PHP 7.1 get_called_class #1392

Closed
Jurigag opened this issue Feb 6, 2017 · 23 comments
@Jurigag
Contributor

Jurigag commented Feb 6, 2017

Zephir on PHP 7.1 returns the wrong value from get_called_class. Script to reproduce:

abstract class Test
{
    public static function count()
    {
        var_dump(get_called_class());
    }
}
class Xyz extends Test
{
}
Xyz::count();

Actual: "Test"
Expected: "Xyz"

Refs: #1390, #1389, #1372

@Jurigag
Contributor Author

Jurigag commented Feb 6, 2017

As I see it, we use current_execute_data, while in php-src execute_data is used. Is there any difference? Are those the same thing? @andresgutierrez @steffengy

@Jurigag
Contributor Author

Jurigag commented Feb 9, 2017

#1390: perhaps these changes are causing the problem, because I checked with this Zephir.

@Jurigag
Contributor Author

Jurigag commented Mar 17, 2017

Well, the problem now is that it segfaults on code like this:

class Test2
{
    public function testCalled()
    {
        // instance method calling a static method through self::
        self::testCalled3();
    }

    public static function testCalled2()
    {
        // static method calling a static method through self::
        self::testCalled3();
    }

    protected static function testCalled3()
    {
        var_dump(get_called_class());
    }
}

// PHP side: instantiate the Zephir-compiled class (namespace Test3 as in the
// original post; the class name is aligned with the declaration above)
$test = new Test3\Test2();
$test->testCalled2();
$test->testCalled();

The first call works, but the second segfaults.

I think the problem is in zephir_call_user_function or zephir_call_function_opt.

@dreamsxin
Contributor

I will try using the PHP built-in zend_call_function and test again.

@Jurigag
Contributor Author

Jurigag commented Mar 17, 2017

Sure, but I don't think it's really a solution.

@dreamsxin
Contributor

@Jurigag At the least, it narrows the search range.

@sergeyklay
Contributor

@dreamsxin

Zephir

namespace Group;

abstract class Model
{
	public function testCalled()
	{
		return self::testCalled3();
	}

	public static function testCalled2()
	{
		return self::testCalled3();
	}

	protected static function testCalled3()
	{
		return get_called_class();
	}
}

test.php

<?php
class Phpized extends Group\Model
{
}

$test = new Phpized();
echo $test->testCalled() . PHP_EOL;

With xdebug

Reading symbols from /usr/local/bin/php...(no debugging symbols found)...done.
[New LWP 25915]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by 'php test.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fe6d90c3087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
175		if (ZSTR_IS_INTERNED(s)) {
(gdb) (gdb) #0  0x00007fe6d90c3087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
No locals.
#1  0x00007fe6d90c3525 in zephir_get_called_class (return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/kernel/object.c:107
        __z = 0x7fe6d9c140a0
        __s = 0xfec0f800
        called_scope = 0x7fe6d9c73640
#2  0x00007fe6d90dbc20 in zim_Group_Model_testCalled3 (execute_data=0x7fe6d9c14100, return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:61
        this_zv = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 19 '\023', type_flags = 8 '\b', const_flags = 13 '\r', reserved = 217 '\331'}, type_info = 3641509907}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
        this_ptr = 0x0
#3  0x000055ead9c382c4 in execute_internal ()
No symbol table info available.
#4  0x00007fe6d9717f01 in xdebug_execute_internal (current_execute_data=0x7fe6d9c14100, return_value=0x7fe6d9c140a0) at /tmp/pear/temp/xdebug/xdebug.c:2147
        edata = 0x7fe6d9c14100
        fse = 0x55eadb3dffb0
        do_return = 0
        function_nr = 3
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#5  0x00007fe6d90d575e in zephir_call_function_opt (fci=0x7ffc92976c50, fci_cache=0x7ffc92976c20, info=0x7ffc92976d50, params=0x7ffc92976e80) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1264
        call_via_handler = 0
        i = 0
        calling_scope = 0x55eadafa9340
        call = 0x7fe6d9c14100
        dummy_execute_data = {opline = 0x7ffc92976bd0, call = 0x7fe6df95bdc7 <_dl_fixup+247>, return_value = 0xd3385ed6eed95c77, func = 0x7fe6d92e3550, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 144 '\220', type_flags = 170 '\252', const_flags = 151 '\227', reserved = 146 '\222'}, type_info = 2459413136}, u2 = {next = 32764, cache_slot = 32764, lineno = 32764, num_args = 32764, fe_pos = 32764, fe_iter_idx = 32764, access_flags = 32764, property_guard = 32764, extra = 32764}}, prev_execute_data = 0x7fe6d9c14030, symbol_table = 0x7fe6b0de77b8, run_time_cache = 0x7ffc92976cf0, literals = 0x7fe6df95bdc7 <_dl_fixup+247>}
        fci_cache_local = {initialized = 0 '\000', function_handler = 0x7fe6d92e3898, calling_scope = 0x0, called_scope = 0x7ffc9297aa90, object = 0x7fe6d9c14030}
        func = 0x55eadafacdf0
        __PRETTY_FUNCTION__ = "zephir_call_function_opt"
#6  0x00007fe6d90cf1cf in zephir_call_user_function (object_pp=0x7fe6d9c140d0, obj_ce=0x7fe6d9c03240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7fe6d9c140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80, info=0x7ffc92976d50) at /usr/src/cphalcon/example/ext/kernel/fcall.c:498
        local_retval_ptr = {value = {lval = 2, dval = 9.8813129168249309e-324, counted = 0x2, str = 0x2, arr = 0x2, obj = 0x2, res = 0x2, ref = 0x2, ast = 0x2, zv = 0x2, ptr = 0x2, ce = 0x2, func = 0x2, ww = {w1 = 2, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 32764, cache_slot = 32764, lineno = 32764, num_args = 32764, fe_pos = 32764, fe_iter_idx = 32764, access_flags = 32764, property_guard = 32764, extra = 32764}}
        status = 0
        fci = {size = 56, function_name = {value = {lval = 140628786575288, dval = 6.9479852263190487e-310, counted = 0x7fe6b0de77b8, str = 0x7fe6b0de77b8, arr = 0x7fe6b0de77b8, obj = 0x7fe6b0de77b8, res = 0x7fe6b0de77b8, ref = 0x7fe6b0de77b8, ast = 0x7fe6b0de77b8, zv = 0x7fe6b0de77b8, ptr = 0x7fe6b0de77b8, ce = 0x7fe6b0de77b8, func = 0x7fe6b0de77b8, ww = {w1 = 2967369656, w2 = 32742}}, u1 = {v = {type = 192 '\300', type_flags = 109 'm', const_flags = 151 '\227', reserved = 146 '\222'}, type_info = 2459397568}, u2 = {next = 32764, cache_slot = 32764, lineno = 32764, num_args = 32764, fe_pos = 32764, fe_iter_idx = 32764, access_flags = 32764, property_guard = 32764, extra = 32764}}, retval = 0x7fe6d9c140a0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
        fcic = {initialized = 1 '\001', function_handler = 0x55eadafacdf0, calling_scope = 0x55eadafa9340, called_scope = 0x7fe6d9c03240, object = 0x7fe6d9c73640}
        zephir_globals_ptr = 0x55eadafabc80
        fcall_key = 0x7fe6d9c74400 "\004testcalled3"
        fcall_key_hash = 15220019217921825911
        fcall_key_len = 30
        temp_cache_entry = 0x0
        reload_cache = 1
        __PRETTY_FUNCTION__ = "zephir_call_user_function"
#7  0x00007fe6d90cf878 in zephir_call_class_method_aparams (return_value_ptr=0x7fe6d9c140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe6d90df152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80) at /usr/src/cphalcon/example/ext/kernel/fcall.c:705
        possible_method = 0x55eadadf5780 ""
        rv = {value = {lval = 1, dval = 4.9406564584124654e-324, counted = 0x1, str = 0x1, arr = 0x1, obj = 0x1, res = 0x1, ref = 0x1, ast = 0x1, zv = 0x1, ptr = 0x1, ce = 0x1, func = 0x1, ww = {w1 = 1, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
        rvp = 0x7fe6d9c140a0
        fn = 0x0
        status = 0
        info = {type = 4, ce = 0x7fe6d90b9cb8, object_ptr = 0x2, class_name = 0x7ffc92976e40 "\260n\227\222\374\177", class_length = -648021120, func_name = 0x7fe6d90df152 "testcalled3", func_length = 11}
        __PRETTY_FUNCTION__ = "zephir_call_class_method_aparams"
#8  0x00007fe6d90db79d in zephir_return_call_class_method (return_value=0x7fe6d9c140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe6d90df152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80) at ./kernel/fcall.h:417
        rv = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 21994, cache_slot = 21994, lineno = 21994, num_args = 21994, fe_pos = 21994, fe_iter_idx = 21994, access_flags = 21994, property_guard = 21994, extra = 21994}}
        rvp = 0x7fe6d9c140a0
        status = 32742
#9  0x00007fe6d90dba97 in zim_Group_Model_testCalled (execute_data=0x7fe6d9c140b0, return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
        params_ = 0x7ffc92976e80
        ZEPHIR_LAST_CALL_STATUS = 0
        this_zv = {value = {lval = 140629472917056, dval = 6.9480191361079362e-310, counted = 0x7fe6d9c73640, str = 0x7fe6d9c73640, arr = 0x7fe6d9c73640, obj = 0x7fe6d9c73640, res = 0x7fe6d9c73640, ref = 0x7fe6d9c73640, ast = 0x7fe6d9c73640, zv = 0x7fe6d9c73640, ptr = 0x7fe6d9c73640, ce = 0x7fe6d9c73640, func = 0x7fe6d9c73640, ww = {w1 = 3653711424, w2 = 32742}}, u1 = {v = {type = 8 '\b', type_flags = 12 '\f', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 3080}, u2 = {next = 32742, cache_slot = 32742, lineno = 32742, num_args = 32742, fe_pos = 32742, fe_iter_idx = 32742, access_flags = 32742, property_guard = 32742, extra = 32742}}
        this_ptr = 0x7ffc92976e80
#10 0x000055ead9c382c4 in execute_internal ()
No symbol table info available.
#11 0x00007fe6d9717f01 in xdebug_execute_internal (current_execute_data=0x7fe6d9c140b0, return_value=0x7fe6d9c140a0) at /tmp/pear/temp/xdebug/xdebug.c:2147
        edata = 0x7fe6d9c140b0
        fse = 0x55eadb3dfeb0
        do_return = 0
        function_nr = 2
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#12 0x000055ead9c3d039 in ?? ()
No symbol table info available.
#13 0x000055ead9c3fcb6 in ?? ()
No symbol table info available.
#14 0x000055ead9c3aae6 in execute_ex ()
No symbol table info available.
#15 0x00007fe6d97174ed in xdebug_execute_ex (execute_data=0x7fe6d9c14030) at /tmp/pear/temp/xdebug/xdebug.c:1995
        op_array = 0x7fe6d9c81000
        edata = 0x0
        dummy = 0x0
        fse = 0x55eadb37b580
        xfse = 0x8000000013
        magic_cookie = 0x0
        do_return = 0
        function_nr = 0
        le = 0x0
        code_coverage_func_info = {class = 0x7fe6d9c81000 "\002", function = 0x7fe6d9c14030 "\270w\336\260\346\177", type = -641200128, internal = 32742}
        code_coverage_function_name = 0x0
        code_coverage_file_name = 0x0
        code_coverage_init = 0
#16 0x000055ead9c3aceb in zend_execute ()
No symbol table info available.
#17 0x000055ead9bd11f4 in zend_execute_scripts ()
No symbol table info available.
#18 0x000055ead9b100ea in php_execute_script ()
No symbol table info available.
#19 0x000055ead9cc533f in ?? ()
No symbol table info available.
#20 0x000055ead9cc65bd in ?? ()
No symbol table info available.
#21 0x00007fe6dd37eb45 in __libc_start_main (main=0x55ead9cc5e20, argc=2, argv=0x7ffc9297aa98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc9297aa88) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -9179680314510981072, 94467157654400, 140722767899280, 0, 0, 9178930105532893232, 9175665378378336304}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x55ead9cd08d0 <__libc_csu_init>, 0x7ffc9297aa98}, data = {prev = 0x0, cleanup = 0x0, canceltype = -640874288}}}
        not_first_call = <optimized out>
#22 0x000055ead95ffba9 in _start ()
No symbol table info available.
Thread 1 (Thread 0x7fe6dfb50800 (LWP 25915)):
#0  0x00007fe6d90c3087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
#1  0x00007fe6d90c3525 in zephir_get_called_class (return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/kernel/object.c:107
#2  0x00007fe6d90dbc20 in zim_Group_Model_testCalled3 (execute_data=0x7fe6d9c14100, return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:61
#3  0x000055ead9c382c4 in execute_internal ()
#4  0x00007fe6d9717f01 in xdebug_execute_internal (current_execute_data=0x7fe6d9c14100, return_value=0x7fe6d9c140a0) at /tmp/pear/temp/xdebug/xdebug.c:2147
#5  0x00007fe6d90d575e in zephir_call_function_opt (fci=0x7ffc92976c50, fci_cache=0x7ffc92976c20, info=0x7ffc92976d50, params=0x7ffc92976e80) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1264
#6  0x00007fe6d90cf1cf in zephir_call_user_function (object_pp=0x7fe6d9c140d0, obj_ce=0x7fe6d9c03240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7fe6d9c140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80, info=0x7ffc92976d50) at /usr/src/cphalcon/example/ext/kernel/fcall.c:498
#7  0x00007fe6d90cf878 in zephir_call_class_method_aparams (return_value_ptr=0x7fe6d9c140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe6d90df152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80) at /usr/src/cphalcon/example/ext/kernel/fcall.c:705
#8  0x00007fe6d90db79d in zephir_return_call_class_method (return_value=0x7fe6d9c140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe6d90df152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffc92976e80) at ./kernel/fcall.h:417
#9  0x00007fe6d90dba97 in zim_Group_Model_testCalled (execute_data=0x7fe6d9c140b0, return_value=0x7fe6d9c140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
#10 0x000055ead9c382c4 in execute_internal ()
#11 0x00007fe6d9717f01 in xdebug_execute_internal (current_execute_data=0x7fe6d9c140b0, return_value=0x7fe6d9c140a0) at /tmp/pear/temp/xdebug/xdebug.c:2147
#12 0x000055ead9c3d039 in ?? ()
#13 0x000055ead9c3fcb6 in ?? ()
#14 0x000055ead9c3aae6 in execute_ex ()
#15 0x00007fe6d97174ed in xdebug_execute_ex (execute_data=0x7fe6d9c14030) at /tmp/pear/temp/xdebug/xdebug.c:1995
#16 0x000055ead9c3aceb in zend_execute ()
#17 0x000055ead9bd11f4 in zend_execute_scripts ()
#18 0x000055ead9b100ea in php_execute_script ()
#19 0x000055ead9cc533f in ?? ()
#20 0x000055ead9cc65bd in ?? ()
#21 0x00007fe6dd37eb45 in __libc_start_main (main=0x55ead9cc5e20, argc=2, argv=0x7ffc9297aa98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc9297aa88) at libc-start.c:287
#22 0x000055ead95ffba9 in _start ()

Without xdebug

Reading symbols from /usr/local/bin/php...(no debugging symbols found)...done.
[New LWP 25926]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by 'php test.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f1969d1e087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
175		if (ZSTR_IS_INTERNED(s)) {
(gdb) (gdb) #0  0x00007f1969d1e087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
No locals.
#1  0x00007f1969d1e525 in zephir_get_called_class (return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/kernel/object.c:107
        __z = 0x7f196a6140a0
        __s = 0x7f196a603240
        called_scope = 0x7f196a6726e0
#2  0x00007f1969d36c20 in zim_Group_Model_testCalled3 (execute_data=0x7f196a614100, return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:61
        this_zv = {value = {lval = 94230627370704, dval = 4.6556115769932715e-310, counted = 0x55b3c71246d0, str = 0x55b3c71246d0, arr = 0x55b3c71246d0, obj = 0x55b3c71246d0, res = 0x55b3c71246d0, ref = 0x55b3c71246d0, ast = 0x55b3c71246d0, zv = 0x55b3c71246d0, ptr = 0x55b3c71246d0, ce = 0x55b3c71246d0, func = 0x55b3c71246d0, ww = {w1 = 3339863760, w2 = 21939}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 2, cache_slot = 2, lineno = 2, num_args = 2, fe_pos = 2, fe_iter_idx = 2, access_flags = 2, property_guard = 2, extra = 2}}
        this_ptr = 0x0
#3  0x00007f1969d3073b in zephir_call_function_opt (fci=0x7ffd7d0e58a0, fci_cache=0x7ffd7d0e5870, info=0x7ffd7d0e59a0, params=0x7ffd7d0e5ad0) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262
        call_via_handler = 0
        i = 0
        calling_scope = 0x55b3c7120c20
        call = 0x7f196a614100
        dummy_execute_data = {opline = 0x7ffd7d0e5820, call = 0x7f1970398dc7 <_dl_fixup+247>, return_value = 0xd40142a0a67bd9a2, func = 0x7f1969f3e550, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 160 '\240', type_flags = 149 '\225', const_flags = 14 '\016', reserved = 125 '}'}, type_info = 2098107808}, u2 = {next = 32765, cache_slot = 32765, lineno = 32765, num_args = 32765, fe_pos = 32765, fe_iter_idx = 32765, access_flags = 32765, property_guard = 32765, extra = 32765}}, prev_execute_data = 0x7f196a614030, symbol_table = 0x7f1941a426f8, run_time_cache = 0x7ffd7d0e5940, literals = 0x7f1970398dc7 <_dl_fixup+247>}
        fci_cache_local = {initialized = 0 '\000', function_handler = 0x7f1969f3e898, calling_scope = 0x0, called_scope = 0x7ffd7d0e95a0, object = 0x7f196a614030}
        func = 0x55b3c71246d0
        __PRETTY_FUNCTION__ = "zephir_call_function_opt"
#4  0x00007f1969d2a1cf in zephir_call_user_function (object_pp=0x7f196a6140d0, obj_ce=0x7f196a603240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7f196a6140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0, info=0x7ffd7d0e59a0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:498
        local_retval_ptr = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 32765, cache_slot = 32765, lineno = 32765, num_args = 32765, fe_pos = 32765, fe_iter_idx = 32765, access_flags = 32765, property_guard = 32765, extra = 32765}}
        status = 0
        fci = {size = 56, function_name = {value = {lval = 139746452186872, dval = 6.9043921153729795e-310, counted = 0x7f1941a426f8, str = 0x7f1941a426f8, arr = 0x7f1941a426f8, obj = 0x7f1941a426f8, res = 0x7f1941a426f8, ref = 0x7f1941a426f8, ast = 0x7f1941a426f8, zv = 0x7f1941a426f8, ptr = 0x7f1941a426f8, ce = 0x7f1941a426f8, func = 0x7f1941a426f8, ww = {w1 = 1101276920, w2 = 32537}}, u1 = {v = {type = 16 '\020', type_flags = 90 'Z', const_flags = 14 '\016', reserved = 125 '}'}, type_info = 2098092560}, u2 = {next = 32765, cache_slot = 32765, lineno = 32765, num_args = 32765, fe_pos = 32765, fe_iter_idx = 32765, access_flags = 32765, property_guard = 32765, extra = 32765}}, retval = 0x7f196a6140a0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
        fcic = {initialized = 1 '\001', function_handler = 0x55b3c71246d0, calling_scope = 0x55b3c7120c20, called_scope = 0x7f196a603240, object = 0x7f196a6726e0}
        zephir_globals_ptr = 0x55b3c7123560
        fcall_key = 0x7f196a601c00 "\004testcalled3"
        fcall_key_hash = 15276564668772768162
        fcall_key_len = 30
        temp_cache_entry = 0x0
        reload_cache = 1
        __PRETTY_FUNCTION__ = "zephir_call_user_function"
#5  0x00007f1969d2a878 in zephir_call_class_method_aparams (return_value_ptr=0x7f196a6140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7f1969d3a152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:705
        possible_method = 0x55b3c6f6d040 ""
        rv = {value = {lval = 1, dval = 4.9406564584124654e-324, counted = 0x1, str = 0x1, arr = 0x1, obj = 0x1, res = 0x1, ref = 0x1, ast = 0x1, zv = 0x1, ptr = 0x1, ce = 0x1, func = 0x1, ww = {w1 = 1, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
        rvp = 0x7f196a6140a0
        fn = 0x0
        status = 0
        info = {type = 4, ce = 0x7f1969d14cb8, object_ptr = 0x0, class_name = 0x7ffd7d0e5a90 "", class_length = -984523904, func_name = 0x7f1969d3a152 "testcalled3", func_length = 11}
        __PRETTY_FUNCTION__ = "zephir_call_class_method_aparams"
#6  0x00007f1969d3679d in zephir_return_call_class_method (return_value=0x7f196a6140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7f1969d3a152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0) at ./kernel/fcall.h:417
        rv = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 21939, cache_slot = 21939, lineno = 21939, num_args = 21939, fe_pos = 21939, fe_iter_idx = 21939, access_flags = 21939, property_guard = 21939, extra = 21939}}
        rvp = 0x7f196a6140a0
        status = 32537
#7  0x00007f1969d36a97 in zim_Group_Model_testCalled (execute_data=0x7f196a6140b0, return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
        params_ = 0x7ffd7d0e5ad0
        ZEPHIR_LAST_CALL_STATUS = 80
        this_zv = {value = {lval = 139747136055008, dval = 6.9044259029482078e-310, counted = 0x7f196a6726e0, str = 0x7f196a6726e0, arr = 0x7f196a6726e0, obj = 0x7f196a6726e0, res = 0x7f196a6726e0, ref = 0x7f196a6726e0, ast = 0x7f196a6726e0, zv = 0x7f196a6726e0, ptr = 0x7f196a6726e0, ce = 0x7f196a6726e0, func = 0x7f196a6726e0, ww = {w1 = 1785145056, w2 = 32537}}, u1 = {v = {type = 8 '\b', type_flags = 12 '\f', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 3080}, u2 = {next = 64, cache_slot = 64, lineno = 64, num_args = 64, fe_pos = 64, fe_iter_idx = 64, access_flags = 64, property_guard = 64, extra = 64}}
        this_ptr = 0x7ffd7d0e5ad0
#8  0x000055b3c5b5301d in ?? ()
No symbol table info available.
#9  0x000055b3c5b50ae6 in execute_ex ()
No symbol table info available.
#10 0x000055b3c5b50ceb in zend_execute ()
No symbol table info available.
#11 0x000055b3c5ae71f4 in zend_execute_scripts ()
No symbol table info available.
#12 0x000055b3c5a260ea in php_execute_script ()
No symbol table info available.
#13 0x000055b3c5bdb33f in ?? ()
No symbol table info available.
#14 0x000055b3c5bdc5bd in ?? ()
No symbol table info available.
#15 0x00007f196ddbbb45 in __libc_start_main (main=0x55b3c5bdbe20, argc=2, argv=0x7ffd7d0e95a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd7d0e9598) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5061757463585601933, 94230597950336, 140726701561248, 0, 0, -5060916209653663347, -5184731484916172403}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x55b3c5be68d0 <__libc_csu_init>, 0x7ffd7d0e95a8}, data = {prev = 0x0, cleanup = 0x0, canceltype = -977377072}}}
        not_first_call = <optimized out>
#16 0x000055b3c5515ba9 in _start ()
No symbol table info available.
Thread 1 (Thread 0x7f197058d800 (LWP 25926)):
#0  0x00007f1969d1e087 in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
#1  0x00007f1969d1e525 in zephir_get_called_class (return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/kernel/object.c:107
#2  0x00007f1969d36c20 in zim_Group_Model_testCalled3 (execute_data=0x7f196a614100, return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:61
#3  0x00007f1969d3073b in zephir_call_function_opt (fci=0x7ffd7d0e58a0, fci_cache=0x7ffd7d0e5870, info=0x7ffd7d0e59a0, params=0x7ffd7d0e5ad0) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262
#4  0x00007f1969d2a1cf in zephir_call_user_function (object_pp=0x7f196a6140d0, obj_ce=0x7f196a603240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7f196a6140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0, info=0x7ffd7d0e59a0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:498
#5  0x00007f1969d2a878 in zephir_call_class_method_aparams (return_value_ptr=0x7f196a6140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7f1969d3a152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:705
#6  0x00007f1969d3679d in zephir_return_call_class_method (return_value=0x7f196a6140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7f1969d3a152 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffd7d0e5ad0) at ./kernel/fcall.h:417
#7  0x00007f1969d36a97 in zim_Group_Model_testCalled (execute_data=0x7f196a6140b0, return_value=0x7f196a6140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
#8  0x000055b3c5b5301d in ?? ()
#9  0x000055b3c5b50ae6 in execute_ex ()
#10 0x000055b3c5b50ceb in zend_execute ()
#11 0x000055b3c5ae71f4 in zend_execute_scripts ()
#12 0x000055b3c5a260ea in php_execute_script ()
#13 0x000055b3c5bdb33f in ?? ()
#14 0x000055b3c5bdc5bd in ?? ()
#15 0x00007f196ddbbb45 in __libc_start_main (main=0x55b3c5bdbe20, argc=2, argv=0x7ffd7d0e95a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd7d0e9598) at libc-start.c:287
#16 0x000055b3c5515ba9 in _start ()

So yes,
zim_Group_Model_testCalled ->
zephir_return_call_class_method ->
zephir_call_class_method_aparams ->
zephir_call_user_function ->
zephir_call_function_opt ->
zim_Group_Model_testCalled3 ->
zephir_get_called_class ->
zend_string_dup

php-config

Options:
  --prefix            [/usr/local]
  --includes          [-I/usr/local/include/php -I/usr/local/include/php/main -I/usr/local/include/php/TSRM -I/usr/local/include/php/Zend -I/usr/local/include/php/ext -I/usr/local/include/php/ext/date/lib]
  --ldflags           [ -Wl,-O1 -Wl,--hash-style=both -pie -L/usr/lib/x86_64-linux-gnu]
  --libs              [-lcrypt   -lresolv -lcrypt -ledit -ltermcap -lrt -lcurl -lz -lrt -lm -ldl -lnsl  -lpthread -lxml2 -lssl -lcrypto -lcurl -lxml2 -lssl -lcrypto -lxml2 -lcrypt -lxml2 -lxml2 -lxml2 -lssl -lcrypto -lcrypt ]
  --extension-dir     [/usr/local/lib/php/extensions/debug-zts-20160303]
  --include-dir       [/usr/local/include/php]
  --man-dir           [/usr/local/php/man]
  --php-binary        [/usr/local/bin/php]
  --php-sapis         [ cli phpdbg cgi]
  --configure-options [--with-config-file-path=/usr/local/etc/php --with-config-file-scan-dir=/usr/local/etc/php/conf.d --enable-debug --enable-cgi --enable-cli --enable-ftp --enable-mbstring --enable-mysqlnd --with-curl --with-libedit --with-openssl --with-zlib --enable-maintainer-zts]
  --version           [7.1.3]
  --vernum            [70103]

@sergeyklay
Contributor

Cc: @rafmichalak84

@dreamsxin
Contributor

@sjinks Help, check the bug.

@sjinks
Contributor

sjinks commented Mar 18, 2017

==8101== Invalid read of size 1
==8101==    at 0xF7B5A05: zend_string_dup (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF7B5EA2: zephir_get_called_class (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF79EAC3: zim_Issue1392_Model_testCalled3 (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF7A3D5B: zephir_call_function_opt (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF7AA886: zephir_call_user_function (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF7AAF38: zephir_call_class_method_aparams (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF79E64E: zephir_return_call_class_method (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0xF79E93C: zim_Issue1392_Model_testCalled (in /home/vladimir/workspace/zephir/1/issue1392/ext/issue1392.so)
==8101==    by 0x9C0AD3: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1097)
==8101==    by 0x9BE4D6: execute_ex (zend_vm_execute.h:429)
==8101==    by 0x9BE6D7: zend_execute (zend_vm_execute.h:474)
==8101==    by 0x950C79: zend_execute_scripts (zend.c:1474)
==8101==  Address 0xfcd88e6a00000006 is not stack'd, malloc'd or (recently) free'd

@sjinks
Contributor

sjinks commented Mar 18, 2017

No. As far as I can tell, the issue lies somewhere in zephir_call_user_function. If I replace testCalled's body with

        zend_fcall_info fci;

        fci.size = sizeof(fci);
        fci.object = getThis() ? Z_OBJ_P(getThis()) : NULL;
        ZVAL_STRING(&fci.function_name, "testcalled3");
        fci.retval = return_value;
        fci.param_count = 0;
        fci.params = NULL;
        fci.no_separation = 1;

        zend_call_function(&fci, NULL);
        return;

I get the expected behavior.

@Jurigag
Contributor Author

Jurigag commented Mar 18, 2017

It's definitely not a problem with get_called_class itself because it works overall; it just happens when there is a call from a non-static method to a static method. Something happens with the scope.

@sjinks
Contributor

sjinks commented Mar 18, 2017

One of the issues:

#if PHP_VERSION_ID >= 70100
                fcic.called_scope = obj_ce ? obj_ce : (EG(current_execute_data) ? Z_OBJ(EG(current_execute_data)->This) : NULL);
#endif

Z_OBJ returns zend_object* but zend_class_entry* is expected

@sergeyklay
Contributor

sergeyklay commented Mar 18, 2017

I've modified this for my example:

#if PHP_VERSION_ID >= 70100
---                fcic.called_scope = obj_ce ? obj_ce : (EG(current_execute_data) ? Z_OBJ(EG(current_execute_data)->This) : NULL);
+++                fcic.called_scope = obj_ce ? obj_ce : (EG(current_execute_data) ? Z_OBJCE(EG(current_execute_data)->This) : NULL);

#endif
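Review bot: Z_OBJCE() is only valid when Z_TYPE(This) == IS_OBJECT, so the `+++` line is wrong in a different way than the `---` line it replaces. For a static call the engine keeps the called class entry in the same union slot (Z_CE(This)) with the type left IS_UNDEF, so Z_OBJCE() there reads a zend_class_entry* as if it were a zend_object*, and for a frame with no object at all (Z_OBJ(This) == NULL) it dereferences NULL. Resolve the scope with zend_get_called_scope(EG(current_execute_data)), which checks the type tag first and falls back to Z_CE(This), and assign its result to fcic.called_scope.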

and got this trace:

Reading symbols from /usr/local/bin/php...(no debugging symbols found)...done.
[New LWP 24389]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by 'php test.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fe4e0f1d8cf in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
175		if (ZSTR_IS_INTERNED(s)) {
(gdb) (gdb) #0  0x00007fe4e0f1d8cf in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
No locals.
#1  0x00007fe4e0f1dd6d in zephir_get_called_class (return_value=0x7fe4e18140a0) at /usr/src/cphalcon/example/ext/kernel/object.c:107
        __z = 0x7fe4e18140a0
        __s = 0x7fe4e1814100
        called_scope = 0x7fe4e18726e0
#2  0x00007fe4e0f3646c in zim_Group_Model_testCalled3 (execute_data=0x7fe4e1814100, return_value=0x7fe4e18140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:61
        this_zv = {value = {lval = 94749969974992, dval = 4.6812705109133141e-310, counted = 0x562cb24d86d0, str = 0x562cb24d86d0, arr = 0x562cb24d86d0, obj = 0x562cb24d86d0, res = 0x562cb24d86d0, ref = 0x562cb24d86d0, ast = 0x562cb24d86d0, zv = 0x562cb24d86d0, ptr = 0x562cb24d86d0, ce = 0x562cb24d86d0, func = 0x562cb24d86d0, ww = {w1 = 2991425232, w2 = 22060}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 2, cache_slot = 2, lineno = 2, num_args = 2, fe_pos = 2, fe_iter_idx = 2, access_flags = 2, property_guard = 2, extra = 2}}
        this_ptr = 0x0
#3  0x00007fe4e0f2ff87 in zephir_call_function_opt (fci=0x7ffe415a4e50, fci_cache=0x7ffe415a4e20, info=0x7ffe415a4f50, params=0x7ffe415a5080) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262
        call_via_handler = 0
        i = 0
        calling_scope = 0x562cb24d4c20
        call = 0x7fe4e1814100
        dummy_execute_data = {opline = 0x7ffe415a4dd0, call = 0x7fe4e73fadc7 <_dl_fixup+247>, return_value = 0xf401f5188f8ec4c4, func = 0x1e, This = {value = {lval = 140621012540416, dval = 6.947601137963066e-310, counted = 0x7fe4e1801c00, str = 0x7fe4e1801c00, arr = 0x7fe4e1801c00, obj = 0x7fe4e1801c00, res = 0x7fe4e1801c00, ref = 0x7fe4e1801c00, ast = 0x7fe4e1801c00, zv = 0x7fe4e1801c00, ptr = 0x7fe4e1801c00, ce = 0x7fe4e1801c00, func = 0x7fe4e1801c00, ww = {w1 = 3783269376, w2 = 32740}}, u1 = {v = {type = 160 '\240', type_flags = 228 '\344', const_flags = 141 '\215', reserved = 178 '\262'}, type_info = 2995643552}, u2 = {next = 22060, cache_slot = 22060, lineno = 22060, num_args = 22060, fe_pos = 22060, fe_iter_idx = 22060, access_flags = 22060, property_guard = 22060, extra = 22060}}, prev_execute_data = 0x6, symbol_table = 0xfffffffee1801c1e, run_time_cache = 0x562cb05048dc, literals = 0xffffffff8f8ec4c4}
        fci_cache_local = {initialized = 0 '\000', function_handler = 0x7fe4e113e7a8, calling_scope = 0x0, called_scope = 0x7ffe415a8b50, object = 0x7fe4e1814030}
        func = 0x562cb24d86d0
        __PRETTY_FUNCTION__ = "zephir_call_function_opt"
#4  0x00007fe4e0f29a1b in zephir_call_user_function (object_pp=0x7fe4e18140d0, obj_ce=0x7fe4e1803240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7fe4e18140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffe415a5080, info=0x7ffe415a4f50) at /usr/src/cphalcon/example/ext/kernel/fcall.c:499
        local_retval_ptr = {value = {lval = 140729994858176, dval = 6.9529855798840031e-310, counted = 0x7ffe415a4ec0, str = 0x7ffe415a4ec0, arr = 0x7ffe415a4ec0, obj = 0x7ffe415a4ec0, res = 0x7ffe415a4ec0, ref = 0x7ffe415a4ec0, ast = 0x7ffe415a4ec0, zv = 0x7ffe415a4ec0, ptr = 0x7ffe415a4ec0, ce = 0x7ffe415a4ec0, func = 0x7ffe415a4ec0, ww = {w1 = 1096437440, w2 = 32766}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 32766, cache_slot = 32766, lineno = 32766, num_args = 32766, fe_pos = 32766, fe_iter_idx = 32766, access_flags = 32766, property_guard = 32766, extra = 32766}}
        status = -1
        fci = {size = 56, function_name = {value = {lval = 94749968175168, dval = 4.6812704219901934e-310, counted = 0x562cb2321040, str = 0x562cb2321040, arr = 0x562cb2321040, obj = 0x562cb2321040, res = 0x562cb2321040, ref = 0x562cb2321040, ast = 0x562cb2321040, zv = 0x562cb2321040, ptr = 0x562cb2321040, ce = 0x562cb2321040, func = 0x562cb2321040, ww = {w1 = 2989625408, w2 = 22060}}, u1 = {v = {type = 128 '\200', type_flags = 2 '\002', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 640}, u2 = {next = 32740, cache_slot = 32740, lineno = 32740, num_args = 32740, fe_pos = 32740, fe_iter_idx = 32740, access_flags = 32740, property_guard = 32740, extra = 32740}}, retval = 0x7fe4e18140a0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
        fcic = {initialized = 1 '\001', function_handler = 0x562cb24d86d0, calling_scope = 0x562cb24d4c20, called_scope = 0x7fe4e1803240, object = 0x7fe4e18726e0}
        zephir_globals_ptr = 0x562cb24d7560
        fcall_key = 0x7fe4e1801c00 "\004testcalled3"
        fcall_key_hash = 8359231869212869828
        fcall_key_len = 30
        temp_cache_entry = 0x0
        reload_cache = 1
        __PRETTY_FUNCTION__ = "zephir_call_user_function"
#5  0x00007fe4e0f2a0c4 in zephir_call_class_method_aparams (return_value_ptr=0x7fe4e18140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe4e0f39992 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffe415a5080) at /usr/src/cphalcon/example/ext/kernel/fcall.c:706
        possible_method = 0x562cafe6f449 <_zval_ptr_dtor+41> "\311\303UH\211\345H\203\354 H\211}\370H\211u\360\211U\354H\213E\370\017\266@\t\017\266\300\203\340\004\205\300t4H\213E\370H\211\307\350z\305\377\377H\213E\370H\211\307\350\305\304\377\377\205\300u\030H\213E\370\272/\002"
        rv = {value = {lval = 94749923720064, dval = 4.6812682256162265e-310, counted = 0x562caf8bbb80 <_start>, str = 0x562caf8bbb80 <_start>, arr = 0x562caf8bbb80 <_start>, obj = 0x562caf8bbb80 <_start>, res = 0x562caf8bbb80 <_start>, ref = 0x562caf8bbb80 <_start>, ast = 0x562caf8bbb80 <_start>, zv = 0x562caf8bbb80 <_start>, ptr = 0x562caf8bbb80 <_start>, ce = 0x562caf8bbb80 <_start>, func = 0x562caf8bbb80 <_start>, ww = {w1 = 2945170304, w2 = 22060}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 413, cache_slot = 413, lineno = 413, num_args = 413, fe_pos = 413, fe_iter_idx = 413, access_flags = 413, property_guard = 413, extra = 413}}
        rvp = 0x7fe4e18140a0
        fn = 0x0
        status = 32766
        info = {type = 4, ce = 0x7fe4e73fadc7 <_dl_fixup+247>, object_ptr = 0x7fe400000001, class_name = 0x0, class_length = 592200, func_name = 0x7fe4e0f39992 "testcalled3", func_length = 11}
        __PRETTY_FUNCTION__ = "zephir_call_class_method_aparams"
#6  0x00007fe4e0f35fe9 in zephir_return_call_class_method (return_value=0x7fe4e18140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe4e0f39992 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7ffe415a5080) at ./kernel/fcall.h:417
        rv = {value = {lval = 140621012546112, dval = 6.9476011382444858e-310, counted = 0x7fe4e1803240, str = 0x7fe4e1803240, arr = 0x7fe4e1803240, obj = 0x7fe4e1803240, res = 0x7fe4e1803240, ref = 0x7fe4e1803240, ast = 0x7fe4e1803240, zv = 0x7fe4e1803240, ptr = 0x7fe4e1803240, ce = 0x7fe4e1803240, func = 0x7fe4e1803240, ww = {w1 = 3783275072, w2 = 32740}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 22060, cache_slot = 22060, lineno = 22060, num_args = 22060, fe_pos = 22060, fe_iter_idx = 22060, access_flags = 22060, property_guard = 22060, extra = 22060}}
        rvp = 0x7fe4e18140a0
        status = 32740
#7  0x00007fe4e0f362e3 in zim_Group_Model_testCalled (execute_data=0x7fe4e18140b0, return_value=0x7fe4e18140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
        params_ = 0x7ffe415a5080
        ZEPHIR_LAST_CALL_STATUS = 80
        this_zv = {value = {lval = 140621013001952, dval = 6.9476011607659742e-310, counted = 0x7fe4e18726e0, str = 0x7fe4e18726e0, arr = 0x7fe4e18726e0, obj = 0x7fe4e18726e0, res = 0x7fe4e18726e0, ref = 0x7fe4e18726e0, ast = 0x7fe4e18726e0, zv = 0x7fe4e18726e0, ptr = 0x7fe4e18726e0, ce = 0x7fe4e18726e0, func = 0x7fe4e18726e0, ww = {w1 = 3783730912, w2 = 32740}}, u1 = {v = {type = 8 '\b', type_flags = 12 '\f', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 3080}, u2 = {next = 64, cache_slot = 64, lineno = 64, num_args = 64, fe_pos = 64, fe_iter_idx = 64, access_flags = 64, property_guard = 64, extra = 64}}
        this_ptr = 0x7ffe415a5080
#8  0x0000562cafef901d in ?? ()
No symbol table info available.
#9  0x0000562cafef6ae6 in execute_ex ()
No symbol table info available.
#10 0x0000562cafef6ceb in zend_execute ()
No symbol table info available.
#11 0x0000562cafe8d1f4 in zend_execute_scripts ()
No symbol table info available.
#12 0x0000562cafdcc0ea in php_execute_script ()
No symbol table info available.
#13 0x0000562caff8133f in ?? ()
No symbol table info available.
#14 0x0000562caff825bd in ?? ()
No symbol table info available.
#15 0x00007fe4e4e1db45 in __libc_start_main (main=0x562caff81e20, argc=2, argv=0x7ffe415a8b58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe415a8b48) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 133306455996490140, 94749923720064, 140729994873680, 0, 0, -133670691320897124, -139523351464517220}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x562caff8c8d0 <__libc_csu_init>, 0x7ffe415a8b58}, data = {prev = 0x0, cleanup = 0x0, canceltype = -1342650160}}}
        not_first_call = <optimized out>
#16 0x0000562caf8bbba9 in _start ()
No symbol table info available.
(gdb) rax            0xf273140400000001	-976414686796840959
rbx            0x0	0
rcx            0x7fe4e5ff72e0	140621087994592
rdx            0x562cb2418790	94749969188752
rsi            0x0	0
rdi            0xf273140400000001	-976414686796840959
rbp            0x7ffe415a4c10	0x7ffe415a4c10
rsp            0x7ffe415a4c00	0x7ffe415a4c00
r8             0x7fe4e1803240	140621012546112
r9             0x0	0
r10            0x7ffe415a49e0	140729994856928
r11            0x7fe4e4f68f90	140621070634896
r12            0x562caf8bbb80	94749923720064
r13            0x7ffe415a8b50	140729994873680
r14            0x7fe4e1814030	140621012615216
r15            0x7fe4b8c456f8	140620329146104
rip            0x7fe4e0f1d8cf	0x7fe4e0f1d8cf <zend_string_dup+19>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) => 0x7fe4e0f1d8cf <zend_string_dup+19>:	movzbl 0x5(%rax),%eax
   0x7fe4e0f1d8d3 <zend_string_dup+23>:	movzbl %al,%eax
   0x7fe4e0f1d8d6 <zend_string_dup+26>:	and    $0x2,%eax
   0x7fe4e0f1d8d9 <zend_string_dup+29>:	test   %eax,%eax
   0x7fe4e0f1d8db <zend_string_dup+31>:	je     0x7fe4e0f1d8e3 <zend_string_dup+39>
   0x7fe4e0f1d8dd <zend_string_dup+33>:	mov    -0x8(%rbp),%rax
   0x7fe4e0f1d8e1 <zend_string_dup+37>:	jmp    0x7fe4e0f1d901 <zend_string_dup+69>
   0x7fe4e0f1d8e3 <zend_string_dup+39>:	mov    -0x8(%rbp),%rax
   0x7fe4e0f1d8e7 <zend_string_dup+43>:	mov    0x10(%rax),%rax
   0x7fe4e0f1d8eb <zend_string_dup+47>:	mov    -0x8(%rbp),%rdx
   0x7fe4e0f1d8ef <zend_string_dup+51>:	lea    0x18(%rdx),%rcx
   0x7fe4e0f1d8f3 <zend_string_dup+55>:	mov    -0xc(%rbp),%edx
   0x7fe4e0f1d8f6 <zend_string_dup+58>:	mov    %rax,%rsi
   0x7fe4e0f1d8f9 <zend_string_dup+61>:	mov    %rcx,%rdi
   0x7fe4e0f1d8fc <zend_string_dup+64>:	callq  0x7fe4e0f1d860 <zend_string_init>
   0x7fe4e0f1d901 <zend_string_dup+69>:	leaveq

zephir_call_user_function

==24397== Invalid read of size 1
==24397==    at 0xB6C88CF: zend_string_dup (/usr/local/include/php/Zend/zend_string.h:175)
==24397==    by 0xB6C8D6C: zephir_get_called_class (/usr/src/cphalcon/example/ext/kernel/object.c:107)
==24397==    by 0xB6E146B: zim_Group_Model_testCalled3 (/usr/src/cphalcon/example/ext/group/model.zep.c:61)
==24397==    by 0xB6DAF86: zephir_call_function_opt (/usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262)
==24397==    by 0xB6D4A1A: zephir_call_user_function (/usr/src/cphalcon/example/ext/kernel/fcall.c:499)
==24397==    by 0xB6D50C3: zephir_call_class_method_aparams (/usr/src/cphalcon/example/ext/kernel/fcall.c:706)
==24397==    by 0xB6E0FE8: zephir_return_call_class_method (/usr/src/cphalcon/example/ext/./kernel/fcall.h:417)
==24397==    by 0xB6E12E2: zim_Group_Model_testCalled (/usr/src/cphalcon/example/ext/group/model.zep.c:36)
==24397==    by 0x85701C: ??? (in /usr/local/bin/php)
==24397==    by 0x854AE5: execute_ex (in /usr/local/bin/php)
==24397==    by 0x854CEA: zend_execute (in /usr/local/bin/php)
==24397==    by 0x7EB1F3: zend_execute_scripts (in /usr/local/bin/php)
==24397==  Address 0xf273140400000006 is not stack'd, malloc'd or (recently) free'd

@sjinks
Contributor

sjinks commented Mar 18, 2017

That's a slightly different issue (yet still a bug); I am still trying to find out where the scope is mis-set.

@sjinks
Contributor

sjinks commented Mar 18, 2017

I suspect that this happens in zephir_call_function_opt, as commenting out all FCI cache-related things still produces the same result. It seems that the bad data comes in through the zephir_fcall_info* parameter.

@sergeyklay
Contributor

sergeyklay commented Mar 18, 2017

Well, here is what we tested (with @ovr).

This was pasted directly into the generated code, to avoid calling zephir_get_called_class:

PHP_METHOD(Group_Model, testCalled3) {

	ZEPHIR_INIT_THIS();

+++	zend_class_entry *called_scope = zend_get_called_scope(EG(current_execute_data));
+++	if (called_scope) {
+++		ZVAL_STR(return_value, zend_string_dup(called_scope->name, 0));
+++	}
---	zephir_get_called_class(return_value TSRMLS_CC);
	return;

}
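Review bot: the fallback for a NULL called_scope is missing in the `+++` block: when zend_get_called_scope() returns NULL the method returns with return_value untouched, whereas PHP's own get_called_class() returns false, so add an else branch with `ZVAL_FALSE(return_value);`. Two smaller points: `ZVAL_STR_COPY(return_value, called_scope->name);` (a refcount bump) does the job without the zend_string_dup allocation, and the TSRMLS_CC on the removed line is a PHP 5 leftover that is a no-op on PHP 7. Checking Z_TYPE(This) before choosing between Z_OBJCE and Z_CE is what makes zend_get_called_scope() correct here: in the earlier trace the called_scope seen inside zephir_get_called_class (0x7fe4e18726e0) is the same pointer as fcic.object, i.e. an object pointer was being used as a class entry.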

A slightly different issue, but I've fixed it too:

#if PHP_VERSION_ID >= 70100
+++                fcic.called_scope = obj_ce ? obj_ce : (EG(current_execute_data) ? Z_OBJCE(EG(current_execute_data)->This) : NULL);
---                fcic.called_scope = obj_ce ? obj_ce : (EG(current_execute_data) ? Z_OBJ(EG(current_execute_data)->This) : NULL);
#endif

zephir_call_user_function

	if (type != zephir_fcall_function && !object_pp) {
+++		object_pp = EG(current_execute_data) && Z_OBJCE(EG(current_execute_data)->This) ? &EG(current_execute_data)->This : NULL;
---		object_pp = EG(current_execute_data) && Z_OBJ(EG(current_execute_data)->This) ? &EG(current_execute_data)->This : NULL;
		if (!obj_ce && object_pp) {
			obj_ce = Z_OBJCE_P(object_pp);
		}
	}
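Review bot: the new condition `Z_OBJCE(EG(current_execute_data)->This)` on the `+++` line dereferences Z_OBJ(This)->ce without first checking that This holds an object, so it crashes when This is empty (Z_OBJ == NULL, which is exactly what the gdb output below shows for frames 1 to 9) and reads a zend_class_entry* as a zend_object* on a static frame. The replaced Z_OBJ() test at least only compared the pointer against NULL. The right condition is `Z_TYPE(EG(current_execute_data)->This) == IS_OBJECT`; with that guard in place the `obj_ce = Z_OBJCE_P(object_pp);` two lines later is safe as well.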

Let's debug:

gdb --args /usr/bin/php test.php # Contents of test.php see ^
(gdb) run
Starting program: /usr/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20160303/phalcon.so' - /usr/lib/php/20160303/phalcon.so: cannot open shared object file: No such file or directory in Unknown on line 0

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff598e838 in zend_string_dup (persistent=0, s=0xf273140400000001) at /usr/include/php/20160303/Zend/zend_string.h:175
175		if (ZSTR_IS_INTERNED(s)) {

Ok

(gdb) print execute_data.This
$2 = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000',
      const_flags = 19 '\023', reserved = 0 '\000'}, type_info = 1245184}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}

Empty This. I just checked frames 1 to 9: This is always empty. The same goes for current_execute_data.

OK, let's go back to the 1st frame and look at executor_globals.

(gdb) f 1
(gdb) print executor_globals.current_execute_data.This
$10 = {value = {lval = 140737318496128, dval = 6.9533474156754693e-310, counted = 0x7ffff5e02780, str = 0x7ffff5e02780, arr = 0x7ffff5e02780, obj = 0x7ffff5e02780, res = 0x7ffff5e02780, ref = 0x7ffff5e02780, ast = 0x7ffff5e02780,
    zv = 0x7ffff5e02780, ptr = 0x7ffff5e02780, ce = 0x7ffff5e02780, func = 0x7ffff5e02780, ww = {w1 = 4125108096, w2 = 32767}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 2 '\002', reserved = 0 '\000'},
    type_info = 131072}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}
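As an added example (not PHP's or Zephir's code), a simplified C model of the two observations in this thread: "Z_OBJ returns zend_object* but zend_class_entry* is expected" and the "Empty This" seen in the frames above. It models how PHP 7.1 keeps the called scope in execute_data->This (an object for instance calls, the class entry in the same union slot for static calls, nothing for a frame without an object) and resolves it in the order zend_get_called_scope() uses; the struct definitions, the IS_UNDEF/IS_OBJECT tags and the sample frames are assumptions written for the example, not the real Zend headers.

```c
/* Added example (not PHP's or Zephir's code): a simplified model of how PHP 7.1
 * keeps the called scope in execute_data->This and why Z_OBJ()/Z_OBJCE() alone
 * cannot read it back. Engine behaviour being modelled:
 *   instance call : Z_TYPE(This) == IS_OBJECT, Z_OBJ(This) -> object, ce = object->ce
 *   static call   : Z_TYPE(This) == IS_UNDEF,  Z_CE(This)  -> class entry (same union slot)
 *   no object     : Z_TYPE(This) == IS_UNDEF,  Z_CE(This)  == NULL  ("Empty This" above)
 * The struct definitions are a model with the same field roles, not the Zend headers. */
#include <stdio.h>
#include <string.h>

enum { IS_UNDEF = 0, IS_OBJECT = 8 };                 /* numeric tags as in Zend */

typedef struct class_entry { const char *name; } class_entry;
typedef struct object { class_entry *ce; } object;    /* ce first, as in zend_object */

typedef struct zval {
    union { object *obj; class_entry *ce; } value;    /* one slot, two meanings */
    unsigned char type;
} zval;

typedef struct execute_data {
    zval This;
    int internal_without_scope;       /* ZEND_INTERNAL_FUNCTION with common.scope == NULL */
    struct execute_data *prev_execute_data;
} execute_data;

#define Z_TYPE(zv)   ((zv).type)
#define Z_OBJ(zv)    ((zv).value.obj)
#define Z_CE(zv)     ((zv).value.ce)
#define Z_OBJCE(zv)  (Z_OBJ(zv)->ce)  /* valid ONLY when Z_TYPE(zv) == IS_OBJECT */

/* The guard that the Z_OBJ -> Z_OBJCE replacement in the thread skips: on a static
 * frame Z_OBJCE() would read a class_entry as an object, on an empty This it
 * would dereference NULL. */
int objce_is_safe(const execute_data *ex)
{
    return Z_TYPE(ex->This) == IS_OBJECT && Z_OBJ(ex->This) != NULL;
}

/* Resolution in the order zend_get_called_scope() uses: type tag first, then the
 * class-entry view for static frames, then walk up through scope-less internal
 * frames (a call_user_func-style trampoline) to the frame that has the scope. */
class_entry *called_scope(execute_data *ex)
{
    while (ex) {
        if (Z_TYPE(ex->This) == IS_OBJECT) {
            return Z_OBJCE(ex->This);
        } else if (Z_CE(ex->This)) {
            return Z_CE(ex->This);        /* static call: slot holds the class entry */
        } else if (!ex->internal_without_scope) {
            return NULL;                  /* plain function: no called scope at all */
        }
        ex = ex->prev_execute_data;
    }
    return NULL;
}

/* What get_called_class() would report for the frame; NULL where PHP returns false. */
const char *called_class_name(execute_data *ex)
{
    class_entry *ce = called_scope(ex);
    return ce ? ce->name : NULL;
}

/* Constructed sample data mirroring the issue's first script (Xyz extends Test). */
class_entry xyz_ce = { "Xyz" };
object xyz_instance = { &xyz_ce };

execute_data sample_static   = { .This = { .value.ce  = &xyz_ce,       .type = IS_UNDEF  } }; /* Xyz::count() */
execute_data sample_instance = { .This = { .value.obj = &xyz_instance, .type = IS_OBJECT } }; /* $x->testCalled() */
execute_data sample_internal = { .internal_without_scope = 1,                                 /* empty This,   */
                                 .prev_execute_data = &sample_instance };                     /* caller has it */
execute_data sample_function;                          /* zero-initialised: no class context */

int main(void)
{
    execute_data *frames[] = { &sample_static, &sample_instance, &sample_internal, &sample_function };
    const char *labels[] = { "static", "instance", "internal", "function" };
    for (int i = 0; i < 4; i++) {
        const char *name = called_class_name(frames[i]);
        printf("%-8s: called class %-6s  Z_OBJCE safe: %d\n",
               labels[i], name ? name : "(none)", objce_is_safe(frames[i]));
    }
    return 0;
}
```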

@sergeyklay
Contributor

So now the bt is:

[New LWP 19239]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by '/usr/local/bin/php test.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fe583935f6e in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
175		if (ZSTR_IS_INTERNED(s)) {
(gdb) (gdb) #0  0x00007fe583935f6e in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
No locals.
#1  0x00007fe583936503 in zim_Group_Model_testCalled3 (execute_data=0x7fe584214100, return_value=0x7fe5842140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:62
        __z = 0x7fe5842140a0
        __s = 0x7fe584203240
        this_zv = {value = {lval = 140734817501424, dval = 6.9532238501191016e-310, counted = 0x7fff60ce00f0, str = 0x7fff60ce00f0, arr = 0x7fff60ce00f0, obj = 0x7fff60ce00f0, res = 0x7fff60ce00f0, ref = 0x7fff60ce00f0, ast = 0x7fff60ce00f0, zv = 0x7fff60ce00f0, ptr = 0x7fff60ce00f0, ce = 0x7fff60ce00f0, func = 0x7fff60ce00f0, ww = {w1 = 1624113392, w2 = 32767}}, u1 = {v = {type = 29 '\035', type_flags = 177 '\261', const_flags = 146 '\222', reserved = 131 '\203'}, type_info = 2207428893}, u2 = {next = 32741, cache_slot = 32741, lineno = 32741, num_args = 32741, fe_pos = 32741, fe_iter_idx = 32741, access_flags = 32741, property_guard = 32741, extra = 32741}}
        this_ptr = 0x0
        called_scope = 0x7fe5842726e0
#2  0x00007fe58392ff8b in zephir_call_function_opt (fci=0x7fff60ce02b0, fci_cache=0x7fff60ce0280, info=0x7fff60ce03b0, params=0x7fff60ce04e0) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262
        call_via_handler = 0
        i = 0
        calling_scope = 0x55aecfb02c20
        call = 0x7fe584214100
        dummy_execute_data = {opline = 0x7fff60ce0230, call = 0x7fe589ec3dc7 <_dl_fixup+247>, return_value = 0xd0b062499e308449, func = 0x1e, This = {value = {lval = 140623740935168, dval = 6.9477359385745917e-310, counted = 0x7fe584201c00, str = 0x7fe584201c00, arr = 0x7fe584201c00, obj = 0x7fe584201c00, res = 0x7fe584201c00, ref = 0x7fe584201c00, ast = 0x7fe584201c00, zv = 0x7fe584201c00, ptr = 0x7fe584201c00, ce = 0x7fe584201c00, func = 0x7fe584201c00, ww = {w1 = 2216696832, w2 = 32741}}, u1 = {v = {type = 160 '\240', type_flags = 196 '\304', const_flags = 240 '\360', reserved = 207 '\317'}, type_info = 3488662688}, u2 = {next = 21934, cache_slot = 21934, lineno = 21934, num_args = 21934, fe_pos = 21934, fe_iter_idx = 21934, access_flags = 21934, property_guard = 21934, extra = 21934}}, prev_execute_data = 0x6, symbol_table = 0xffffffff84201c1e, run_time_cache = 0x55aecf1a28dc, literals = 0xffffffff9e308449}
        fci_cache_local = {initialized = 0 '\000', function_handler = 0x7fe583b3e7a8, calling_scope = 0x0, called_scope = 0x7fff60ce3fb0, object = 0x7fe584214030}
        func = 0x55aecfb066d0
        __PRETTY_FUNCTION__ = "zephir_call_function_opt"
#3  0x00007fe583929a1f in zephir_call_user_function (object_pp=0x7fe5842140d0, obj_ce=0x7fe584203240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7fe5842140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0, info=0x7fff60ce03b0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:499
        local_retval_ptr = {value = {lval = 140734817501984, dval = 6.9532238501467693e-310, counted = 0x7fff60ce0320, str = 0x7fff60ce0320, arr = 0x7fff60ce0320, obj = 0x7fff60ce0320, res = 0x7fff60ce0320, ref = 0x7fff60ce0320, ast = 0x7fff60ce0320, zv = 0x7fff60ce0320, ptr = 0x7fff60ce0320, ce = 0x7fff60ce0320, func = 0x7fff60ce0320, ww = {w1 = 1624113952, w2 = 32767}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 32767, cache_slot = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767, access_flags = 32767, property_guard = 32767, extra = 32767}}
        status = -1
        fci = {size = 56, function_name = {value = {lval = 94209295315008, dval = 4.654557633405815e-310, counted = 0x55aecf94f040, str = 0x55aecf94f040, arr = 0x55aecf94f040, obj = 0x55aecf94f040, res = 0x55aecf94f040, ref = 0x55aecf94f040, ast = 0x55aecf94f040, zv = 0x55aecf94f040, ptr = 0x55aecf94f040, ce = 0x55aecf94f040, func = 0x55aecf94f040, ww = {w1 = 3482644544, w2 = 21934}}, u1 = {v = {type = 128 '\200', type_flags = 2 '\002', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 640}, u2 = {next = 32741, cache_slot = 32741, lineno = 32741, num_args = 32741, fe_pos = 32741, fe_iter_idx = 32741, access_flags = 32741, property_guard = 32741, extra = 32741}}, retval = 0x7fe5842140a0, params = 0x0, object = 0x0, no_separation = 1 '\001', param_count = 0}
        fcic = {initialized = 1 '\001', function_handler = 0x55aecfb066d0, calling_scope = 0x55aecfb02c20, called_scope = 0x7fe584203240, object = 0x7fe5842726e0}
        zephir_globals_ptr = 0x55aecfb05560
        fcall_key = 0x7fe584201c00 "\004testcalled3"
        fcall_key_hash = 5814255187261424713
        fcall_key_len = 30
        temp_cache_entry = 0x0
        reload_cache = 1
        __PRETTY_FUNCTION__ = "zephir_call_user_function"
#4  0x00007fe58392a0c8 in zephir_call_class_method_aparams (return_value_ptr=0x7fe5842140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe583939a92 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:706
        possible_method = 0x55aeceb0d449 <_zval_ptr_dtor+41> "\311\303UH\211\345H\203\354 H\211}\370H\211u\360\211U\354H\213E\370\017\266@\t\017\266\300\203\340\004\205\300t4H\213E\370H\211\307\350z\305\377\377H\213E\370H\211\307\350\305\304\377\377\205\300u\030H\213E\370\272/\002"
        rv = {value = {lval = 94209274387328, dval = 4.6545565994410415e-310, counted = 0x55aece559b80 <_start>, str = 0x55aece559b80 <_start>, arr = 0x55aece559b80 <_start>, obj = 0x55aece559b80 <_start>, res = 0x55aece559b80 <_start>, ref = 0x55aece559b80 <_start>, ast = 0x55aece559b80 <_start>, zv = 0x55aece559b80 <_start>, ptr = 0x55aece559b80 <_start>, ce = 0x55aece559b80 <_start>, func = 0x55aece559b80 <_start>, ww = {w1 = 3461716864, w2 = 21934}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 413, cache_slot = 413, lineno = 413, num_args = 413, fe_pos = 413, fe_iter_idx = 413, access_flags = 413, property_guard = 413, extra = 413}}
        rvp = 0x7fe5842140a0
        fn = 0x0
        status = 32767
        info = {type = 4, ce = 0x7fe589ec3dc7 <_dl_fixup+247>, object_ptr = 0x7fe500000001, class_name = 0x0, class_length = 592200, func_name = 0x7fe583939a92 "testcalled3", func_length = 11}
        __PRETTY_FUNCTION__ = "zephir_call_class_method_aparams"
#5  0x00007fe583936034 in zephir_return_call_class_method (return_value=0x7fe5842140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe583939a92 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0) at ./kernel/fcall.h:417
        rv = {value = {lval = 140623740940864, dval = 6.9477359388560115e-310, counted = 0x7fe584203240, str = 0x7fe584203240, arr = 0x7fe584203240, obj = 0x7fe584203240, res = 0x7fe584203240, ref = 0x7fe584203240, ast = 0x7fe584203240, zv = 0x7fe584203240, ptr = 0x7fe584203240, ce = 0x7fe584203240, func = 0x7fe584203240, ww = {w1 = 2216702528, w2 = 32741}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 21934, cache_slot = 21934, lineno = 21934, num_args = 21934, fe_pos = 21934, fe_iter_idx = 21934, access_flags = 21934, property_guard = 21934, extra = 21934}}
        rvp = 0x7fe5842140a0
        status = 32741
#6  0x00007fe58393632e in zim_Group_Model_testCalled (execute_data=0x7fe5842140b0, return_value=0x7fe5842140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
        params_ = 0x7fff60ce04e0
        ZEPHIR_LAST_CALL_STATUS = 80
        this_zv = {value = {lval = 140623741396704, dval = 6.9477359613774999e-310, counted = 0x7fe5842726e0, str = 0x7fe5842726e0, arr = 0x7fe5842726e0, obj = 0x7fe5842726e0, res = 0x7fe5842726e0, ref = 0x7fe5842726e0, ast = 0x7fe5842726e0, zv = 0x7fe5842726e0, ptr = 0x7fe5842726e0, ce = 0x7fe5842726e0, func = 0x7fe5842726e0, ww = {w1 = 2217158368, w2 = 32741}}, u1 = {v = {type = 8 '\b', type_flags = 12 '\f', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 3080}, u2 = {next = 64, cache_slot = 64, lineno = 64, num_args = 64, fe_pos = 64, fe_iter_idx = 64, access_flags = 64, property_guard = 64, extra = 64}}
        this_ptr = 0x7fff60ce04e0
#7  0x000055aeceb9701d in ?? ()
No symbol table info available.
#8  0x000055aeceb94ae6 in execute_ex ()
No symbol table info available.
#9  0x000055aeceb94ceb in zend_execute ()
No symbol table info available.
#10 0x000055aeceb2b1f4 in zend_execute_scripts ()
No symbol table info available.
#11 0x000055aecea6a0ea in php_execute_script ()
No symbol table info available.
#12 0x000055aecec1f33f in ?? ()
No symbol table info available.
#13 0x000055aecec205bd in ?? ()
No symbol table info available.
#14 0x00007fe5878e6b45 in __libc_start_main (main=0x55aecec1fe20, argc=2, argv=0x7fff60ce3fb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff60ce3fa8) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 1088537785083350436, 94209274387328, 140734817517488, 0, 0, -1088319950814458460, -1094290846162760284}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x55aecec2a8d0 <__libc_csu_init>, 0x7fff60ce3fb8}, data = {prev = 0x0, cleanup = 0x0, canceltype = -826103600}}}
        not_first_call = <optimized out>
#15 0x000055aece559ba9 in _start ()
No symbol table info available.
(gdb) rax            0xf273140400000001	-976414686796840959
rbx            0x0	0
rcx            0x7fe588ac02e0	140623817212640
rdx            0x55aecfa46790	94209296328592
rsi            0x0	0
rdi            0xf273140400000001	-976414686796840959
rbp            0x7fff60ce0090	0x7fff60ce0090
rsp            0x7fff60ce0080	0x7fff60ce0080
r8             0x7fe584203240	140623740940864
r9             0x0	0
r10            0x7fff60cdfe40	140734817500736
r11            0x7fe587a31f90	140623799852944
r12            0x55aece559b80	94209274387328
r13            0x7fff60ce3fb0	140734817517488
r14            0x7fe584214030	140623741009968
r15            0x7fe55b6456f8	140623057540856
rip            0x7fe583935f6e	0x7fe583935f6e <zend_string_dup+19>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) => 0x7fe583935f6e <zend_string_dup+19>:	movzbl 0x5(%rax),%eax
   0x7fe583935f72 <zend_string_dup+23>:	movzbl %al,%eax
   0x7fe583935f75 <zend_string_dup+26>:	and    $0x2,%eax
   0x7fe583935f78 <zend_string_dup+29>:	test   %eax,%eax
   0x7fe583935f7a <zend_string_dup+31>:	je     0x7fe583935f82 <zend_string_dup+39>
   0x7fe583935f7c <zend_string_dup+33>:	mov    -0x8(%rbp),%rax
   0x7fe583935f80 <zend_string_dup+37>:	jmp    0x7fe583935fa0 <zend_string_dup+69>
   0x7fe583935f82 <zend_string_dup+39>:	mov    -0x8(%rbp),%rax
   0x7fe583935f86 <zend_string_dup+43>:	mov    0x10(%rax),%rax
   0x7fe583935f8a <zend_string_dup+47>:	mov    -0x8(%rbp),%rdx
   0x7fe583935f8e <zend_string_dup+51>:	lea    0x18(%rdx),%rcx
   0x7fe583935f92 <zend_string_dup+55>:	mov    -0xc(%rbp),%edx
   0x7fe583935f95 <zend_string_dup+58>:	mov    %rax,%rsi
   0x7fe583935f98 <zend_string_dup+61>:	mov    %rcx,%rdi
   0x7fe583935f9b <zend_string_dup+64>:	callq  0x7fe583935eff <zend_string_init>
   0x7fe583935fa0 <zend_string_dup+69>:	leaveq
(gdb)
Thread 1 (Thread 0x7fe58a0b7800 (LWP 19239)):
#0  0x00007fe583935f6e in zend_string_dup (s=0xf273140400000001, persistent=0) at /usr/local/include/php/Zend/zend_string.h:175
#1  0x00007fe583936503 in zim_Group_Model_testCalled3 (execute_data=0x7fe584214100, return_value=0x7fe5842140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:62
#2  0x00007fe58392ff8b in zephir_call_function_opt (fci=0x7fff60ce02b0, fci_cache=0x7fff60ce0280, info=0x7fff60ce03b0, params=0x7fff60ce04e0) at /usr/src/cphalcon/example/ext/kernel/extended/fcall.c:1262
#3  0x00007fe583929a1f in zephir_call_user_function (object_pp=0x7fe5842140d0, obj_ce=0x7fe584203240, type=zephir_fcall_self, function_name=0x0, retval_ptr=0x7fe5842140a0, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0, info=0x7fff60ce03b0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:499
#4  0x00007fe58392a0c8 in zephir_call_class_method_aparams (return_value_ptr=0x7fe5842140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe583939a92 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0) at /usr/src/cphalcon/example/ext/kernel/fcall.c:706
#5  0x00007fe583936034 in zephir_return_call_class_method (return_value=0x7fe5842140a0, ce=0x0, type=zephir_fcall_self, object=0x0, method_name=0x7fe583939a92 "testcalled3", method_len=11, cache_entry=0x0, cache_slot=0, param_count=0, params=0x7fff60ce04e0) at ./kernel/fcall.h:417
#6  0x00007fe58393632e in zim_Group_Model_testCalled (execute_data=0x7fe5842140b0, return_value=0x7fe5842140a0) at /usr/src/cphalcon/example/ext/group/model.zep.c:36
#7  0x000055aeceb9701d in ?? ()
#8  0x000055aeceb94ae6 in execute_ex ()
#9  0x000055aeceb94ceb in zend_execute ()
#10 0x000055aeceb2b1f4 in zend_execute_scripts ()
#11 0x000055aecea6a0ea in php_execute_script ()
#12 0x000055aecec1f33f in ?? ()
#13 0x000055aecec205bd in ?? ()
#14 0x00007fe5878e6b45 in __libc_start_main (main=0x55aecec1fe20, argc=2, argv=0x7fff60ce3fb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff60ce3fa8) at libc-start.c:287
#15 0x000055aece559ba9 in _start ()

@sergeyklay
Contributor

@sjinks note:

(gdb) print executor_globals.current_execute_data.This.value.obj.ce.name.val
$10 = "P"
(gdb) print executor_globals.current_execute_data.This.value.obj.ce.name.len
$11 = 7

@sergeyklay
Contributor

@sjinks @dreamsxin

I created a separate repo for testing and debugging current issues: https://github.com/sergeyklay/issue1394

My last PR #1407 partially fixes the current PHP 7.1 issue. At least I thought so. But after I merged it into master, I found that the tests nevertheless fail for PHP 7.1, now for another use case (see https://travis-ci.org/phalcon/zephir/jobs/212483707).

In order to simplify debugging and to narrow the search, we can edit the kernel directly in this repository.

Within half an hour I'll set up the automated tests for Travis CI.

Cc: @ovr

@dreamsxin
Contributor

@sergeyklay I replaced it with zend_call_function for testing, and it works fine.

int zephir_call_class_method_aparams(zval *return_value_ptr, zend_class_entry *ce, zephir_call_type type, zval *object,
	const char *method_name, uint method_len,
	zephir_fcall_cache_entry **cache_entry, int cache_slot,
	uint param_count, zval **params)
{
	char *possible_method;
	zval rv, *rvp = return_value_ptr ? return_value_ptr : &rv, func_name = {}, *arguments;
	zval *fn = NULL;
	int i, status;
	zend_fcall_info fci;
	zend_fcall_info_cache fcc;

	ZVAL_UNDEF(&rv);

	/* Build the callable as an array: [scope, method]. Passing the scope as the
	 * string "self" / "parent" / "static" lets the engine resolve the called
	 * class itself instead of the kernel reconstructing it from execute_data. */
	array_init_size(&func_name, 2);
	switch (type) {
		case zephir_fcall_ce:
			assert(ce != NULL);
			add_next_index_string(&func_name, ce->name->val);
			break;
		case zephir_fcall_parent:
			assert(ce != NULL);
			add_next_index_string(&func_name, "parent");
			break;
		case zephir_fcall_self:
			add_next_index_string(&func_name, "self");
			break;
		case zephir_fcall_static:
			add_next_index_string(&func_name, "static");
			break;
		case zephir_fcall_method:
			/* The array takes ownership of one reference to the object. */
			Z_TRY_ADDREF_P(object);
			add_next_index_zval(&func_name, object);
			break;
		default:
			phalcon_throw_exception_format(spl_ce_RuntimeException, "Error call type %d for cmethod %s", type, method_name);
			return FAILURE;
	}
	add_next_index_stringl(&func_name, method_name, method_len);

	/* zend_fcall_info wants a contiguous zval array, not zval pointers. */
	arguments = param_count ? safe_emalloc(sizeof(zval), param_count, 0) : NULL;

	i = 0;
	while (i < param_count) {
		ZVAL_COPY_VALUE(&arguments[i], params[i]);
		i++;
	}

	fci.size = sizeof(fci);
	fci.object = object ? Z_OBJ_P(object) : NULL;
	ZVAL_COPY_VALUE(&fci.function_name, &func_name);
	fci.retval = rvp;
	fci.param_count = param_count;
	fci.params = arguments;
	fci.no_separation = 1;

	/* NULL cache: the engine resolves the callable (and the LSB scope) each time. */
	status = zend_call_function(&fci, NULL);

	/* The snippet as posted stops at the call above; the clean-up and return
	 * below are added here so the function is complete. */
	zval_ptr_dtor(&func_name);
	if (arguments) {
		efree(arguments);
	}
	if (!return_value_ptr) {
		/* Caller did not ask for the result: release the temporary. */
		zval_ptr_dtor(&rv);
	}

	return status;
}
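
The late-static-binding rules that a call through "self" / "parent" / "static" has to preserve, and that the Zephir kernel was getting wrong on 7.1, as an added reference script (not from the issue or from Zephir): forwarding calls keep the original called class, an explicit Class::method() call resets it, and an instance method calling a static helper via self:: (the shape of the crashing repro) still reports the object's class. Class and method names are made up for the example.

```php
<?php
// Added example: expected get_called_class() values the kernel must reproduce.
abstract class Base
{
    public static function called(): string
    {
        return get_called_class();
    }

    // Forwarding calls: the called class of the outer call is kept.
    public static function viaSelf(): string   { return self::called(); }
    public static function viaStatic(): string { return static::called(); }

    // Non-forwarding: the class is named explicitly, so the scope resets to Base.
    public static function viaExplicit(): string { return Base::called(); }

    // Instance method calling a static helper with self:: (the repro shape).
    public function fromInstance(): string { return self::called(); }
}

class Child extends Base
{
    // parent:: is also a forwarding call.
    public static function viaParent(): string { return parent::called(); }
}

function expectations(): array
{
    return [
        'Child::called()'             => [Child::called(),             'Child'],
        'Child::viaSelf()'            => [Child::viaSelf(),            'Child'],
        'Child::viaStatic()'          => [Child::viaStatic(),          'Child'],
        'Child::viaParent()'          => [Child::viaParent(),          'Child'],
        'Child::viaExplicit()'        => [Child::viaExplicit(),        'Base'],
        '(new Child)->fromInstance()' => [(new Child)->fromInstance(), 'Child'],
    ];
}

$failed = 0;
foreach (expectations() as $label => [$actual, $expected]) {
    $ok = $actual === $expected;
    $failed += $ok ? 0 : 1;
    printf("%-30s %-5s got %-6s expected %s\n", $label, $ok ? 'PASS' : 'FAIL', $actual, $expected);
}
exit($failed === 0 ? 0 : 1);
```

Running the same script against the Zephir-compiled equivalent of these classes gives a quick pass/fail oracle for each call type the kernel handles.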

@Jurigag
Contributor Author

Jurigag commented Mar 19, 2017

https://github.com/sergeyklay/issue1394/pull/3#issuecomment-287605361

Managed to fix some issues; right now only one thing happens there.

Jurigag added a commit to Jurigag/zephir that referenced this issue Mar 19, 2017
sergeyklay added a commit that referenced this issue Mar 24, 2017
@sergeyklay
Contributor

Fixed in master branch.

@sergeyklay sergeyklay modified the milestone: 2017-Q1 Mar 24, 2017