Bug #73668 "SIGFPE Arithmetic exception" in opcache when divide by minus 1
Submitted: 2016-12-06 12:44 UTC Modified: 2016-12-06 21:28 UTC
From: richardh at channelgrabber dot com Assigned: nikic
Status: Closed Package: opcache
PHP Version: 7.1.0 OS: Ubuntu 14.04.1 LTS
Private report: No CVE-ID:
 [2016-12-06 12:44 UTC] richardh at channelgrabber dot com
Description:
------------
We recently switched to PHP 7.1.0 and noticed that when https://github.com/Setasign/FPDF/blob/master/fpdf.php was included it caused PHP to exit with SIGFPE.

We installed the debug symbols and ran it through GDB a few times, reducing the issue down to lines 901 and 902 (https://github.com/Setasign/FPDF/blob/master/fpdf.php#L901).

From this we created the reduced test case attached below.

The backtrace from the error is:
#0  0x00007ffff5b069a7 in zend_inference_calc_range (op_array=op_array@entry=0x7ffff6075008, ssa=ssa@entry=0x7ffff6097028, var=var@entry=1, 
    widening=widening@entry=0, narrowing=narrowing@entry=1, tmp=tmp@entry=0x7fffffffa7f0)
    at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/Optimizer/zend_inference.c:727
#1  0x00007ffff5b0c21f in zend_infer_ranges (op_array=op_array@entry=0x7ffff6075008, ssa=ssa@entry=0x7ffff6097028)
    at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/Optimizer/zend_inference.c:1954
#2  0x00007ffff5b133f3 in zend_ssa_inference (arena=arena@entry=0x7fffffffa960, op_array=op_array@entry=0x7ffff6075008, script=0x7ffff6075000, 
    ssa=ssa@entry=0x7ffff6097028) at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/Optimizer/zend_inference.c:4181
#3  0x00007ffff5afb7f7 in zend_dfa_analyze_op_array (op_array=0x7ffff6075008, ctx=ctx@entry=0x7fffffffa960, ssa=0x7ffff6097028, flags=0x7ffff6097024)
    at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/Optimizer/dfa_pass.c:106
#4  0x00007ffff5aef7e7 in zend_optimize_script (script=script@entry=0x7ffff6075000, optimization_level=2147467263, debug_level=0)
    at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/Optimizer/zend_optimizer.c:967
#5  0x00007ffff5adf1c4 in cache_script_in_shared_memory (from_shared_memory=<synthetic pointer>, key_length=22, 
    key=0x7ffff5d2e6cc <accel_globals+556> "test.php:223344:223384", new_persistent_script=0x7ffff6075000)
    at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/ZendAccelerator.c:1271
#6  persistent_compile_file (file_handle=<optimized out>, type=8) at /build/php7.1-kMIlXM/php7.1-7.1.0/ext/opcache/ZendAccelerator.c:1863
#7  0x00007ffff589ff9d in xdebug_compile_file (file_handle=<optimized out>, type=<optimized out>) at /build/xdebug-_hXbf9/xdebug-2.5.0/build-7.1/xdebug.c:2153
#8  0x00005555557b469d in zend_execute_scripts ()
#9  0x0000555555754b18 in php_execute_script ()
#10 0x000055555584e1c9 in ?? ()
#11 0x000055555563d92f in main ()


Test script:
---------------
<?php
$a/-1;



 [2016-12-06 21:26 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=76c4a3db080e347663a3999ae38b78cf26dd4c84
Log: Fix bug #73668
 [2016-12-06 21:26 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2016-12-06 21:28 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2016-12-06 21:28 UTC] nikic@php.net
That must be a record length reproduce script...
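
The backtrace in the report stops inside the optimizer's range inference while it handles a division by -1. As an added example (not php-src code and not the committed fix), this C sketch shows the usual guards for interval division, assuming the trap is the `LONG_MIN / -1` case; `range_t` and `range_div` are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical interval: every possible value of an operand lies in [min, max]. */
typedef struct { long min, max; } range_t;

static long min4(long a, long b, long c, long d)
{
    long m = a < b ? a : b, n = c < d ? c : d;
    return m < n ? m : n;
}

static long max4(long a, long b, long c, long d)
{
    long m = a > b ? a : b, n = c > d ? c : d;
    return m > n ? m : n;
}

/* Range of a / b. Returns 1 and fills *out, or 0 when the analysis has to
 * give up and treat the result as unknown. */
int range_div(range_t a, range_t b, range_t *out)
{
    /* Divisor interval contains 0: the quotient may not exist. */
    if (b.min <= 0 && b.max >= 0)
        return 0;
    /* LONG_MIN / -1 is not representable: undefined behaviour in C, and the
     * x86 idiv instruction traps, which the kernel delivers as SIGFPE.
     * With 0 excluded above, b.max == -1 covers every divisor range that
     * includes -1. */
    if (a.min == LONG_MIN && b.max == -1)
        return 0;
    long q1 = a.min / b.min, q2 = a.min / b.max;
    long q3 = a.max / b.min, q4 = a.max / b.max;
    out->min = min4(q1, q2, q3, q4);
    out->max = max4(q1, q2, q3, q4);
    return 1;
}

int main(void)
{
    /* Constructed input: dividend of unknown value, divisor exactly -1. */
    range_t unknown = { LONG_MIN, LONG_MAX }, minus_one = { -1, -1 }, r;
    if (!range_div(unknown, minus_one, &r))
        puts("unknown / -1: no range inferred, no division executed");
    if (range_div((range_t){ -10, 20 }, (range_t){ 2, 5 }, &r))
        printf("[-10,20] / [2,5] = [%ld,%ld]\n", r.min, r.max);
    return 0;
}
```

Because the guard runs at analysis time, the compiler process itself never executes the trapping division, whatever the script being optimized contains.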
 