Bug #78230 Incorrect type check optimization
Submitted: 2019-06-28 18:56 UTC Modified: 2019-07-03 08:02 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ASchmidt at Anamera dot net Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.3.7RC3 OS: Win x64
Private report: No CVE-ID: None
 [2019-06-28 18:56 UTC] ASchmidt at Anamera dot net
Problem reproducible on fresh, "out-of-the-box" WordPress 4.9.10, with only "Max Mega Menu" plugin installed.

Crash will occur the moment the site's home page is requested (as long as the menu is handled by "Max Mega Menu"), but will not occur for other pages and/or non-WP pages.

Problem can be temporarily circumvented by either:

opcache.enable = 0

or by disabling the plug-in.        

Test script:
Unfortunately, there is insufficient information for me to pinpoint the particular code sequence in the plug-in that causes OPcache to misbehave.

But I confirmed the consistent nature of the problem by setting up a fresh site from scratch.


 [2019-07-02 20:01 UTC] ASchmidt at Anamera dot net
I have spent days trying to pinpoint this better. It's triggered if an "is_array()" is used against a variable, if that variable was assigned from a function parameter that is an object property holding an array, and if in the assignment an explicit coercion to an array was performed:

  $thevar = (array) $functionparm->property; // property IS an array
  is_array( $thevar );   // will crash OPcache later in the code path.

It will NOT fail for:
a) is_array( $functionparm->property )  … or
b) is_array( (array) $functionparm->property ) … or
c) if the (array) coercion is omitted: $thevar = $functionparm->property

It will NOT crash AT THE TIME of the "is_array()", but it will crash later, if the code is allowed to proceed from there.

For reference, here is the actual code snippet with various var_dumps added to see what works, and what does not:

static $mypass = 0;
function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0 ) {
	var_dump( self::$mypass, $item->classes );
	var_dump( is_array( $item->classes ) );
	var_dump( is_array( (array) $item->classes ) );
	$myvar1 = $item->classes;
	$myvar2 = (array) $item->classes;
	var_dump( is_array( $myvar1 ) );
	if ( 0 == self::$mypass++ ) {			// It doesn't matter, if the "is_array" only executes once.
		var_dump( is_array( $myvar2 ) );	// This will trigger the crash LATER in the code.
//		die( 'x');							// It will NOT crash, if the code stops here.
 [2019-07-02 20:04 UTC] ASchmidt at Anamera dot net
PS: the size of the array is small, only a handful of short strings:

array (size=6)
  0 => string '' (length=0)
  1 => string 'menu-item' (length=9)
  2 => string 'menu-item-type-taxonomy' (length=23)
  3 => string 'menu-item-object-category' (length=25)
  4 => string 'align-bottom-left' (length=17)
  5 => string 'menu-flyout' (length=11)
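
The pattern described in the two comments above, written as a standalone regression check. This is an added example, not code from the report, the plug-in, or the PHP project. The function names and the stdClass stand-in are hypothetical, the array values are copied from the dump above, and the script has not been confirmed to reproduce the crash on an affected build.

```php
<?php
// Run with OPcache active on the CLI, for example:
//   php -d opcache.enable_cli=1 check_78230.php   (file name is a placeholder)

// Constructed stand-in for the menu item; values taken from the reporter's dump.
function make_item(): stdClass {
    $item = new stdClass();
    $item->classes = ['', 'menu-item', 'menu-item-type-taxonomy',
                      'menu-item-object-category', 'align-bottom-left', 'menu-flyout'];
    return $item;
}

// Pattern the reporter identifies: coerce the property, then type-check the copy.
function coerced_copy_check(stdClass $item): array {
    $thevar = (array) $item->classes;
    $isArray = is_array($thevar);
    // The report says the failure appears later, so keep using $thevar afterwards.
    $joined = implode(' ', $thevar);
    return [$isArray, count($thevar), $joined];
}

// Variants a), b) and c) that the reporter says do not fail.
function safe_variants(stdClass $item): array {
    $plain = $item->classes;
    return [
        is_array($item->classes),
        is_array((array) $item->classes),
        is_array($plain),
    ];
}

$item = make_item();
$expectedJoined = implode(' ', $item->classes);
$failures = 0;
for ($pass = 0; $pass < 3; $pass++) {
    [$isArray, $count, $joined] = coerced_copy_check($item);
    if ($isArray !== true || $count !== 6 || $joined !== $expectedJoined) {
        $failures++;
    }
    if (in_array(false, safe_variants($item), true)) {
        $failures++;
    }
}
$status = function_exists('opcache_get_status') ? opcache_get_status(false) : false;
$active = ($status && !empty($status['opcache_enabled'])) ? 'yes' : 'no';
printf("opcache active: %s, failures: %d\n", $active, $failures);
exit($failures === 0 ? 0 : 1);
```

A non-zero exit status, including one caused by the interpreter crashing before the summary line is printed, marks the build as suspect; compare against a run with opcache.enable_cli=0.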
 [2019-07-02 21:06 UTC]
Could you please provide the full source code of the relevant file? (To if not public.) This sounds like an optimization bug.
 [2019-07-02 21:30 UTC] ASchmidt at Anamera dot net
Not sure if I had made that clear enough: the crash occurs in a plug-in of the WordPress CMS. So, it's not just a simple single PHP file.
Here is the link to the plug-in (there is the download link):
The particular code section is in "walker.class.php".

Also I have created an "out of the box" WordPress debug site, with that plug-in loaded, to which I can supply FTP access if that would be helpful at all.
 [2019-07-03 08:00 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-07-03 08:00 UTC]

#230.T15 [bool] = TYPE_CHECK (array) #47.CV7($classes) [array of [any, ref]]


FREE #47.CV7($classes) [array of [any, ref]]
 [2019-07-03 08:02 UTC]
-Summary: c0000005 in PHP7.dll, Offset 0000000000007a05 +Summary: Incorrect type check optimization
 [2019-07-03 08:22 UTC]
Automatic comment on behalf of
Log: Fixed bug #78230
 [2019-07-03 08:22 UTC]
-Status: Assigned +Status: Closed
 [2019-07-03 10:50 UTC]
Automatic comment on behalf of
Log: Fixed bug #78230