Bug #77191 Assertion failure in dce_live_ranges() when silencing is used
Submitted: 2018-11-23 12:31 UTC
Modified: 2019-08-13 09:18 UTC
From: alexey at nsk21 dot ru
Assigned:
Status: Closed
Package: opcache
PHP Version: 7.2.12
OS: CentOS Linux release 7.5.1804
Private report: No
CVE-ID: None

 [2018-11-23 12:31 UTC] alexey at nsk21 dot ru
Description:
------------
PHP 7.2.12 compiled from a source *.tar.gz file:

#!/bin/sh
./configure \
        --prefix=/usr/local/php72 \
        --program-suffix=72 \
        --enable-fpm \
        --with-fpm-systemd \
        --with-config-file-scan-dir=/usr/local/php72/lib/php.conf.d \
        --with-curl=/usr/local/lib \
        --with-gd \
        --with-gettext \
        --with-jpeg-dir=/usr/local/lib \
        --with-freetype-dir=/usr/local/lib \
        --with-libxml-dir=/usr/local/lib \
        --with-kerberos \
        --with-openssl \
        --with-mhash \
        --with-mysql-sock=/var/lib/mysql/mysql.sock \
        --with-mysqli=mysqlnd \
        --with-pcre-regex=/usr/local \
        --with-pdo-mysql=mysqlnd \
        --with-pear \
        --with-png-dir=/usr/local/lib \
        --with-xsl \
        --with-zlib \
        --with-zlib-dir=/usr/local/lib \
        --enable-zip \
        --with-iconv=/usr/local \
        --enable-bcmath \
        --enable-calendar \
        --enable-ftp \
        --enable-sockets \
        --enable-soap \
        --enable-mbstring \
        --with-icu-dir=/usr/local/icu \
        --enable-intl \
        --enable-debug



Test script:
---------------
WordPress site of an actual version

Actual result:
--------------
[root@server spool]# gdb /usr/local/php72/sbin/php-fpm ./ccpp-2018-11-23-12:25:27-20411/coredump
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-110.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/php72/sbin/php-fpm72...done.
[New LWP 20411]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `php-fpm: pool onetime                        '.
Program terminated with signal 6, Aborted.
#0  0x00007fb489d66277 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007fb489d66277 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fb489d67968 in __GI_abort () at abort.c:90
#2  0x00007fb489d5f096 in __assert_fail_base (fmt=0x7fb489eba580 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x7fb47fabd9f8 "op_array->opcodes[def].result_type & ((1<<1)|(1<<2))",
    file=file@entry=0x7fb47fabd940 "/usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c", line=line@entry=589,
    function=function@entry=0x7fb47fabdae0 <__PRETTY_FUNCTION__.10702> "dce_live_ranges") at assert.c:92
#3  0x00007fb489d5f142 in __GI___assert_fail (assertion=0x7fb47fabd9f8 "op_array->opcodes[def].result_type & ((1<<1)|(1<<2))",
    file=0x7fb47fabd940 "/usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c", line=589, function=0x7fb47fabdae0 <__PRETTY_FUNCTION__.10702> "dce_live_ranges")
    at assert.c:101
#4  0x00007fb47faa599f in dce_live_ranges (ctx=0x7ffe7854af50, op_array=0x7fb45ded0178, ssa=0x7fb45def3540)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c:589
#5  0x00007fb47faa619b in dce_optimize_op_array (op_array=0x7fb45ded0178, ssa=0x7fb45def3540, reorder_dtor_effects=0 '\000')
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c:695
#6  0x00007fb47fa6d465 in zend_dfa_optimize_op_array (op_array=0x7fb45ded0178, ctx=0x7ffe7854b120, ssa=0x7fb45def3540, call_map=0x7fb45def3980)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dfa_pass.c:592
#7  0x00007fb47fa50652 in zend_optimize_script (script=0x7fb45e3e9600, optimization_level=2147467263, debug_level=0)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/zend_optimizer.c:1263
#8  0x00007fb47fa2c6f5 in cache_script_in_shared_memory (new_persistent_script=0x7fb45e3e9600, key=0x0, key_length=0, from_shared_memory=0x7ffe7854b420)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/ZendAccelerator.c:1333
#9  0x00007fb47fa2e186 in persistent_compile_file (file_handle=0x7ffe7854b490, type=2) at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/ZendAccelerator.c:1947
#10 0x0000000000a4a2a8 in compile_filename (type=2, filename=0x7fb48621fdc0) at Zend/zend_language_scanner.l:662
#11 0x0000000000b03d7b in zend_include_or_eval (inc_filename=0x7fb48621fdc0, type=2) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute.c:2832
#12 0x0000000000b73e6b in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:48644
#13 0x0000000000b89e53 in execute_ex (ex=0x7fb48621fd60) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:63152
#14 0x0000000000a8b044 in zend_call_function (fci=0x7ffe7854b810, fci_cache=0x7ffe7854b7e0) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:820
#15 0x0000000000867a53 in zif_spl_autoload_call (execute_data=0x7fb48621fd00, return_value=0x7ffe7854ba80) at /usr/local/directadmin/custombuild/php-7.2.12/ext/spl/php_spl.c:451
#16 0x0000000000a8b119 in zend_call_function (fci=0x7ffe7854ba40, fci_cache=0x7ffe7854ba10) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:834
#17 0x0000000000a8b85a in zend_lookup_class_ex (name=0x7fb4605bec90, key=0x7fb462c911a8, use_autoload=1) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:991
#18 0x0000000000a8c484 in zend_fetch_class_by_name (class_name=0x7fb4605bec90, key=0x7fb462c911a8, fetch_type=512)
    at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:1426
#19 0x0000000000b0b346 in ZEND_NEW_SPEC_CONST_HANDLER () at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:3211
#20 0x0000000000b85b83 in execute_ex (ex=0x7fb48621e030) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:59945
#21 0x0000000000b8ab88 in zend_execute (op_array=0x7fb486275000, return_value=0x0) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:63776
#22 0x0000000000aa487e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend.c:1502
#23 0x0000000000a126ba in php_execute_script (primary_file=0x7ffe7854e120) at /usr/local/directadmin/custombuild/php-7.2.12/main/main.c:2590
#24 0x0000000000b9c7a9 in main (argc=2, argv=0x7ffe7854e348) at /usr/local/directadmin/custombuild/php-7.2.12/sapi/fpm/fpm/fpm_main.c:1966
(gdb) frame 0
#0  0x00007fb489d66277 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) frame 1
#1  0x00007fb489d67968 in __GI_abort () at abort.c:90
90            raise (SIGABRT);
(gdb) frame 2
#2  0x00007fb489d5f096 in __assert_fail_base (fmt=0x7fb489eba580 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x7fb47fabd9f8 "op_array->opcodes[def].result_type & ((1<<1)|(1<<2))",
    file=file@entry=0x7fb47fabd940 "/usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c", line=line@entry=589,
    function=function@entry=0x7fb47fabdae0 <__PRETTY_FUNCTION__.10702> "dce_live_ranges") at assert.c:92
92        abort ();
(gdb) frame 3
#3  0x00007fb489d5f142 in __GI___assert_fail (assertion=0x7fb47fabd9f8 "op_array->opcodes[def].result_type & ((1<<1)|(1<<2))",
    file=0x7fb47fabd940 "/usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c", line=589, function=0x7fb47fabdae0 <__PRETTY_FUNCTION__.10702> "dce_live_ranges")
    at assert.c:101
101       __assert_fail_base (_("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n"),
(gdb) frame 4
#4  0x00007fb47faa599f in dce_live_ranges (ctx=0x7ffe7854af50, op_array=0x7fb45ded0178, ssa=0x7fb45def3540)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c:589
589                             ZEND_ASSERT(op_array->opcodes[def].result_type & (IS_TMP_VAR|IS_VAR));
(gdb) frame 5
#5  0x00007fb47faa619b in dce_optimize_op_array (op_array=0x7fb45ded0178, ssa=0x7fb45def3540, reorder_dtor_effects=0 '\000')
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c:695
695                     dce_live_ranges(&ctx, op_array, ssa);
(gdb) frame 6
#6  0x00007fb47fa6d465 in zend_dfa_optimize_op_array (op_array=0x7fb45ded0178, ctx=0x7ffe7854b120, ssa=0x7fb45def3540, call_map=0x7fb45def3980)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dfa_pass.c:592
592                             if (dce_optimize_op_array(op_array, ssa, 0)) {
(gdb) frame 7
#7  0x00007fb47fa50652 in zend_optimize_script (script=0x7fb45e3e9600, optimization_level=2147467263, debug_level=0)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/zend_optimizer.c:1263
1263                                    zend_dfa_optimize_op_array(call_graph.op_arrays[i], &ctx, &func_info->ssa, func_info->call_map);
(gdb) frame 8
#8  0x00007fb47fa2c6f5 in cache_script_in_shared_memory (new_persistent_script=0x7fb45e3e9600, key=0x0, key_length=0, from_shared_memory=0x7ffe7854b420)
    at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/ZendAccelerator.c:1333
1333            if (!zend_optimize_script(&new_persistent_script->script, ZCG(accel_directives).optimization_level, ZCG(accel_directives).opt_debug_level)) {
(gdb) frame 9
#9  0x00007fb47fa2e186 in persistent_compile_file (file_handle=0x7ffe7854b490, type=2) at /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/ZendAccelerator.c:1947
1947                            persistent_script = cache_script_in_shared_memory(persistent_script, key, key ? key_length : 0, &from_shared_memory);
(gdb) frame 10
#10 0x0000000000a4a2a8 in compile_filename (type=2, filename=0x7fb48621fdc0) at Zend/zend_language_scanner.l:662
662             retval = zend_compile_file(&file_handle, type);
(gdb) frame 11
#11 0x0000000000b03d7b in zend_include_or_eval (inc_filename=0x7fb48621fdc0, type=2) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute.c:2832
2832                                    new_op_array = compile_filename(type, inc_filename);
(gdb) frame 12
#12 0x0000000000b73e6b in ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER () at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:48644
48644           new_op_array = zend_include_or_eval(inc_filename, opline->extended_value);
(gdb) frame 13
#13 0x0000000000b89e53 in execute_ex (ex=0x7fb48621fd60) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:63152
63152                                   ZEND_INCLUDE_OR_EVAL_SPEC_TMPVAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 14
#14 0x0000000000a8b044 in zend_call_function (fci=0x7ffe7854b810, fci_cache=0x7ffe7854b7e0) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:820
820                     zend_execute_ex(call);
(gdb) frame 15
#15 0x0000000000867a53 in zif_spl_autoload_call (execute_data=0x7fb48621fd00, return_value=0x7ffe7854ba80) at /usr/local/directadmin/custombuild/php-7.2.12/ext/spl/php_spl.c:451
451                             zend_call_function(&fci, &fcic);
(gdb) frame 16
#16 0x0000000000a8b119 in zend_call_function (fci=0x7ffe7854ba40, fci_cache=0x7ffe7854ba10) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:834
834                             func->internal_function.handler(call, fci->retval);
(gdb) frame 17
#17 0x0000000000a8b85a in zend_lookup_class_ex (name=0x7fb4605bec90, key=0x7fb462c911a8, use_autoload=1) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:991
991             if ((zend_call_function(&fcall_info, &fcall_cache) == SUCCESS) && !EG(exception)) {
(gdb) frame 18
#18 0x0000000000a8c484 in zend_fetch_class_by_name (class_name=0x7fb4605bec90, key=0x7fb462c911a8, fetch_type=512)
    at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_execute_API.c:1426
1426            } else if ((ce = zend_lookup_class_ex(class_name, key, 1)) == NULL) {
(gdb) frame 19
#19 0x0000000000b0b346 in ZEND_NEW_SPEC_CONST_HANDLER () at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:3211
3211                            ce = zend_fetch_class_by_name(Z_STR_P(EX_CONSTANT(opline->op1)), EX_CONSTANT(opline->op1) + 1, ZEND_FETCH_CLASS_DEFAULT | ZEND_FETCH_CLASS_EXCEPTION);
(gdb) frame 20
#20 0x0000000000b85b83 in execute_ex (ex=0x7fb48621e030) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:59945
59945                                   ZEND_NEW_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 21
#21 0x0000000000b8ab88 in zend_execute (op_array=0x7fb486275000, return_value=0x0) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend_vm_execute.h:63776
63776           zend_execute_ex(execute_data);
(gdb) frame 22
#22 0x0000000000aa487e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/directadmin/custombuild/php-7.2.12/Zend/zend.c:1502
1502                            zend_execute(op_array, retval);
(gdb) frame 23
#23 0x0000000000a126ba in php_execute_script (primary_file=0x7ffe7854e120) at /usr/local/directadmin/custombuild/php-7.2.12/main/main.c:2590
2590                            retval = (zend_execute_scripts(ZEND_REQUIRE, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 24
#24 0x0000000000b9c7a9 in main (argc=2, argv=0x7ffe7854e348) at /usr/local/directadmin/custombuild/php-7.2.12/sapi/fpm/fpm/fpm_main.c:1966
1966                            php_execute_script(&file_handle);
(gdb)


 [2019-05-27 15:54 UTC] bukka@php.net
-Package: FPM related
+Package: opcache
 [2019-05-27 15:54 UTC] bukka@php.net
Well this is crashing in opcache so it doesn't seem to be FPM related.
 [2019-08-13 08:55 UTC] maxcrees at me dot com
Getting the same thing on 7.2.21 with opcache enabled. Backtrace:

Starting program: /usr/bin/php-cgi /tmp/opcache-crash.php

Program received signal SIGABRT, Aborted.
__restore_sigs (set=set@entry=0x7fffffffb7d0) at ./arch/x86_64/syscall_arch.h:40
40	./arch/x86_64/syscall_arch.h: No such file or directory.
#0  __restore_sigs (set=set@entry=0x7fffffffb7d0) at ./arch/x86_64/syscall_arch.h:40
#1  0x00007ffff7da4aa8 in raise (sig=sig@entry=6) at src/signal/raise.c:11
#2  0x00007ffff7d6b5b1 in abort () at src/exit/abort.c:13
#3  0x00007ffff7d6b681 in __assert_fail (expr=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at src/exit/assert.c:8
#4  0x00007ffff45d67c8 in dce_live_ranges (ctx=0x7fffffffba00, op_array=0x7ffff480e0f8, ssa=0x7ffff4895100)
    at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/Optimizer/dce.c:589
#5  0x00007ffff45d6f93 in dce_optimize_op_array (op_array=0x7ffff480e0f8, ssa=0x7ffff4895100, reorder_dtor_effects=0 '\000')
    at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/Optimizer/dce.c:695
#6  0x00007ffff459e492 in zend_dfa_optimize_op_array (op_array=0x7ffff480e0f8, ctx=0x7fffffffbd30, ssa=0x7ffff4895100, call_map=0x0)
    at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/Optimizer/dfa_pass.c:592
#7  0x00007ffff4580988 in zend_optimize_script (script=0x7ffff4877000, optimization_level=2147467263, debug_level=0)
    at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/Optimizer/zend_optimizer.c:1263
#8  0x00007ffff45542d1 in cache_script_in_shared_memory (new_persistent_script=0x7ffff4877000, key=0x7ffff4803000 "/tmp/opcache-crash.php", key_length=22, 
    from_shared_memory=0x7fffffffbe10) at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/ZendAccelerator.c:1358
#9  0x00007ffff455775c in persistent_compile_file (file_handle=0x7fffffffd4b0, type=8)
    at /home/mcrees/packages/user/php7/src/php-7.2.21/ext/opcache/ZendAccelerator.c:2012
#10 0x0000555555925c71 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/mcrees/packages/user/php7/src/php-7.2.21/Zend/zend.c:1492
#11 0x000055555585cba9 in php_execute_script (primary_file=0x7fffffffd4b0) at /home/mcrees/packages/user/php7/src/php-7.2.21/main/main.c:2596
#12 0x0000555555a33bae in main (argc=2, argv=0x7fffffffd7e8) at /home/mcrees/packages/user/php7/src/php-7.2.21/sapi/cgi/cgi_main.c:2679

Reproducer:

<?php
function HandleUpload($userfile) {
	/* Adding @ to the following switch control expression causes opcache to SIGABRT:
	 *
	 * [01-Jun-2019 09:49:45] WARNING: [pool www] child 12905 said into stderr: "Assertion failed: op_array->opcodes[def].result_type & ((1<<1)|(1<<2)) (php-7.2.19/ext/opcache/Optimizer/dce.c: dce_live_ranges: 589)"
	 * [01-Jun-2019 09:49:45] WARNING: [pool www] child 12905 exited on signal 6 (SIGABRT) after 15.408161 seconds from start
	 *
	 * Without the @, there is no SIGABRT produced.
	 */
	switch (@$userfile['error']) {
	//switch ($userfile['error']) {
		case 1: return 'upresult=toobig';
		case 2: return 'upresult=toobig';
		case 3: return 'upresult=partial';
		case 4: return 'upresult=nofile';
	}
	return '';
}
if (array_key_exists('userfile', $_FILES)) {
	$userfile = $_FILES['userfile'];
	echo HandleUpload($userfile);
}
?>
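
An added example, not part of the report or of php-src: a log triage script that pairs the php-fpm `said into stderr` assertion line with the `exited on signal 6 (SIGABRT)` line for the same pool and child, as in the two log lines quoted in the reproducer's comment. It goes beyond those two lines by also accepting the glibc message layout seen in the first backtrace's format string; the glibc, NOTICE and SIGSEGV log lines in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from posixpath import basename

# Sample log: the first two lines are the ones quoted in the reproducer's comment;
# the remaining four are constructed for this example (timestamps, durations, pids).
SAMPLE_LOG = """\
[01-Jun-2019 09:49:45] WARNING: [pool www] child 12905 said into stderr: "Assertion failed: op_array->opcodes[def].result_type & ((1<<1)|(1<<2)) (php-7.2.19/ext/opcache/Optimizer/dce.c: dce_live_ranges: 589)"
[01-Jun-2019 09:49:45] WARNING: [pool www] child 12905 exited on signal 6 (SIGABRT) after 15.408161 seconds from start
[01-Jun-2019 09:49:45] NOTICE: [pool www] child 12911 started
[01-Jun-2019 09:50:02] WARNING: [pool onetime] child 20411 said into stderr: "php-fpm: /usr/local/directadmin/custombuild/php-7.2.12/ext/opcache/Optimizer/dce.c:589: dce_live_ranges: Assertion `op_array->opcodes[def].result_type & ((1<<1)|(1<<2))' failed."
[01-Jun-2019 09:50:02] WARNING: [pool onetime] child 20411 exited on signal 6 (SIGABRT) after 3.210000 seconds from start
[01-Jun-2019 09:51:10] WARNING: [pool www] child 12911 exited on signal 11 (SIGSEGV) after 85.000100 seconds from start
"""

CHILD = r'^\[(?P<ts>[^\]]+)\] WARNING: \[pool (?P<pool>[^\]]+)\] child (?P<pid>\d+) '
STDERR_RE = re.compile(CHILD + r'said into stderr: "(?P<msg>.*)"$')
EXIT_RE = re.compile(CHILD + r'exited on signal (?P<sig>\d+) \((?P<name>\w+)\)')
ASSERT_RES = (
    # musl layout: Assertion failed: EXPR (FILE: FUNC: LINE)
    re.compile(r"^Assertion failed: (?P<expr>.+) "
               r"\((?P<file>[^:()]+): (?P<func>\w+): (?P<line>\d+)\)$"),
    # glibc layout: [PROG: ]FILE:LINE: FUNC: Assertion `EXPR' failed.
    re.compile(r"^(?:[^:]+: )?(?P<file>[^:]+):(?P<line>\d+): (?P<func>\w+): "
               r"Assertion `(?P<expr>.+)' failed\.$"),
)

def parse_assertion(msg):
    """Return the failed expression and its (file, function, line) site, or None."""
    for rx in ASSERT_RES:
        m = rx.match(msg)
        if m:
            # Build paths differ per host, so key the site on the file's basename.
            site = (basename(m["file"]), m["func"], int(m["line"]))
            return {"expr": m["expr"], "site": site}
    return None

def correlate(log_text):
    """Pair each assertion message with the SIGABRT exit of the same pool/child."""
    pending, incidents = {}, []
    for raw in log_text.splitlines():
        m = STDERR_RE.match(raw)
        if m:
            hit = parse_assertion(m["msg"])
            if hit:
                pending[(m["pool"], m["pid"])] = hit
            continue
        m = EXIT_RE.match(raw)
        if m:
            hit = pending.pop((m["pool"], m["pid"]), None)
            if hit and m["name"] == "SIGABRT":
                incidents.append({"ts": m["ts"], "pool": m["pool"],
                                  "pid": int(m["pid"]), **hit})
    return incidents

def sites(incidents):
    """Count aborts per assertion site, so repeated crashes group together."""
    return Counter(i["site"] for i in incidents)
```
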
 [2019-08-13 09:02 UTC] nikic@php.net
-Status: Open
+Status: Verified
 [2019-08-13 09:02 UTC] nikic@php.net
Confirming assertion failure on the provided code.
 [2019-08-13 09:18 UTC] nikic@php.net
-Summary: Process 22171 (php-fpm72) of user 1002 killed by SIGABRT - dumping core
+Summary: Assertion failure in dce_live_ranges() when silencing is used
 [2019-08-13 09:24 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4eeb41d1ea91fe7a44759f788ad5920eac8df0ef
Log: Fixed bug #77191
 [2019-08-13 09:24 UTC] nikic@php.net
-Status: Verified
+Status: Closed
 