php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79578 Crash using JIT on Windows 64-bit
Submitted: 2020-05-10 00:48 UTC Modified: 2020-06-22 08:06 UTC
From: mberchtold at gmail dot com Assigned: cmb (profile)
Status: Closed Package: opcache
PHP Version: master-Git-2020-05-09 (snap) OS: Windows 10 64-bit
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mberchtold at gmail dot com
New email:
PHP Version: OS:

 

 [2020-05-10 00:48 UTC] mberchtold at gmail dot com
Description:
------------
I was testing the JIT with the master branch:
https://windows.php.net/downloads/snaps/master/rb452d59/php-master-nts-windows-vs16-x64-avx-rb452d59.zip

and I have encountered the following crash on Windows 10 64-bit, when accessing several pages which are part of a bigger Zend Framework / Laminas project.

Crash
=====
>	php8.dll!execute_ex(_zend_execute_data * ex) Line 51853	C

		if (UNEXPECTED((ret = ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)) != 0)) {


Stack Trace
============
 	ntdll.dll!LdrpICallHandler()	Unknown
 	ntdll.dll!RtlpExecuteHandlerForException()	Unknown
 	ntdll.dll!RtlDispatchException()	Unknown
 	ntdll.dll!KiUserExceptionDispatch()	Unknown
 	ntdll.dll!LdrpDispatchUserCallTarget()	Unknown
>	php8.dll!execute_ex(_zend_execute_data * ex) Line 51853	C
 	php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 803	C
 	php8.dll!zif_spl_autoload_call(_zend_execute_data * execute_data, _zval_struct * return_value) Line 459	C
 	php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 821	C
 	php8.dll!zend_lookup_class_ex(_zend_string * name, _zend_string * key, unsigned int flags) Line 956	C
 	php8.dll!zend_fetch_class_by_name(_zend_string * class_name, _zend_string * key, int fetch_type) Line 1387	C
 	php8.dll!ZEND_NEW_SPEC_CONST_UNUSED_HANDLER(_zend_execute_data * execute_data) Line 8842	C
 	php8.dll!execute_ex(_zend_execute_data * ex) Line 51853	C
 	php8.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 56148	C
 	php8.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1654	C
 	php8.dll!php_execute_script(_zend_file_handle * primary_file) Line 2585	C
 	php-cgi.exe!main(int argc, char * * argv) Line 2592	C
 	[Inline Frame] php-cgi.exe!invoke_main() Line 78	C++
 	php-cgi.exe!__scrt_common_main_seh() Line 288	C++
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown



Stack Trace Data
================

	php8.dll!zend_lookup_class_ex(_zend_string * name, _zend_string * key, unsigned int flags) Line 956	C


-		class_name	0x0000100000279be8 {gc={refcount=1 u={type_info=326 } } h=14462732933763410593 len=26 ...}	_zend_string *
+		gc	{refcount=1 u={type_info=326 } }	_zend_refcounted_h
		h	14462732933763410593	unsigned __int64
		len	26	unsigned __int64
+		val	0x0000100000279c00 "Laminas\\Http\\Header\\Cookie"	char[1]



---
>	php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 821	C



		_gc	Variable is optimized away and not available.	
		_gc	Variable is optimized away and not available.	
		_ref	Variable is optimized away and not available.	
		_t	Variable is optimized away and not available.	
		_t	Variable is optimized away and not available.	
+		arg	0x0000007991dfba10 {value={lval=17592188640232 dval=8.691696042297e-311#DEN counted=0x0000100000279be8 {...} ...} ...}	_zval_struct *
		arg_name	Variable is optimized away and not available.	
		call_info	Variable is optimized away and not available.	
		callable_name	Variable is optimized away and not available.	
		current_opline_before_exception	Variable is optimized away and not available.	
+		dummy_execute_data	{opline=0x0000000000000000 <NULL> call=0x0000000000000000 <NULL> return_value=0x0000000000000000 <NULL> ...}	_zend_execute_data
+		error	0x00001000002e4910 "\x1"	char *
-		fci	0x0000007991dfba30 {size=56 function_name={value={lval=17592188163552 dval=8.691695806786e-311#DEN counted=...} ...} ...}	_zend_fcall_info *
		size	56	unsigned __int64
-		function_name	{value={lval=17592188163552 dval=8.691695806786e-311#DEN counted=0x00001000002055e0 {gc={refcount=1 ...} } ...} ...}	_zval_struct
-		value	{lval=17592188163552 dval=8.691695806786e-311#DEN counted=0x00001000002055e0 {gc={refcount=1 u={type_info=...} } } ...}	_zend_value
		lval	17592188163552	__int64
		dval	8.691695806786e-311#DEN	double
+		counted	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } }	_zend_refcounted *
+		str	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } h=17083003923120679175 len=17 ...}	_zend_string *
+		arr	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } u={v={flags=7 '\a' _unused=105 'i' nIteratorsCount=...} ...} ...}	_zend_array *
+		obj	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } handle=4130760967 ce=0x0000000000000011 {type=...} ...}	_zend_object *
+		res	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } handle=-164206329 type=-317520498 ...}	_zend_resource *
+		ref	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } val={value={lval=-1363740150588872441 dval=-2.6229288138858408e+217 ...} ...} ...}	_zend_reference *
+		ast	0x00001000002055e0 {gc={refcount=1 u={type_info=326 } } }	_zend_ast_ref *
+		zv	0x00001000002055e0 {value={lval=1400159338497 dval=6.917706278552e-312#DEN counted=0x0000014600000001 {...} ...} ...}	_zval_struct *
		ptr	0x00001000002055e0	void *
+		ce	0x00001000002055e0 {type=1 '\x1' name=0xed13058ef6366907 {gc={refcount=??? u={type_info=??? } } h=??? ...} ...}	_zend_class_entry *
+		func	0x00001000002055e0 {type=1 '\x1' quick_arg_flags=1 common={type=1 '\x1' arg_flags=0x00001000002055e1 "" ...} ...}	_zend_function *
+		ww	{w1=2119136 w2=4096 }	<unnamed-tag>
+		u1	{type_info=6 v={type=6 '\x6' type_flags=0 '\0' u={extra=0 } } }	<unnamed-tag>
+		u2	{next=0 cache_slot=0 opline_num=0 ...}	<unnamed-tag>
+		retval	0x0000007991dfba20 {value={lval=1749258559168 dval=8.642485597787e-312#DEN counted=0x0000019747ef5ec0 {...} ...} ...}	_zval_struct *
+		params	0x0000007991dfba10 {value={lval=17592188640232 dval=8.691696042297e-311#DEN counted=0x0000100000279be8 {...} ...} ...}	_zval_struct *
+		object	0x0000000000000000 <NULL>	_zend_object *
		no_separation	1 '\x1'	unsigned char
		param_count	1	unsigned int
+		fci_cache	0x0000007991dfba78 {function_handler=0x000001974776cca0 {type=1 '\x1' quick_arg_flags=1 common={type=...} ...} ...}	_zend_fcall_info_cache *
+		fci_cache_local	{function_handler=0x0000000000000000 <NULL> calling_scope=0x0000000000000000 <NULL> called_scope=0x0000000000000000 <NULL> ...}	_zend_fcall_info_cache
+		func	0x000001974776cca0 {type=1 '\x1' quick_arg_flags=1 common={type=1 '\x1' arg_flags=0x000001974776cca1 "" ...} ...}	_zend_function *
		i	Variable is optimized away and not available.	
		object_or_called_scope	0x0000007991dfba10	void *
		param	Variable is optimized away and not available.	


---
>	php8.dll!zif_spl_autoload_call(_zend_execute_data * execute_data, _zval_struct * return_value) Line 459	C



+		alfi	0x0000019747e55090 {func_ptr=0x0000019747e602b8 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' ...} ...} ...}	autoload_func_info *
-		called_scope	0x0000019747ef5ec0 {type=2 '\x2' name=0x000010000027bff8 {gc={refcount=1 u={type_info=326 } } h=15244783603747682148 ...} ...}	_zend_class_entry *
		type	2 '\x2'	char
-		name	0x000010000027bff8 {gc={refcount=1 u={type_info=326 } } h=15244783603747682148 len=35 ...}	_zend_string *
+		gc	{refcount=1 u={type_info=326 } }	_zend_refcounted_h
		h	15244783603747682148	unsigned __int64
		len	35	unsigned __int64
+		val	0x000010000027c010 "Laminas\\Http\\PhpEnvironment\\Request"	char[1]
+		parent	0x0000019747ef7240 {type=2 '\x2' name=0x000010000027c190 {gc={refcount=1 u={type_info=326 } } h=11020879139278794347 ...} ...}	_zend_class_entry *
+		parent_name	0x0000019747ef7240 {gc={refcount=2 u={type_info=1 } } h=17592188649872 len=1749258572480 ...}	_zend_string *
		refcount	2	int
		ce_flags	1708552	unsigned int
		default_properties_count	15	int
		default_static_members_count	0	int
+		default_properties_table	0x0000019747e71a00 {value={lval=17592196681456 dval=8.691700015190e-311#DEN counted=0x0000100000a24ef0 {...} ...} ...}	_zval_struct *
+		default_static_members_table	0x0000000000000000 <NULL>	_zval_struct *
+		static_members_table__ptr	0x0000019747ef5ef0 {0x0000000000000000 <NULL>}	_zval_struct * *
+		function_table	{gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=0 '\0' ...} ...} ...}	_zend_array
+		properties_info	{gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=0 '\0' ...} ...} ...}	_zend_array
+		constants_table	{gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=0 '\0' ...} ...} ...}	_zend_array
+		properties_info_table	0x0000019747efa3e0 {0x0000019747efa090 {offset=40 flags=2 name=0x00001000002e8368 {gc={refcount=1 u=...} ...} ...}}	_zend_property_info * *
+		constructor	0x0000019747ef6088 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=0x0000019747ef6089 "" ...} ...}	_zend_function *
+		destructor	0x0000000000000000 <NULL>	_zend_function *
+		clone	0x0000000000000000 <NULL>	_zend_function *
+		__get	0x0000000000000000 <NULL>	_zend_function *
+		__set	0x0000000000000000 <NULL>	_zend_function *
+		__unset	0x0000000000000000 <NULL>	_zend_function *
+		__isset	0x0000000000000000 <NULL>	_zend_function *
+		__call	0x0000000000000000 <NULL>	_zend_function *
+		__callstatic	0x0000000000000000 <NULL>	_zend_function *
+		__tostring	0x0000019747ef9828 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=0x0000019747ef9829 "" ...} ...}	_zend_function *
+		__debugInfo	0x0000000000000000 <NULL>	_zend_function *
+		serialize_func	0x0000000000000000 <NULL>	_zend_function *
+		unserialize_func	0x0000000000000000 <NULL>	_zend_function *
+		iterator_funcs_ptr	0x0000000000000000 <NULL>	_zend_class_iterator_funcs *
		create_object	0x0000000000000000	_zend_object *(*)(_zend_class_entry *)
		interface_gets_implemented	0x0000000000000000	int(*)(_zend_class_entry *, _zend_class_entry *)
		get_iterator	0x0000000000000000	_zend_object_iterator *(*)(_zend_class_entry *, _zval_struct *, int)
		get_static_method	0x0000000000000000	_zend_function *(*)(_zend_class_entry *, _zend_string *)
		serialize	0x0000000000000000	int(*)(_zval_struct *, unsigned char * *, unsigned __int64 *, _zend_serialize_data *)
		unserialize	0x0000000000000000	int(*)(_zval_struct *, _zend_class_entry *, const unsigned char *, unsigned __int64, _zend_unserialize_data *)
		num_interfaces	3	unsigned int
		num_traits	0	unsigned int
+		interfaces	0x0000019747e680c0 {0x0000019747efa180 {type=2 '\x2' name=0x000010000029a0c8 {gc={refcount=1 u={type_info=...} } ...} ...}}	_zend_class_entry * *
+		interface_names	0x0000019747e680c0 {name=0x0000019747efa180 {gc={refcount=2 u={type_info=0 } } h=17592188772552 len=...} ...}	_zend_class_name *
+		trait_names	0x0000000000000000 <NULL>	_zend_class_name *
+		trait_aliases	0x0000000000000000 {???}	_zend_trait_alias * *
+		trait_precedences	0x0000000000000000 {???}	_zend_trait_precedence * *
+		info	{user={filename=0x0000100000a0b430 {gc={refcount=4 u={type_info=326 } } h=14748078813210313553 len=93 ...} ...} ...}	<unnamed-tag>
+		class_name	0x0000100000279be8 {gc={refcount=1 u={type_info=326 } } h=14462732933763410593 len=26 ...}	_zend_string *
		execute_data	Variable is optimized away and not available.	
		fcall_cache	Variable is optimized away and not available.	
		fcall_info	Variable is optimized away and not available.	
+		fci	{size=56 function_name={value={lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {...} ...} ...} ...}	_zend_fcall_info
+		fcic	{function_handler=0x0000019747e602b8 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=...} ...} ...}	_zend_fcall_info_cache
+		func	0x000001974776cca0 {type=1 '\x1' quick_arg_flags=1 common={type=1 '\x1' arg_flags=0x000001974776cca1 "" ...} ...}	_zend_function *
+		func_name	0x0000019747e550c0 {gc={refcount=1 u={type_info=6 } } h=16799306114172298978 len=21 ...}	_zend_string *
		l_autoload_running	0	int
+		lc_name	0x0000019747ea2070 {gc={refcount=1 u={type_info=6 } } h=0 len=26 ...}	_zend_string *
		num_idx	1749257631808	unsigned __int64
+		params	0x0000007991dfb840 {{value={lval=17592188640232 dval=8.691696042297e-311#DEN counted=0x0000100000279be8 {...} ...} ...}}	_zval_struct[1]
		pos	0	unsigned int
		return_value	Variable is optimized away and not available.	
+		retval	{value={lval=0 dval=0.0000000000000000 counted=0x0000000000000000 <NULL> ...} u1={type_info=0 v={type=...} } ...}	_zval_struct


---
>	php8.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 803	C


		_gc	Variable is optimized away and not available.	
		_gc	Variable is optimized away and not available.	
		_ref	Variable is optimized away and not available.	
		_t	Variable is optimized away and not available.	
		_t	Variable is optimized away and not available.	
		arg	Variable is optimized away and not available.	
		arg_name	Variable is optimized away and not available.	
		call_info	Variable is optimized away and not available.	
		callable_name	Variable is optimized away and not available.	
+		current_opline_before_exception	0x0000000000000000 <NULL>	const _zend_op *
+		dummy_execute_data	{opline=0x0000000000000000 <NULL> call=0x00007fff6f73db23 {php8.dll!zend_hash_find(const _zend_array * ht, _zend_string * key), Line 2242} {...} ...}	_zend_execute_data
+		error	0x0000019747ef5ec0 "\x2"	char *
-		fci	0x0000007991dfb870 {size=56 function_name={value={lval=1748051689473 dval=8.636522869234e-312#DEN counted=...} ...} ...}	_zend_fcall_info *
		size	56	unsigned __int64
-		function_name	{value={lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {gc={refcount=??? ...} } ...} ...}	_zval_struct
+		value	{lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {gc={refcount=??? u={type_info=...} } } ...}	_zend_value
+		u1	{type_info=0 v={type=0 '\0' type_flags=0 '\0' u={extra=0 } } }	<unnamed-tag>
+		u2	{next=4096 cache_slot=4096 opline_num=4096 ...}	<unnamed-tag>
+		retval	0x0000007991dfb830 {value={lval=0 dval=0.0000000000000000 counted=0x0000000000000000 <NULL> ...} u1=...}	_zval_struct *
+		params	0x0000007991dfb840 {value={lval=17592188640232 dval=8.691696042297e-311#DEN counted=0x0000100000279be8 {...} ...} ...}	_zval_struct *
+		object	0x0000000000000000 <NULL>	_zend_object *
		no_separation	1 '\x1'	unsigned char
		param_count	1	unsigned int
-		fci_cache	0x0000007991dfb850 {function_handler=0x0000019747e602b8 {type=2 '\x2' quick_arg_flags=2 common={type=...} ...} ...}	_zend_fcall_info_cache *
+		function_handler	0x0000019747e602b8 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=0x0000019747e602b9 "" ...} ...}	_zend_function *
+		calling_scope	0x0000019747efa540 {type=2 '\x2' name=0x0000100000299d18 {gc={refcount=1 u={type_info=326 } } h=15662680480698152664 ...} ...}	_zend_class_entry *
+		called_scope	0x00001000008dd7e0 {type=2 '\x2' name=0x00001000002a5070 {gc={refcount=1 u={type_info=326 } } h=11114107239271776542 ...} ...}	_zend_class_entry *
+		object	0x0000000000000000 <NULL>	_zend_object *
+		fci_cache_local	{function_handler=0x0000000000000000 <NULL> calling_scope=0x0000000000000000 <NULL> called_scope=0x0000007991dfb780 {...} ...}	_zend_fcall_info_cache
-		func	0x0000019747e602b8 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=0x0000019747e602b9 "" ...} ...}	_zend_function *
		type	2 '\x2'	unsigned char
		quick_arg_flags	2	unsigned int
-		common	{type=2 '\x2' arg_flags=0x0000019747e602b9 "" fn_flags=38797329 ...}	<unnamed-tag>
		type	2 '\x2'	unsigned char
+		arg_flags	0x0000019747e602b9 ""	unsigned char[3]
		fn_flags	38797329	unsigned int
+		function_name	0x00001000002a8268 {gc={refcount=1 u={type_info=326 } } h=14311678039154087395 len=37 ...}	_zend_string *
+		scope	0x00001000008dd7e0 {type=2 '\x2' name=0x00001000002a5070 {gc={refcount=1 u={type_info=326 } } h=11114107239271776542 ...} ...}	_zend_class_entry *
+		prototype	0x0000000000000000 <NULL>	_zend_function *
		num_args	1	unsigned int
		required_num_args	1	unsigned int
+		arg_info	0x00001000008df608 {name=0x0000100000202390 {gc={refcount=1 u={type_info=326 } } h=9223372247563722459 ...} ...}	_zend_arg_info *
-		op_array	{type=2 '\x2' arg_flags=0x0000019747e602b9 "" fn_flags=38797329 ...}	_zend_op_array
		type	2 '\x2'	unsigned char
+		arg_flags	0x0000019747e602b9 ""	unsigned char[3]
		fn_flags	38797329	unsigned int
+		function_name	0x00001000002a8268 {gc={refcount=1 u={type_info=326 } } h=14311678039154087395 len=37 ...}	_zend_string *
+		scope	0x00001000008dd7e0 {type=2 '\x2' name=0x00001000002a5070 {gc={refcount=1 u={type_info=326 } } h=11114107239271776542 ...} ...}	_zend_class_entry *
+		prototype	0x0000000000000000 <NULL>	_zend_function *
		num_args	1	unsigned int
		required_num_args	1	unsigned int
+		arg_info	0x00001000008df608 {name=0x0000100000202390 {gc={refcount=1 u={type_info=326 } } h=9223372247563722459 ...} ...}	_zend_arg_info *
		cache_size	48	int
		last_var	8	int
		T	3	unsigned int
		last	50	unsigned int
+		opcodes	0x00001000008defc8 {handler=0x00007fff6f6e8cf0 {php8.dll!ZEND_RECV_NOTYPE_SPEC_HANDLER(_zend_execute_data *)} ...}	_zend_op *
+		run_time_cache__ptr	0x0000019747e022d8 {0x0000019747e022e0 {0x000001974777e6b0}}	void * * *
+		static_variables_ptr__ptr	0x0000019747e60310 {0x0000019747e022a0 {gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=...} ...} ...}}	_zend_array * *
+		static_variables	0x0000019747e022a0 {gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=...} ...} ...}	_zend_array *
+		vars	0x00001000008df6b0 {0x0000100000202390 {gc={refcount=1 u={type_info=326 } } h=9223372247563722459 len=...}}	_zend_string * *
+		refcount	0x0000000000000000 {???}	unsigned int *
		last_live_range	1	int
		last_try_catch	0	int
+		live_range	0x00001000008df628 {var=224 start=35 end=44 }	_zend_live_range *
+		try_catch_array	0x0000000000000000 <NULL>	_zend_try_catch_element *
+		filename	0x00001000008dd6f0 {gc={refcount=4 u={type_info=326 } } h=10028877981978051896 len=97 ...}	_zend_string *
		line_start	89	unsigned int
		line_end	117	unsigned int
+		doc_comment	0x00001000008df638 {gc={refcount=1 u={type_info=326 } } h=14463541201258958618 len=95 ...}	_zend_string *
		last_literal	12	int
+		literals	0x00001000008dee30 {value={lval=3 dval=1.482196937524e-323#DEN counted=0x0000000000000003 {gc={refcount=...} } ...} ...}	_zval_struct *
+		reserved	0x0000019747e60368 {0x00001000008e04c8, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, ...}	void *[6]
+		internal_function	{type=2 '\x2' arg_flags=0x0000019747e602b9 "" fn_flags=38797329 ...}	_zend_internal_function
		i	Variable is optimized away and not available.	
		object_or_called_scope	Variable is optimized away and not available.	
		param	Variable is optimized away and not available.	

---
>	php8.dll!execute_ex(_zend_execute_data * ex) Line 51853	C


		ex	Variable is optimized away and not available.	
-		execute_data	0x0000019747e13a70 {opline=0x0000100000c68cb0 {handler=0x0000000000000000 op1={constant=4294967248 var=...} ...} ...}	_zend_execute_data *
+		opline	0x0000100000c68cb0 {handler=0x0000000000000000 op1={constant=4294967248 var=4294967248 num=4294967248 ...} ...}	const _zend_op *
+		call	0x0000000000000000 <NULL>	_zend_execute_data *
+		return_value	0x0000000000000000 <NULL>	_zval_struct *
-		func	0x0000019747e660e0 {type=2 '\x2' quick_arg_flags=2 common={type=2 '\x2' arg_flags=0x0000019747e660e1 "" ...} ...}	_zend_function *
		type	2 '\x2'	unsigned char
		quick_arg_flags	2	unsigned int
+		common	{type=2 '\x2' arg_flags=0x0000019747e660e1 "" fn_flags=37748736 ...}	<unnamed-tag>
+		op_array	{type=2 '\x2' arg_flags=0x0000019747e660e1 "" fn_flags=37748736 ...}	_zend_op_array
-		internal_function	{type=2 '\x2' arg_flags=0x0000019747e660e1 "" fn_flags=37748736 ...}	_zend_internal_function
		type	2 '\x2'	unsigned char
+		arg_flags	0x0000019747e660e1 ""	unsigned char[3]
		fn_flags	37748736	unsigned int
+		function_name	0x0000000000000000 <NULL>	_zend_string *
+		scope	0x0000000000000000 <NULL>	_zend_class_entry *
+		prototype	0x0000000000000000 <NULL>	_zend_function *
		num_args	0	unsigned int
		required_num_args	0	unsigned int
+		arg_info	0x0000000000000000 <NULL>	_zend_internal_arg_info *
		handler	<Unable to read memory>	
+		module	0x0000000200000000 {size=??? zend_api=??? zend_debug=??? ...}	_zend_module_entry *
+		reserved	0x0000019747e66120 {0x0000100000c68cb0, 0x0000019747e010d8, 0x0000019747e66138, 0x0000000000000000, ...}	void *[6]
-		This	{value={lval=0 dval=0.0000000000000000 counted=0x0000000000000000 <NULL> ...} u1={type_info=1114112 ...} ...}	_zval_struct
+		value	{lval=0 dval=0.0000000000000000 counted=0x0000000000000000 <NULL> ...}	_zend_value
+		u1	{type_info=1114112 v={type=0 '\0' type_flags=0 '\0' u={extra=17 } } }	<unnamed-tag>
+		u2	{next=0 cache_slot=0 opline_num=0 ...}	<unnamed-tag>
+		prev_execute_data	0x0000019747e13a10 {opline=0x00001000008c8780 {handler=0x000010000802bb78 op1={constant=80 var=80 num=...} ...} ...}	_zend_execute_data *
-		symbol_table	0x0000019747e021f8 {gc={refcount=1 u={type_info=23 } } u={v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=...} ...} ...}	_zend_array *
+		gc	{refcount=1 u={type_info=23 } }	_zend_refcounted_h
+		u	{v={flags=16 '\x10' _unused=0 '\0' nIteratorsCount=0 '\0' ...} flags=16 }	<unnamed-tag>
		nTableMask	4294967264	unsigned int
+		arData	0x0000019747e6de80 {val={value={lval=1749257632352 dval=8.642481018707e-312#DEN counted=0x0000019747e13a60 {...} ...} ...} ...}	_Bucket *
		nNumUsed	1	unsigned int
		nNumOfElements	1	unsigned int
		nTableSize	16	unsigned int
		nInternalPointer	0	unsigned int
		nNextFreeElement	-9223372036854775808	__int64
		pDestructor	0x00007fff6f7783b0 {php8.dll!zval_ptr_dtor(_zval_struct *)}	void(*)(_zval_struct *)
-		run_time_cache	0x0000019747e010e0 {0x00001000009dd320}	void * *
			0x00001000009dd320	void *
		ret	Error reading register value.	


Test script:
---------------
I don't have a minimal reproducible script for this crash. It is part of a big Laminas web application, but I hope the data from the stack trace helps in any way.

Expected result:
----------------
No crash

Actual result:
--------------
Unhandled exception at 0x00007FFF8B0AFB5F (ntdll.dll) in php-cgi.exe.6248.dmp: RangeChecks instrumentation code detected an out of range array access.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-05-10 01:00 UTC] mberchtold at gmail dot com
The crash happens in the call to spl_autoload_call, when one of the registered __autoload functions is called. The fci for this function looks invalid:

-		fci	{size=56 function_name={value={lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {...} ...} ...} ...}	_zend_fcall_info
		size	56	unsigned __int64
-		function_name	{value={lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {gc={refcount=??? ...} } ...} ...}	_zval_struct
-		value	{lval=1748051689473 dval=8.636522869234e-312#DEN counted=0x0000019700000001 {gc={refcount=??? u={type_info=...} } } ...}	_zend_value
		lval	1748051689473	__int64
		dval	8.636522869234e-312#DEN	double
-		counted	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } }	_zend_refcounted *
+		gc	{refcount=??? u={type_info=??? } }	_zend_refcounted_h
+		str	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } h=??? len=??? ...}	_zend_string *
+		arr	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } u={v={flags=??? _unused=??? nIteratorsCount=...} ...} ...}	_zend_array *
+		obj	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } handle=??? ce=??? ...}	_zend_object *
+		res	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } handle=??? type=??? ...}	_zend_resource *
+		ref	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } val={value={lval=??? dval=??? counted=??? ...} ...} ...}	_zend_reference *
+		ast	0x0000019700000001 {gc={refcount=??? u={type_info=??? } } }	_zend_ast_ref *
+		zv	0x0000019700000001 {value={lval=??? dval=??? counted=??? ...} u1={type_info=??? v={type=??? type_flags=...} } ...}	_zval_struct *
		ptr	0x0000019700000001	void *
+		ce	0x0000019700000001 {type=??? name=??? parent=??? ...}	_zend_class_entry *
+		func	0x0000019700000001 {type=??? quick_arg_flags=??? common={type=??? arg_flags=0x0000019700000002 <Error reading characters of string.> ...} ...}	_zend_function *
+		ww	{w1=1 w2=407 }	<unnamed-tag>
+		u1	{type_info=0 v={type=0 '\0' type_flags=0 '\0' u={extra=0 } } }	<unnamed-tag>
+		u2	{next=4096 cache_slot=4096 opline_num=4096 ...}	<unnamed-tag>

It looks like a data corruption of the SPL_G(autoload_functions) global.
 [2020-05-10 21:50 UTC] cmb@php.net
> RangeChecks instrumentation code detected an out of range array
> access.

I think this message is triggered due to compiling and linking
with /guard:cf[1], which might not be suitable for our JIT
implementation.

Can you reproduce this issue somewhat reliably?  Can you also
reproduce it with the non AVX optimized binary (i.e.
php-master-nts-windows-vs16-x64)?  If so, I could provide a
Windows snapshot built without /guard:cf.

[1] <https://docs.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard?view=vs-2019>
 [2020-06-18 14:10 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-06-18 14:10 UTC] cmb@php.net
Could you please check my comment above? :)
 [2020-06-22 03:32 UTC] mberchtold at gmail dot com
-Status: Feedback +Status: Closed
 [2020-06-22 03:32 UTC] mberchtold at gmail dot com
I'm no longer able to reproduce the crash with the latest update from the master branch. However, I have also noticed no performance benefits with JIT enabled (Zend Framework based application on Windows). Maybe JIT suffers from the same issues as preload where most files were excluded for one reason or another.
 [2020-06-22 08:06 UTC] cmb@php.net
> Maybe JIT suffers from the same issues as preload where most
> files were excluded for one reason or another.

I'm not aware of any such issues on Windows, besides that the
shared memory may not be used by all FCGI processes, what is a
general OPcache issue on Windows, not particularly related to JIT.
If you haven't done, you should check the opcache.error_log (you
may need to increase opcache.log_verbosity_level to 2 or 3 to get
relevant info).

Anyhow, for typical Web applications, the performance improvements
due to JIT are likely not that much (yet).
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Aug 10 05:05:46 2022 UTC