PHP :: Bug #60169 :: Conjunction of ternary and list crashes PHP

Bug #60169	Conjunction of ternary and list crashes PHP
Submitted:	2011-10-29 13:40 UTC	Modified:	2011-11-03 04:00 UTC
From:	thekid@php.net	Assigned:	laruence (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.4.0beta2	OS:	Windows Vista
Private report:	No	CVE-ID:	None

View Developer Edit

[2011-10-29 13:40 UTC] thekid@php.net

Description:
------------
This code makes PHP exit with exit code #127:

list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);

Test script:
---------------
$ php.exe -r 'list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);' ; echo $?


Expected result:
----------------
0

Actual result:
--------------
127

Patches

bug60169.diff (last revision 2011-10-31 06:48 UTC by laruence@php.net)
invalid.patch (last revision 2011-10-31 03:24 UTC by laruence@php.net)
bug60169.phpt (last revision 2011-10-30 02:08 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-10-29 14:26 UTC] pajoye@php.net

I can't reproduce it. Please provide a script without external data (arg).

[2011-10-29 14:26 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2011-10-30 01:37 UTC] laruence@php.net

backtrace:

#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, 
dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
1244		zval *container = *container_ptr;
(gdb) bt
#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, 
dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
#1  0x000000000091630d in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x2a95dac0e8)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_vm_execute.h:12694
#2  0x00000000008d79ae in execute (op_array=0x2a95de36e8) at /home/huixc/opensource/php-
src/trunk/Zend/zend_vm_execute.h:410
#3  0x00000000008a0063 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at 
/home/huixc/opensource/php-src/trunk/Zend/zend.c:1272
#4  0x0000000000820850 in php_execute_script (primary_file=0x7fbffff2a0) at /home/huixc/opensource/php-
src/trunk/main/main.c:2414
#5  0x00000000009c12dd in do_cli (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-
src/trunk/sapi/cli/php_cli.c:983
#6  0x00000000009c217e in main (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-
src/trunk/sapi/cli/php_cli.c:1356

[2011-10-30 01:56 UTC] laruence@php.net

I can reproduce this on linux with a more simple script:
<?php
$arr  = array("test");
list($a)= is_array($arr)? $arr : $arr;
?>

and I have pasted the bt above~

[2011-10-30 02:01 UTC] pajoye@php.net

-Status: Feedback +Status: Assigned -Assigned To: +Assigned To: lbarnaud

[2011-10-30 02:01 UTC] pajoye@php.net

Arnaud, could you try to give a look please? Happens only in 5.4, the recent 
optimization in this area could be the cause.

[2011-10-30 02:03 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1319940233
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1319940233

[2011-10-30 02:08 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.phpt
Revision:   1319940509
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.phpt&revision=1319940509

[2011-10-31 03:21 UTC] laruence@php.net

there is also segfault in (***)?:value notation.
like:
   <?php
     $str = array('test');
     list($a, $b) = is_array($str)?:$str;

and this make *the patch doesn't work* (a memory leak)

[2011-10-31 03:24 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: invalid.patch
Revision:   1320031445
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=invalid.patch&revision=1320031445

[2011-10-31 06:48 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1320043736
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1320043736

[2011-10-31 06:50 UTC] laruence@php.net

I have submitted a new patch. lbarnaud, plz review it , thanks

[2011-11-03 03:59 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=318716
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2011-11-03 03:59 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2011-11-03 03:59 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2011-11-03 04:00 UTC] laruence@php.net

-Assigned To: lbarnaud +Assigned To: laruence

[2012-04-18 09:48 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2012-07-24 23:39 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2013-11-17 09:35 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 10:00:01 2025 UTC