php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77530 PHP crashes when parsing `(2)::class`
Submitted: 2019-01-27 21:49 UTC Modified: 2019-01-28 13:34 UTC
From: tysonandre775 at hotmail dot com Assigned: kalle (profile)
Status: Closed Package: *General Issues
PHP Version: 7.3.2RC1 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2019-01-27 21:49 UTC] tysonandre775 at hotmail dot com 
Description:
------------
When an expression such as `(2)::class` (with brackets) is parsed in source code, PHP (debug and non-debug) crashes.

Debug builds emit this failure: "/path/to/php-src/Zend/zend_ast.h:298: zend_ast_get_str: Assertion `zval_get_type(&(*(zv))) == 6' failed."

This may also affect stable php versions. I also saw this in a recent PHP 7.4 build.

Non-debug builds segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009b5e19 in zend_get_class_fetch_type ()
(gdb) bt
#0  0x00000000009b5e19 in zend_get_class_fetch_type ()
#1  0x00000000009b62e0 in zend_try_compile_const_expr_resolve_class_name.part ()
#2  0x00000000009bcc5a in zend_compile_class_const ()
#3  0x00000000009bd255 in zend_compile_expr ()
#4  0x00000000009be6ab in zend_compile_echo ()
#5  0x00000000009c55e8 in zend_compile_stmt ()
#6  0x00000000009c972a in zend_compile_top_stmt ()
#7  0x00000000009c977f in zend_compile_top_stmt ()
#8  0x00000000009c977f in zend_compile_top_stmt ()
#9  0x000000000099c3dd in zend_compile ()
#10 0x000000000099dfb8 in compile_string ()
#11 0x00000000009cd00b in zend_eval_stringl ()
#12 0x00000000007e6967 in readline_shell_run ()
#13 0x0000000000a822c5 in do_cli ()
#14 0x000000000045f56c in main ()


Test script:
---------------
<?php
if (false) {
    echo (2)::class;
}

Expected result:
----------------
Should not segfault. Instead, it should emit a similar error to what PHP already does in other cases

```
php > echo []::class;
Fatal error: Dynamic class names are not allowed in compile-time ::class fetch in php shell code on line 1
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-28 07:17 UTC] rasmus@php.net 
Nice one, how did you run across that?
(2)::class is pretty obscure.
 [2019-01-28 07:57 UTC] bugsnet at ekins dot space 
Hi! I've submitted a PR for this bug: https://github.com/php/php-src/pull/3768
 [2019-01-28 08:26 UTC] nikic@php.net 
Automatic comment on behalf of me@ekins.space
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef68cd324923d81565debef8939b015a3f4b8a6f
Log: Fixed bug #77530: PHP crashes when parsing &quot;(2)::class&quot;
 [2019-01-28 08:26 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-01-28 13:34 UTC] kalle@php.net
-Assigned To: +Assigned To: kalle
 [2019-01-28 13:34 UTC] kalle@php.net 
@rasmus: see comments on https://github.com/nikic/php-ast/pull/111
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 09:01:32 2024 UTC