Bug #55578 Segfault on implode/concat
Submitted: 2011-09-03 17:58 UTC Modified: 2011-09-14 13:18 UTC
From: kontakt at beberlei dot de Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.0alpha3 OS:
Private report: No CVE-ID: None
 [2011-09-03 17:58 UTC] kontakt at beberlei dot de
Description:
------------
I found this issue running the Doctrine 2 test suite with PHP 5.4.0 alpha 3 and could isolate the segfault behavior to a very simple PHP script.

I can't make anything out of the backtrace with regard to the nature of the failing. But it seems to have something to do with the __toString() that gets implicitly called.

Test script:
---------------
<?php

$options = array(
    'pre' => '(',
    'post' => ')',
    'separator' => ' AND ',
);

class Foo
{
    public function __toString()
    {
        return 'Foo';
    }
}   

function test($options, $queryPart)
{
        return (isset($options['pre']) ? $options['pre'] : '')
             . (is_array($queryPart) ? implode($options['separator'], $queryPart) : $queryPart)
             . (isset($options['post']) ? $options['post'] : '');
}

#echo test($options, "test"); // uncomment this and the line after it works as well
echo test($options, new Foo()); // this segfaults

Expected result:
----------------
(Foo)




Actual result:
--------------
Segfault, Backtrace is:

#0  gc_remove_zval_from_buffer (zv=0xb5f5b1b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_gc.c:265
#1  0x083723c8 in _zval_ptr_dtor (zval_ptr=0x8913da8) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:437
#2  0x08374065 in zend_call_function (fci=0xbfffc8ac, fci_cache=0xbfffc8d0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:1018
#3  0x0839660b in zend_call_method (object_pp=0xbfffc9a0, obj_ce=<value optimized out>, fn_proxy=0xb5f76d38, function_name=0x8866e95 "__tostring", function_name_len=10, 
    retval_ptr_ptr=0xbfffc97c, param_count=0, arg1=0x0, arg2=0x0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_interfaces.c:97
#4  0x083a0f11 in zend_std_cast_object_tostring (readobj=0xb5f5b1b0, writeobj=0xbfffca48, type=6)
    at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_object_handlers.c:1472
#5  0x0838152b in zend_make_printable_zval (expr=0xb5f5b1b0, expr_copy=0xbfffca48, use_copy=0xbfffca68) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:260
#6  0x0837c678 in concat_function (result=0xb5f5b1c0, op1=0xb5f5b170, op2=0xb5f5b1b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_operators.c:1243
#7  0x083d4d53 in ZEND_CONCAT_SPEC_TMP_TMP_HANDLER (execute_data=0xb5f5b0f8) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:8133
#8  0x083e52e6 in execute (op_array=0x8a5e7b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:410
#9  0x08381d82 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:1262
#10 0x083247a2 in php_execute_script (primary_file=0xbfffeebc) at /home/benny/downloads/php-5.4.0alpha3/main/main.c:2385
#11 0x0842005e in do_cli (argc=2, argv=0xbffff144) at /home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:983
#12 0x084208d7 in main (argc=2, argv=0xbffff144) at /home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:1356

 [2011-09-03 19:00 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-09-03 19:00 UTC] felipe@php.net
Minor test case:

<?php  
$options = array();

class Foo {
    public function __toString() {
        return 'Foo';
    }
}   

function test($options, $queryPart) {
	return ''. (0 ? 1 : $queryPart);
}

test($options, new Foo());

==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83F00C8: zend_call_function (zend_execute_API.c:924)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83EDAFE: _zval_ptr_dtor (zend_execute_API.c:433)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83EDB4D: _zval_ptr_dtor (zend_execute_API.c:437)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Invalid free() / delete / delete[]
==3019==    at 0x402421C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3019==    by 0x83CAA1A: _efree (zend_alloc.c:2433)
==3019==    by 0x83EDBC1: _zval_ptr_dtor (zend_execute_API.c:439)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019==  Address 0x45d42e0 is 304 bytes inside a block of size 65,484 alloc'd
==3019==    at 0x4025018: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3019==    by 0x83CA970: _emalloc (zend_alloc.c:2423)
==3019==    by 0x83EC78F: init_executor (zend_execute.h:184)
==3019==    by 0x840155A: zend_activate (zend.c:900)
==3019==    by 0x83688CD: php_request_startup (main.c:1452)
==3019==    by 0x8545FAB: do_cli (php_cli.c:954)
==3019==    by 0x8547547: main (php_cli.c:1356)
 [2011-09-04 21:18 UTC] tyrael@php.net
an even shorter test case:

<?php
(string)(0?1:new Exception);

:)

Tyrael
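The one-liner above is the whole reproducer, so the natural regression check is a script that runs it under a given PHP binary and classifies the outcome by exit status, the same way one would when bisecting. The following POSIX shell script is an added example and is not part of the bug report or of php-src; the `PHP_BIN` variable, the function names and the `nophp`/`ok`/`segfault`/`error` labels are this script's own conventions. It runs a control script first so that a missing or broken PHP is not mistaken for the bug.

```shell
#!/bin/sh
# Regression check for PHP bug #55578 (implicit __toString() on a ternary
# result inside string concatenation / a (string) cast).
# Added example, not code from the original report. Assumes a PHP CLI is
# reachable as $PHP_BIN (default: "php" on PATH).

PHP_BIN="${PHP_BIN:-php}"

# Minimal reproducer from the report (tyrael's one-liner), plus a marker
# so we can tell "ran to completion" from "exited silently".
BUG55578_REPRO='<?php (string)(0?1:new Exception); echo "done";'

# Control script that must never crash: distinguishes a broken PHP
# install from the bug itself.
BUG55578_CONTROL='<?php echo "done";'

# run_php_snippet CODE
#   Writes CODE to a temp file, runs it with php -n (no php.ini) and
#   prints one label:
#     nophp     no usable PHP binary found
#     ok        script printed "done" and exited 0
#     segfault  process was killed by SIGSEGV (shell reports 128+11=139)
#     error     any other failure
run_php_snippet() {
    if ! command -v "$PHP_BIN" >/dev/null 2>&1; then
        echo nophp
        return 0
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/bug55578.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp"
    out=$("$PHP_BIN" -n "$tmp" 2>/dev/null)
    rc=$?
    rm -f "$tmp"
    case $rc in
        0)   if [ "$out" = "done" ]; then echo ok; else echo error; fi ;;
        139) echo segfault ;;
        *)   echo error ;;
    esac
    return 0
}

# check_bug55578
#   Prints the control result if the control does not pass, otherwise
#   the result of the reproducer. "segfault" means the bug is present.
check_bug55578() {
    ctl=$(run_php_snippet "$BUG55578_CONTROL")
    if [ "$ctl" != ok ]; then
        echo "$ctl"
        return 0
    fi
    run_php_snippet "$BUG55578_REPRO"
}

# Stand-alone usage: PHP_BIN=/path/to/php sh bug55578-check.sh
check_bug55578
```

Point `PHP_BIN` at the build under test; a `segfault` result on a 5.4.0 alpha/beta build and `ok` on a build at or after the fixing revision is the expected pair. Because the classification keys on the exit status rather than on stdout, the same script can drive a bisect loop without parsing PHP's output.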
 [2011-09-04 23:24 UTC] tyrael@php.net
I've just bisected the changes, the bug was introduced with 
http://svn.php.net/viewvc?view=revision&revision=298207

Tyrael
 [2011-09-14 13:18 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=316744
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2011-09-14 13:18 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2011-09-14 13:18 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:48 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Apr 28 11:01:30 2025 UTC