Bug #58001 Bad opcode information for ZEND_RECV_INIT
Submitted: 2008-01-09 22:15 UTC Modified: 2017-04-01 21:15 UTC
From: gjm76 at cornell dot edu Assigned:
Status: Wont fix Package: parsekit (PECL)
PHP Version: 5.2.1 OS: Gentoo Linux
Private report: No CVE-ID: None

 [2008-01-09 22:15 UTC] gjm76 at cornell dot edu
Description:
------------
I'm actually using PHP 5.2.5-pl1-gentoo, but the drop-down was not specific enough.

I don't think that my ./configure is really relevant, but if you have trouble reproducing I'll post it.

Regardless, when parsekit encounters a function whose parameters have default initializers that are bound to constants, php_parsekit_define_name_ex() is unable to find them in the lookup list and returns UNKNOWN for the 'constant' entry of the op2 field of the ZEND_RECV_INIT opcode. This wouldn't necessarily be a problem, except that it is not technically bound as a string variable: it is not identified as a type at all by PHP, and it results in a segmentation fault when it is parsed as a string (other operations can be performed on it, specifically anything that does not incur a type check).

Reproduce code:
---------------
<?php
// A parameter whose default value is a constant.
define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

// Compile the running script with parsekit and dump every ZEND_RECV_INIT opcode.
$opcodes = parsekit_compile_file($_SERVER['PHP_SELF'], $errors, PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        var_dump($op);
        }
}


Expected result:
----------------
["op1"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(1)
  }
  ["op2"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(0)            <--- This would be most useful as the constant name, I think. But the value would be fine too.
  }


Actual result:
--------------
(... earlier var_dump omitted ...)
["op1"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &int(1)
  }
  ["op2"]=>
  array(3) {
    ["type"]=>
    int(1)
    ["type_name"]=>
    string(8) "IS_CONST"
    ["constant"]=>
    &UNKNOWN:0          <--- This is untyped and may be a wild pointer. It causes a segfault when a typecast happens.
  }
(... var_dump continues ...)


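Added example, not part of the report and not parsekit's own code: one way to get the same information without ever touching the op2 constant that the report shows as &UNKNOWN:0. parsekit is used only to find which parameters carry a ZEND_RECV_INIT initializer; the default itself is read through ReflectionParameter::getDefaultValue(), which does not depend on parsekit. It assumes the parsekit extension is loaded, that 'function_table' is keyed by function name, and that op1 carries the 1-based argument number as it does in the var_dump above; on a build where compiling the running file triggers the "redeclaring the function y" complaint mentioned later in the thread, point it at a separate file and include that file first.

```php
<?php
// Added example (not from the bug report). Assumptions: the parsekit
// extension is loaded, 'function_table' is keyed by function name, and
// op1 of ZEND_RECV_INIT holds the 1-based argument number.

define('zero', 0);

function y($x = zero) {
    return $x + 1;
}

/**
 * Return array(function => array(parameter => default)) for every parameter
 * that parsekit reports as having an initializer. op2['constant'] is never
 * read, so the untyped UNKNOWN value described in the report is never cast.
 * Returns false if parsekit could not compile the file.
 */
function recv_init_defaults($file)
{
    $errors  = array();
    $opcodes = parsekit_compile_file($file, $errors, PARSEKIT_QUIET);
    if ($opcodes === false || !isset($opcodes['function_table'])) {
        return false;
    }

    $defaults = array();
    foreach ($opcodes['function_table'] as $name => $func) {
        // Reflection can only see functions that are actually declared in
        // this process; skip entries that were compiled but never loaded.
        if (!function_exists($name)) {
            continue;
        }
        foreach ($func['opcodes'] as $op) {
            if ($op['opcode'] != PARSEKIT_ZEND_RECV_INIT) {
                continue;
            }
            // op1 is a well-formed IS_CONST integer in the reported output;
            // only that operand is used to locate the parameter.
            if ($op['op1']['type_name'] !== 'IS_CONST') {
                continue;
            }
            $index = (int) $op['op1']['constant'] - 1;
            $param = new ReflectionParameter($name, $index);
            if ($param->isDefaultValueAvailable()) {
                $defaults[$name][$param->getName()] = $param->getDefaultValue();
            }
        }
    }
    return $defaults;
}

// Compile this very file, as the reporter's test.php does.
var_dump(recv_init_defaults(__FILE__));
```

The function_exists() guard is what makes this safe to run against a file other than the script itself: parsekit compiles without executing, so a function compiled from another file is invisible to Reflection until that file has been included.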
 [2008-11-12 09:56 UTC] sean@php.net
Hi,

I can confirm that it's showing up as &UNKNOWN:0. (parsekit-HEAD & PHP 5.2.6)

Can you please post a script that actually causes the segfault (via typecast)?

S
 [2008-12-14 14:07 UTC] gjm76 at cornell dot edu
Sorry it took me so long to get back to you on this. This code should reproduce the segfault. If not, I've also included a second variant that I had to use on the server I was testing on; that was due to an unrelated issue, I hope, possibly from using an alpha version of 5.3 or 6.0: the wrong function table was being used, and it complained about trying to parse itself as a result (redeclaring the function y).

test.php
--------
<?php

define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

// Compile the running script itself.
$opcodes = parsekit_compile_file($_SERVER['PHP_SELF'], $errors, PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        // The string concatenation casts the op2 constant to string,
                        // which is the type conversion that triggers the segfault.
                        echo ($op['op2']['constant']."\n");
        }
}

?>

Alternatively, in two separate files:

test2.php
---------
<?php

define ('zero', 0);

function y($x = zero) {
        return $x + 1;
}

?>

test.php
--------
<?php

// Compile a separate file so the running script is never recompiled.
$opcodes = parsekit_compile_file('test2.php', $errors, PARSEKIT_QUIET);

foreach ($opcodes['function_table'] as $func) {
        foreach ($func['opcodes'] as $op) {
                if ($op['opcode'] == PARSEKIT_ZEND_RECV_INIT)
                        // Same string cast of the op2 constant as in test.php above.
                        echo ($op['op2']['constant']."\n");
        }
}

?>
 [2017-04-01 21:15 UTC] tpunt@php.net
-Status: Open +Status: Wont fix
 [2017-04-01 21:15 UTC] tpunt@php.net
Due to this extension not seeing any activity since 2009, this issue will not be fixed. We are therefore closing this now.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.