Bug #78973 Destructor during CV freeing causes segfault if opline never saved
Submitted: 2019-12-16 17:45 UTC Modified: -
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4Git-2019-12-16 (Git)
Private report: No CVE-ID: None
 [2019-12-16 17:45 UTC]
If global regs are used, and during the execution of a function the opline is never stored, then a destructor call during CV freeing may result in a segfault when attempting to read the current opline in zend_call_function.

==20975== Use of uninitialised value of size 8
==20975==    at 0x91F333: zend_call_function (zend_execute_API.c:678)
==20975==    by 0x9895DE: zend_objects_destroy_object (zend_objects.c:179)
==20975==    by 0x990A30: zend_objects_store_del (zend_objects_API.c:178)
==20975==    by 0x93489B: rc_dtor_func (zend_variables.c:57)
==20975==    by 0x9A6C9C: i_free_compiled_variables (zend_execute.c:3407)
==20975==    by 0xA10528: execute_ex (zend_vm_execute.h:53450)
==20975==    by 0xA14ACB: zend_execute (zend_vm_execute.h:57669)
==20975==    by 0x938F4A: zend_execute_scripts (zend.c:1665)
==20975==    by 0x89B078: php_execute_script (main.c:2619)
==20975==    by 0xA1769D: do_cli (php_cli.c:961)
==20975==    by 0xA18807: main (php_cli.c:1352)

In PHP 7.3 this did not happen, because EX(opline) was always written during execute_data initialization. However, the behavior may not have been exactly right, as the opline might still have been stale.

Test script:

<?php
function test($x) {
    // body contains nothing that saves the opline; only the implicit return
}
test(new class {
    public function __destruct() {
        // runs while test()'s compiled variables are freed
    }
});
 [2019-12-16 17:54 UTC]
Automatic comment on behalf of
Log: Fixed bug #78973
 [2019-12-16 17:54 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 24 06:01:38 2024 UTC