Bug #80426 Crash when using JIT and an extension replacing zend_execute_ex with custom
Submitted: 2020-11-26 20:33 UTC Modified: 2020-11-30 11:51 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Assigned: nikic
Status: Closed Package: JIT
PHP Version: 8.0.0 OS: Linux
Private report: No CVE-ID: None
 [2020-11-26 20:33 UTC]
Using a minimal extension [1] that replaces zend_execute_ex with a decorator function, and running a simple PHP script [2] in cli with JIT enabled, makes it crash.


Test script:

Compile it and run the test.php script with:

php -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php

Expected result:
No crash

Actual result:
Crashes with the following info:

gdb /usr/local/php-8.0-debug/bin/php
(gdb) run -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php
Starting program: /usr/local/php-8.0-debug/bin/php -d zend_extension=opcache -dopcache.enable_cli=1 -dopcache.jit_buffer_size=100M -dextension=extcrash test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/".
php: ext/opcache/jit/zend_jit_trace.c:7314: zend_jit_trace_exit: Assertion `((execute_data)->opline) >= ((execute_data)->func)->op_array.opcodes && ((execute_data)->opline) < ((execute_data)->func)->op_array.opcodes + ((execute_data)->func)->op_array.last' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff757fa41 in raise () from /lib64/
(gdb) bt
#0  0x00007ffff757fa41 in raise () from /lib64/
#1  0x00007ffff7569536 in abort () from /lib64/
#2  0x00007ffff756941f in __assert_fail_base.cold () from /lib64/
#3  0x00007ffff7578332 in __assert_fail () from /lib64/
#4  0x00007ffff4fa30c6 in zend_jit_trace_exit (exit_num=3, regs=0x7fffffff9990) at ext/opcache/jit/zend_jit_trace.c:7314
#5  0x000000004800049a in ?? ()
#6  0x00000000408d26a0 in ?? ()
#7  0x0000555556d7a6c8 in executor_globals ()
#8  0x00007ffff50022c8 in ?? ()
#9  0x0000555555c9e769 in _destroy_zend_class_traits_info (ce=0x408d26a0) at /home/patrick.allaert/Projets/php-src/Zend/zend_opcode.c:256
#10 0xff00ffffffffffff in ?? ()
#11 0xffffffff000000ff in ?? ()
#12 0x0000000000000000 in ?? ()


 [2020-11-27 13:16 UTC]
If the assertion is removed from php's source, it segfaults with:

Program received signal SIGSEGV, Segmentation fault.
zval_undefined_cv (var=80) at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:270
270                     zend_string *cv = CV_DEF_OF(EX_VAR_TO_NUM(var));
(gdb) bt
#0  zval_undefined_cv (var=80) at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:270
#1  0x0000555555cf0d59 in _zval_undefined_op1 () at /home/patrick.allaert/Projets/php-src/Zend/zend_execute.c:278
#2  0x0000555555d4f2b1 in zend_pre_inc_helper_SPEC_CV () at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:37224
#3  0x0000555555d4f414 in ZEND_PRE_INC_SPEC_CV_RETVAL_UNUSED_HANDLER () at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:37261
#4  0x0000555555d721f0 in execute_ex (ex=0x7ffff4e13020) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:57706
#5  0x00007ffff512c114 in custom_zend_execute (execute_data=0x7ffff4e13020) at /home/patrick.allaert/Projets/extcrash/extcrash.c:11
#6  0x0000555555d734fe in zend_execute (op_array=0x7ffff4e5c280, return_value=0x0) at /home/patrick.allaert/Projets/php-src/Zend/zend_vm_execute.h:58856
#7  0x0000555555cc756a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/patrick.allaert/Projets/php-src/Zend/zend.c:1680
#8  0x0000555555c2a5d0 in php_execute_script (primary_file=0x7fffffffc280) at /home/patrick.allaert/Projets/php-src/main/main.c:2488
#9  0x0000555555db3252 in do_cli (argc=7, argv=0x555556d94dd0) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:949
#10 0x0000555555db4297 in main (argc=7, argv=0x555556d94dd0) at /home/patrick.allaert/Projets/php-src/sapi/cli/php_cli.c:1336
 [2020-11-30 11:42 UTC]
Should be fixed by commit and, correct me if I am wrong, as part of PHP 8.0.1.
 [2020-11-30 11:51 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-11-30 11:51 UTC]
That's right!
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jun 19 10:01:24 2021 UTC