php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65969 Chain assignment with T_LIST failure
Submitted: 2013-10-25 23:04 UTC Modified: 2013-11-27 06:31 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mwelinder at gmail dot com Assigned: dmitry
Status: Closed Package: Variables related
PHP Version: 5.4.21 OS: linux mint 15
Private report: No CVE-ID:
 [2013-10-25 23:04 UTC] mwelinder at gmail dot com
Description:
------------
Chained assignments (a=b=c;) appear to not work in some circumstances.
When sequenced assignments (b=c; a=b;) are used, things work.


Test script:
---------------
<?php

class Test {
  var $c = null;

  function funcall ()
  {
    return array(2,3);
  }
}

$o = new Test;

// Chain assignment
list ($a,$b) = $o->c = $o->funcall();
print "XXX";
print $a;
print "YYY";


// Separate assignment
$o->c = $o->funcall();
list ($a,$b) = $o->c;
print $a;
print "ZZZ";

?>


Expected result:
----------------
Expected: XXX2YYY2ZZZ


Actual result:
--------------
Actual: XXXYYY2ZZZ


Patches

bug65969-2.patch (last revision 2013-11-27 08:56 UTC) by dmitry at zend dot com)
bug65969.patch (last revision 2013-11-27 06:32 UTC) by laruence@php.net)
bug65969.phpt (last revision 2013-11-27 05:39 UTC) by laruence@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-25 23:07 UTC] mwelinder at gmail dot com
Forgot the precise version:

$ php5 --version
PHP 5.4.9-4ubuntu2.3 (cli) (built: Sep  4 2013 19:32:25) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

$ php5 -f test.php
XXXYYY2ZZZ
 [2013-10-26 17:28 UTC] phpmpan at mpan dot pl
A segfault happens on:
 - 5.5.5 (only in CLI mode), 5.4-snap and 5.5-snap on Arch64
 - 5.5.4 on unknown 64-bit Linux
Works fine on 5.3-snap.

Backtrace (5.5-snap):
#0  0x000000000065db1a in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:14781
#1  0x000000000063dbe6 in execute_ex (execute_data=0x7ffff7f8b1c8)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:363
#2  0x000000000063dc57 in zend_execute (op_array=0x7ffff7fc2578)
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_vm_execute.h:388
#3  0x00000000005f1162 in zend_eval_stringl (
    str=0x7ffff7fc1478 "list($a, $b) = $o->c = $o->funcall();\n", str_len=38, 
    retval_ptr=0x0, string_name=0x72bcdb "php shell code")
    at /home/user0/Desktop/php5.5-201310261630/Zend/zend_execute_API.c:1179
#4  0x0000000000496c5a in readline_shell_run ()
    at /home/user0/Desktop/php5.5-201310261630/ext/readline/readline_cli.c:664
#5  0x00000000006a95af in do_cli (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:992
#6  0x00000000006aa597 in main (argc=2, argv=0xa39aa0)
    at /home/user0/Desktop/php5.5-201310261630/sapi/cli/php_cli.c:1378

Valgrind tells (5.5-snap):
Invalid read of size 8
   at 0x65DB1A: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:14781)
   by 0x63DBE5: execute_ex (zend_vm_execute.h:363)
   by 0x63DC56: zend_execute (zend_vm_execute.h:388)
   by 0x5F1161: zend_eval_stringl (zend_execute_API.c:1179)
   by 0x496C59: readline_shell_run (readline_cli.c:664)
   by 0x6A95AE: do_cli (php_cli.c:992)
   by 0x6AA596: main (php_cli.c:1378)
 Address 0xc6c6eb68bec6c600 is not stack'd, malloc'd or (recently) free'd
 [2013-10-29 20:17 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2013-10-29 20:17 UTC] nikic@php.net
Reduced testcase:

<?php
$obj = new stdClass;
list($a) = $obj->prop = [1];

Valgrind output with ZMM=0:

==7793== Conditional jump or move depends on uninitialised value(s)
==7793==    at 0x826493D: _get_zval_ptr_ptr_var (zend_execute.c:378)
==7793==    by 0x8283546: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12886)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Use of uninitialised value of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793== 
==7793== Invalid read of size 4
==7793==    at 0x82673A5: zend_fetch_dimension_address_read (zend_execute.c:1253)
==7793==    by 0x8283580: ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:12887)
==7793==    by 0x8267F96: execute (zend_vm_execute.h:410)
==7793==    by 0x8234E54: zend_execute_scripts (zend.c:1319)
==7793==    by 0x81B9E8E: php_execute_script (main.c:2502)
==7793==    by 0x82C773C: do_cli (php_cli.c:989)
==7793==    by 0x82C8998: main (php_cli.c:1365)
==7793==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 [2013-11-27 05:35 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2013-11-27 05:35 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385530548
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385530548
 [2013-11-27 05:36 UTC] laruence@php.net
Dmitry, could you please look into the patch I attached? thanks
 [2013-11-27 05:39 UTC] laruence@php.net
-Summary: Chain assignment failure +Summary: Chain assignment with T_LIST failure
 [2013-11-27 05:39 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65969.phpt
Revision:   1385530777
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.phpt&revision=1385530777
 [2013-11-27 06:32 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65969.patch
Revision:   1385533921
URL:        https://bugs.php.net/patch-display.php?bug=65969&patch=bug65969.patch&revision=1385533921
 [2013-11-27 10:59 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)
 [2013-11-27 10:59 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 [2013-11-28 08:30 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16d59aa1718324ff0d4bea62fa9dfc3d4c8b16ce
Log: Fixed bug #65969 (Chain assignment with T_LIST failure)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 20:02:09 2014 UTC