PHP :: Bug #60169 :: Conjunction of ternary and list crashes PHP

Bug #60169	Conjunction of ternary and list crashes PHP
Submitted:	2011-10-29 13:40 UTC	Modified:	2011-11-03 04:00 UTC
From:	thekid@php.net	Assigned:	laruence (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.4.0beta2	OS:	Windows Vista
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	thekid@php.net
New email:
PHP Version:		OS:

New Comment:

[2011-10-29 13:40 UTC] thekid@php.net

Description:
------------
This code makes PHP exit with exit code #127:

list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);

Test script:
---------------
$ php.exe -r 'list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);' ; echo $?


Expected result:
----------------
0

Actual result:
--------------
127

Patches

bug60169.diff (last revision 2011-10-31 06:48 UTC by laruence@php.net)
invalid.patch (last revision 2011-10-31 03:24 UTC by laruence@php.net)
bug60169.phpt (last revision 2011-10-30 02:08 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-10-29 14:26 UTC] pajoye@php.net

I can't reproduce it. Please provide a script without external data (arg).

[2011-10-29 14:26 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2011-10-30 01:37 UTC] laruence@php.net

backtrace:

#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, 
dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
1244		zval *container = *container_ptr;
(gdb) bt
#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, 
dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
#1  0x000000000091630d in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x2a95dac0e8)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_vm_execute.h:12694
#2  0x00000000008d79ae in execute (op_array=0x2a95de36e8) at /home/huixc/opensource/php-
src/trunk/Zend/zend_vm_execute.h:410
#3  0x00000000008a0063 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at 
/home/huixc/opensource/php-src/trunk/Zend/zend.c:1272
#4  0x0000000000820850 in php_execute_script (primary_file=0x7fbffff2a0) at /home/huixc/opensource/php-
src/trunk/main/main.c:2414
#5  0x00000000009c12dd in do_cli (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-
src/trunk/sapi/cli/php_cli.c:983
#6  0x00000000009c217e in main (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-
src/trunk/sapi/cli/php_cli.c:1356

[2011-10-30 01:56 UTC] laruence@php.net

I can reproduce this on linux with a more simple script:
<?php
$arr  = array("test");
list($a)= is_array($arr)? $arr : $arr;
?>

and I have pasted the bt above~

[2011-10-30 02:01 UTC] pajoye@php.net

-Status: Feedback +Status: Assigned -Assigned To: +Assigned To: lbarnaud

[2011-10-30 02:01 UTC] pajoye@php.net

Arnaud, could you try to give a look please? Happens only in 5.4, the recent 
optimization in this area could be the cause.

[2011-10-30 02:03 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1319940233
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1319940233

[2011-10-30 02:08 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.phpt
Revision:   1319940509
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.phpt&revision=1319940509

[2011-10-31 03:21 UTC] laruence@php.net

there is also segfault in (***)?:value notation.
like:
   <?php
     $str = array('test');
     list($a, $b) = is_array($str)?:$str;

and this make *the patch doesn't work* (a memory leak)

[2011-10-31 03:24 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: invalid.patch
Revision:   1320031445
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=invalid.patch&revision=1320031445

[2011-10-31 06:48 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1320043736
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1320043736

[2011-10-31 06:50 UTC] laruence@php.net

I have submitted a new patch. lbarnaud, plz review it , thanks

[2011-11-03 03:59 UTC] laruence@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=318716
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2011-11-03 03:59 UTC] laruence@php.net

-Status: Assigned +Status: Closed

[2011-11-03 03:59 UTC] laruence@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2011-11-03 04:00 UTC] laruence@php.net

-Assigned To: lbarnaud +Assigned To: laruence

[2012-04-18 09:48 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2012-07-24 23:39 UTC] rasmus@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

[2013-11-17 09:35 UTC] laruence@php.net

Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Feb 04 00:01:31 2025 UTC