PHP :: Bug #74019 :: Segfault with list

Bug #74019	Segfault with list
Submitted:	2017-01-30 18:07 UTC	Modified:	2017-02-10 06:27 UTC
From:	rasmus@php.net	Assigned:	laruence (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	7.1Git-2017-01-30 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2017-01-30 18:07 UTC] rasmus@php.net

Description:
------------
Playing a bit with the Microsoft Tolerant PHP parser and I noticed a segfault. Filing a bug here so I don't forget about it.

Test script:
---------------
Reproduce steps:

git clone https://github.com/Microsoft/tolerant-php-parser.git
cd tolerant-php-parser
composer install
php -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-30 18:09 UTC] rasmus@php.net

(gdb) run -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"
Starting program: /usr/local/bin/php -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Notice: Undefined offset: 1 in /home/rasmus/src/tolerant-php-parser/src/Parser.php on line 1488

Notice: Undefined offset: 1 in /home/rasmus/src/tolerant-php-parser/src/Parser.php on line 1488

Notice: Undefined offset: 1 in /home/rasmus/src/tolerant-php-parser/src/Parser.php on line 1488

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0000555555a42330 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffcb30, is_char=is_char@entry=1 '\001', fmt=<optimized out>, ap=0x7fffffffcc70) at /home/rasmus/php-src/main/spprintf.c:605
#2  0x0000555555a4361a in vspprintf (pbuf=pbuf@entry=0x7fffffffcb98, max_len=1024, format=<optimized out>, ap=<optimized out>) at /home/rasmus/php-src/main/spprintf.c:843
#3  0x000055555569e622 in php_error_cb (type=8, error_filename=0x7fffec4bc200 "/home/rasmus/src/tolerant-php-parser/src/Parser.php", error_lineno=1488, format=<optimized out>, args=<optimized out>)
    at /home/rasmus/php-src/main/main.c:1018
#4  0x000055555569fd89 in zend_error (type=type@entry=8, format=format@entry=0x555556099033 "Undefined variable: %s") at /home/rasmus/php-src/Zend/zend.c:1194
#5  0x00005555556a2481 in zval_undefined_cv (var=<optimized out>, execute_data=<optimized out>) at /home/rasmus/php-src/Zend/zend_execute.c:218
#6  0x0000555555b09957 in zend_fetch_dimension_address_read (slow=0, support_strings=0, type=0, dim_type=2, dim=0x7fffec4e2860, container=0x7fffec413510, result=0x7fffec413520)
    at /home/rasmus/php-src/Zend/zend_execute.c:1893
#7  zend_fetch_dimension_address_read_LIST (result=0x7fffec413520, container=<optimized out>, dim=0x7fffec4e2860) at /home/rasmus/php-src/Zend/zend_execute.c:1919
#8  0x0000555555b09b02 in ZEND_FETCH_LIST_SPEC_TMPVAR_CONST_HANDLER () at /home/rasmus/php-src/Zend/zend_vm_execute.h:52654
#9  0x0000555555ae5e7b in execute_ex (ex=<optimized out>) at /home/rasmus/php-src/Zend/zend_vm_execute.h:429
#10 0x0000555555b3f628 in zend_execute (op_array=op_array@entry=0x7fffec47f000, return_value=return_value@entry=0x7fffffffceb0) at /home/rasmus/php-src/Zend/zend_vm_execute.h:474
#11 0x0000555555a90906 in zend_eval_stringl (str=<optimized out>, str_len=<optimized out>, retval_ptr=0x0, string_name=0x55555609b4b0 "Command line code") at /home/rasmus/php-src/Zend/zend_execute_API.c:1093
#12 0x0000555555a909d9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>, string_name=<optimized out>, handle_exceptions=1)
    at /home/rasmus/php-src/Zend/zend_execute_API.c:1134
#13 0x0000555555b415b2 in do_cli (argc=3, argv=0x55555648ee80) at /home/rasmus/php-src/sapi/cli/php_cli.c:1024
#14 0x00005555556a2da6 in main (argc=3, argv=0x55555648ee80) at /home/rasmus/php-src/sapi/cli/php_cli.c:1381
(gdb) zbacktrace
[0x7fffec413400] Microsoft\PhpParser\Parser->parseBinaryExpressionOrHigher(0, object[0x7fffec413460]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1488 
[0x7fffec413350] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec4133a0]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1410 
[0x7fffec413290] Microsoft\PhpParser\Parser->parseExpression(object[0x7fffec4132e0]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1382 
[0x7fffec413200] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec413250]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:2000 
[0x7fffec413090] Microsoft\PhpParser\Parser->parseDelimitedList("Microsoft\PhpParser\Node\DelimitedList\ArrayElementList", 251, object[0x7fffec413100], object[0x7fffec413110], object[0x7fffec413120], true) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1090 
[0x7fffec413010] Microsoft\PhpParser\Parser->parseArrayElementList(object[0x7fffec413060], "Microsoft\PhpParser\Node\DelimitedList\ArrayElementList") /home/rasmus/src/tolerant-php-parser/src/Parser.php:2063 
[0x7fffec412f80] Microsoft\PhpParser\Parser->parseArrayCreationExpression(NULL) /home/rasmus/src/tolerant-php-parser/src/Parser.php:2047 
[0x7fffec412ee0] Microsoft\PhpParser\Parser->parsePrimaryExpression(NULL) /home/rasmus/src/tolerant-php-parser/src/Parser.php:913 
[0x7fffec412e30] Microsoft\PhpParser\Parser->parseUnaryExpressionOrHigher(NULL) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1481 
[0x7fffec412cf0] Microsoft\PhpParser\Parser->parseBinaryExpressionOrHigher(9, NULL) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1486 
[0x7fffec412ac0] Microsoft\PhpParser\Parser->parseBinaryExpressionOrHigher(0, object[0x7fffec412b20]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1566 
[0x7fffec412a10] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec412a60]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1410 
[0x7fffec412950] Microsoft\PhpParser\Parser->parseExpression(object[0x7fffec4129a0], true) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1382 
[0x7fffec4128a0] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec4128f0]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:521 
[0x7fffec4127c0] Microsoft\PhpParser\Parser->parseList(object[0x7fffec412810], 1) /home/rasmus/src/tolerant-php-parser/src/Parser.php:183 
[0x7fffec412740] Microsoft\PhpParser\Parser->parseCompoundStatement(object[0x7fffec412790]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:627 
[0x7fffec4126a0] Microsoft\PhpParser\Parser->parseFunctionType(object[0x7fffec4126f0], true) /home/rasmus/src/tolerant-php-parser/src/Parser.php:1221 
[0x7fffec412610] Microsoft\PhpParser\Parser->parseMethodDeclaration(object[0x7fffec412660], array(1)[0x7fffec412670]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:585 
[0x7fffec412550] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec4125a0]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:537 
[0x7fffec412470] Microsoft\PhpParser\Parser->parseList(object[0x7fffec4124c0], 2) /home/rasmus/src/tolerant-php-parser/src/Parser.php:183 
[0x7fffec4123f0] Microsoft\PhpParser\Parser->parseClassMembers(object[0x7fffec412440]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:569 
[0x7fffec412370] Microsoft\PhpParser\Parser->parseClassDeclaration(object[0x7fffec4123c0]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:562 
[0x7fffec4122c0] Microsoft\PhpParser\Parser->Microsoft\PhpParser\{closure}(object[0x7fffec412310]) /home/rasmus/src/tolerant-php-parser/src/Parser.php:475 
[0x7fffec4121e0] Microsoft\PhpParser\Parser->parseList(object[0x7fffec412230], 0) /home/rasmus/src/tolerant-php-parser/src/Parser.php:183 
[0x7fffec4120d0] Microsoft\PhpParser\Parser->parseSourceFile("<?php\12/*---------------------------------------------------------------------------------------------\12 * Copyright (c) Microsoft Corporation. All rights reserved.\12 *  Licensed under the MIT License. See License.txt in the project root for license informati...") /home/rasmus/src/tolerant-php-parser/src/Parser.php:149 
[0x7fffec412030] (main) [internal function]
(gdb)

[2017-01-31 05:50 UTC] krakjoe@php.net

-Status: Open +Status: Verified

[2017-02-03 16:04 UTC] g dot sokol99 at g-sokol dot info

Can't reproduce:

gdb ../php-src/sapi/cli/php
GNU gdb (GDB) 7.12
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../php-src/sapi/cli/php...done.
(gdb) run -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"
Starting program: /home/sokol/workspace/php-src/sapi/cli/php -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[Inferior 1 (process 493) exited normally]

[2017-02-04 07:32 UTC] rasmus@php.net

Hrm.. I saw it on a Debian box. Just to make sure, I tried it on our Centos test.php.net box and was able to reproduce the segfault there. The bt looks a bit different though.

Program received signal SIGSEGV, Segmentation fault.
ZEND_FREE_SPEC_TMPVAR_HANDLER () at /usr/src/php-src/Zend/zend_vm_execute.h:51444
51444		zval_ptr_dtor_nogc(EX_VAR(opline->op1.var));
(gdb) bt
#0  ZEND_FREE_SPEC_TMPVAR_HANDLER () at /usr/src/php-src/Zend/zend_vm_execute.h:51444
#1  0x00000000008342fb in execute_ex (ex=<optimized out>) at /usr/src/php-src/Zend/zend_vm_execute.h:429
#2  0x0000000000887184 in zend_execute (op_array=op_array@entry=0x7fffebc81000, return_value=return_value@entry=0x7fffffffce80) at /usr/src/php-src/Zend/zend_vm_execute.h:474
#3  0x00000000007e16e5 in zend_eval_stringl (
    str=str@entry=0x1192150 "require 'vendor/autoload.php'; (new Microsoft\\PhpParser\\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));", 
    str_len=<optimized out>, retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0xddb150 "Command line code") at /usr/src/php-src/Zend/zend_execute_API.c:1093
#4  0x00000000007e1879 in zend_eval_stringl_ex (
    str=str@entry=0x1192150 "require 'vendor/autoload.php'; (new Microsoft\\PhpParser\\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));", 
    str_len=<optimized out>, retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0xddb150 "Command line code", handle_exceptions=handle_exceptions@entry=1)
    at /usr/src/php-src/Zend/zend_execute_API.c:1134
#5  0x00000000007e18e9 in zend_eval_string_ex (
    str=str@entry=0x1192150 "require 'vendor/autoload.php'; (new Microsoft\\PhpParser\\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));", 
    retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0xddb150 "Command line code", handle_exceptions=handle_exceptions@entry=1)
    at /usr/src/php-src/Zend/zend_execute_API.c:1145
#6  0x00000000008890c3 in do_cli (argc=3, argv=0x11920e0) at /usr/src/php-src/sapi/cli/php_cli.c:1024
#7  0x0000000000452f00 in main (argc=3, argv=0x11920e0) at /usr/src/php-src/sapi/cli/php_cli.c:1381

And Valgrind lights up on it, so there is something amiss here:

# USE_ZEND_ALLOC=0 valgrind --tool=memcheck --leak-check=yes --suppressions=/home/rasmus/.suppressions --track-origins=yes --num-callers=30 --show-reachable=yes php -r "require 'vendor/autoload.php'; (new Microsoft\PhpParser\Parser())->parseSourceFile(file_get_contents('src/Parser.php'));"

See http://lerdorf.com/vg.txt

[2017-02-10 06:20 UTC] laruence@php.net

-Summary: Segfault +Summary: Segfault with list

[2017-02-10 06:26 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=185304a61e08c07228e718139ef5284a7021bbbd
Log: Fixed bug #74019 (Segfault with list)

[2017-02-10 06:26 UTC] laruence@php.net

-Status: Verified +Status: Closed

[2017-02-10 06:27 UTC] laruence@php.net

-Assigned To: +Assigned To: laruence

[2017-02-10 06:27 UTC] laruence@php.net

the bug has been fixed, just for the record, a simple reproduce script is:
<?php

class A {
    public function seg() {
        list($a, $b) = A::CONSTS;
        var_dump($a, $b);
        return;
    }
    const CONSTS = [1, 2];
}

$a = new A;
$a->seg();

thanks

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC