Bug #55578 Segfault on implode/concat
Submitted: 2011-09-03 17:58 UTC Modified: 2011-09-14 13:18 UTC
From: kontakt at beberlei dot de Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.4.0alpha3 OS:
Private report: No CVE-ID:
 [2011-09-03 17:58 UTC] kontakt at beberlei dot de
Description:
------------
I found this issue running the Doctrine 2 test suite with PHP 5.4.0 alpha 3 and could isolate the segfault behaviour to a very simple PHP script.

I can't make anything out of the backtrace with regard to the nature of the failure. But it seems to have something to do with the __toString() that gets implicitly called.

Test script:
---------------
<?php

$options = array(
    'pre' => '(',
    'post' => ')',
    'separator' => ' AND ',
);

class Foo
{
    public function __toString()
    {
        return 'Foo';
    }
}   

function test($options, $queryPart)
{
        return (isset($options['pre']) ? $options['pre'] : '')
             . (is_array($queryPart) ? implode($options['separator'], $queryPart) : $queryPart)
             . (isset($options['post']) ? $options['post'] : '');
}

#echo test($options, "test"); // uncomment this and the line after works as well
echo test($options, new Foo()); // this segfaults

Expected result:
----------------
(Foo)




Actual result:
--------------
Segfault, Backtrace is:

#0  gc_remove_zval_from_buffer (zv=0xb5f5b1b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_gc.c:265
#1  0x083723c8 in _zval_ptr_dtor (zval_ptr=0x8913da8) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:437
#2  0x08374065 in zend_call_function (fci=0xbfffc8ac, fci_cache=0xbfffc8d0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_execute_API.c:1018
#3  0x0839660b in zend_call_method (object_pp=0xbfffc9a0, obj_ce=<value optimized out>, fn_proxy=0xb5f76d38, function_name=0x8866e95 "__tostring", function_name_len=10, 
    retval_ptr_ptr=0xbfffc97c, param_count=0, arg1=0x0, arg2=0x0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_interfaces.c:97
#4  0x083a0f11 in zend_std_cast_object_tostring (readobj=0xb5f5b1b0, writeobj=0xbfffca48, type=6)
    at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_object_handlers.c:1472
#5  0x0838152b in zend_make_printable_zval (expr=0xb5f5b1b0, expr_copy=0xbfffca48, use_copy=0xbfffca68) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:260
#6  0x0837c678 in concat_function (result=0xb5f5b1c0, op1=0xb5f5b170, op2=0xb5f5b1b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_operators.c:1243
#7  0x083d4d53 in ZEND_CONCAT_SPEC_TMP_TMP_HANDLER (execute_data=0xb5f5b0f8) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:8133
#8  0x083e52e6 in execute (op_array=0x8a5e7b0) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend_vm_execute.h:410
#9  0x08381d82 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/benny/downloads/php-5.4.0alpha3/Zend/zend.c:1262
#10 0x083247a2 in php_execute_script (primary_file=0xbfffeebc) at /home/benny/downloads/php-5.4.0alpha3/main/main.c:2385
#11 0x0842005e in do_cli (argc=2, argv=0xbffff144) at /home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:983
#12 0x084208d7 in main (argc=2, argv=0xbffff144) at /home/benny/downloads/php-5.4.0alpha3/sapi/cli/php_cli.c:1356

History

 [2011-09-03 19:00 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-09-03 19:00 UTC] felipe@php.net
Minor test case:

<?php  
$options = array();

class Foo {
    public function __toString() {
        return 'Foo';
    }
}   

function test($options, $queryPart) {
	return ''. (0 ? 1 : $queryPart);
}

test($options, new Foo());

==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83F00C8: zend_call_function (zend_execute_API.c:924)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83EDAFE: _zval_ptr_dtor (zend_execute_API.c:433)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Conditional jump or move depends on uninitialised value(s)
==3019==    at 0x83EDB4D: _zval_ptr_dtor (zend_execute_API.c:437)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019== 
==3019== Invalid free() / delete / delete[]
==3019==    at 0x402421C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3019==    by 0x83CAA1A: _efree (zend_alloc.c:2433)
==3019==    by 0x83EDBC1: _zval_ptr_dtor (zend_execute_API.c:439)
==3019==    by 0x83F0BEF: zend_call_function (zend_execute_API.c:1018)
==3019==    by 0x8420106: zend_call_method (zend_interfaces.c:97)
==3019==    by 0x8437226: zend_std_cast_object_tostring (zend_object_handlers.c:1472)
==3019==    by 0x83FF743: zend_make_printable_zval (zend.c:260)
==3019==    by 0x83FB1AD: concat_function (zend_operators.c:1243)
==3019==    by 0x844D780: ZEND_CONCAT_SPEC_CONST_TMP_HANDLER (zend_vm_execute.h:3944)
==3019==    by 0x843EDE8: execute (zend_vm_execute.h:410)
==3019==    by 0x8402B71: zend_execute_scripts (zend.c:1262)
==3019==    by 0x836AFF5: php_execute_script (main.c:2388)
==3019==    by 0x854615F: do_cli (php_cli.c:983)
==3019==    by 0x8547547: main (php_cli.c:1356)
==3019==  Address 0x45d42e0 is 304 bytes inside a block of size 65,484 alloc'd
==3019==    at 0x4025018: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3019==    by 0x83CA970: _emalloc (zend_alloc.c:2423)
==3019==    by 0x83EC78F: init_executor (zend_execute.h:184)
==3019==    by 0x840155A: zend_activate (zend.c:900)
==3019==    by 0x83688CD: php_request_startup (main.c:1452)
==3019==    by 0x8545FAB: do_cli (php_cli.c:954)
==3019==    by 0x8547547: main (php_cli.c:1356)
 [2011-09-04 21:18 UTC] tyrael@php.net
An even shorter test case:

<?php
(string)(0?1:new Exception);

:)

Tyrael
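As an added regression check, the three reductions above can be folded into one script that reports which implicit string-conversion paths work on a given build. This is not the php-src test suite's own file and not code from any of the commenters; `Foo`, `build()` and the case names are constructed here, and the expected strings are the ones the report gives. The `(string)` cast case uses `Foo` rather than `Exception`, because an Exception's string form is its message and trace rather than a fixed value. The object cases run first on purpose: the reporter notes that running the scalar call before the object call made the crash disappear, so the controls come last.

```php
<?php
// Added regression check for bug #55578; not the php-src test suite's own file.
// Every object case converts the result of a ternary whose taken branch is an
// object with __toString() to a string. On an affected 5.4.0alpha3 build the
// process segfaults in concat_function/zend_std_cast_object_tostring before the
// summary is printed; on a fixed build every case prints "ok" and the script
// exits 0.

class Foo
{
    public function __toString()
    {
        return 'Foo';
    }
}

// Same shape as the reporter's test(): pre/post wrapping around either an
// imploded array or a scalar/object query part.
function build($options, $queryPart)
{
    return (isset($options['pre']) ? $options['pre'] : '')
         . (is_array($queryPart) ? implode($options['separator'], $queryPart) : $queryPart)
         . (isset($options['post']) ? $options['post'] : '');
}

$options = array('pre' => '(', 'post' => ')', 'separator' => ' AND ');

// Object cases first: per the report, running the scalar call ahead of the
// object call hid the crash, so the controls (no __toString() involved) go last.
$cases = array(
    'original reproducer: concat of ternary holding an object' => array(
        'expected' => '(Foo)',
        'run'      => function () use ($options) { return build($options, new Foo()); },
    ),
    "felipe's reduction: '' . (0 ? 1 : object)" => array(
        'expected' => 'Foo',
        'run'      => function () { return '' . (0 ? 1 : new Foo()); },
    ),
    "tyrael's reduction: (string) cast of the ternary" => array(
        'expected' => 'Foo',
        'run'      => function () { return (string) (0 ? 1 : new Foo()); },
    ),
    'control: implode branch, no object' => array(
        'expected' => '(a AND b)',
        'run'      => function () use ($options) { return build($options, array('a', 'b')); },
    ),
    'control: scalar branch, no object' => array(
        'expected' => '(test)',
        'run'      => function () use ($options) { return build($options, 'test'); },
    ),
);

$failures = 0;
foreach ($cases as $name => $case) {
    $actual = call_user_func($case['run']);
    $ok = ($actual === $case['expected']);
    if (!$ok) {
        $failures++;
    }
    printf("%-60s %s\n", $name, $ok ? 'ok' : 'FAIL (got ' . var_export($actual, true) . ')');
}

echo $failures === 0 ? "all cases passed\n" : "$failures case(s) failed\n";
exit($failures === 0 ? 0 : 1);
```

Run it as `php bug55578_check.php`; a non-zero exit status or a missing summary line (the process died before reaching it) marks the build as affected.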
 [2011-09-04 23:24 UTC] tyrael@php.net
I've just bisected the changes; the bug was introduced with
http://svn.php.net/viewvc?view=revision&revision=298207

Tyrael
 [2011-09-14 13:18 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=316744
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2011-09-14 13:18 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2011-09-14 13:18 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:48 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 [2013-11-17 09:36 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=65cb18dd5fbfb0f8174d29e7a812f47a16c3425a
Log: Fixed bug #55578 (Segfault on implode/concat)
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Mon Jun 15 18:01:54 2015 UTC