Bug #60169 Conjunction of ternary and list crashes PHP
Submitted: 2011-10-29 13:40 UTC Modified: 2011-11-03 04:00 UTC
From: thekid@php.net Assigned: laruence
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4.0beta2 OS: Windows Vista
Private report: No CVE-ID:
 [2011-10-29 13:40 UTC] thekid@php.net
Description:
------------
This code makes PHP exit with exit code #127:

list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);

Test script:
---------------
$ php.exe -r 'list($a, $b)= is_array($argv) ? $argv : explode("@", $argv[1]);' ; echo $?


Expected result:
----------------
0

Actual result:
--------------
127

Patches

bug60169.diff (last revision 2011-10-31 06:48 UTC by laruence@php.net)
invalid.patch (last revision 2011-10-31 03:24 UTC by laruence@php.net)
bug60169.phpt (last revision 2011-10-30 02:08 UTC by laruence@php.net)

History

 [2011-10-29 14:26 UTC] pajoye@php.net
I can't reproduce it. Please provide a script without external data (arg).
 [2011-10-29 14:26 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-10-30 01:37 UTC] laruence@php.net
backtrace:

#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
1244		zval *container = *container_ptr;
(gdb) bt
#0  0x00000000008d69e5 in zend_fetch_dimension_address_read (result=0x2a95dac1d0, container_ptr=0x0, dim=0x2a95de57f8, dim_type=1, type=0)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_execute.c:1244
#1  0x000000000091630d in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (execute_data=0x2a95dac0e8)
    at /home/huixc/opensource/php-src/trunk/Zend/zend_vm_execute.h:12694
#2  0x00000000008d79ae in execute (op_array=0x2a95de36e8) at /home/huixc/opensource/php-src/trunk/Zend/zend_vm_execute.h:410
#3  0x00000000008a0063 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/huixc/opensource/php-src/trunk/Zend/zend.c:1272
#4  0x0000000000820850 in php_execute_script (primary_file=0x7fbffff2a0) at /home/huixc/opensource/php-src/trunk/main/main.c:2414
#5  0x00000000009c12dd in do_cli (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-src/trunk/sapi/cli/php_cli.c:983
#6  0x00000000009c217e in main (argc=2, argv=0x7fbffff588) at /home/huixc/opensource/php-src/trunk/sapi/cli/php_cli.c:1356
 [2011-10-30 01:56 UTC] laruence@php.net
I can reproduce this on Linux with a simpler script:
<?php
$arr  = array("test");
list($a)= is_array($arr)? $arr : $arr;
?>

and I have pasted the bt above~
 [2011-10-30 02:01 UTC] pajoye@php.net
-Status: Feedback +Status: Assigned -Assigned To: +Assigned To: lbarnaud
 [2011-10-30 02:01 UTC] pajoye@php.net
Arnaud, could you try to give a look please? Happens only in 5.4, the recent 
optimization in this area could be the cause.
 [2011-10-30 02:03 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1319940233
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1319940233
 [2011-10-30 02:08 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60169.phpt
Revision:   1319940509
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.phpt&revision=1319940509
 [2011-10-31 03:21 UTC] laruence@php.net
There is also a segfault with the (***)?:value notation,
like:
   <?php
     $str = array('test');
     list($a, $b) = is_array($str)?:$str;

and this makes *the patch not work* (a memory leak)
 [2011-10-31 03:24 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: invalid.patch
Revision:   1320031445
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=invalid.patch&revision=1320031445
 [2011-10-31 06:48 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60169.diff
Revision:   1320043736
URL:        https://bugs.php.net/patch-display.php?bug=60169&patch=bug60169.diff&revision=1320043736
 [2011-10-31 06:50 UTC] laruence@php.net
I have submitted a new patch. lbarnaud, please review it, thanks.
 [2011-11-03 03:59 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=318716
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP
 [2011-11-03 03:59 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2011-11-03 03:59 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-03 04:00 UTC] laruence@php.net
-Assigned To: lbarnaud +Assigned To: laruence
 [2012-04-18 09:48 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP
 [2012-07-24 23:39 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a9dbbf6dea71ae8918667fe1d4bccc3ca0dd4664
Log: Fix bug #60169 Conjunction of ternary and list crashes PHP
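
A regression check for the three reproducers posted in this thread, added here as an example; it is not part of the original report and is not the attached bug60169.phpt, whose contents are not shown on this page. Each snippet runs in a child PHP process so that a crash of the interpreter is observed as an abnormal exit instead of killing the checker; the temp-file prefix and the SURVIVED sentinel are choices made for this example.

```php
<?php
// Added example: run each reproducer from bug #60169 in a separate PHP
// process and report whether the interpreter exited cleanly.
$cases = array(
    'ternary + list (original report)' =>
        'list($a, $b) = is_array($argv) ? $argv : explode("@", $argv[1]);',
    'ternary + list (reduced)' =>
        '$arr = array("test"); list($a) = is_array($arr) ? $arr : $arr;',
    'short ternary + list' =>
        '$str = array("test"); list($a, $b) = is_array($str) ?: $str;',
);

function run_case($code)
{
    $file = tempnam(sys_get_temp_dir(), 'bug60169_');
    // The sentinel proves the script ran to its last statement rather than
    // dying part-way through; notices printed before it do not matter.
    file_put_contents($file, "<?php\n" . $code . "\necho 'SURVIVED';\n");
    // -n: ignore php.ini so local settings cannot change the outcome.
    $cmd = escapeshellarg(PHP_BINARY) . ' -n ' . escapeshellarg($file) . ' 2>&1';
    exec($cmd, $output, $status);
    unlink($file);
    return array($status, strpos(implode("\n", $output), 'SURVIVED') !== false);
}

$failed = 0;
foreach ($cases as $name => $code) {
    list($status, $survived) = run_case($code);
    // An affected build dies in the child (the report shows exit code 127
    // on Windows; the Linux backtrace shows a NULL container_ptr dereference).
    $ok = ($status === 0 && $survived);
    $failed += $ok ? 0 : 1;
    printf("%-34s exit=%d %s\n", $name, $status, $ok ? 'ok' : 'CRASH/ABNORMAL EXIT');
}
exit($failed === 0 ? 0 : 1);
```

The script exits non-zero if any case fails, so it can gate a build or package-acceptance job for a PHP binary.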
 
Last updated: Sat Apr 19 14:01:50 2014 UTC