Bug #78230 Incorrect type check optimization
Submitted: 2019-06-28 18:56 UTC Modified: 2019-07-03 08:02 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: ASchmidt at Anamera dot net Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.3.7RC3 OS: Win x64
Private report: No CVE-ID: None
 [2019-06-28 18:56 UTC] ASchmidt at Anamera dot net
Description:
------------
Problem reproducible on fresh, "out-of-the-box" WordPress 4.9.10, with only "Max Mega Menu" plugin installed.

Crash will occur the moment site's home page is requested (as long as the menu is handled by "Max Mega Menu"), but will not occur for other pages and/or non-WP pages.

Problem can be temporarily circumvented by either:

opcache.enable = 0

or by disabling the plug-in.

Test script:
---------------
Unfortunately, there is insufficient information for me to pinpoint the particular code sequence in the plug-in that causes OPcache to misbehave.

But I confirmed the consistent nature of the problem by setting up a fresh site from scratch.

History

 [2019-07-02 20:01 UTC] ASchmidt at Anamera dot net
I have spent days trying to pinpoint this better. It's triggered if an "is_array()" is used against a variable, if that variable was assigned from a function parameter that is an object property holding an array, and if in the assignment an explicit coercion to an array was performed:

  $thevar = (array) $functionparm->property; // property IS an array
  is_array( $thevar );   // will crash OPcache later in the code path.

It will NOT fail for:
a) is_array( $functionparm->property )  … or
b) is_array( (array) $functionparm->property ) … or
c) if the (array) coercion is omitted: $thevar = $functionparm->property

It will NOT crash AT THE TIME of the "is_array()", but it will crash later, if the code is allowed to proceed from there.


For reference, here is the actual code snippet with various var_dumps added to see what works, and what does not:


class Mega_Menu_Walker_Debug {    // enclosing class assumed; the snippet is from the plug-in's walker.class.php
    static $mypass = 0;

    function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0 ) {
        var_dump( self::$mypass, $item->classes );
        var_dump( is_array( $item->classes ) );
        var_dump( is_array( (array) $item->classes ) );
        $myvar1 = $item->classes;
        $myvar2 = (array) $item->classes;
        var_dump( is_array( $myvar1 ) );
        if ( 0 == self::$mypass++ ) {       // It doesn't matter if the "is_array" only executes once.
            var_dump( is_array( $myvar2 ) );    // This will trigger the crash LATER in the code.
        //  die( 'x' );                         // It will NOT crash if the code stops here.
        }
        // ... remainder of the original start_el() body (not included in the report)
    }
}
 [2019-07-02 20:04 UTC] ASchmidt at Anamera dot net
PS: the size of the array is small, only a handful of short strings:

array (size=6)
  0 => string '' (length=0)
  1 => string 'menu-item' (length=9)
  2 => string 'menu-item-type-taxonomy' (length=23)
  3 => string 'menu-item-object-category' (length=25)
  4 => string 'align-bottom-left' (length=17)
  5 => string 'menu-flyout' (length=11)
 [2019-07-02 21:06 UTC] nikic@php.net
Could you please provide the full source code of the relevant file? (To nikic@php.net if not public.) This sounds like an optimization bug.
 [2019-07-02 21:30 UTC] ASchmidt at Anamera dot net
Not sure if I had made that clear enough: the crash occurs in a plug-in of the WordPress CMS. So, it's not just a simple single PHP file.
Here is the link to the plug-in (there is the download link):
https://wordpress.org/plugins/megamenu/#installation
The particular code section is in "walker.class.php".

Also I have created an "out of the box" WordPress debug site, with that plug-in loaded, to which I can supply FTP access if that would be helpful at all.
 [2019-07-03 08:00 UTC] nikic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-07-03 08:00 UTC] nikic@php.net
Converting

#230.T15 [bool] = TYPE_CHECK (array) #47.CV7($classes) [array of [any, ref]]

to

FREE #47.CV7($classes) [array of [any, ref]]
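A stand-alone reduction of the trigger pattern described in the 2019-07-02 comment (cast of an array-valued property into a local, then is_array() on that local) and of the TYPE_CHECK-to-FREE rewrite shown above. This is an added example, not code from the report or from the plug-in; the Item class, start_el() and the sample array are constructed, and it is assumed, not confirmed by the report, that it reaches the same optimizer path.

```php
<?php
// Constructed reduction (not the plug-in's code). Assumed to exercise the
// same TYPE_CHECK (array) -> FREE CV rewrite described in the report.
// Run once with and once without opcache on the CLI and compare:
//   php -d opcache.enable_cli=0 repro.php
//   php -d opcache.enable_cli=1 -d opcache.enable=1 repro.php
// A fixed build prints identical output both ways; an affected build may
// misbehave or crash only with opcache enabled, and only after the check.

class Item {
    public $classes;
}

function start_el( $item ) {
    // Reported trigger: (array) coercion of a property that already holds an
    // array, stored into a local, followed by is_array() on that local. The
    // optimizer knows $myvar2 is an array, so the check is constant-folded.
    $myvar2 = (array) $item->classes;
    var_dump( is_array( $myvar2 ) );

    // Reported non-triggering variants (a), (b), (c), kept for comparison.
    var_dump( is_array( $item->classes ) );            // (a)
    var_dump( is_array( (array) $item->classes ) );    // (b)
    $myvar1 = $item->classes;
    var_dump( is_array( $myvar1 ) );                   // (c)

    // Keep using the local so execution continues past the check; the array
    // is shared with $item->classes, so a stray FREE of the CV would be felt
    // on this use or on a later call, not at the is_array() itself.
    return implode( ' ', $myvar2 );
}

$item = new Item();
// Constructed sample mirroring the shape of the array dumped in the report.
$item->classes = array( '', 'menu-item', 'menu-item-type-taxonomy',
    'menu-item-object-category', 'align-bottom-left', 'menu-flyout' );

// Several calls, so the property is read again after the first check.
for ( $i = 0; $i < 3; $i++ ) {
    echo start_el( $item ), "\n";
}
```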
 [2019-07-03 08:02 UTC] nikic@php.net
-Summary: c0000005 in PHP7.dll, Offset 0000000000007a05 +Summary: Incorrect type check optimization
 [2019-07-03 08:22 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4892bbc167dfa0ea188baebbce538225f4a0455a
Log: Fixed bug #78230
 [2019-07-03 08:22 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2019-07-03 10:50 UTC] cmb@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=21465ec0e1c1401751b35a21f45f1d57255d5be9
Log: Fixed bug #78230
Last updated: Wed Apr 21 21:01:24 2021 UTC