Description
I found the following kernel log entry:

```
php-fpm[153638]: segfault at 2f ip 0000634627ccda4d sp 00007fffa385be28 error 4 in php-fpm[634627800000+4fd000] likely on CPU 1 (core 1, socket 0)
Code: 8b 87 b8 01 00 00 48 8d 14 d0 eb 0a 90 48 83 c0 08 48 39 d0 74 27 48 39 30 75 f2 b8 01 00 00 00 c3 0f 1f 40 00 48 85 ff 74 13 <48> 8b 7f 10 48 39 fe 75 f2 eb e6 0f 1f 84 00 00 00 00 00 31 c0 c3
```
I traced the code to the following location:

```
   0x00000000006cda3e <instanceof_function_slow+46>:    b8 01 00 00 00          mov    $0x1,%eax
   0x00000000006cda43 <instanceof_function_slow+51>:    c3                      ret
   0x00000000006cda44 <instanceof_function_slow+52>:    0f 1f 40 00             nopl   0x0(%rax)
   0x00000000006cda48 <instanceof_function_slow+56>:    48 85 ff                test   %rdi,%rdi
   0x00000000006cda4b <instanceof_function_slow+59>:    74 13                   je     0x6cda60 <instanceof_function_slow+80>
>> 0x00000000006cda4d <instanceof_function_slow+61>:    48 8b 7f 10             mov    0x10(%rdi),%rdi
   0x00000000006cda51 <instanceof_function_slow+65>:    48 39 fe                cmp    %rdi,%rsi
   0x00000000006cda54 <instanceof_function_slow+68>:    75 f2                   jne    0x6cda48 <instanceof_function_slow+56>
   0x00000000006cda56 <instanceof_function_slow+70>:    eb e6                   jmp    0x6cda3e <instanceof_function_slow+46>
   0x00000000006cda58 <instanceof_function_slow+72>:    0f 1f 84 00 00 00 00 00 nopl   0x0(%rax,%rax,1)
   0x00000000006cda60 <instanceof_function_slow+80>:    31 c0                   xor    %eax,%eax
   0x00000000006cda62 <instanceof_function_slow+82>:    c3                      ret
```
I've rebuilt PHP 8.4.14 with debugging symbols enabled and traced the location to this line:

```
(gdb) disassemble /s instanceof_function_slow
Dump of assembler code for function instanceof_function_slow:
/usr/src/php/Zend/zend_operators.c:
2492        if (ce->ce_flags & ZEND_ACC_INTERFACE) {
   0x0000000000a2bed1 <+66>:    mov    -0x20(%rbp),%rax
   0x0000000000a2bed5 <+70>:    mov    0x1c(%rax),%eax
   0x0000000000a2bed8 <+73>:    and    $0x1,%eax
   0x0000000000a2bedb <+76>:    test   %eax,%eax
   0x0000000000a2bedd <+78>:    je     0xa2bf71 <instanceof_function_slow+226>
```
It looks like `ce` is invalid in this case.

The following modules are loaded:
```
[PHP Modules]
bcmath
bz2
Core
ctype
curl
date
dom
fileinfo
filter
gd
hash
iconv
igbinary
json
ldap
libxml
mbstring
mongodb
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
random
readline
Reflection
session
SimpleXML
sodium
SPL
sqlite3
standard
swoole
tidy
tokenizer
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
```
This is running on a production system, so my debugging abilities are somewhat limited. Unfortunately I can't pin down the location of the script that was being executed due to limited information (for now). I've enabled core dumps and am now waiting for the crash to occur again.
PHP Version

```
PHP 8.4.14 (cli) (built: Nov  4 2025 00:22:08) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.4.14, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.14, Copyright (c), by Zend Technologies
```

Operating System

Ubuntu 24.04.2 LTS / php8.4.14-fpm-bookworm docker image
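As an added illustration (not part of the original report or of php-src), a small Python helper that parses the kernel segfault line quoted above, checks that the faulting `ip` lies inside the reported `php-fpm` mapping, derives the mapping-relative offset to look up in the binary, decodes the page-fault error bits, and locates the bracketed faulting instruction in the `Code:` dump. The sample values are copied from this report; the field names are my own.

```python
import re

# Sample input constructed from the kernel log quoted in the report.
SAMPLE_LOG = ("php-fpm[153638]: segfault at 2f ip 0000634627ccda4d sp 00007fffa385be28 "
              "error 4 in php-fpm[634627800000+4fd000] likely on CPU 1 (core 1, socket 0)")
SAMPLE_CODE = ("8b 87 b8 01 00 00 48 8d 14 d0 eb 0a 90 48 83 c0 08 48 39 d0 74 27 48 39 30 "
               "75 f2 b8 01 00 00 00 c3 0f 1f 40 00 48 85 ff 74 13 <48> 8b 7f 10 48 39 fe 75 f2 "
               "eb e6 0f 1f 84 00 00 00 00 00 31 c0 c3")

# Shape of the x86-64 kernel segfault message: comm[pid]: segfault at A ip B sp C error E in obj[base+size]
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(err):
    # x86 page-fault error code bits as printed by the kernel ("error 4" = user-mode read of an unmapped page).
    return {
        "present": bool(err & 1),      # 0: page not present, 1: protection violation
        "write": bool(err & 2),        # 0: read, 1: write
        "user": bool(err & 4),         # 1: fault raised from user mode
        "instr_fetch": bool(err & 16), # 1: instruction fetch (NX)
    }


def parse_segfault(line):
    m = SEGV_RE.search(line)
    if not m:
        raise ValueError("not a kernel segfault line")
    ip, base, size, addr = (int(m.group(k), 16) for k in ("ip", "base", "size", "addr"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "ip": ip,
        "in_mapping": base <= ip < base + size,
        # Offset of ip from the mapping base; this is what to look up in the same binary with objdump/gdb.
        "offset": ip - base,
        "error": decode_error(int(m.group("err"))),
    }


def fault_opcode(code_dump):
    # The kernel brackets the byte at ip as <xx>; return its index and the raw bytes from ip onward.
    toks = code_dump.split()
    idx = next(i for i, t in enumerate(toks) if t.startswith("<"))
    raw = bytes(int(t.strip("<>"), 16) for t in toks)
    return idx, raw[idx:]
```

Feeding the bytes returned by `fault_opcode` to a disassembler gives `48 8b 7f 10`, the `mov 0x10(%rdi),%rdi` at `instanceof_function_slow+61` in the report, and the fault address `0x2f` minus that `0x10` displacement shows the bogus pointer value that was in `%rdi`.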