PHP :: Bug #65969 :: Chain assignment with T

Bug #65969

Chain assignment with T_LIST failure

Submitted:

2013-10-25 23:04 UTC

Modified:

2013-11-27 06:31 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

mwelinder at gmail dot com

Assigned:

dmitry (profile)

Status:

Closed

Package:

Variables related

PHP Version:

5.4.21

OS:

linux mint 15

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mwelinder at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2013-10-25 23:04 UTC] mwelinder at gmail dot com

Description:
------------
Chained assignments (a=b=c;) appear to not work in some circumstances.
When sequenced assignments (b=c; a=b;) are used, things work.


Test script:
---------------
<?php

class Test {
  var $c = null;

  function funcall ()
  {
    return array(2,3);
  }
}

$o = new Test;

// Chain assignment
list ($a,$b) = $o->c = $o->funcall();
print "XXX";
print $a;
print "YYY";


// Separate assignment
$o->c = $o->funcall();
list ($a,$b) = $o->c;
print $a;
print "ZZZ";

?>


Expected result:
----------------
Expected: XXX2YYY2ZZZ


Actual result:
--------------
Actual: XXXYYY2ZZZ

Patches

bug65969-2.patch (last revision 2013-11-27 08:56 UTC by dmitry at zend dot com)
bug65969.patch (last revision 2013-11-27 06:32 UTC by laruence@php.net)
bug65969.phpt (last revision 2013-11-27 05:39 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-10-25 23:07 UTC] mwelinder at gmail dot com

Forgot the precise version:

$ php5 --version
PHP 5.4.9-4ubuntu2.3 (cli) (built: Sep  4 2013 19:32:25) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

$ php5 -f test.php
XXXYYY2ZZZ

[2013-10-26 17:28 UTC] phpmpan at mpan dot pl

A segfault happens on:
 - 5.5.5 (only in CLI mode), 5.4-snap and 5.5-snap on Arch64
 - 5.5.4 on unknown 64-bit Linux
Works fine on 5.3-snap.

Backtrace (5.5-snap):
#0  0x000000000065db1a in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:14781
#1  0x000000000063dbe6 in execute_ex (execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:363
#2  0x000000000063dc57 in zend_execute (op_array=0x7ffff7fc2578)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:388
#3  0x00000000005f1162 in zend_eval_stringl (
    str=0x7ffff7fc1478 "list($a, $b) = $o->c = $o->funcall();\n", str_len=38, 
    retval_ptr=0x0, string_name=0x72bcdb "php shell code")
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_execute_API.c:1179
#4  0x0000000000496c5a in readline_shell_run ()
    at /home/user0/Desktop/php5.5-201310261630/ext/readline/readline_cli.c:664
#5  0x00000000006a95af in do_cli (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:992
#6  0x00000000006aa597 in main (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:1378

Valgrind tells (5.5-snap):
Invalid read of size 8
   at 0x65DB1A: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:14781)
   by 0x63DBE5: execute_ex (zend_vm_execute.h:363)
   by 0x63DC56: zend_execute (zend_vm_execute.h:388)
   by 0x5F1161: zend_eval_stringl (zend_execute_API.c:1179)
   by 0x496C59: readline_shell_run (readline_cli.c:664)
   by 0x6A95AE: do_cli (php_cli.c:992)
   by 0x6AA596: main (php_cli.c:1378)
 Address 0xc6c6eb68bec6c600 is not stack'd, malloc'd or (recently) free'd

[2013-10-29 20:17 UTC] nikic@php.net

-Status: Open +Status: Verified

[2013-10-29 20:17 UTC] nikic@php.net

Reduced testcase:

<?php
$obj = new stdClass;
list($a) = $obj->prop = [1];

Valgrind output with ZMM=0:

==7793== Conditional jump or move depends on uninitialised value(s)
==7793==    at 0x826493D: _get_zval_ptr_ptr_var (zend_execute.c:378)
==7793==    by 0x8283546: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12886)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Use of uninitialised value of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Invalid read of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

[2013-11-26 19:09 UTC] requinix@php.net

Related To: Bug #66181

[2013-11-27 05:35 UTC] laruence@php.net

-Assigned To: +Assigned To: dmitry

[2013-11-27 05:35 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385530548
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385530548

[2013-11-27 05:36 UTC] laruence@php.net

Dmitry, could you please look into the patch I attached? thanks

[2013-11-27 05:39 UTC] laruence@php.net

-Summary: Chain assignment failure +Summary: Chain assignment with T_LIST failure

[2013-11-27 05:39 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.phpt
Revision:   1385530777
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.phpt&revision=1385530777

[2013-11-27 06:32 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385533921
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385533921

[2013-11-27 10:59 UTC] dmitry@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2013-11-27 10:59 UTC] dmitry@php.net

-Status: Verified +Status: Closed

[2013-11-28 08:30 UTC] ab@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2014-10-07 23:16 UTC] stas@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC