PHP :: Bug #65969 :: Chain assignment with T

Bug #65969

Chain assignment with T_LIST failure

Submitted:

2013-10-25 23:04 UTC

Modified:

2013-11-27 06:31 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

mwelinder at gmail dot com

Assigned:

dmitry (profile)

Status:

Closed

Package:

Variables related

PHP Version:

5.4.21

OS:

linux mint 15

Private report:

CVE-ID:

None

View Developer Edit

[2013-10-25 23:04 UTC] mwelinder at gmail dot com

Description:
------------
Chained assignments (a=b=c;) appear to not work in some circumstances.
When sequenced assignments (b=c; a=b;) are used, things work.


Test script:
---------------
<?php

class Test {
  var $c = null;

  function funcall ()
  {
    return array(2,3);
  }
}

$o = new Test;

// Chain assignment
list ($a,$b) = $o->c = $o->funcall();
print "XXX";
print $a;
print "YYY";


// Separate assignment
$o->c = $o->funcall();
list ($a,$b) = $o->c;
print $a;
print "ZZZ";

?>


Expected result:
----------------
Expected: XXX2YYY2ZZZ


Actual result:
--------------
Actual: XXXYYY2ZZZ

Patches

bug65969-2.patch (last revision 2013-11-27 08:56 UTC by dmitry at zend dot com)
bug65969.patch (last revision 2013-11-27 06:32 UTC by laruence@php.net)
bug65969.phpt (last revision 2013-11-27 05:39 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-10-25 23:07 UTC] mwelinder at gmail dot com

Forgot the precise version:

$ php5 --version
PHP 5.4.9-4ubuntu2.3 (cli) (built: Sep  4 2013 19:32:25) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

$ php5 -f test.php
XXXYYY2ZZZ

[2013-10-26 17:28 UTC] phpmpan at mpan dot pl

A segfault happens on:
 - 5.5.5 (only in CLI mode), 5.4-snap and 5.5-snap on Arch64
 - 5.5.4 on unknown 64-bit Linux
Works fine on 5.3-snap.

Backtrace (5.5-snap):
#0  0x000000000065db1a in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:14781
#1  0x000000000063dbe6 in execute_ex (execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:363
#2  0x000000000063dc57 in zend_execute (op_array=0x7ffff7fc2578)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:388
#3  0x00000000005f1162 in zend_eval_stringl (
    str=0x7ffff7fc1478 "list($a, $b) = $o->c = $o->funcall();\n", str_len=38, 
    retval_ptr=0x0, string_name=0x72bcdb "php shell code")
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_execute_API.c:1179
#4  0x0000000000496c5a in readline_shell_run ()
    at /home/user0/Desktop/php5.5-201310261630/ext/readline/readline_cli.c:664
#5  0x00000000006a95af in do_cli (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:992
#6  0x00000000006aa597 in main (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:1378

Valgrind tells (5.5-snap):
Invalid read of size 8
   at 0x65DB1A: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:14781)
   by 0x63DBE5: execute_ex (zend_vm_execute.h:363)
   by 0x63DC56: zend_execute (zend_vm_execute.h:388)
   by 0x5F1161: zend_eval_stringl (zend_execute_API.c:1179)
   by 0x496C59: readline_shell_run (readline_cli.c:664)
   by 0x6A95AE: do_cli (php_cli.c:992)
   by 0x6AA596: main (php_cli.c:1378)
 Address 0xc6c6eb68bec6c600 is not stack'd, malloc'd or (recently) free'd

[2013-10-29 20:17 UTC] nikic@php.net

-Status: Open +Status: Verified

[2013-10-29 20:17 UTC] nikic@php.net

Reduced testcase:

<?php
$obj = new stdClass;
list($a) = $obj->prop = [1];

Valgrind output with ZMM=0:

==7793== Conditional jump or move depends on uninitialised value(s)
==7793==    at 0x826493D: _get_zval_ptr_ptr_var (zend_execute.c:378)
==7793==    by 0x8283546: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12886)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Use of uninitialised value of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Invalid read of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

[2013-11-26 19:09 UTC] requinix@php.net

Related To: Bug #66181

[2013-11-27 05:35 UTC] laruence@php.net

-Assigned To: +Assigned To: dmitry

[2013-11-27 05:35 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385530548
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385530548

[2013-11-27 05:36 UTC] laruence@php.net

Dmitry, could you please look into the patch I attached? thanks

[2013-11-27 05:39 UTC] laruence@php.net

-Summary: Chain assignment failure +Summary: Chain assignment with T_LIST failure

[2013-11-27 05:39 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.phpt
Revision:   1385530777
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.phpt&revision=1385530777

[2013-11-27 06:32 UTC] laruence@php.net

The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385533921
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385533921

[2013-11-27 10:59 UTC] dmitry@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2013-11-27 10:59 UTC] dmitry@php.net

-Status: Verified +Status: Closed

[2013-11-28 08:30 UTC] ab@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2014-10-07 23:16 UTC] stas@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 16:00:01 2025 UTC