Bug #78986 Opcache segfaults when inheriting ctor from immutable into mutable class
Submitted: 2019-12-18 04:06 UTC Modified: 2019-12-18 10:36 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: j124519951 at gmail dot com Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 7.4.0 OS: Linux
Private report: No CVE-ID: None
 [2019-12-18 04:06 UTC] j124519951 at gmail dot com
Description:
------------
When I run the test script in PHP 7.4.0, it runs out of memory 100% of the time.

Test script:
---------------
<?php

// Runtime-defined constant. Referencing it in a property default below is what
// keeps TestClass out of opcache's immutable (shared-memory) class cache.
define('TEST_TEST', 1);

// Parent: has a constructor and nothing that needs runtime evaluation, so
// opcache can store it as an immutable class.
class TestClass2
{
    function __construct() {}
}

// Child: inherits __construct from TestClass2, but its property default depends
// on a constant that only exists at runtime, so the class stays mutable.
class TestClass extends TestClass2
{
    var $test = [
        TEST_TEST => 'test'
    ];
}

// Instantiation looks up the inherited constructor; this is where it fails
// with opcache enabled.
new TestClass();

Actual result:
--------------
Out of memory

 [2019-12-18 04:28 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2019-12-18 04:28 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Seems fine. https://3v4l.org/LhvkT

Do you have any Zend extensions activated? Is there any difference if you enable or disable opcache?
 [2019-12-18 05:11 UTC] j124519951 at gmail dot com
-Status: Feedback +Status: Open
 [2019-12-18 05:11 UTC] j124519951 at gmail dot com
There is no issue if I disable opcache.

I use Docker to build the test environment and do not install any extensions except opcache.

# Dockerfile begin
FROM php:7.4-fpm-alpine
RUN docker-php-ext-install opcache
# Dockerfile end
# make sure opcache is enabled in php.ini

Test script same as what I send before.
 [2019-12-18 05:33 UTC] requinix@php.net
-Status: Open +Status: Verified -Package: Reproducible crash +Package: opcache
 [2019-12-18 05:33 UTC] requinix@php.net
Backtrace with 7.4.1. Doesn't say much.

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00000000086fc68c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php/src/Zend/zend_vm_execute.h:1617
#2  0x0000000008760401 in execute_ex (ex=0x7ffff5013020) at /root/php/src/Zend/zend_vm_execute.h:53584
#3  0x00000000087644bd in zend_execute (op_array=0x7ffff5074300, return_value=0x0) at /root/php/src/Zend/zend_vm_execute.h:57664
#4  0x000000000868880c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php/src/Zend/zend.c:1663
#5  0x00000000085ea184 in php_execute_script (primary_file=0x7ffffffed070) at /root/php/src/main/main.c:2619
#6  0x000000000876709d in do_cli (argc=6, argv=0x965b940) at /root/php/src/sapi/cli/php_cli.c:961
#7  0x00000000087681ef in main (argc=6, argv=0x965b940) at /root/php/src/sapi/cli/php_cli.c:1352

(gdb) f 1
#1  0x00000000086fc68c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php/src/Zend/zend_vm_execute.h:1617
1617                            fbc->internal_function.handler(call, ret);

(gdb) f 2
#2  0x0000000008760401 in execute_ex (ex=0x7ffff5013020) at /root/php/src/Zend/zend_vm_execute.h:53584
53584                                   ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
 [2019-12-18 10:24 UTC] nikic@php.net
First valgrind warning:

==28606== Conditional jump or move depends on uninitialised value(s)
==28606==    at 0x98F5E4: zend_std_get_constructor (zend_object_handlers.c:1579)
==28606==    by 0x9BBA03: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:9226)
==28606==    by 0xA11659: execute_ex (zend_vm_execute.h:54335)
==28606==    by 0xA14B9E: zend_execute (zend_vm_execute.h:57665)
==28606==    by 0x938FEE: zend_execute_scripts (zend.c:1665)
==28606==    by 0x89B0E5: php_execute_script (main.c:2617)
==28606==    by 0xA17770: do_cli (php_cli.c:961)
==28606==    by 0xA188DA: main (php_cli.c:1352)

Pretty weird.
 [2019-12-18 10:33 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-12-18 10:33 UTC] nikic@php.net
The problem is that zend_update_inherited_handler() assumes that handlers are in arena memory, which is not necessarily the case if the parent class is immutable (but the current one is not).
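As an added illustration of the assumption described above (this is a toy model written for this page, not PHP engine code and not the fix in the linked commit): a per-request arena with a pointer-range check. The buggy inheritance step treats the inherited constructor pointer as arena memory and relocates it by slot index; when the parent actually lives in shared memory that lands on bytes the arena never initialised, the same failure class as the valgrind warning. The fixed step checks arena membership first and references a shared-memory handler as is. All names here (toy_arena, toy_class, inherit_ctor_buggy, inherit_ctor_fixed, the 0x10/0x20 flag values) are made up for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not PHP engine code: toy_arena stands in for the per-request
 * compiler arena; the static shared_ctor below stands in for an immutable
 * class kept in opcache shared memory. */

enum { ARENA_SLOTS = 8 };

typedef struct {
    const char *name;
    int fn_flags;          /* read by the "get constructor" step; -1 = slot never written */
} toy_function;

typedef struct {
    const char *name;
    bool immutable;        /* true: lives in shared memory, never in the arena */
    toy_function *constructor;
} toy_class;

typedef struct {
    toy_function slots[ARENA_SLOTS];
    size_t used;
} toy_arena;

static void arena_init(toy_arena *a)
{
    for (size_t i = 0; i < ARENA_SLOTS; i++) {
        a->slots[i].name = NULL;
        a->slots[i].fn_flags = -1;   /* models uninitialised arena bytes */
    }
    a->used = 0;
}

static toy_function *arena_new_function(toy_arena *a, const char *name, int flags)
{
    if (a->used == ARENA_SLOTS)
        return NULL;
    toy_function *f = &a->slots[a->used++];
    f->name = name;
    f->fn_flags = flags;
    return f;
}

/* The check the buggy path lacks: is this pointer really arena memory? */
static bool arena_contains(const toy_arena *a, const toy_function *p)
{
    uintptr_t lo = (uintptr_t)&a->slots[0];
    uintptr_t hi = (uintptr_t)&a->slots[a->used];
    uintptr_t x = (uintptr_t)p;
    return x >= lo && x < hi;
}

/* Buggy: assumes the inherited handler is an arena slot and relocates it by
 * slot index. Right for an arena-resident parent, garbage for a shared-memory
 * one. Clamped with % so the toy stays in bounds; a real engine would read
 * out of bounds instead. */
static toy_function *inherit_ctor_buggy(toy_arena *a, const toy_class *parent)
{
    uintptr_t off = (uintptr_t)parent->constructor - (uintptr_t)&a->slots[0];
    size_t idx = (size_t)(off / sizeof(toy_function)) % ARENA_SLOTS;
    return &a->slots[idx];
}

/* Fixed: relocate only pointers that are actually in the arena. Shared memory
 * outlives the request, so an immutable parent's handler is referenced as is. */
static toy_function *inherit_ctor_fixed(toy_arena *a, const toy_class *parent)
{
    toy_function *h = parent->constructor;
    if (!arena_contains(a, h))
        return h;
    size_t idx = (size_t)(((uintptr_t)h - (uintptr_t)&a->slots[0]) / sizeof(toy_function));
    return &a->slots[idx];
}

/* The report's scenario: immutable parent with a ctor, mutable child without.
 * Returns the fn_flags the child's constructor lookup would observe. */
static int child_ctor_flags_immutable_parent(bool use_fixed)
{
    static toy_function shared_ctor = { "TestClass2::__construct", 0x10 };
    toy_arena arena;
    arena_init(&arena);
    toy_class parent = { "TestClass2", true, &shared_ctor };
    toy_class child = { "TestClass", false, NULL };
    child.constructor = use_fixed ? inherit_ctor_fixed(&arena, &parent)
                                  : inherit_ctor_buggy(&arena, &parent);
    return child.constructor->fn_flags;
}

/* Control: a parent compiled in this request lives in the arena; both paths agree. */
static int child_ctor_flags_arena_parent(bool use_fixed)
{
    toy_arena arena;
    arena_init(&arena);
    toy_function *ctor = arena_new_function(&arena, "Parent::__construct", 0x20);
    toy_class parent = { "Parent", false, ctor };
    toy_class child = { "Child", false, NULL };
    child.constructor = use_fixed ? inherit_ctor_fixed(&arena, &parent)
                                  : inherit_ctor_buggy(&arena, &parent);
    return child.constructor->fn_flags;
}

int main(void)
{
    printf("immutable parent: buggy=%d fixed=%d\n",
           child_ctor_flags_immutable_parent(false), child_ctor_flags_immutable_parent(true));
    printf("arena parent:     buggy=%d fixed=%d\n",
           child_ctor_flags_arena_parent(false), child_ctor_flags_arena_parent(true));
    return 0;
}
```

Run stand-alone, the immutable-parent line shows the buggy path returning the -1 sentinel (the toy's stand-in for the uninitialised value valgrind flagged in zend_std_get_constructor) while the fixed path returns the shared constructor's flags; for an arena-resident parent both paths agree, which is why the bug only surfaces with opcache caching the parent.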
 [2019-12-18 10:36 UTC] nikic@php.net
-Summary: Memory Leak +Summary: Opcache segfaults when inheriting ctor from immutable into mutable class
 [2019-12-18 10:41 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bd4fce4f6f5f40f71802f0b2ad12a925af0667c1
Log: Fixed bug #78986
 [2019-12-18 10:41 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC