PHP :: Bug #71094 :: readline_completion_function corrupts static array on (second) TAB

Bug #71094

readline_completion_function corrupts static array on (second) TAB

Submitted:

2015-12-11 14:54 UTC

Modified:

2015-12-11 15:19 UTC

Votes:	1
Avg. Score:	1.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

ml at visu dot li

Assigned:

nikic (profile)

Status:

Closed

Package:

Readline related

PHP Version:

7.0.0

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2015-12-11 14:54 UTC] ml at visu dot li

Description:
------------
Module: readline
Function: readline_completion_function
Version: PHP 7.0.0 (cli) (built: Dec  9 2015 16:07:56) ( NTS )

In PHP7 a static array containing possible matches for the readline completion that is returned gets corrupted on the second <TAB>.

If this static array of possible matches contains a string with a length of >= 16, it is changed to "Closure::__invoke".

Other values in the array might simply disappear. (See Test Script Results)

Works fine with PHP5 (5.6.12-0+deb8u1), broken in PHP7.

I'm not an expert in gdb or debugging of C programs, so please forgive me for not adding a gdb backtrace.

Test script:
---------------
<?php
error_reporting(E_ALL);

readline_completion_function(function() {
    static $possible_matches = array(
        'sixteencharacter', // 16 characters or a longer string
        '1',
        '2',
        '3',
        '4',
        '5',
    );

    var_dump($possible_matches);

    return $possible_matches;
});

readline();

Expected result:
----------------
array(6) {
  [0] =>
  string(16) "sixteencharacter"
  [1] =>
  string(1) "1"
  [2] =>
  string(1) "2"
  [3] =>
  string(1) "3"
  [4] =>
  string(1) "4"
  [5] =>
  string(1) "5"
}
array(6) {
  [0] =>
  string(16) "sixteencharacter"
  [1] =>
  string(1) "1"
  [2] =>
  string(1) "2"
  [3] =>
  string(1) "3"
  [4] =>
  string(1) "4"
  [5] =>
  string(1) "5"
}

1                2                3                4                5                sixteencharacter

Actual result:
--------------
array(6) {
  [0]=>
  string(16) "sixteencharacter"
  [1]=>
  string(1) "1"
  [2]=>
  string(1) "2"
  [3]=>
  string(1) "3"
  [4]=>
  string(1) "4"
  [5]=>
  string(1) "5"
}
array(6) {
  [0]=>
  string(17) "Closure::__invoke"
  [1]=>
  string(1) "1"
  [2]=>
  string(1) "2"
  [3]=>
  string(1) "3"
  [4]=>
  string(1) "4"
  [5]=>
  string(0) ""
}

                   1                  2                  3                  4                  Closure::__invoke

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-12-11 14:58 UTC] ml at visu dot li

About the Expected and Actual results:

1st TAB click. Outputs var_dump of $possible_matches array.
2nd TAB click. Outputs var_dump of CORRUPTED $possible_matches array.
At the end the possible matches are printed.

So it's basically running the script and hitting TAB twice.

[2015-12-11 15:19 UTC] nikic@php.net

-Assigned To: +Assigned To: nikic

[2015-12-11 15:19 UTC] nikic@php.net

zval_dtor instead of zval_ptr_dtor on line http://lxr.php.net/xref/PHP_MASTER/ext/readline/readline.c#508.

[2015-12-11 15:34 UTC] nikic@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04407b79dfa41a38a6bce3823b3f80eab9ce3ae8
Log: Fixed bug #71094

[2015-12-11 15:34 UTC] nikic@php.net

-Status: Assigned +Status: Closed

[2016-07-20 11:34 UTC] davey@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04407b79dfa41a38a6bce3823b3f80eab9ce3ae8
Log: Fixed bug #71094

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 07:00:01 2025 UTC