php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58001 Bad opcode information for ZEND_RECV_INIT
Submitted: 2008-01-09 22:15 UTC Modified: 2017-04-01 21:15 UTC
From: gjm76 at cornell dot edu Assigned:
Status: Wont fix Package: parsekit (PECL)
PHP Version: 5.2.1 OS: Gentoo Linux
Private report: No CVE-ID: None
 [2008-01-09 22:15 UTC] gjm76 at cornell dot edu
Description:
------------
I'm actually using PHP 5.2.5-pl1-gentoo, but the drop-down was not specific enough.

I don't think that my ./configure is really relevant, but if you have trouble reproducing I'll post it.

Regardless, when parsekit encounters a function whose parameters have initializers if they are unspecified, and they are bound to constants, php_parsekit_define_name_ex() is unable to find them in the lookup list and returns UNKNOWN for the 'constant' field of the op2 field for the opcode ZEND_RECV_INIT. This wouldn't necessarily be a problem, except that it is not technically bound as a string variable. It is actually not identified as a type at all by PHP, and results in a segmentation fault when it is parsed as a string (but other operations can be performed on it, specifically anything that would not incur a type-check).

Reproduce code:
---------------
define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

$opcodes = parsekit_compile_file($_SERVER['PHP_SELF'], $errors, PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        var_dump($op);
        }
}


Expected result:
----------------
["op1"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(1)
  }
  ["op2"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(0)            <--- This would be most useful as the constant name, i think. But value would be fine too.
  }


Actual result:
--------------
(... earlier var_dump omitted ...)
["op1"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(1)
  }
  ["op2"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &UNKNOWN:0          <--- This is untyped and may be a wild pointer. It causes a segfault when a typecast happens.
  }
(... var_dump continues ...)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-11-12 09:56 UTC] sean@php.net
Hi,

I can confirm that it's showing up as &UNKNOWN:0. (parsekit-HEAD & PHP 5.2.6)

Can you please post a script that actually causes the segfault (via typecast)?

S
 [2008-12-14 14:07 UTC] gjm76 at cornell dot edu
Sorry it took me so long to get back to you on this. This code should reproduce the segfault, but if not I've also included a second variant that I had to use on the server I was testing on, but it was due to an unrelated issue, I hope, possibly dealing with using an alpha version of 5.3 or 6.0. The wrong function table was being used and it was complaining about trying to parse itself as a result (redeclaring the function y).

test.php
--------
<?php

define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

$opcodes = parsekit_compile_file($_SERVER['PHP_SELF'], $errors,
PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        echo ($op['op2']['constant']."\n");
        }
}

?>

Alternatively, in two separate files:

test2.php
---------
<?php

define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

?>

test.php
--------
<?php

$opcodes = parsekit_compile_file('test2.php', $errors,
PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        echo ($op['op2']['constant']."\n");
        }
}

?>
 [2017-04-01 21:15 UTC] tpunt@php.net
-Status: Open +Status: Wont fix
 [2017-04-01 21:15 UTC] tpunt@php.net
Due to this extension not seeing any activity since 2009, this issue will not be fixed. We are therefore closing this now.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 08 08:01:29 2024 UTC