PHP :: Bug #78151 :: Segfault caused by indirect expressions in PHP 7.4a1

Bug #78151

Segfault caused by indirect expressions in PHP 7.4a1

Submitted:

2019-06-12 19:54 UTC

Modified:

2019-06-13 06:06 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

jfcherng at gmail dot com

Assigned:

dmitry (profile)

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

Next Minor Version

OS:

Win7 x64

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jfcherng at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2019-06-12 19:54 UTC] jfcherng at gmail dot com

Description:
------------
I downloaded the PHP 7.4 alpha 1 release from "https://windows.php.net/downloads/qa/php-7.4.0alpha1-nts-Win32-vs16-x64.zip" and decompressed it without any modification (I did not even create a php.ini).

I then ran the attached test script with the PHP QA release ( $ php.exe test.php ) and got a segfault. I *cannot* reproduce this issue on my CentOS machine somehow.


Test script:
---------------
<?php

class Arr
{
    private $foo = '';

    public function __construct(array $array = [])
    {
        $property = 'foo';

        // segfault in PHP 7.4.0alpha1 but is fine in PHP 7.3.7RC1
        $this->{$property} = &$array[$property];

        // this is fine in both PHP versions
        // $this->foo = &$array[$property];

        \var_dump($this->foo);
    }
}

$arr = new Arr(['foo' => 'bar']);


Expected result:
----------------
string(3) "bar"

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-06-12 20:01 UTC] nikic@php.net

-Status: Open +Status: Verified

[2019-06-12 20:01 UTC] nikic@php.net

Also repros on Ubuntu for me.

[2019-06-12 20:46 UTC] krakjoe@php.net

Test added, first CI build that includes it is: https://dev.azure.com/phpazuredevops/PHP/_build/results?buildId=172

[2019-06-12 20:47 UTC] krakjoe@php.net

First 7.4 build: https://dev.azure.com/phpazuredevops/PHP/_build/results?buildId=173

[2019-06-13 05:41 UTC] krakjoe@php.net

Bisected ...

Okay at: 3820296c42e146cc080bc24314ccdfdd700e743e

Fault introduced by merge: dbd1ecd09f26015451063c6d545c9ab929a12129

Revert of be74ca497680ef544af1f650fe4717a3e0d0af67 fixes fault

[2019-06-13 06:06 UTC] krakjoe@php.net

-Assigned To: +Assigned To: dmitry

[2019-06-13 06:06 UTC] krakjoe@php.net

My mistake, a95014dc101756d93696c5c283578302a8334edd is the bad commit ...

[2019-06-13 07:38 UTC] nikic@php.net

Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b64107531b35e9bc2312cd1ed8c030782e7841d8
Log: Fixed bug #78151

[2019-06-13 07:38 UTC] nikic@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 07:00:01 2025 UTC