[2018-08-16 12:47 UTC] bugs dot php dot net at majkl578 dot cz
Description:
------------
While testing PHP 7.3 with Roave/BetterReflection library, I ran into PHP assertion errors [1], possibly regarding corrupted zvals.

Crashes on the following statement [2]:
$namespace->stmts ?? []

When PHP is not compiled in debug mode, this reproduces as "TypeError: array_filter() expects parameter 1 to be array, array given".

[1] https://github.com/Roave/BetterReflection/issues/440
[2] https://github.com/Roave/BetterReflection/blob/3.1.1/src/TypesFinder/PhpDocumentor/NamespaceNodeToReflectionTypeContext.php#L69

Test script:
---------------
I was unable to reproduce it in a standalone script, so providing a simple functional reproducer instead:

git clone git@github.com:Roave/BetterReflection --depth=1 --branch=3.1.1
cd BetterReflection
composer update
php7.3 vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes

Expected result:
----------------
No crash.

Actual result:
--------------
$ gdb -q --args <php-binary> vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes
Reading symbols from <php-binary>...done.
(gdb) run
Starting program: <php-binary> vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 2653]
PHPUnit 7.3.1 by Sebastian Bergmann and contributors.

php: <php-root>/Zend/zend_execute.c:233: _get_zval_ptr_tmp: Assertion `zval_get_type(&(*(ret))) != 10' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff783d2f1 in __GI_abort () at abort.c:79
#2  0x00007ffff7834a8a in __assert_fail_base (fmt=0x7ffff7988ec8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55555645b808 "zval_get_type(&(*(ret))) != 10", file=file@entry=0x55555645b7e0 "<php-root>/Zend/zend_execute.c", line=line@entry=233, function=function@entry=0x55555645de90 <__PRETTY_FUNCTION__.13265> "_get_zval_ptr_tmp") at assert.c:92
#3  0x00007ffff7834b02 in __GI___assert_fail (assertion=0x55555645b808 "zval_get_type(&(*(ret))) != 10", file=0x55555645b7e0 "<php-root>/Zend/zend_execute.c", line=233, function=0x55555645de90 <__PRETTY_FUNCTION__.13265> "_get_zval_ptr_tmp") at assert.c:101
#4  0x0000555555c48a3d in _get_zval_ptr_tmp (var=96, should_free=0x7fffffffa3a0) at <php-root>/Zend/zend_execute.c:233
#5  0x0000555555c774f2 in ZEND_COALESCE_SPEC_TMP_HANDLER () at <php-root>/Zend/zend_vm_execute.h:18404
#6  0x0000555555cbb89c in execute_ex (ex=0x7ffff4c1f030) at <php-root>/Zend/zend_vm_execute.h:57446
#7  0x0000555555cbf0e2 in zend_execute (op_array=0x7ffff4c85300, return_value=0x0) at <php-root>/Zend/zend_vm_execute.h:60882
#8  0x0000555555bee6e7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at <php-root>/Zend/zend.c:1562
#9  0x0000555555b5e33e in php_execute_script (primary_file=0x7fffffffdbb0) at <php-root>/main/main.c:2630
#10 0x0000555555cc1b02 in do_cli (argc=5, argv=0x555556633240) at <php-root>/sapi/cli/php_cli.c:997
#11 0x0000555555cc2a82 in main (argc=5, argv=0x555556633240) at <php-root>/sapi/cli/php_cli.c:1390
Simple reproducer:

<?php

$obj = new stdClass;
$val = 'foo';
$obj->prop = &$val;
var_dump($obj->prop ?? []);

Running with `-d opcache.opt_debug_level=0x10000` yields:

$_main: ; (lines=13, args=0, vars=2, tmps=9)
    ; (before optimizer)
    ; C:\Users\cmb\php-sdk\phpdev\vc15\x64\76752.php:1-6
L0 (3):     V2 = NEW 0 string("stdClass")
L1 (3):     DO_FCALL
L2 (3):     ASSIGN CV0($obj) V2
L3 (4):     ASSIGN CV1($val) string("foo")
L4 (5):     V6 = FETCH_OBJ_W CV0($obj) string("prop")
L5 (5):     ASSIGN_REF V6 CV1($val)
L6 (6):     INIT_FCALL 1 96 string("var_dump")
L7 (6):     T8 = FETCH_OBJ_IS CV0($obj) string("prop")
L8 (6):     T9 = COALESCE T8 L10
L9 (6):     T9 = QM_ASSIGN array(...)
L10 (6):    SEND_VAL T9 1
L11 (6):    DO_ICALL
L12 (6):    RETURN int(1)

Assertion failed: zval_get_type(&(*(ret))) != 10, file Zend\zend_execute.c, line 233

Apparently, T8 is a reference, although TMPs are not supposed to be references.
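
An added illustration, not part of the original report or of PHP's source: a small C model of the invariant discussed above, showing a temporary that keeps a reference wrapper failing the `!= 10` check, and how such a value could produce the release-build message "array, array given". The `value` struct, all function names, and the assumption that the type check reads the raw tag while the message names the dereferenced type are hypothetical simplifications.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Zend Engine code. Tag 10 is the reference type
 * named in the assertion above; the other tag values are illustrative. */
enum { T_NULL = 1, T_STRING = 6, T_ARRAY = 7, T_REFERENCE = 10 };

typedef struct value {
    int type;
    struct value *ref;              /* target when type == T_REFERENCE */
} value;

static const value *deref(const value *v) {
    while (v->type == T_REFERENCE) v = v->ref;
    return v;
}

/* Faulty fetch: copies the property slot into the temporary, wrapper included. */
static value fetch_raw(const value *slot) { return *slot; }
/* Fetch that keeps the invariant: the temporary holds the referenced value. */
static value fetch_deref(const value *slot) { return *deref(slot); }

/* The condition the debug build asserts when it reads a TMP operand. */
static int tmp_is_valid(const value *tmp) { return tmp->type != T_REFERENCE; }

static const char *type_name(const value *v) {
    switch (deref(v)->type) {       /* assumption: names are taken after deref */
    case T_ARRAY:  return "array";
    case T_STRING: return "string";
    default:       return "null";
    }
}

/* Assumed release-build path: the check reads the raw tag, the message does not. */
static int expect_array(const value *arg, char *msg, size_t n) {
    if (arg->type == T_ARRAY) return 1;
    snprintf(msg, n, "expects parameter 1 to be array, %s given", type_name(arg));
    return 0;
}

int main(void) {
    value target = { T_ARRAY, NULL }, slot = { T_REFERENCE, &target };
    value bad = fetch_raw(&slot), good = fetch_deref(&slot);
    char msg[64] = "";
    printf("raw tmp valid: %d, deref tmp valid: %d\n", tmp_is_valid(&bad), tmp_is_valid(&good));
    if (!expect_array(&bad, msg, sizeof msg)) printf("%s\n", msg);
    return 0;
}
```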