Bug #81607 Segmentation fault for opcache.enable_cli=1
Submitted: 2021-11-10 22:36 UTC Modified: 2021-11-11 15:57 UTC
From: mails at thomasbley dot de Assigned:
Status: Closed Package: opcache
PHP Version: 8.1.0RC5 OS: linux
Private report: No CVE-ID: None
 [2021-11-10 22:36 UTC] mails at thomasbley dot de
Description:
------------
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault

php -v
PHP 8.1.0RC5 (cli) (built: Nov  4 2021 14:57:53) (NTS)

php -r "echo implode(',', get_loaded_extensions());"
Core,date,libxml,openssl,pcre,zlib,filter,hash,json,pcntl,Reflection,SPL,session,standard,sodium,mysqlnd,PDO,xml,apcu,calendar,ctype,curl,dom,mbstring,FFI,fileinfo,ftp,gettext,iconv,intl,exif,mysqli,pcov,pdo_mysql,Phar,posix,readline,shmop,SimpleXML,soap,sockets,sysvmsg,sysvsem,sysvshm,tokenizer,xmlreader,xmlwriter,xsl,zip,Zend OPcache

Test script:
---------------
error case:

git clone --depth=1 git@github.com:vimeo/psalm.git
cd psalm/
composer install
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault

ok case:
php -dopcache.enable_cli=0 psalm --config=psalm.xml.dist --no-cache --threads=8
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=1

Expected result:
----------------
no segfault

Actual result:
--------------
Segmentation fault

 [2021-11-10 22:43 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2021-11-10 22:43 UTC] requinix@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2021-11-11 11:46 UTC] mails at thomasbley dot de
-Status: Feedback +Status: Open
 [2021-11-11 11:46 UTC] mails at thomasbley dot de
php -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8
Scanning files...
Segmentation fault (core dumped)

I've uploaded the dumps to https://github.com/thomasbley/core-dumps
 [2021-11-11 11:50 UTC] mails at thomasbley dot de
core-php.19213

#0  0x00005601a8052b67 in ?? ()
#1  0x00005601a80544fe in php_var_unserialize ()
#2  0x00005601a804320a in php_unserialize_with_options ()
#3  0x00005601a8043457 in ?? ()
#4  0x00005601a7ef1d1c in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef27a2 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef27a2 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a7ef24f0 in ?? ()
#23 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#24 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#25 0x00005601a7ef24f0 in ?? ()
#26 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#27 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#28 0x00005601a813824d in zend_execute ()
#29 0x00005601a80c9615 in zend_execute_scripts ()
#30 0x00005601a80668ca in php_execute_script ()
#31 0x00005601a81b0e1e in ?? ()
#32 0x00005601a7f0bea8 in ?? ()
#33 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#34 0x00005601a7f0c04e in _start ()
 [2021-11-11 11:55 UTC] mails at thomasbley dot de
core-php.19219

#0  0x00005601a80bfcc4 in instanceof_function_slow ()
#1  0x00005601a80ebcfa in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef27a2 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef27a2 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef27a2 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a7ef27a2 in ?? ()
#23 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#24 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#25 0x00005601a7ef27a2 in ?? ()
#26 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#27 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#28 0x00005601a7ef27a2 in ?? ()
#29 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#30 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#31 0x00005601a7ef27a2 in ?? ()
#32 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#33 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#34 0x00005601a7ef24f0 in ?? ()
#35 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#36 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#37 0x00005601a7ef24f0 in ?? ()
#38 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#39 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#40 0x00005601a7ef24f0 in ?? ()
#41 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#42 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#43 0x00005601a7ef27a2 in ?? ()
#44 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#45 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#46 0x00005601a7ef24f0 in ?? ()
#47 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#48 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#49 0x00005601a7ef27a2 in ?? ()
#50 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#51 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#52 0x00005601a7ef27a2 in ?? ()
#53 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#54 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#55 0x00005601a7ef24f0 in ?? ()
#56 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#57 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#58 0x00005601a7ef24f0 in ?? ()
#59 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#60 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#61 0x00005601a7ef24f0 in ?? ()
#62 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#63 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#64 0x00005601a813824d in zend_execute ()
#65 0x00005601a80c9615 in zend_execute_scripts ()
#66 0x00005601a80668ca in php_execute_script ()
#67 0x00005601a81b0e1e in ?? ()
#68 0x00005601a7f0bea8 in ?? ()
#69 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#70 0x00005601a7f0c04e in _start ()

core-php.19220

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()

core-php.19221

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()

core-php.19222

#0  0x00005601a80cbc74 in object_init_ex ()
#1  0x00005601a8106495 in ?? ()
#2  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#3  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#4  0x00005601a7ef24f0 in ?? ()
#5  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#6  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#7  0x00005601a7ef27a2 in ?? ()
#8  0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#9  0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#10 0x00005601a7ef27a2 in ?? ()
#11 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#12 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#13 0x00005601a7ef24f0 in ?? ()
#14 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#15 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#16 0x00005601a7ef24f0 in ?? ()
#17 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#18 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#19 0x00005601a7ef24f0 in ?? ()
#20 0x00005601a8138d10 in zend_vm_call_opcode_handler ()
#21 0x00007ff860169d28 in php_pcov_execute_ex () from /usr/lib/php/20210902/pcov.so
#22 0x00005601a813824d in zend_execute ()
#23 0x00005601a80c9615 in zend_execute_scripts ()
#24 0x00005601a80668ca in php_execute_script ()
#25 0x00005601a81b0e1e in ?? ()
#26 0x00005601a7f0bea8 in ?? ()
#27 0x00007ff8639610b3 in __libc_start_main (main=0x5601a7f0baa0, argc=7, argv=0x7ffd53709558, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd53709548) at ../csu/libc-start.c:308
#28 0x00005601a7f0c04e in _start ()
 [2021-11-11 12:05 UTC] cmb@php.net
-Status: Open +Status: Feedback
 [2021-11-11 12:05 UTC] cmb@php.net
Thank you for the backtraces (although backtraces with debug
symbols might be more helpful).  Anyhow, does it also segfault
when pcov is disabled?
 [2021-11-11 12:54 UTC] mails at thomasbley dot de
-Status: Feedback +Status: Open
 [2021-11-11 12:54 UTC] mails at thomasbley dot de
yes

core-php.27635

#0  0x0000557656c14b67 in ?? ()
#1  0x0000557656c164fe in php_var_unserialize ()
#2  0x0000557656c0520a in php_unserialize_with_options ()
#3  0x0000557656c05457 in ?? ()
#4  0x0000557656cf4081 in execute_ex ()
#5  0x0000557656cfa24d in zend_execute ()
#6  0x0000557656c8b615 in zend_execute_scripts ()
#7  0x0000557656c288ca in php_execute_script ()
#8  0x0000557656d72e1e in ?? ()
#9  0x0000557656acdea8 in ?? ()
#10 0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#11 0x0000557656ace04e in _start ()

core-php.27636

#0  0x0000557656c81cc4 in instanceof_function_slow ()
#1  0x0000557656cadcfa in ?? ()
#2  0x0000557656cf29f6 in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27637

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27638

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()

core-php.27639

#0  0x0000557656c8dc74 in object_init_ex ()
#1  0x0000557656cc8495 in ?? ()
#2  0x0000557656cf147d in execute_ex ()
#3  0x0000557656cfa24d in zend_execute ()
#4  0x0000557656c8b615 in zend_execute_scripts ()
#5  0x0000557656c288ca in php_execute_script ()
#6  0x0000557656d72e1e in ?? ()
#7  0x0000557656acdea8 in ?? ()
#8  0x00007f61a2a310b3 in __libc_start_main (main=0x557656acdaa0, argc=6, argv=0x7ffd37a1c568, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd37a1c558) at ../csu/libc-start.c:308
#9  0x0000557656ace04e in _start ()
 [2021-11-11 13:17 UTC] mails at thomasbley dot de
Seems this code causes the segfault:

./src/Psalm/Internal/Fork/Pool.php:352
$message = unserialize(base64_decode($serialized_message, true));

Data is:

O:39:"Psalm\Internal\Fork\ForkTaskDoneMessage":1:{s:4:"data";N;}

interface ForkMessage
{
}

class ForkTaskDoneMessage implements ForkMessage
{
    /** @var mixed */
    public $data;

    /**
     * @param mixed $data
     */
    public function __construct($data)
    {
        $this->data = $data;
    }
}
 [2021-11-11 15:44 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-11-11 15:44 UTC] nikic@php.net
Can at least confirm the segfault. The class entry read from CE cache is corrupted.
 [2021-11-11 15:51 UTC] nikic@php.net
I believe this is a suspected issue where one process allocates a new map ptr slot on an existing shm interned string and another tries to use it with a too small map ptr segment.

At least the ce cache slot seems to be one past the end of the map ptr segment.
 [2021-11-11 15:57 UTC] nikic@php.net
Here's a small reproducer:

<?php

// Create a SHM interned string for FooBar.
var_dump("FooBar");

$pid = pcntl_fork();
if ($pid == 0) {
    // Child: Declare class FooBar {} to allocate CE cache slot.
    require __DIR__ . '/t480_2.php';
} else if ($pid > 0) {
    pcntl_wait($status);
    var_dump(new FooBar); // Crash.
} else {
    echo "pcntl_fork() failed\n";
}

t480_2.php:
<?php
class FooBar {}
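The failure mode nikic describes above, modelled in C as an added example (this is not php-src code): each process keeps a private table indexed by a slot number, but the slot number is stored in a string that is shared between processes, so a slot grown in the child's table is stale in the parent's. The names (map_ptr_base, ce_cache_slot, declare_class, lookup_class) and the table size of four slots are this example's own constructions; the model follows the reproducer's sequence and shows why the parent's slot lands one past the end of its table, and how a bounds check turns the wild read into a detectable error.

```c
/* Added model of the bug report's race, not php-src code. Names echo the
 * report's terminology but are this example's own; sizes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NO_SLOT SIZE_MAX

typedef enum { LOOKUP_HIT, LOOKUP_MISS, LOOKUP_SLOT_OUT_OF_RANGE } lookup_status;

typedef struct { const char *name; } class_entry;

/* Interned string living in shared memory: one copy seen by every process. */
typedef struct {
    const char *chars;
    size_t ce_cache_slot;        /* index into a process's private map ptr table */
} shared_string;

/* Per-process state; the table is copied (not shared) at fork time. */
typedef struct {
    class_entry **map_ptr_base;
    size_t map_ptr_size;         /* slots this process has room for */
} process_state;

typedef struct {
    lookup_status status;
    size_t slot;                 /* slot the child wrote into the shared string */
    size_t parent_size;          /* size of the parent's table at lookup time */
} scenario_result;

static process_state process_new(size_t preallocated_slots) {
    process_state p;
    p.map_ptr_size = preallocated_slots;
    p.map_ptr_base = calloc(preallocated_slots, sizeof *p.map_ptr_base);
    return p;
}

/* fork(): the child starts with a private copy of the parent's table. */
static process_state process_fork(const process_state *parent) {
    process_state child = process_new(parent->map_ptr_size);
    memcpy(child.map_ptr_base, parent->map_ptr_base,
           parent->map_ptr_size * sizeof *child.map_ptr_base);
    return child;
}

/* Declaring a class: if its name has no cache slot yet, allocate one by
 * growing *this* process's table and publish the index in the shared string. */
static size_t declare_class(process_state *p, shared_string *name, class_entry *ce) {
    if (name->ce_cache_slot == NO_SLOT) {
        name->ce_cache_slot = p->map_ptr_size;   /* visible to other processes */
        p->map_ptr_size++;                       /* but only this table grew */
        p->map_ptr_base = realloc(p->map_ptr_base,
                                  p->map_ptr_size * sizeof *p->map_ptr_base);
    }
    p->map_ptr_base[name->ce_cache_slot] = ce;
    return name->ce_cache_slot;
}

/* Bounds-checked lookup: refuses to index past this process's table instead
 * of reading whatever bytes follow it (a garbage class_type, as in the report). */
static lookup_status lookup_class(const process_state *p, const shared_string *name,
                                  class_entry **out) {
    *out = NULL;
    if (name->ce_cache_slot == NO_SLOT)
        return LOOKUP_MISS;
    if (name->ce_cache_slot >= p->map_ptr_size)
        return LOOKUP_SLOT_OUT_OF_RANGE;
    *out = p->map_ptr_base[name->ce_cache_slot];
    return *out ? LOOKUP_HIT : LOOKUP_MISS;
}

/* The reproducer's sequence: intern "FooBar", fork, child declares FooBar,
 * parent then does `new FooBar` through the slot the child published. */
scenario_result run_fork_scenario(void) {
    shared_string foobar = { "FooBar", NO_SLOT };   /* var_dump("FooBar") */
    process_state parent = process_new(4);           /* 4 slots already in use */
    process_state child = process_fork(&parent);
    class_entry ce = { "FooBar" };
    scenario_result r;
    class_entry *found;

    r.slot = declare_class(&child, &foobar, &ce);      /* child: class FooBar {} */
    r.parent_size = parent.map_ptr_size;               /* parent's table never grew */
    r.status = lookup_class(&parent, &foobar, &found); /* parent: new FooBar */

    free(child.map_ptr_base);
    free(parent.map_ptr_base);
    return r;
}

int main(void) {
    scenario_result r = run_fork_scenario();
    printf("parent table has %zu slots, shared string says slot %zu: %s\n",
           r.parent_size, r.slot,
           r.status == LOOKUP_SLOT_OUT_OF_RANGE ? "one past the end" : "ok");
    return 0;
}
```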
 [2021-11-12 18:23 UTC] mails at thomasbley dot de
Here is an update with 8.1.0RC6 and more debugging information:

git clone --branch=php-8.1.0RC6 --depth=1 git@github.com:php/php-src.git
cd php-src
./buildconf --force
./configure --enable-debug --without-sqlite3 --without-pdo-sqlite --enable-pcntl --enable-opcache --enable-mbstring
make


/home/***/code/php-src/sapi/cli/php -dextension_dir=/home/***/code/php-src/modules -dzend_extension=opcache.so -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8

#0  0x00005640d022ee2d in php_var_unserialize_internal (rval=0x7fa1d8214940, p=0x7ffcb9318390, max=0x7fa1d5aab2d8 "", var_hash=0x7ffcb9318398)
    at ext/standard/var_unserializer.re:1271
#1  0x00005640d022d01a in php_var_unserialize (rval=0x7fa1d8214940, p=0x7ffcb9318390, max=0x7fa1d5aab2d8 "", var_hash=0x7ffcb9318398)
    at ext/standard/var_unserializer.re:831
#2  0x00005640d0218637 in php_unserialize_with_options (return_value=0x7fa1d8214940, 
    buf=0x7fa1d5aab298 "O:39:\"Psalm\\Internal\\Fork\\ForkTaskDoneMessage\":1:{s:4:\"data\";N;}", buf_len=64, options=0x0, 
    function_name=0x5640d0cd8091 "unserialize") at /home/***/code/php-src/ext/standard/var.c:1397
#3  0x00005640d0218af5 in zif_unserialize (execute_data=0x7fa1d8214960, return_value=0x7fa1d8214940)
    at /home/***/code/php-src/ext/standard/var.c:1447
#4  0x00005640d0349faa in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:1297
#5  0x00005640d03bcea8 in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:54509
#6  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#7  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#8  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#9  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#10 0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  0x00005640d031556c in _object_and_properties_init (arg=0x7fa1d8214890, class_type=0x657270707573006f, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1618
#1  0x00005640d03157c1 in object_init_ex (arg=0x7fa1d8214890, class_type=0x657270707573006f) at /home/***/code/php-src/Zend/zend_API.c:1665
#2  0x00005640d035eccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#3  0x00005640d03be2ef in execute_ex (ex=0x7fa1d8214020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#4  0x00005640d03c26d4 in zend_execute (op_array=0x7fa1d825d500, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#5  0x00005640d030e17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#6  0x00005640d026b56a in php_execute_script (primary_file=0x7ffcb931ace0) at /home/***/code/php-src/main/main.c:2534
#7  0x00005640d047e790 in do_cli (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#8  0x00005640d047f898 in main (argc=8, argv=0x5640d28574f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367



/home/***/code/php-src/sapi/cli/php -e -dextension_dir=/home/***/code/php-src/modules -dzend_extension=opcache.so -dopcache.enable_cli=1 psalm --config=psalm.xml.dist --no-cache --threads=8

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14940, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14940, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a48e09b in php_var_unserialize_internal (rval=0x7f82a8a14940, p=0x7ffd7e5b1a60, max=0x7f82a62d52d8 "", var_hash=0x7ffd7e5b1a68)
    at ext/standard/var_unserializer.re:1316
#4  0x000055597a48c01a in php_var_unserialize (rval=0x7f82a8a14940, p=0x7ffd7e5b1a60, max=0x7f82a62d52d8 "", var_hash=0x7ffd7e5b1a68)
    at ext/standard/var_unserializer.re:831
#5  0x000055597a477637 in php_unserialize_with_options (return_value=0x7f82a8a14940, 
    buf=0x7f82a62d5298 "O:39:\"Psalm\\Internal\\Fork\\ForkTaskDoneMessage\":1:{s:4:\"data\";N;}", buf_len=64, options=0x0, 
    function_name=0x55597af37091 "unserialize") at /home/***/code/php-src/ext/standard/var.c:1397
#6  0x000055597a477af5 in zif_unserialize (execute_data=0x7f82a8a14960, return_value=0x7f82a8a14940)
    at /home/***/code/php-src/ext/standard/var.c:1447
#7  0x000055597a5a8faa in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:1297
#8  0x000055597a61bea8 in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:54509
#9  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#10 0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#11 0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#12 0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#13 0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a14890, class_type=0x55597c8bbec0, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a14890, class_type=0x55597c8bbec0) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367

#0  zend_update_class_constants (class_type=0x55597c89a730) at /home/***/code/php-src/Zend/zend_API.c:1384
#1  0x000055597a574693 in _object_and_properties_init (arg=0x7f82a8a151f0, class_type=0x55597c89a730, properties=0x0)
    at /home/***/code/php-src/Zend/zend_API.c:1634
#2  0x000055597a5747c1 in object_init_ex (arg=0x7f82a8a151f0, class_type=0x55597c89a730) at /home/***/code/php-src/Zend/zend_API.c:1665
#3  0x000055597a5bdccc in ZEND_NEW_SPEC_CONST_UNUSED_HANDLER () at /home/***/code/php-src/Zend/zend_vm_execute.h:10143
#4  0x000055597a61d2ef in execute_ex (ex=0x7f82a8a14020) at /home/***/code/php-src/Zend/zend_vm_execute.h:55412
#5  0x000055597a6216d4 in zend_execute (op_array=0x7f82a8a5d280, return_value=0x0) at /home/***/code/php-src/Zend/zend_vm_execute.h:58868
#6  0x000055597a56d17b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/***/code/php-src/Zend/zend.c:1761
#7  0x000055597a4ca56a in php_execute_script (primary_file=0x7ffd7e5b43b0) at /home/***/code/php-src/main/main.c:2534
#8  0x000055597a6dd790 in do_cli (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:965
#9  0x000055597a6de898 in main (argc=9, argv=0x55597c6d94f0) at /home/***/code/php-src/sapi/cli/php_cli.c:1367
 [2021-11-17 15:25 UTC] git@php.net
Automatic comment on behalf of dstogov
Revision: https://github.com/php/php-src/commit/76548e509346383468439c3bdce0c290eb1aa3af
Log: Fixed bug #81607 (CE_CACHE allocation with concurrent access)
 [2021-11-17 15:25 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Nov 28 09:03:14 2021 UTC