Bug #71435 Reproducible crash using opcache.file_cache_only=1 and class constant
Submitted: 2016-01-23 13:46 UTC
Modified: 2016-01-24 07:15 UTC
From: wegvonhier+phpbugs at gmail dot com
Assigned: laruence
Status: Closed
Package: opcache
PHP Version: master-Git-2016-01-23 (snap)
OS: Linux/Windows (x64)
Private report: No
CVE-ID: None
 [2016-01-23 13:46 UTC] wegvonhier+phpbugs at gmail dot com
Description:
------------
PHP crashes reproducibly (using the script listed below) the **second** time the script is executed using the CLI with the latest snapshot build (php-master-ts-windows-vc14-x64-r1091cec.zip) from windows.php.net using opcache.file_cache_only=1 (file cache path is set and a corresponding file is generated).

Version Info:
<snip>\php7-m>php --version
PHP 7.1.0-dev (cli) (built: Jan 23 2016 12:23:18) ( ZTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

Test script:
---------------
<?php

class Foo {
	const BAR = '13';
}
echo Foo::BAR;

Expected result:
----------------
13

Actual result:
--------------
Access violation reading location 0x74B60403019

>	php_opcache.dll!zend_file_cache_unserialize_class_constant(_zval_struct * zv=0x0000074b60403019, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1084	C
 	php_opcache.dll!zend_file_cache_unserialize_class_constant(_zval_struct * zv, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1091	C
 	php_opcache.dll!zend_file_cache_unserialize_class_constant(_zval_struct * zv, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1091	C
 	php_opcache.dll!zend_file_cache_unserialize_class_constant(_zval_struct * zv, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1091	C
 	php_opcache.dll!zend_file_cache_unserialize_hash(_zend_array * ht, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018, void(*)(_zval_struct *, _zend_persistent_script *, void *) func=0x00007ffdd8b5eb70, void(*)(_zval_struct *) dtor=0x0000000000000000) Zeile 850	C
 	php_opcache.dll!zend_file_cache_unserialize_class(_zval_struct * zv, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1136	C
 	php_opcache.dll!zend_file_cache_unserialize_hash(_zend_array * ht, _zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018, void(*)(_zval_struct *, _zend_persistent_script *, void *) func=0x00007ffdd8b5ece0, void(*)(_zval_struct *) dtor=0x00007ffdc6034760) Zeile 850	C
 	php_opcache.dll!zend_file_cache_unserialize(_zend_persistent_script * script=0x0000014560403018, void * buf=0x0000014560403018) Zeile 1241	C
 	php_opcache.dll!zend_file_cache_script_load(_zend_file_handle * file_handle) Zeile 1398	C
 	php_opcache.dll!file_cache_compile_file(_zend_file_handle * file_handle=0x00000035d2dff440, int type=8) Zeile 1565	C
 	php_opcache.dll!persistent_compile_file(_zend_file_handle * file_handle=0x00000035d2dff440, int type=8) Zeile 1625	C
 	php7ts.dll!zend_execute_scripts(int type=8, _zval_struct * retval=0x0000000000000000, int file_count=3, ...) Zeile 1422	C
 	php7ts.dll!php_execute_script(_zend_file_handle * primary_file=0x00000035d2dff440) Zeile 2484	C
 	php.exe!do_cli(int argc=2, char * * argv=0x000001455ea9f6c0) Zeile 975	C
 	php.exe!main(int argc=2, char * * argv=0x000001455ea9f6c0) Zeile 1345	C
 	[Externer Code]	
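
The reproduction steps from the description, written as a regression check that can be run against any PHP build. This is an added example, not part of the original report or of php-src; the function name, the return-code convention and the temporary directory layout are assumptions.

```shell
#!/bin/sh
# Added example: regression check for the scenario in this report.
# Return codes (this script's own convention): 0 = both runs printed 13,
# 1 = a run crashed or printed something else, 2 = skipped (no usable php/OPcache).
check_file_cache_regression() {
    php_bin="${1:-php}"
    command -v "$php_bin" >/dev/null 2>&1 || return 2

    work="$(mktemp -d)" || return 2
    mkdir "$work/cache"
    # Test script exactly as given in the report.
    cat > "$work/t.php" <<'EOF'
<?php

class Foo {
	const BAR = '13';
}
echo Foo::BAR;
EOF
    # -n ignores php.ini so only the settings below apply.
    set -- -n -d zend_extension=opcache -d opcache.enable=1 \
        -d opcache.enable_cli=1 -d "opcache.file_cache=$work/cache" \
        -d opcache.file_cache_only=1

    # Skip when OPcache cannot be loaded; the check would pass vacuously.
    if ! "$php_bin" "$@" -r 'exit(extension_loaded("Zend OPcache") ? 0 : 1);' \
            >/dev/null 2>&1; then
        rm -rf "$work"
        return 2
    fi

    rc=0
    for run in 1 2; do   # run 1 writes the cache file, run 2 loads it
        out="$("$php_bin" "$@" "$work/t.php" 2>/dev/null)" && status=0 || status=$?
        case "$status:$out" in
            0:*13) ;;   # clean exit and the output ends with 13
            *) echo "run $run failed: exit=$status (139 = SIGSEGV)" >&2; rc=1 ;;
        esac
    done
    rm -rf "$work"
    return $rc
}
```

Pass the path of the build under test as the first argument, for example a freshly compiled `sapi/cli/php`; with no argument the `php` found on `PATH` is used.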

 [2016-01-23 14:53 UTC] wegvonhier+phpbugs at gmail dot com
-Operating System: Windows 10 x64
+Operating System: Linux/Windows (x64)
 [2016-01-23 14:53 UTC] wegvonhier+phpbugs at gmail dot com
Compiled master(1091cec28) on a Mint 17.3 vm and reproduced the issue:

Program received signal SIGSEGV, Segmentation fault.
zend_file_cache_unserialize_class_constant (zv=0x8605f6803041, 
    script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1084
1084		if (!IS_UNSERIALIZED(Z_PTR_P(zv))) {
(gdb) bt
#0  zend_file_cache_unserialize_class_constant (zv=0x8605f6803041, 
    script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1084
#1  0x00007ffff617764d in zend_file_cache_unserialize_class_constant (
    zv=<optimized out>, script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1090
#2  0x00007ffff617764d in zend_file_cache_unserialize_class_constant (
    zv=<optimized out>, script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1090
#3  0x00007ffff617764d in zend_file_cache_unserialize_class_constant (
    zv=<optimized out>, script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1090
#4  0x00007ffff617781c in zend_file_cache_unserialize_hash (ht=0x8605f6803041, 
    script=0x7ffff6803040, buf=0x7ffff6803040, 
    func=0x7ffff61775f0 <zend_file_cache_unserialize_class_constant>, dtor=0x0)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:850
#5  0x00007ffff6177ce3 in zend_file_cache_unserialize_class (
    zv=<optimized out>, script=0x7ffff6803040, buf=0x7ffff6803040)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:1134
#6  0x00007ffff617781c in zend_file_cache_unserialize_hash (ht=0x8605f6803041, 
    script=0x7ffff6803040, buf=0x7ffff6803040, 
    func=0x7ffff6177be0 <zend_file_cache_unserialize_class>, dtor=0x0)
    at /home/vm/php-src/ext/opcache/zend_file_cache.c:850
 [2016-01-24 07:15 UTC] laruence@php.net
-Assigned To:
+Assigned To: laruence
 [2016-01-24 11:57 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d74cc3afcf4a3df3eb123546d471b2a58bbfc4d2
Log: Fixed Bug #71435 (Reproducible crash using opcache.file_cache_only=1 and class constant)
 [2016-01-24 11:57 UTC] laruence@php.net
-Status: Assigned
+Status: Closed
 [2016-04-18 09:29 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d74cc3afcf4a3df3eb123546d471b2a58bbfc4d2
Log: Fixed Bug #71435 (Reproducible crash using opcache.file_cache_only=1 and class constant)
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d74cc3afcf4a3df3eb123546d471b2a58bbfc4d2
Log: Fixed Bug #71435 (Reproducible crash using opcache.file_cache_only=1 and class constant)
 
Last updated: Thu Mar 28 09:01:26 2024 UTC