Bug #76446 zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc.
Submitted: 2018-06-11 10:29 UTC
Modified: 2018-06-13 10:38 UTC
From: spam2 at rhsoft dot net
Assigned: cmb
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2018-06-11 (Git)
OS:
Private report: No
CVE-ID: None
 [2018-06-11 10:29 UTC] spam2 at rhsoft dot net
Description:
------------
our cms auto-test-suite with "make prof.gen"

* OK: cl_api->navigation_base_internal->test(0.026)
zend_mm_heap corrupted

--------------

our cms auto-test-suite with a debug build at the same place

* OK: cl_api->navigation_base_internal->test(0.183)
php: /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc.u.type_info) & (1<<6))' failed.
/rpmbuild/PHP-PGO/profile.sh: line 127: 308554 Aborted                 (core dumped) /usr/bin/valgrind --tool=memcheck --leak-check=yes --leak-check=full --log-file=$PROFILE_ROOT/logs/valgrind-cli.log $CLI_BINARY -c "$PROFILE_ROOT/php.ini" "$PROFILE_DOCROOT/cms/autotest.php"



Patches

disable-ROPE_END-dce (last revision 2018-06-12 22:27 UTC by cmb@php.net)

 [2018-06-11 10:41 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2018-06-11 10:41 UTC] nikic@php.net
Can you please generate a backtrace for the assertion failure? E.g. by running "gdb --args $CLI_BINARY ..." and then "bt" when the assertion occurs.
 [2018-06-11 10:57 UTC] spam2 at rhsoft dot net
gdb starts with a shell instead of running the stuff - sorry, but debugging C/C++ programs is not my daily business - but at least i am at a build with the debug binary and a clear reproducer without "gdb --args" in front

[builduser@testserver:/rpmbuild/SPECS]$ gdb --args /home/builduser/rpmbuild/BUILD/php-7.3.0/sapi/cli/php -c /rpmbuild/PHP-PGO/php.ini /php-pgo-docroot/cms/autotest.php
GNU gdb (GDB) Fedora 8.0.1-36.fc27
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/builduser/rpmbuild/BUILD/php-7.3.0/sapi/cli/php...done.
(gdb)
 [2018-06-11 11:02 UTC] nikic@php.net
Right, sorry. You first need to execute "run" and once it hits the assertion "bt".
 [2018-06-11 11:06 UTC] spam2 at rhsoft dot net
yeah, that works after setting "kernel.yama.ptrace_scope = 2" to "kernel.yama.ptrace_scope = 1" in sysctl.conf :-)

php: /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc.u.type_info) & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff68e2660 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install bzip2-libs-1.0.6-24.fc27.x86_64 cyrus-sasl-lib-2.1.26-34.fc27.x86_64 expat-2.2.5-1.fc27.x86_64 fontconfig-2.12.6-4.fc27.x86_64 freetype-2.8-8.fc27.x86_64 gd-2.2.5-3.fc27.x86_64 jbigkit-libs-2.1-8.fc27.x86_64 keyutils-libs-1.5.10-3.fc27.x86_64 krb5-libs-1.15.2-9.fc27.x86_64 libX11-1.6.5-4.fc27.x86_64 libXau-1.0.8-9.fc27.x86_64 libXpm-3.5.12-4.fc27.x86_64 libcom_err-1.43.5-2.fc27.x86_64 libcrypt-nss-2.26-28.fc27.x86_64 libcurl-7.55.1-12.fc27.x86_64 libgcc-7.3.1-5.fc27.x86_64 libgomp-7.3.1-5.fc27.x86_64 libicu-57.1-9.fc27.x86_64 libidn2-2.0.5-1.fc27.x86_64 libjpeg-turbo-1.5.3-1.fc27.x86_64 libnghttp2-1.31.1-1.fc27.x86_64 libpng-1.6.31-1.fc27.x86_64 libpsl-0.18.0-3.fc27.x86_64 libselinux-2.7-3.fc27.x86_64 libssh2-1.8.0-5.fc27.x86_64 libstdc++-7.3.1-5.fc27.x86_64 libtidy-5.4.0-3.fc27.x86_64 libtiff-4.0.9-10.fc27.x86_64 libunistring-0.9.10-1.fc27.x86_64 libwebp-1.0.0-1.fc27.x86_64 libxcb-1.12-5.fc27.x86_64 libxml2-2.9.7-1.fc27.x86_64 libzip-1.3.2-1.fc27.x86_64 nspr-4.19.0-1.fc27.x86_64 nss-3.37.3-1.0.fc27.x86_64 nss-softokn-freebl-3.37.3-1.0.fc27.x86_64 nss-util-3.37.3-1.0.fc27.x86_64 openldap-2.4.45-4.fc27.x86_64 openssl-libs-1.1.0h-3.fc27.x86_64 pcre2-10.31-4.fc27.x86_64 systemd-libs-234-11.git5f8984e.fc27.x86_64 xz-libs-5.2.3-4.fc27.x86_64
(gdb) bt
#0  0x00007ffff68e2660 in raise () from /lib64/libc.so.6
#1  0x00007ffff68e3c41 in abort () from /lib64/libc.so.6
#2  0x00007ffff68daf7a in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff68daff2 in __assert_fail () from /lib64/libc.so.6
#4  0x000055555588a52e in zend_string_destroy (str=0x7fffe3d08b18, __zend_filename=0x5555559ce468 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73
#5  0x000055555588a4a4 in _zval_dtor_func (p=0x7fffe3d08b18, __zend_filename=0x5555559ce468 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:67
#6  0x00005555558e8ec5 in _zval_ptr_dtor_nogc (zval_ptr=0x7ffff60206b0, __zend_filename=0x5555559ce468 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.h:40
#7  0x000055555590a8a5 in ZEND_FREE_SPEC_TMPVAR_HANDLER () at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h:12424
#8  0x00005555559605c9 in execute_ex (ex=0x7ffff6020030) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h:55857
#9  0x00005555559646d1 in zend_execute (op_array=0x7ffff607d700, return_value=0x0) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h:59895
#10 0x000055555588e3c8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend.c:1564
#11 0x00005555557fc9b0 in php_execute_script (primary_file=0x7fffffffdf10) at /home/builduser/rpmbuild/BUILD/php-7.3.0/main/main.c:2467
#12 0x0000555555967082 in do_cli (argc=4, argv=0x555555d1a100) at /home/builduser/rpmbuild/BUILD/php-7.3.0/sapi/cli/php_cli.c:1011
#13 0x000055555596803d in main (argc=4, argv=0x555555d1a100) at /home/builduser/rpmbuild/BUILD/php-7.3.0/sapi/cli/php_cli.c:1404
 [2018-06-11 13:19 UTC] nikic@php.net
Thanks for the backtrace. What is happening is that we're trying to destroy an interned string, which means that at some point we did not mark a zval as !refcounted when storing the string into it.

However, the backtrace is extremely generic, so it's hard to say where the string came from. Can you please run "f 4" followed by "p (char*)str->val" when the assertion occurs? This will print the contents of the string and may help in tracking down where it is coming from (e.g. class name, method name or similar).
 [2018-06-11 13:33 UTC] spam2 at rhsoft dot net
there are 3 code lines in the whole codebase containing "&amp;openmenu=" from the last gdb-output which are basically "use rope instead of concat"

$openstr = "&amp;openmenu={$local_row['hid']}{$addlang}";
$openstr2 = "&amp;openmenu={$openmenu}{$addlang}";
$open_part = "&amp;openmenu={$sid}{$langadd}";

Program received signal SIGABRT, Aborted.
0x00007ffff68e2660 in raise () from /lib64/libc.so.6

(gdb) f 4
#4  0x000055555588a52e in zend_string_destroy (str=0x7fffe3d08b18, __zend_filename=0x5555559ce468 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73
73              ZEND_ASSERT(!ZSTR_IS_INTERNED(str));

(gdb) p (char*)str->val
$1 = 0x7fffe3d08b30 "&amp;openmenu="
 [2018-06-11 13:48 UTC] nikic@php.net
-Status: Feedback +Status: Analyzed
 [2018-06-11 13:48 UTC] nikic@php.net
Can't say if it's *the* issue, but at least an issue is this:

<?php  
"x{$a}y";

Crashes under opcache. Reason is that the ROPE_END is optimized away as dead code, leading to a FREE on ROPE_ADD, which is illegal. I think something similar to this would also cause your case.
 [2018-06-11 20:46 UTC] spam2 at rhsoft dot net
https://git.php.net/?p=php-src.git;a=commit;h=e4e334effb9d8b6945e045fa97133f5a65d45ea6 (Remove dead code for ADD_STRING/ADD_CHAR optimization) still doesn't fix that

* OK: cl_api->navigation_base_internal->test(0.023)
zend_mm_heap corrupted

php: /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc.u.type_info) & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff68e2660 in raise () from /lib64/libc.so.6
(gdb) f 4
#4  0x000055555588a52e in zend_string_destroy (str=0x7fffe3d08b18, __zend_filename=0x5555559ce4a8 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73
73              ZEND_ASSERT(!ZSTR_IS_INTERNED(str));
(gdb) p (char*)str->val
$1 = 0x7fffe3d08b30 "&amp;openmenu="
 [2018-06-12 04:01 UTC] laruence@php.net
is it possible that you could grant me ssh access to your box to debug it? (via mail)

that will be very helpful :)
 [2018-06-12 06:35 UTC] spam2 at rhsoft dot net
sorry, no, way too much stuff on the machine and i also don't see a way to isolate the affected code for now but that's something i will try sooner or later (currently on vacation and made the mistake "hey let's look if our codebase triggers any php-warning with the current master")
 [2018-06-12 06:53 UTC] nikic@php.net
@rhsoft: That commit was just some drive-by cleanup, it wasn't supposed to fix anything :)

I think we should first fix the DCE issue and see if it also resolves your problem. If not we'll have to debug further...
 [2018-06-12 06:59 UTC] spam2 at rhsoft dot net
https://access.thelounge.net/harry/bug76446_php.txt is the affected function which is basically the navigation on the left at https://www.rhsoft.net/

probably you are faster to create a way smaller and database independent reproducer with the internals of the zendengine in mind, basically the lines with "&amp;openmenu" seem to be the trigger for whatever reason given that i work that way on thousands of other places
 [2018-06-12 07:07 UTC] nikic@php.net
@rhsoft: Thanks. From that code it seems pretty clear that this is really the DCE bug mentioned above. The variable $openstr2 = "&amp;openmenu={$openmenu}{$addlang}"; is not used anywhere, so it will be DCEd together with the rope expression.
 [2018-06-12 10:51 UTC] laruence@php.net
as nikic said. a short reproducible script is:

<?php
function test()
{
    $addlang = '';
    $openstr2 = "&amp;openmenu={$openmenu}{$addlang} \"";
}

test('1');
 [2018-06-12 11:41 UTC] spam2 at rhsoft dot net
$openstr2 = "&amp;openmenu={$openmenu}{$addlang}"; is not used anywhere, so it will be DCEd together with the rope

hell, yeah, that line is obsolete, now the testsuite crashes in a different file 

can we have a php.ini option to trigger warnings in error_log when DCE steps in but without crashes :-) 

seriously
 [2018-06-12 11:45 UTC] spam2 at rhsoft dot net
in the current case there are additional outputs which maybe are helpful for you guys 

In function cl_podcast_eintraege::edit (before dfa):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type

In function cl_podcast_eintraege::edit (after sccp):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type

In function cl_podcast_eintraege::edit (after calls):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type

In function cl_podcast_eintraege::edit (after dce):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type

In function cl_podcast_eintraege::edit (after dfa):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type
php: /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc.u.type_info) & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff68e2660 in raise () from /lib64/libc.so.6

(gdb) f 4
#4  0x000055555588a52e in zend_string_destroy (str=0x7fffe3c7e6e0, __zend_filename=0x5555559ce4a8 "/home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_vm_execute.h",
    __zend_lineno=12424) at /home/builduser/rpmbuild/BUILD/php-7.3.0/Zend/zend_variables.c:73
73              ZEND_ASSERT(!ZSTR_IS_INTERNED(str));

(gdb) p (char*)str->val
$1 = 0x7fffe3c7e6f8 "http://localhost"
 [2018-06-12 11:53 UTC] spam2 at rhsoft dot net
- $old_data = isset($old_data) ? (array)$old_data : [];
+ $old_data = [];

is silencing these:

In function cl_podcast_eintraege::edit (before dfa):
var 11 (TMP) has array key type but not value type
var 12 (TMP) has array key type but not value type
var 14 (TMP) has array key type but not value type
var 15 (CV $old_data) has array key type but not value type
 [2018-06-12 12:57 UTC] laruence@php.net
this one has been fixed https://bugs.php.net/bug.php?id=76463

about the original problem, a simple fix is to make ROPE_END a side-effect instruction, however I am still thinking maybe we should remove the whole ROPE_INIT/ADD/END altogether
 [2018-06-12 13:08 UTC] spam2 at rhsoft dot net
BTW: would it be possible to extend the "zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc" at least with the path to the script/include and if possible method/function/line

strace, gdb, valgrind - no chance to find out where it is triggered and besides the bug i would like to remove the dead code anyways
 [2018-06-12 20:19 UTC] nikic@php.net
> about the original problem, a simple fix is to make ROPE_END a side-effect instruction, however I am still thinking maybe we should remove the whole ROPE_INIT/ADD/END altogether

We already do that if we can. However, in this case we are not able to prove that the ROPE_ADD will not generate an error (e.g. array to string conversion warning). As such, in this case we can only determine that the ROPE_END is dead, but not the ROPE_ADD.

Our options are to either a) just don't DCE ropes, b) only DCE them if they are dead in their entirety, or c) DCE as much dead suffix as we can, but making sure to terminate with ROPE_END+FREE if the rope does not become empty through this.

I think for now we should just mark ROPE_END as having side-effects with a FIXME that this may be improved.
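
The failure mode described in the comment above, as an added example (a constructed toy model in C, not code from php-src): a simplified dead-code pass over the rope sequence for an unused `$openstr2 = "...{$openmenu}{$addlang}"`, showing how removing only ROPE_END leaves a FREE on the ROPE_ADD temporary and how treating ROPE_END as side-effecting avoids it. The `struct op` layout, the temporary numbering and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy straight-line IR. Opcode names follow the thread; the layout is constructed. */
enum opcode { NOP, ROPE_INIT, ROPE_ADD, ROPE_END, ASSIGN, FREE };

struct op {
    enum opcode code;
    int op1;        /* temporary consumed, -1 if none */
    int result;     /* temporary produced, -1 if none */
    bool may_throw; /* e.g. an array to string conversion warning */
};

#define N_OPS 4

static bool side_effect(const struct op *o, bool rope_end_side_effect)
{
    if (o->code == FREE || o->may_throw) return true;
    return o->code == ROPE_END && rope_end_side_effect;
}

/* Index of the instruction that defines temporary tmp, or -1. */
static int producer(const struct op *ops, int tmp)
{
    for (int i = 0; tmp >= 0 && i < N_OPS; i++)
        if (ops[i].result == tmp) return i;
    return -1;
}

/* Simplified DCE: an instruction is dead when it has no side effects and every
 * consumer of its result is dead. A dead instruction whose operand comes from
 * a live instruction is rewritten to FREE that operand, otherwise to NOP. */
static void dce(struct op *ops, bool rope_end_side_effect)
{
    bool dead[N_OPS];
    for (int i = N_OPS - 1; i >= 0; i--) {
        bool used = false;
        for (int j = i + 1; j < N_OPS; j++)
            if (ops[i].result >= 0 && ops[j].op1 == ops[i].result && !dead[j])
                used = true;
        dead[i] = !used && !side_effect(&ops[i], rope_end_side_effect);
    }
    for (int i = 0; i < N_OPS; i++) {
        if (!dead[i]) continue;
        int p = producer(ops, ops[i].op1);
        if (p >= 0 && !dead[p]) {   /* operand is still live: release it */
            ops[i].code = FREE;
            ops[i].result = -1;
        } else {
            ops[i] = (struct op){ NOP, -1, -1, false };
        }
    }
}

/* A rope temporary may only be consumed by ROPE_ADD or ROPE_END; count FREEs on one. */
static int illegal_rope_frees(const struct op *ops)
{
    int bad = 0;
    for (int i = 0; i < N_OPS; i++) {
        int p = ops[i].code == FREE ? producer(ops, ops[i].op1) : -1;
        if (p >= 0 && (ops[p].code == ROPE_INIT || ops[p].code == ROPE_ADD)) bad++;
    }
    return bad;
}

/* Constructed sequence: T0 = ROPE_INIT; T1 = ROPE_ADD T0; T2 = ROPE_END T1;
 * T3 = ASSIGN T2 (to a variable that is never read). */
static int run_case(bool add_may_throw, bool rope_end_side_effect, struct op *out)
{
    struct op ops[N_OPS] = {
        { ROPE_INIT, -1, 0, false },
        { ROPE_ADD,   0, 1, add_may_throw },
        { ROPE_END,   1, 2, false },
        { ASSIGN,     2, 3, false },
    };
    dce(ops, rope_end_side_effect);
    if (out) memcpy(out, ops, sizeof ops);
    return illegal_rope_frees(ops);
}

int main(void)
{
    printf("ROPE_END removable:      %d illegal FREE\n", run_case(true, false, NULL));
    printf("ROPE_END side-effecting: %d illegal FREE\n", run_case(true, true, NULL));
    printf("whole rope provably dead: %d illegal FREE\n", run_case(false, false, NULL));
    return 0;
}
```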
 [2018-06-12 21:39 UTC] cmb@php.net
> I think for now we should just mark ROPE_END as having
> side-effects with a FIXME that this may be improved.

I'd very much appreciate to have *some* fix for this nasty *abort*
in 7.3.0alpha2, if possible; otherwise we might hamper further
testing of other stuff.  Your suggestion seems to be rather
innocuous – to my knowledge, it would just mean to move a single
line, and to lose a somewhat rare and minor optimization.
 [2018-06-12 21:47 UTC] spam2 at rhsoft dot net
whatever optimization it was - it's not worth the trouble - frankly half of my codebase segfaults without the slightest chance to make any workarounds because it segfaults long before any code is executed and so even trigger_error(__FILE__ . ' ' . __LINE__) spread around source files doesn't help because it never gets executed

"just mark ROPE_END as having side-effects with a FIXME that this may be improved" don't help anybody - i can't even build a binary because as long as the test-suite crashes the rpmbuild is stopped for good reasons and all my gdb-stuff was with the intermediate binary after the build crashed
 [2018-06-12 22:27 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: disable-ROPE_END-dce
Revision:   1528842426
URL:        https://bugs.php.net/patch-display.php?bug=76446&patch=disable-ROPE_END-dce&revision=1528842426
 [2018-06-12 22:27 UTC] cmb@php.net
> "just mark ROPE_END as having side-effects with a FIXME that
> this may be improved" don't help anybody […]

Please try “disable-ROPE_END-dce.patch”.
 [2018-06-13 07:09 UTC] laruence@php.net
> However, in this case we are not able to prove that the ROPE_ADD will not generate an error (e.g. array to string conversion warning).

this is checked in may_throw, I think making ROPE_END have a side-effect is a safe way for 7.3, we could seek a more aggressive way for 7.4

I am going to commit the fix, thanks
 [2018-06-13 07:17 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=609385bbf8fc82f334778bdfef5e16b7a3bd72c6
Log: Fixed bug #76446 (zend_variables.c:73: zend_string_destroy: Assertion `!(zval_gc_flags((str)->gc)).
 [2018-06-13 07:17 UTC] laruence@php.net
-Status: Analyzed +Status: Closed
 [2018-06-13 09:02 UTC] spam2 at rhsoft dot net
this one is indeed fixed now but opcache obviously still has terrible problems given that with opcache disabled the complete testsuite runs without any warning

hell, how can that lead to Duplicate column name 'pal_field1'

 /**
  * Recreate the target table
  *
  * @param  bool $only_if_not_exists
  * @param  bool $tmp
  * @return void
  * @access private
 */
 private function create_clear_table($only_if_not_exists=false, $tmp=false): void
 {
  /** If specified, abort if the table exists */
  if($only_if_not_exists)
  {
   if($this->cl_api->db->table_exists($this->get_table_name($tmp)))
   {
    return;
   }
  }
  /** Generate the data field array */
  $field_array =
  [
   ['name'=>'pal_id'],
   ['name'=>'pal_kat', 'type'=>'varchar', 'length'=>255, 'unsigned'=>1]
  ];
  for($i=1; $i<=$this->maxfield; $i++)
  {
   if($i == 4 || $i == 6 || $i == 12 || $i == 13)
   {
    $type = 'text';
   }
   else
   {
    $type = 'varchar';
   }
   $field_array[] = ['name'=>"pal_field{$i}", 'type'=>$type, 'length'=>255, 'unsigned'=>1];
  }
  $field_array[] = ['name'=>'pal_checksum',  'type'=>'varchar', 'length'=>255, 'unsigned'=>1];
  $field_array[] = ['name'=>'pal_timestamp', 'type'=>'int',     'length'=>10,  'unsigned'=>1];
  /** Create the table and, if it already exists, drop it beforehand */
  $this->cl_api->db->create_table
  (
   /**$name*/$this->get_table_name($tmp),
   /**$field_array*/$field_array,
   /**$key_array*/
   [
    'pal_key'      => ['type'=>'key',      'fields'=>['pal_kat']],
    'pal_fulltext' => ['type'=>'fulltext', 'fields'=>['pal_field2', 'pal_field3', 'pal_field4', 'pal_field5', 'pal_field6', 'pal_field12']],
    'import_key'   => ['type'=>'unique',   'fields'=>[$this->artikel_nr_field, 'pal_checksum']],
   ],
   /**$drop_if_exists*/1
  );
 }

DATABASE-ERROR 1060: localhost/autotest.php - /cms/cms/modules/pal/api_pal.php line 567 (parent call: /cms/cms/modules/pal/api_pal.php on line 645): create table `cl_autotest_pal_zsp_stock_tmp` (`pal_id` mediumint(7) unsigned not null auto_increment, `pal_kat` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not null default '', `pal_field1` varchar(255) not n - Duplicate column name 'pal_field1' - 127.0.0.1
 [2018-06-13 10:38 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-06-13 10:38 UTC] cmb@php.net
> this one is indeed fixed now but opcache obviously still has
> terrible problems given that with opcache disabled the complete
> testsuite runs without any warning

Thanks for reporting!  Since this is apparently another issue,
though, I've filed it as bug #76466.
 [2018-06-13 10:48 UTC] spam2 at rhsoft dot net
thank you for the additional report, i had no idea for a proper subject :-)

guys if you want a specific tarball from https://git.php.net/?p=php-src.git tested just ping me, i typically download the tar.gz, unpack it, rename it to "php-7.3.0" and put the new tar.xz in rpmbuild/SOURCES - the whole autotest-suite as well as spidering a full-featured demo cms is part of my rpm-build-process because of profile-guided-optimization
 
Last updated: Thu Dec 13 23:01:24 2018 UTC