php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80030 Optimizer segfault with isset on static property with undef dynamic class name
Submitted: 2020-08-28 10:58 UTC Modified: 2020-08-31 10:35 UTC
From: sjon@php.net Assigned: nikic (profile)
Status: Closed Package: opcache
PHP Version: 8.0.0beta2 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sjon@php.net
New email:
PHP Version: OS:

 

 [2020-08-28 10:58 UTC] sjon@php.net
Description:
------------
not separately reproducible yet, this is with opcache.file_cache enabled

Actual result:
--------------
#0  0x0000555555b6e542
    in zend_create_member_string (class_name=0x2, member_name=0x40872f68) 
    at php-8.0.0beta2/Zend/zend_compile.c:847
#1  0x00007ffff52a0ade 
    in add_static_slot (hash=0x7fffffffa330, op_array=0x7ffff3be0448, op1=0, op2=20, kind=1792, cache_size=0x7fffffffa260)
    at php-8.0.0beta2/ext/opcache/Optimizer/compact_literals.c:99
#2  0x00007ffff52a30d1
    in zend_optimizer_compact_literals (op_array=0x7ffff3be0448, ctx=0x7fffffffa4b0)
    at php-8.0.0beta2/ext/opcache/Optimizer/compact_literals.c:712
#3  0x00007ffff52906ec
    in zend_optimize_script (script=0x7ffff3d88200, optimization_level=2147401727, debug_level=0)
    at php-8.0.0beta2/ext/opcache/Optimizer/zend_optimizer.c:1459
#4  0x00007ffff52579f6
    in cache_script_in_shared_memory (new_persistent_script=0x7ffff3d88200, key=0x7ffff3bf80d8 "xxx.php", key_length=105, from_shared_memory=0x7fffffffa570)
    at php-8.0.0beta2/ext/opcache/ZendAccelerator.c:1440
#5  0x00007ffff5259df4
    in persistent_compile_file (file_handle=0x7fffffffa6c0, type=2)
    at php-8.0.0beta2/ext/opcache/ZendAccelerator.c:2178
#6  0x0000555555bd9f59
    in zend_include_or_eval (inc_filename=0x7ffff5414870, type=4)
    at php-8.0.0beta2/Zend/zend_execute.c:4193
#7  0x0000555555c2d838
    in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at php-8.0.0beta2/Zend/zend_vm_execute.h:37190
#8  0x0000555555c4e245
    in execute_ex (ex=0x7ffff54145a0)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:56770
#9  0x0000555555b8d849
    in zend_call_function (fci=0x7fffffffaab0, fci_cache=0x7fffffffaa90)
    at php-8.0.0beta2/Zend/zend_execute_API.c:855
#10 0x0000555555b8dbf8
    in zend_call_known_function (fn=0x421b4380, object=0x7ffff54db580, called_scope=0x421b2f60, retval_ptr=0x7ffff5414590, param_count=1, params=0x7fffffffabc0, named_params=0x0)
    at php-8.0.0beta2/Zend/zend_execute_API.c:945
#11 0x0000555555c7c12a
    in zend_call_known_instance_method (fn=0x421b4380, object=0x7ffff54db580, retval_ptr=0x7ffff5414590, param_count=1, params=0x7fffffffabc0)
    at php-8.0.0beta2/Zend/zend_API.h:587
#12 0x0000555555c7c19f
    in zend_call_known_instance_method_with_1_params (fn=0x421b4380, object=0x7ffff54db580, retval_ptr=0x7ffff5414590, param=0x7fffffffabc0)
    at php-8.0.0beta2/Zend/zend_API.h:599
#13 0x0000555555c7c7f2
    in zend_std_call_getter (zobj=0x7ffff54db580, prop_name=0x7ffff54b9c30, retval=0x7ffff5414590)
    at php-8.0.0beta2/Zend/zend_object_handlers.c:182
#14 0x0000555555c7dc1d
    in zend_std_read_property (zobj=0x7ffff54db580, name=0x7ffff54b9c30, type=0, cache_slot=0x0, rv=0x7ffff5414590)
    at php-8.0.0beta2/Zend/zend_object_handlers.c:645
#15 0x0000555555c297e8
    in ZEND_FETCH_OBJ_R_SPEC_UNUSED_CV_HANDLER ()
    at php-8.0.0beta2/Zend/zend_vm_execute.h:34874
#16 0x0000555555c4dda4
    in execute_ex (ex=0x7ffff5414020)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:56537
#17 0x0000555555c4f1da
    in zend_execute (op_array=0x7ffff545c3c0, return_value=0x0)
    at php-8.0.0beta2/Zend/zend_vm_execute.h:57766
#18 0x0000555555ba5651
    in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at php-8.0.0beta2/Zend/zend.c:1696
#19 0x0000555555b07d22
    in php_execute_script (primary_file=0x7fffffffd400)
    at php-8.0.0beta2/main/main.c:2535
#20 0x0000555555c8e026
    in do_cli (argc=9, argv=0x55555698f710)
    at php-8.0.0beta2/sapi/cli/php_cli.c:949
#21 0x0000555555c8f09d
    in main (argc=9, argv=0x55555698f710)
    at php-8.0.0beta2/sapi/cli/php_cli.c:1336


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-08-28 12:25 UTC] sjon@php.net
I managed to create a testcase, just including this file should be enough:

<?php

class P
{   
    protected function _p(string $t = null, int $i = null, bool $a = false): array
    {
        while (($line = current($this->_stack)) !== false)
            if ($a)
                if (isset($className::$p))
                    throw new Ex('');
    }
}
 [2020-08-31 10:34 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2020-08-31 10:34 UTC] nikic@php.net
<?php

function test() {
    var_dump(isset($className::$test));
}
 [2020-08-31 10:35 UTC] nikic@php.net
-Summary: segfault in zend_optimizer_compact_literals > zend_create_member_string +Summary: Optimizer segfault with isset on static property with undef dynamic class name
 [2020-08-31 10:38 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=50975640bc2bd86f4aa1c1eb00bd9dc3a9764e72
Log: Fixed bug #80030
 [2020-08-31 10:38 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 12 03:01:28 2024 UTC