Bug #70111 Segfault when a function uses both an explicit return type and an explicit cast
Submitted: 2015-07-22 10:31 UTC Modified: 2015-07-22 19:59 UTC
From: malte dot skoruppa at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-22 (Git) OS: Ubuntu 14.04 LTS
Private report: No CVE-ID:
 [2015-07-22 10:31 UTC] malte dot skoruppa at gmail dot com
Description:
------------
When a function both
* specifies an explicit return type
* AND uses an explicit cast of the return value,
then the PHP interpreter segfaults non-deterministically with high probability.

To reproduce, execute the following script with the PHP interpreter several times in a row. Sometimes it works, sometimes it segfaults.


Test script:
---------------
<?php

foo();

function foo() : string {
  return (string) 42;
}


Expected result:
----------------
PHP interpreter should not crash, no matter how many times the script is run.


Actual result:
--------------
The PHP interpreter segfaults when running this script. Not always, but very often:

$ php crash.php
Segmentation fault (core dumped)


gdb backtrace:

Core was generated by `php crash.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000000000888c20 in execute_ex (ex=0x7fa8daa14030) at /home/malte/php7/php-src/Zend/zend_vm_execute.h:406
#2  0x0000000000888d32 in zend_execute (op_array=0x7fa8daa75100, return_value=0x0) at /home/malte/php7/php-src/Zend/zend_vm_execute.h:450
#3  0x000000000082ee86 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/malte/php7/php-src/Zend/zend.c:1399
#4  0x000000000079aefc in php_execute_script (primary_file=0x7ffdb976c850) at /home/malte/php7/php-src/main/main.c:2475
#5  0x00000000008ec6ac in do_cli (argc=2, argv=0x2f6b0e0) at /home/malte/php7/php-src/sapi/cli/php_cli.c:971
#6  0x00000000008ed870 in main (argc=2, argv=0x2f6b0e0) at /home/malte/php7/php-src/sapi/cli/php_cli.c:1338


History
 [2015-07-22 11:30 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-07-22 11:30 UTC] laruence@php.net
this is an opcache issue...
 [2015-07-22 14:48 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)
 [2015-07-22 14:48 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-07-22 19:59 UTC] malte dot skoruppa at gmail dot com
Great! That was incredibly fast. :)

Please note that the bug did not happen every time (especially the first 1-2 times when executing the script), so the test case you added might randomly pass even if the bug reappears. Is there a facility to run the regression test more than once?
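The report asks to run the reproducer "several times in a row", and the follow-up points out that a single run of the regression test can pass by chance. A small harness that repeats a command and counts the runs that died with SIGSEGV is one way to make a flaky memory-safety crash visible. This is an added example, not code from the bug report or from php-src. It assumes the test script above is saved as crash.php and that opcache is loaded into the CLI build; opcache.enable_cli is a real ini directive (off by default on the CLI), which is why it is passed explicitly, since laruence's comment attributes the crash to opcache. The function name count_segfaults and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or php-src): run a flaky
# reproducer N times and count the runs that died with SIGSEGV.
# Assumptions: reproducer saved as crash.php; opcache loaded and enabled
# for the CLI via the real ini directive opcache.enable_cli=1.

# count_segfaults N CMD...: run CMD N times, print the number of runs
# whose exit status was 139 (128 + SIGSEGV, the status a POSIX shell
# reports for a child killed by signal 11). Output and stderr of each
# run are discarded so that only the exit status is inspected.
count_segfaults() {
    n=$1; shift
    segv=0
    i=0
    while [ "$i" -lt "$n" ]; do
        # Run inside an 'if' so that 'set -e' in a caller does not abort
        # the loop when the command fails; capture the status ourselves.
        if "$@" >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        if [ "$status" -eq 139 ]; then
            segv=$((segv + 1))
        fi
        i=$((i + 1))
    done
    echo "$segv"
}

# Usage: './repeat.sh --run' exercises crash.php 50 times with opcache on.
# Any non-zero count means the crash (or a regression of it) is present,
# even when the first few runs happen to pass. Exit status is non-zero
# in that case so the script can gate a CI job.
if [ "${1:-}" = "--run" ]; then
    hits=$(count_segfaults 50 php -d opcache.enable_cli=1 crash.php)
    echo "segfaults: $hits / 50"
    [ "$hits" -eq 0 ]
fi
```

The count uses the shell's 128+signal convention rather than grepping for "Segmentation fault", so it also works when the message is printed by a different shell or suppressed; to catch other fatal signals (SIGABRT from a failed assertion in a debug build, SIGBUS), compare against 128+6 or 128+7 in the same way.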
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e479ef424b2193f41a28fda18bde076a79ea71e
Log: Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Apr 29 17:01:36 2017 UTC