x000055875f79e839 in ap_invoke_handler (r=r@entry=0x558761288f98) at config.c:434
#25 0x000055875f7be79c in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:730
#26 0x000055875f816f92 in handler_redirect (r=0x558761297370) at mod_rewrite.c:5184
#27 0x000055875f79e2f0 in ap_run_handler (r=r@entry=0x558761297370) at config.c:170
#28 0x000055875f79e839 in ap_invoke_handler (r=0x558761297370) at config.c:434
#29 0x000055875f7bf502 in ap_process_async_request (r=0x558761297370) at http_request.c:410
#30 0x000055875f7bf6a0 in ap_process_request (r=0x558761297370) at http_request.c:445
#31 0x000055875f7bb7f5 in ap_process_http_sync_connection (c=0x55876122dc10) at http_core.c:210
#32 ap_process_http_connection (c=0x55876122dc10) at http_core.c:251
#33 0x000055875f7a7b20 in ap_run_process_connection (c=0x55876122dc10) at connection.c:42
#34 0x000055875f81eda2 in child_main (child_num_arg=0, child_bucket=513885488) at prefork.c:723
#35 0x000055875f81f020 in make_child (s=0x558760ec41b0, slot=2, bucket=0) at prefork.c:824
#36 0x000055875f81fe75 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:932
#37 prefork_run (_pconf=0x0, plog=0x7fff1ea14604, s=0x7fff1ea145e0) at prefork.c:1128
#38 0x000055875f782cce in ap_run_mpm (pconf=0x558760e91138, plog=0x558760eccb38, s=0x558760ec41b0) at mpm_common.c:94
#39 0x000055875f77bfd8 in main (argc=3, argv=0x7fff1ea148b8) at main.c:783

 [2016-12-05 15:22 UTC] tom60 at op dot pl
-Summary: Segmentation fault in ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_A +Summary: Segmentation fault in zend_call_function
 [2016-12-05 15:22 UTC] tom60 at op dot pl
Snippet of code causing the issue:

<?php
// Calling a string-typed function whose return value is itself built from
// another string-typed call is what triggers the crash.
echo xyz();

function x () : string {
    return 'x';
}

function xyz() : string {
    // The concatenated result passes through VERIFY_RETURN_TYPE before being returned.
    return x().'yz';
}
die();
 [2016-12-05 17:58 UTC] nikic@php.net
This is an optimization bug in opcache. We're not handling op replacement for VERIFY_RETURN_TYPE correctly.
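The following is an added diagnostic script, not part of the bug report or of php-src, for confirming from the CLI that a crash of this shape comes from opcache's optimizer rather than from the engine proper. It keeps the reporter's two string-typed functions and prints the opcache state to stderr before calling them, so the configuration is visible even when the process dies on the next line. The filename repro.php, the assumption that the opcache shared object is findable via zend_extension=opcache, and the helper name opcache_state() are all assumptions of this example.

```php
<?php
// Added diagnostic example (not from the bug report or php-src).
// Run the same file three times and compare outcomes:
//
//   php -n -d opcache.enable_cli=0 repro.php
//   php -n -d zend_extension=opcache -d opcache.enable_cli=1 \
//       -d opcache.optimization_level=0x7FFFBFFF repro.php
//   php -n -d zend_extension=opcache -d opcache.enable_cli=1 \
//       -d opcache.optimization_level=0 repro.php
//
// -n skips php.ini so the -d flags are the only opcache settings in effect.
// 0x7FFFBFFF is the default optimizer mask; 0 disables every optimization
// pass while leaving the opcode cache itself on. A crash that appears only
// in the second run points at an optimizer pass, as nikic diagnosed above.
// (repro.php and the zend_extension path are assumptions of this example.)

// Same shape as the reporter's snippet: the outer string-typed function
// returns a concatenation involving an inner string-typed call, so the
// engine emits VERIFY_RETURN_TYPE on the expression result.
function x(): string
{
    return 'x';
}

function xyz(): string
{
    return x() . 'yz';
}

// Describe whether opcache is loaded, enabled, and at which optimizer level.
function opcache_state(): string
{
    if (!function_exists('opcache_get_status')) {
        return 'opcache not loaded';
    }
    $status = opcache_get_status(false);
    if ($status === false || empty($status['opcache_enabled'])) {
        return 'opcache loaded but disabled';
    }
    return sprintf(
        'opcache enabled, optimization_level=%s',
        ini_get('opcache.optimization_level')
    );
}

// Report configuration first so it reaches the terminal even if the
// engine segfaults while executing the call below.
fwrite(STDERR, opcache_state() . PHP_EOL);
echo xyz(), PHP_EOL;
```

If the third run (optimizer off, cache on) survives while the second dies, the fault lies in an optimizer pass and opcache.optimization_level=0 is a usable stopgap until the fixed build is deployed; the VERIFY_RETURN_TYPE handler frame in the gdb backtrace above is the corresponding evidence on the crashed Apache worker.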
 [2016-12-05 18:20 UTC] cmb@php.net
-Package: Reproducible crash +Package: opcache
 [2016-12-05 19:41 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b79f8f408ab090825bc15656e517746fdc43db9
Log: Fix bug #73654
 [2016-12-05 19:41 UTC] nikic@php.net
-Status: Open +Status: Closed