Bug #80030 Optimizer segfault with isset on static property with undef dynamic class name
Submitted: 2020-08-28 10:58 UTC Modified: 2020-08-31 10:35 UTC
From: sjon@php.net Assigned: nikic
Status: Closed Package: opcache
PHP Version: 8.0.0beta2 OS:
Private report: No CVE-ID: None
 [2020-08-28 10:58 UTC] sjon@php.net
Description:
------------
Not separately reproducible yet; this is with opcache.file_cache enabled.

Actual result:
--------------
#0  0x0000555555b6e542
    in zend_create_member_string (class_name=0x2, member_name=0x40872f68) 
    at php-8.0.0beta2/Zend/zend_compile.c:847
#1  0x00007ffff52a0ade 
    in add_static_slot (hash=0x7fffffffa330, op_array=0x7ffff3be0448, op1=0, op2=20, kind=1792, cache_size=0x7fffffffa260)
    at php-8.0.0beta2/ext/opcache/Optimizer/compact_literals.c:99
#2  0x00007ffff52a30d1
    in zend_optimizer_compact_literals (op_array=0x7ffff3be0448, ctx=0x7fffffffa4b0)
    at php-8.0.0beta2/ext/opcache/Optimizer/compact_literals.c:712
#3  0x00007ffff52906ec
    in zend_optimize_script (script=0x7ffff3d88200, optimization_level=2147401727, debug_level=0)
    at php-8.0.0beta2/ext/opcache/Optimizer/zend_optimizer.c:1459
#4  0x00007ffff52579f6
    in cache_script_in_shared_memory (new_persistent_script=0x7ffff3d88200, key=0x7ffff3bf80d8 "xxx.php", key_length=105, from_shared_memory=0x7fffffffa570)
    at php-8.0.0beta2/ext/opcache/ZendAccelerator.c:1440
#5  0x00007ffff5259df4
    in persistent_compile_file (file_handle=0x7fffffffa6c0, type=2)
    at php-8.0.0beta2/ext/opcache/ZendAccelerator.c:2178
#6  0x0000555555bd9f59
    in zend_include_or_eval (inc_filename=0x7ffff5414870, type=4)
    at php-8.0.0beta2/Zend/zend_execute.c:4193
#7  0x0000555555c2d838
    in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at php-8.0.0beta2/Zend/zend_vm_execute.h:37190
#8  0x0000555555c4e245
    in execute_ex (ex=0x7ffff54145a0)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:56770
#9  0x0000555555b8d849
    in zend_call_function (fci=0x7fffffffaab0, fci_cache=0x7fffffffaa90)
    at php-8.0.0beta2/Zend/zend_execute_API.c:855
#10 0x0000555555b8dbf8
    in zend_call_known_function (fn=0x421b4380, object=0x7ffff54db580, called_scope=0x421b2f60, retval_ptr=0x7ffff5414590, param_count=1, params=0x7fffffffabc0, named_params=0x0)
    at php-8.0.0beta2/Zend/zend_execute_API.c:945
#11 0x0000555555c7c12a
    in zend_call_known_instance_method (fn=0x421b4380, object=0x7ffff54db580, retval_ptr=0x7ffff5414590, param_count=1, params=0x7fffffffabc0)
    at php-8.0.0beta2/Zend/zend_API.h:587
#12 0x0000555555c7c19f
    in zend_call_known_instance_method_with_1_params (fn=0x421b4380, object=0x7ffff54db580, retval_ptr=0x7ffff5414590, param=0x7fffffffabc0)
    at php-8.0.0beta2/Zend/zend_API.h:599
#13 0x0000555555c7c7f2
    in zend_std_call_getter (zobj=0x7ffff54db580, prop_name=0x7ffff54b9c30, retval=0x7ffff5414590)
    at php-8.0.0beta2/Zend/zend_object_handlers.c:182
#14 0x0000555555c7dc1d
    in zend_std_read_property (zobj=0x7ffff54db580, name=0x7ffff54b9c30, type=0, cache_slot=0x0, rv=0x7ffff5414590)
    at php-8.0.0beta2/Zend/zend_object_handlers.c:645
#15 0x0000555555c297e8
    in ZEND_FETCH_OBJ_R_SPEC_UNUSED_CV_HANDLER ()
    at php-8.0.0beta2/Zend/zend_vm_execute.h:34874
#16 0x0000555555c4dda4
    in execute_ex (ex=0x7ffff5414020)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:56537
#17 0x0000555555c4f1da
    in zend_execute (op_array=0x7ffff545c3c0, return_value=0x0)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:57766
#18 0x0000555555ba5651
    in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-8.0.0beta2/Zend/zend.c:1696
#19 0x0000555555b07d22
    in php_execute_script (primary_file=0x7fffffffd400)
    at php-8.0.0beta2/main/main.c:2535
#20 0x0000555555c8e026
    in do_cli (argc=9, argv=0x55555698f710)
    at php-8.0.0beta2/sapi/cli/php_cli.c:949
#21 0x0000555555c8f09d
    in main (argc=9, argv=0x55555698f710)
    at php-8.0.0beta2/sapi/cli/php_cli.c:1336


 [2020-08-28 12:25 UTC] sjon@php.net
I managed to create a testcase, just including this file should be enough:

<?php

class P
{   
    protected function _p(string $t = null, int $i = null, bool $a = false): array
    {
        while (($line = current($this->_stack)) !== false)
            if ($a)
                if (isset($className::$p))
                    throw new Ex('');
    }
}
 [2020-08-31 10:34 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-08-31 10:34 UTC] nikic@php.net
<?php

function test() {
    var_dump(isset($className::$test));
}
 [2020-08-31 10:35 UTC] nikic@php.net
-Summary: segfault in zend_optimizer_compact_literals > zend_create_member_string +Summary: Optimizer segfault with isset on static property with undef dynamic class name
 [2020-08-31 10:38 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=50975640bc2bd86f4aa1c1eb00bd9dc3a9764e72
Log: Fixed bug #80030
 [2020-08-31 10:38 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 
Last updated: Sat Dec 21 16:01:28 2024 UTC