php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71094 readline_completion_function corrupts static array on (second) TAB
Submitted: 2015-12-11 14:54 UTC Modified: 2015-12-11 15:19 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ml at visu dot li Assigned: nikic
Status: Closed Package: Readline related
PHP Version: 7.0.0 OS: Linux
Private report: No CVE-ID:
 [2015-12-11 14:54 UTC] ml at visu dot li
Description:
------------
Module: readline
Function: readline_completion_function
Version: PHP 7.0.0 (cli) (built: Dec  9 2015 16:07:56) ( NTS )

In PHP7 a static array containing possible matches for the readline completion that is returned gets corrupted on the second <TAB>.

If this static array of possible matches contains a string with a length of >= 16, it is changed to "Closure::__invoke".

Other values in the array might simply disappear. (See Test Script Results)

Works fine with PHP5 (5.6.12-0+deb8u1), broken in PHP7.

I'm not an expert in gdb or debugging of C programs, so please forgive me for not adding a gdb backtrace.

Test script:
---------------
<?php
error_reporting(E_ALL);

readline_completion_function(function() {
    static $possible_matches = array(
        'sixteencharacter', // 16 characters or a longer string
        '1',
        '2',
        '3',
        '4',
        '5',
    );

    var_dump($possible_matches);

    return $possible_matches;
});

readline();

Expected result:
----------------
array(6) {
  [0] =>
  string(16) "sixteencharacter"
  [1] =>
  string(1) "1"
  [2] =>
  string(1) "2"
  [3] =>
  string(1) "3"
  [4] =>
  string(1) "4"
  [5] =>
  string(1) "5"
}
array(6) {
  [0] =>
  string(16) "sixteencharacter"
  [1] =>
  string(1) "1"
  [2] =>
  string(1) "2"
  [3] =>
  string(1) "3"
  [4] =>
  string(1) "4"
  [5] =>
  string(1) "5"
}

1                2                3                4                5                sixteencharacter

Actual result:
--------------
array(6) {
  [0]=>
  string(16) "sixteencharacter"
  [1]=>
  string(1) "1"
  [2]=>
  string(1) "2"
  [3]=>
  string(1) "3"
  [4]=>
  string(1) "4"
  [5]=>
  string(1) "5"
}
array(6) {
  [0]=>
  string(17) "Closure::__invoke"
  [1]=>
  string(1) "1"
  [2]=>
  string(1) "2"
  [3]=>
  string(1) "3"
  [4]=>
  string(1) "4"
  [5]=>
  string(0) ""
}

                   1                  2                  3                  4                  Closure::__invoke

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-12-11 14:58 UTC] ml at visu dot li
About the Expected and Actual results:

1st TAB click. Outputs var_dump of $possible_matches array.
2nd TAB click. Outputs var_dump of CORRUPTED $possible_matches array.
At the end the possible matches are printed.

So it's basically running the script and hitting TAB twice.
 [2015-12-11 15:19 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2015-12-11 15:19 UTC] nikic@php.net
zval_dtor instead of zval_ptr_dtor on line http://lxr.php.net/xref/PHP_MASTER/ext/readline/readline.c#508.
 [2015-12-11 15:34 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04407b79dfa41a38a6bce3823b3f80eab9ce3ae8
Log: Fixed bug #71094
 [2015-12-11 15:34 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:34 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04407b79dfa41a38a6bce3823b3f80eab9ce3ae8
Log: Fixed bug #71094
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Apr 29 17:01:36 2017 UTC