[2021-05-27 08:28 UTC] nikic@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: dmitry
[2021-05-27 08:28 UTC] nikic@php.net
[2021-05-27 12:23 UTC] git@php.net
[2021-05-27 12:23 UTC] git@php.net
-Status: Verified
+Status: Closed
Description:
------------
When incrementing a typed property by-reference, it seems like the type gets broken, causing spurious errors and assert failures.

This was discovered in debug mode using opcache.jit=1205.

In debug mode, the following assert is triggered:

```
(gdb) run php-8-jit-bugs/samples/by-ref-increment-typed-property.php
Starting program: /home/dktapps/pm-dev/bin/php7/bin/php php-8-jit-bugs/samples/by-ref-increment-typed-property.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(0)
php: /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895: i_zend_check_property_type: Assertion `!(zval_get_type(&(*(property))) == 10)' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff47a3921 in __GI_abort () at abort.c:79
#2 0x00007ffff479348a in __assert_fail_base (fmt=0x7ffff491a750 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555556123548 "!(zval_get_type(&(*(property))) == 10)", file=file@entry=0x555556123180 "/home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c", line=line@entry=895, function=function@entry=0x555556126200 <__PRETTY_FUNCTION__.15039> "i_zend_check_property_type") at assert.c:92
#3 0x00007ffff4793502 in __GI___assert_fail (assertion=0x555556123548 "!(zval_get_type(&(*(property))) == 10)", file=0x555556123180 "/home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c", line=895, function=0x555556126200 <__PRETTY_FUNCTION__.15039> "i_zend_check_property_type") at assert.c:101
#4 0x0000555555d984f5 in i_zend_check_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895
#5 0x0000555555d98615 in i_zend_verify_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:915
#6 0x0000555555d98666 in zend_verify_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:924
#7 0x00007ffff40d0e1d in zend_jit_post_inc_typed_prop (var_ptr=0x7ffff44020a8, prop_info=0x408d3700, result=0x7ffff4414170) at ext/opcache/jit/zend_jit_helpers.c:2359
#8 0x0000000048001f0d in ?? ()
#9 0x00007ffff4402070 in ?? ()
#10 0x00007fff00000001 in ?? ()
#11 0x000000004024a860 in ?? ()
#12 0x00005555565987d0 in ?? ()
#13 0xfffffffffffffed6 in ?? ()
#14 0x000000004024b1a0 in ?? ()
#15 0x00007fffffffa3f0 in ?? ()
#16 0x0000555555d80417 in zend_hash_find_bucket (ht=0x0, key=0x0, known_hash=85) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_hash.c:649
#17 0x0000555555e2324f in zend_execute (op_array=0x7ffff445d280, return_value=0x0) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_vm_execute.h:58875
#18 0x0000555555d6b0a7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend.c:1680
#19 0x0000555555cb0a87 in php_execute_script (primary_file=0x7fffffffcb50) at /home/dktapps/pm-dev/install_data/subdir/php/main/main.c:2488
#20 0x0000555555e67c23 in do_cli (argc=2, argv=0x555556594020) at /home/dktapps/pm-dev/install_data/subdir/php/sapi/cli/php_cli.c:949
#21 0x0000555555e68eb0 in main (argc=2, argv=0x555556594020) at /home/dktapps/pm-dev/install_data/subdir/php/sapi/cli/php_cli.c:1336
```

Test script:
---------------
```php
<?php

class Binary{
	public static function readUnsignedVarInt(string $buffer, int &$offset) : int{
		$offset++;
		return 0;
	}
}

class BinaryStream{

	private string $buffer;
	private int $offset;

	public function __construct(string $buffer, int $offset = 0){
		$this->buffer = $buffer;
		$this->offset = $offset;
	}

	public function getUnsignedVarInt() : int{
		return Binary::readUnsignedVarInt($this->buffer, $this->offset);
	}

	public function get(int $len) : string{
		return $len === 1 ? $this->buffer[$this->offset++] : substr($this->buffer, ($this->offset += $len) - $len, $len);
	}
}
$stream = new BinaryStream(str_repeat("\x01a", 1000));
var_dump($stream->getUnsignedVarInt());
var_dump($stream->get(1));
```

Expected result:
----------------
```
int(0)
string(1) "a"
```

Actual result:
--------------
In release mode:
```
int(0)
PHP Fatal error: Uncaught TypeError: Cannot assign int to property BinaryStream::$offset of type int in /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php:25
Stack trace:
#0 /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php(30): BinaryStream->get()
#1 {main}
  thrown in /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php on line 25
```

In debug mode:
```
int(0)
php: /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895: i_zend_check_property_type: Assertion `!(zval_get_type(&(*(property))) == 10)' failed.
Aborted (core dumped)
```