|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81051 Broken property type handling after incrementing reference
Submitted: 2021-05-19 13:34 UTC Modified: 2021-05-27 08:28 UTC
Avg. Score:4.3 ± 0.8
Reproduced:11 of 11 (100.0%)
Same Version:11 (100.0%)
Same OS:11 (100.0%)
From: dktapps at pmmp dot io Assigned: dmitry (profile)
Status: Closed Package: JIT
PHP Version: 8.0.6 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: dktapps at pmmp dot io
New email:
PHP Version: OS:


 [2021-05-19 13:34 UTC] dktapps at pmmp dot io
When incrementing a typed property by-reference, it seems like the type gets broken, causing spurious errors and assert failures.

This was discovered in debug mode using opcache.jit=1205.

In debug mode, the following assert is triggered:

(gdb) run php-8-jit-bugs/samples/by-ref-increment-typed-property.php
Starting program: /home/dktapps/pm-dev/bin/php7/bin/php php-8-jit-bugs/samples/by-ref-increment-typed-property.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
php: /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895: i_zend_check_property_type: Assertion `!(zval_get_type(&(*(property))) == 10)' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff47a3921 in __GI_abort () at abort.c:79
#2  0x00007ffff479348a in __assert_fail_base (fmt=0x7ffff491a750 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555556123548 "!(zval_get_type(&(*(property))) == 10)",
    file=file@entry=0x555556123180 "/home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c", line=line@entry=895,
    function=function@entry=0x555556126200 <__PRETTY_FUNCTION__.15039> "i_zend_check_property_type") at assert.c:92
#3  0x00007ffff4793502 in __GI___assert_fail (assertion=0x555556123548 "!(zval_get_type(&(*(property))) == 10)", file=0x555556123180 "/home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c",
    line=895, function=0x555556126200 <__PRETTY_FUNCTION__.15039> "i_zend_check_property_type") at assert.c:101
#4  0x0000555555d984f5 in i_zend_check_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895
#5  0x0000555555d98615 in i_zend_verify_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:915
#6  0x0000555555d98666 in zend_verify_property_type (info=0x408d3700, property=0x7ffff44020a8, strict=false) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:924
#7  0x00007ffff40d0e1d in zend_jit_post_inc_typed_prop (var_ptr=0x7ffff44020a8, prop_info=0x408d3700, result=0x7ffff4414170) at ext/opcache/jit/zend_jit_helpers.c:2359
#8  0x0000000048001f0d in ?? ()
#9  0x00007ffff4402070 in ?? ()
#10 0x00007fff00000001 in ?? ()
#11 0x000000004024a860 in ?? ()
#12 0x00005555565987d0 in ?? ()
#13 0xfffffffffffffed6 in ?? ()
#14 0x000000004024b1a0 in ?? ()
#15 0x00007fffffffa3f0 in ?? ()
#16 0x0000555555d80417 in zend_hash_find_bucket (ht=0x0, key=0x0, known_hash=85) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_hash.c:649
#17 0x0000555555e2324f in zend_execute (op_array=0x7ffff445d280, return_value=0x0) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_vm_execute.h:58875
#18 0x0000555555d6b0a7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend.c:1680
#19 0x0000555555cb0a87 in php_execute_script (primary_file=0x7fffffffcb50) at /home/dktapps/pm-dev/install_data/subdir/php/main/main.c:2488
#20 0x0000555555e67c23 in do_cli (argc=2, argv=0x555556594020) at /home/dktapps/pm-dev/install_data/subdir/php/sapi/cli/php_cli.c:949
#21 0x0000555555e68eb0 in main (argc=2, argv=0x555556594020) at /home/dktapps/pm-dev/install_data/subdir/php/sapi/cli/php_cli.c:1336

Test script:

class Binary{
	public static function readUnsignedVarInt(string $buffer, int &$offset) : int{
		return 0;

class BinaryStream{

	private string $buffer;
	private int $offset;

	public function __construct(string $buffer, int $offset = 0){
		$this->buffer = $buffer;
		$this->offset = $offset;

	public function getUnsignedVarInt() : int{
		return Binary::readUnsignedVarInt($this->buffer, $this->offset);

	public function get(int $len) : string{
		return $len === 1 ? $this->buffer[$this->offset++] : substr($this->buffer, ($this->offset += $len) - $len, $len);
$stream = new BinaryStream(str_repeat("\x01a", 1000));

Expected result:
string(1) "a"

Actual result:
In release mode:
PHP Fatal error:  Uncaught TypeError: Cannot assign int to property BinaryStream::$offset of type int in /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php:25
Stack trace:
#0 /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php(30): BinaryStream->get()
#1 {main}
  thrown in /home/runner/work/php-8-jit-bugs/php-8-jit-bugs/samples/by-ref-increment-typed-property.php on line 25

In debug mode:
php: /home/dktapps/pm-dev/install_data/subdir/php/Zend/zend_execute.c:895: i_zend_check_property_type: Assertion `!(zval_get_type(&(*(property))) == 10)' failed.
Aborted (core dumped)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-27 08:28 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: dmitry
 [2021-05-27 08:28 UTC]
Still reproduces on master.
 [2021-05-27 12:23 UTC]
Automatic comment on behalf of dstogov
Log: Fixed bug #81051 (Broken property type handling after incrementing reference)
 [2021-05-27 12:23 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 17 10:03:39 2021 UTC