php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78986 Opcache segfaults when inheriting ctor from immutable into mutable class
Submitted: 2019-12-18 04:06 UTC Modified: 2019-12-18 10:36 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: j124519951 at gmail dot com Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.4.0 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: j124519951 at gmail dot com
New email:
PHP Version: OS:

 

 [2019-12-18 04:06 UTC] j124519951 at gmail dot com
Description:
------------
When I run the test script in PHP 7.4.0, 100% run out of memory.

Test script:
---------------
<?php

define('TEST_TEST', 1);

class TestClass2
{
    function __construct() {}
}

class TestClass extends TestClass2
{
    var $test = [
        TEST_TEST => 'test'  
    ];
}

new TestClass();

Actual result:
--------------
Out of memory

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-18 04:28 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2019-12-18 04:28 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Seems fine. https://3v4l.org/LhvkT

Do you have any Zend extensions activated? Is there any difference if you enable or disable opcache?
 [2019-12-18 05:11 UTC] j124519951 at gmail dot com
-Status: Feedback +Status: Open
 [2019-12-18 05:11 UTC] j124519951 at gmail dot com
This is no issue if I disable opcache.

I use docker to build the test environment, not install any extensions except opcache.

# Docker file begin
FROM php:7.4-fpm-alpine
RUN docker-php-ext-install opcache
# Docker file end
# make sure enable opcache in php.ini

Test script same as what I send before.
 [2019-12-18 05:33 UTC] requinix@php.net
-Status: Open +Status: Verified -Package: Reproducible crash +Package: opcache
 [2019-12-18 05:33 UTC] requinix@php.net
Backtrace with 7.4.1. Doesn't say much.

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00000000086fc68c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php/src/Zend/zend_vm_execute.h:1617
#2  0x0000000008760401 in execute_ex (ex=0x7ffff5013020) at /root/php/src/Zend/zend_vm_execute.h:53584
#3  0x00000000087644bd in zend_execute (op_array=0x7ffff5074300, return_value=0x0) at /root/php/src/Zend/zend_vm_execute.h:57664
#4  0x000000000868880c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php/src/Zend/zend.c:1663
#5  0x00000000085ea184 in php_execute_script (primary_file=0x7ffffffed070) at /root/php/src/main/main.c:2619
#6  0x000000000876709d in do_cli (argc=6, argv=0x965b940) at /root/php/src/sapi/cli/php_cli.c:961
#7  0x00000000087681ef in main (argc=6, argv=0x965b940) at /root/php/src/sapi/cli/php_cli.c:1352

(gdb) f 1
#1  0x00000000086fc68c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php/src/Zend/zend_vm_execute.h:1617
1617                            fbc->internal_function.handler(call, ret);

(gdb) f 2
#2  0x0000000008760401 in execute_ex (ex=0x7ffff5013020) at /root/php/src/Zend/zend_vm_execute.h:53584
53584                                   ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 [2019-12-18 10:24 UTC] nikic@php.net
First valgrind warning:

==28606== Conditional jump or move depends on uninitialised value(s)
==28606==    at 0x98F5E4: zend_std_get_constructor (zend_object_handlers.c:1579)
==28606==    by 0x9BBA03: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:9226)
==28606==    by 0xA11659: execute_ex (zend_vm_execute.h:54335)
==28606==    by 0xA14B9E: zend_execute (zend_vm_execute.h:57665)
==28606==    by 0x938FEE: zend_execute_scripts (zend.c:1665)
==28606==    by 0x89B0E5: php_execute_script (main.c:2617)
==28606==    by 0xA17770: do_cli (php_cli.c:961)
==28606==    by 0xA188DA: main (php_cli.c:1352)

Pretty weird.
 [2019-12-18 10:33 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-12-18 10:33 UTC] nikic@php.net
The problem is that zend_update_inherited_handler() assumes that handlers are in arena memory, which is not necessarily the case if the parent class is immutable (but the current one is not).
 [2019-12-18 10:36 UTC] nikic@php.net
-Summary: Memory Leak +Summary: Opcache segfaults when inheriting ctor from immutable into mutable class
 [2019-12-18 10:41 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bd4fce4f6f5f40f71802f0b2ad12a925af0667c1
Log: Fixed bug #78986
 [2019-12-18 10:41 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 14:01:29 2024 UTC