PHP :: Bug #76711 :: OPcache enabled triggers false-positive "Illegal string offset"

Bug #76711	OPcache enabled triggers false-positive "Illegal string offset"
Submitted:	2018-08-06 14:08 UTC	Modified:	2018-09-20 08:04 UTC
From:	nicolas dot grekas+php at gmail dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	opcache
PHP Version:	7.3Git-2018-08-06 (Git)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nicolas dot grekas+php at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2018-08-06 14:08 UTC] nicolas dot grekas+php at gmail dot com

Description:
------------
when running the Symfony test suite on PHP 7.3 with opcache.enable_cli=1, some tests fail with "Illegal string offset '...'" errors, which make no sense:

Example build is:
https://travis-ci.org/nicolas-grekas/symfony/builds/411802579#L2508

The reported line reads as such:
> if (!$uri || '#' == $uri[0] || '?' == $uri[0]) {
See https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L668

It looks like there is a leak from L649 to L668:
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L649


Test script:
---------------
No better reproducer sorry:

git clone https://github.com/symfony/symfony
cd symfony
composer install
./phpunit install
php -dopcache.enable_cli=1 ./phpunit src/Symfony/Component/BrowserKit

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-08-06 14:11 UTC] jpauli@php.net

-Status: Open +Status: Verified

[2018-08-07 07:28 UTC] laruence@php.net

I can not reproduce this,  what I got is:
$ /home/huixinchen/local/php73/bin/php -d opcache.enable_cli=1 -d error_reporting=-1 -d display_errors=1 ./phpunit src/Symfony/Component/BrowserKit
#!/usr/bin/env php
PHPUnit 6.5.10 by Sebastian Bergmann and contributors.

Testing src/Symfony/Component/BrowserKit
.............................................F.................  63 / 136 ( 46%)
............................................................... 126 / 136 ( 92%)
..........                                                      136 / 136 (100%)

Time: 691 ms, Memory: 4.00MB

There was 1 failure:

1) Symfony\Component\BrowserKit\Tests\ClientTest::testFollowMetaRefresh with data set #7 ('<html><head><noscript><meta h.../html>', 'http://www.example.com/redirected')
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'http://www.example.com/redirected'
+'http://www.example.com/foo/foobar'

/home/huixinchen/opensource/github/symfony/src/Symfony/Component/BrowserKit/Tests/ClientTest.php:669
/home/huixinchen/opensource/github/symfony/.phpunit/phpunit-6.5/phpunit:5

FAILURES!
Tests: 136, Assertions: 312, Failures: 1.

[2018-09-20 06:47 UTC] nicolas dot grekas+php at gmail dot com

This issue still exists in 7.3.0RC1, see failures at
https://travis-ci.org/nicolas-grekas/symfony/builds/430883587

[2018-09-20 07:56 UTC] nikic@php.net

Valgrind says:

==5806== Conditional jump or move depends on uninitialised value(s)
==5806==    at 0xA652CA: ZEND_FETCH_DIM_R_INDEX_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:41973)
==5806==    by 0xA7D01D: execute_ex (zend_vm_execute.h:59659)
==5806==    by 0xA7E0D5: zend_execute (zend_vm_execute.h:60703)
==5806==    by 0x9A3D55: zend_execute_scripts (zend.c:1562)
==5806==    by 0x90A5A8: php_execute_script (main.c:2636)
==5806==    by 0xA80E2A: do_cli (php_cli.c:997)
==5806==    by 0xA81FA0: main (php_cli.c:1390)

This is likely a bug in literal compaction. It probably combines two integer literals, one with Z_EXTRA=0 and one with unspecified Z_EXTRA. The unspecified Z_EXTRA is then used in FETCH_DIM_R_INDEX.

[2018-09-20 07:58 UTC] nikic@php.net

Here is a simple reproduce (under valgrind):

<?php
  
function test($foo) {
    var_dump(0);
    var_dump($foo[0]);
}
test("str");

[2018-09-20 08:04 UTC] nikic@php.net

-Assigned To: +Assigned To: dmitry

[2018-09-20 09:34 UTC] dmitry@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b8ffa3707c07e6edbe5db5a3fdf5516ba1f6bef0
Log: Fixed bug #76711 (OPcache enabled triggers false-positive &quot;Illegal string offset&quot;)

[2018-09-20 09:34 UTC] dmitry@php.net

-Status: Verified +Status: Closed

[2018-09-26 08:38 UTC] nikic@php.net

Related To: Bug #76933

[2018-12-10 11:33 UTC] nikic@php.net

Related To: Bug #77275

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 08:01:28 2024 UTC