php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68775 yield in a function argument crashes or loops indefinitely
Submitted: 2015-01-09 09:35 UTC Modified: 2015-01-09 09:35 UTC
From: bwoebi@php.net Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-01-09 (Git) OS: Irrelevant
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bwoebi@php.net
New email:
PHP Version: OS:

 

 [2015-01-09 09:35 UTC] bwoebi@php.net
Description:
------------
Variants of that code (dependent on where execute_data->prev_execute_data is first needed) may also crash.

My longer analysis resumed:
EG(vm_stack_top) is reset to generator->stack->top in the next resume after zend_vm_stack_push_call_frame was called in the ZEND_INIT_FCALL_BY_NAME, that stack frame is now equal to EG(vm_stack_top), which is then returned in the next stack frame allocation (the var_dump one in the example) and prev_execute_data is set there to the address of the stack frame itself.

Adding generator->stack->top = EG(vm_stack_top); on line 330 of zend_generators.c fixed the bug for me, but not sure if that's safe...

Test script:
---------------
function a($x) {
    var_dump($x);
}

function gen() {
     a(yield);
}

$g = gen();
$g->send(1);

Expected result:
----------------
int(1)

Actual result:
--------------
Infinite loop: execute_data->prev_execute_data == execute_data

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-09 09:35 UTC] bwoebi@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: nikic
 [2015-01-09 16:59 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41a249fef602b8cbfdc70fc8179e48cc1387b821
Log: Fix bug #68775
 [2015-01-09 16:59 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=41a249fef602b8cbfdc70fc8179e48cc1387b821
Log: Fix bug #68775
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Jul 07 05:01:36 2025 UTC