Bug #73654 Segmentation fault in zend_call_function
Submitted: 2016-12-05 13:58 UTC Modified: 2016-12-05 18:20 UTC
From: tom60 at op dot pl Assigned:
Status: Closed Package: opcache
PHP Version: 7.1.0 OS: Debian Jessie 64 bit
Private report: No CVE-ID:
 [2016-12-05 13:58 UTC] tom60 at op dot pl
Description:
------------
After upgrading from PHP 7.0.13 to PHP 7.1.0, we started seeing the following segmentation fault.

Actual result:
--------------
Reading symbols from /opt/apache2/sbin/apache2...done.
[New LWP 6800]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/opt/apache2/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
429                     ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) bt
#0  execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#1  0x00007f76565752f7 in zend_call_function (fci=0x7f7650813700, fci@entry=0x7fff1ea11720, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea116f0)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#2  0x00007f76565a0e80 in zend_call_method (object=object@entry=0x7f7650813100, obj_ce=<optimized out>, obj_ce@entry=0x7f763d1c7e40, fn_proxy=fn_proxy@entry=0x7f763d1c7f70, 
    function_name=function_name@entry=0x7f7656b60f61 "__tostring", function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fff1ea117c0, param_count=0, 
    arg1=0x0, arg2=0x0) at /src/php-7.1.0/Zend/zend_interfaces.c:101
#3  0x00007f76565bbadd in zend_std_cast_object_tostring (readobj=0x7f7650813100, writeobj=0x7fff1ea11820, type=<optimized out>)
    at /src/php-7.1.0/Zend/zend_object_handlers.c:1631
#4  0x00007f7656585d84 in zend_parse_arg_str_weak (arg=arg@entry=0x7f7650813100, dest=dest@entry=0x7fff1ea11868)
    at /src/php-7.1.0/Zend/zend_API.c:457
#5  0x00007f76565daf9d in zend_verify_weak_scalar_type_hint (arg=0x7f7650813100, type_hint=<optimized out>) at /src/php-7.1.0/Zend/zend_execute.c:782
#6  zend_verify_scalar_type_hint (type_hint=<optimized out>, arg=arg@entry=0x7f7650813100, strict=<optimized out>)
    at /src/php-7.1.0/Zend/zend_execute.c:803
#7  0x00007f76565db223 in zend_check_type (is_return_type=1 '\001', default_value=0x0, cache_slot=<optimized out>, ce=<synthetic pointer>, arg=0x7f7650813100, 
    arg_info=<optimized out>, zf=0x7f763d451c38) at /src/php-7.1.0/Zend/zend_execute.c:936
#8  zend_verify_return_type (cache_slot=<optimized out>, ret=0x7f7650813100, zf=0x7f763d451c38) at /src/php-7.1.0/Zend/zend_execute.c:1063
#9  ZEND_VERIFY_RETURN_TYPE_SPEC_VAR_UNUSED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:21869
#10 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#11 0x00007f76565752f7 in zend_call_function (fci=0x7f7650813050, fci@entry=0x7fff1ea11a20, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea119f0)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#12 0x00007f765648bb3f in zif_call_user_func (execute_data=<optimized out>, return_value=0x7f76508118e0)
    at /src/php-7.1.0/ext/standard/basic_functions.c:4825
#13 0x00007f7656622932 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:876
#14 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#15 0x00007f76565752f7 in zend_call_function (fci=0x7f7650811860, fci@entry=0x7fff1ea11c30, fci_cache=<optimized out>, fci_cache@entry=0x7fff1ea11c00)
    at /src/php-7.1.0/Zend/zend_execute_API.c:828
#16 0x00007f765648bb3f in zif_call_user_func (execute_data=<optimized out>, return_value=0x7f7650811680)
    at /src/php-7.1.0/ext/standard/basic_functions.c:4825
#17 0x00007f7656622932 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /src/php-7.1.0/Zend/zend_vm_execute.h:876
#18 0x00007f76565ca78b in execute_ex (ex=<optimized out>) at /src/php-7.1.0/Zend/zend_vm_execute.h:429
#19 0x00007f76566257b0 in zend_execute (op_array=0x7f7650868000, op_array@entry=0x7f7641a815a0, return_value=return_value@entry=0x7f76508115e0)
    at /src/php-7.1.0/Zend/zend_vm_execute.h:474
#20 0x00007f7656583f14 in zend_execute_scripts (type=type@entry=8, retval=0x7f76508115e0, retval@entry=0x0, file_count=file_count@entry=3)
    at /src/php-7.1.0/Zend/zend.c:1474
#21 0x00007f76565245c0 in php_execute_script (primary_file=primary_file@entry=0x7fff1ea14110) at /src/php-7.1.0/main/main.c:2533
#22 0x00007f765662761a in php_handler (r=<optimized out>) at /src/php-7.1.0/sapi/apache2handler/sapi_apache2.c:712
#23 0x000055875f79e2f0 in ap_run_handler (r=r@entry=0x558761288f98) at config.c:170
#24 0x000055875f79e839 in ap_invoke_handler (r=r@entry=0x558761288f98) at config.c:434
#25 0x000055875f7be79c in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:730
#26 0x000055875f816f92 in handler_redirect (r=0x558761297370) at mod_rewrite.c:5184
#27 0x000055875f79e2f0 in ap_run_handler (r=r@entry=0x558761297370) at config.c:170
#28 0x000055875f79e839 in ap_invoke_handler (r=0x558761297370) at config.c:434
#29 0x000055875f7bf502 in ap_process_async_request (r=0x558761297370) at http_request.c:410
#30 0x000055875f7bf6a0 in ap_process_request (r=0x558761297370) at http_request.c:445
#31 0x000055875f7bb7f5 in ap_process_http_sync_connection (c=0x55876122dc10) at http_core.c:210
#32 ap_process_http_connection (c=0x55876122dc10) at http_core.c:251
#33 0x000055875f7a7b20 in ap_run_process_connection (c=0x55876122dc10) at connection.c:42
#34 0x000055875f81eda2 in child_main (child_num_arg=0, child_bucket=513885488) at prefork.c:723
#35 0x000055875f81f020 in make_child (s=0x558760ec41b0, slot=2, bucket=0) at prefork.c:824
#36 0x000055875f81fe75 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:932
#37 prefork_run (_pconf=0x0, plog=0x7fff1ea14604, s=0x7fff1ea145e0) at prefork.c:1128
#38 0x000055875f782cce in ap_run_mpm (pconf=0x558760e91138, plog=0x558760eccb38, s=0x558760ec41b0) at mpm_common.c:94
#39 0x000055875f77bfd8 in main (argc=3, argv=0x7fff1ea148b8) at main.c:783

History

 [2016-12-05 15:22 UTC] tom60 at op dot pl
-Summary: Segmentation fault in ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_A +Summary: Segmentation fault in zend_call_function
 [2016-12-05 15:22 UTC] tom60 at op dot pl
Snippet of code causing the issue:

<?php
// Prints "xyz": xyz() is declared below, but PHP hoists unconditional
// top-level function declarations, so the call resolves.
echo xyz();

// Declared string return type: the compiler emits a VERIFY_RETURN_TYPE
// opcode for the return, which is the opcode named in the backtrace.
function x () : string {
    return 'x';
}

// Same return type check, applied to a concatenation whose left operand
// is the result of calling x().
function xyz() : string {
    return x().'yz';
}
die();
 [2016-12-05 17:58 UTC] nikic@php.net
This is an optimization bug in opcache. We're not handling op replacement for VERIFY_RETURN_TYPE correctly.
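Because the diagnosis above points at the opcache optimizer rather than the engine itself, the first thing to confirm on an affected host is that the crash disappears when opcache, or just its optimizer, is switched off. The following triage script is an added example and is not part of the bug report or of php-src. It writes a copy of the reporter's snippet to a temporary file and runs it under three configurations (opcache off, opcache on, opcache on with `opcache.optimization_level=0`), reporting whether each run exited cleanly or died with a signal. It assumes a CLI `php` binary is on `PATH` (or is passed as the first argument); whether the CLI reproduces a crash first seen under mod_php is an assumption to verify on the host in question.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report: run a reproducer under
# three opcache configurations and report how each run ended, so a crash
# that only appears with the optimizer enabled can be attributed to opcache
# rather than to the core VM. Assumes a CLI php binary (assumption).

# php -d flags for a named configuration. Kept pure (no php invocation) so
# the configurations can be inspected independently.
opcache_flags() {
  case "$1" in
    off)          printf '%s' '-d opcache.enable_cli=0' ;;
    on)           printf '%s' '-d opcache.enable_cli=1 -d opcache.enable=1' ;;
    no-optimizer) printf '%s' '-d opcache.enable_cli=1 -d opcache.enable=1 -d opcache.optimization_level=0' ;;
    *)            return 1 ;;
  esac
}

# Translate a shell exit status into a label. A child killed by a signal
# reports 128 + signal number; SIGSEGV is 11, hence 139.
classify_status() {
  if [ "$1" -eq 0 ]; then
    echo ok
  elif [ "$1" -eq 139 ]; then
    echo segfault
  elif [ "$1" -gt 128 ]; then
    echo "signal $(( $1 - 128 ))"
  else
    echo "exit $1"
  fi
}

# Run one script under each configuration; print "<config> <label>" per run.
run_matrix() {
  php_bin="$1"
  script="$2"
  if ! command -v "$php_bin" >/dev/null 2>&1; then
    echo "php binary '$php_bin' not found" >&2
    return 127
  fi
  for cfg in off on no-optimizer; do
    # Flags are deliberately unquoted so they split into separate arguments.
    if "$php_bin" $(opcache_flags "$cfg") "$script" >/dev/null 2>&1; then
      status=0
    else
      status=$?
    fi
    printf '%-13s %s\n' "$cfg" "$(classify_status "$status")"
  done
}

# Write a copy of the reporter's snippet (constructed here) to a temp file
# and run it through the matrix. Optional first argument: path to php.
main() {
  tmp=$(mktemp) || return 1
  cat >"$tmp" <<'PHP'
<?php
echo xyz();
function x () : string { return 'x'; }
function xyz() : string { return x().'yz'; }
PHP
  run_matrix "${1:-php}" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

main "$@" || :
```

A result of `off ok`, `on segfault`, `no-optimizer ok` is the pattern that implicates the optimizer specifically; `on segfault` together with `no-optimizer segfault` would instead point at opcache's caching or at the engine. Run it against the exact binary the web server loads, since a distribution's CLI build may ship a different opcache configuration.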
 [2016-12-05 18:20 UTC] cmb@php.net
-Package: Reproducible crash +Package: opcache
 [2016-12-05 19:41 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b79f8f408ab090825bc15656e517746fdc43db9
Log: Fix bug #73654
 [2016-12-05 19:41 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC