Bug #75786 segfault when using spread operator on generator passed by reference
Submitted: 2018-01-09 15:49 UTC Modified: 2018-01-09 17:50 UTC
From: chris at kruining dot eu Assigned:
Status: Closed Package: *General Issues
PHP Version: PHP 7.1.12-1 (Debian does not yet have 7.1.13 or 7.2.1) OS: Debian - buster
Private report: No CVE-ID: None
 [2018-01-09 15:49 UTC] chris at kruining dot eu
Description:
------------
I've encountered this weird segfault.

It seems to be a combination of 'newer' techniques that goes wrong somewhere:
    - iteration by reference :: demonstrated in the `Foo` class
    - array destruction :: at the end of the example
    - output :: all the var_dumps (both the locations and amount of var_dumps seem to matter)

I have no clue why this goes wrong, nor does the error log provide useful information (at least for me).

php error log :: 
[Tue Jan 09 16:46:08.907851 2018] [proxy_fcgi:error] [pid 53058:tid 140258613700352] [client 192.168.198.88:55790] AH01067: Failed to read FastCGI header
[Tue Jan 09 16:46:08.907896 2018] [proxy_fcgi:error] [pid 53058:tid 140258613700352] (104)Connection reset by peer: [client 192.168.198.88:55790] AH01075: Error dispatching request to :

sys log ::
Alert from syslog-ng Jan  9 16:46:08 remote kernel: [926537.733411] traps: php-fpm7.1[59524] general protection ip:55a832274080 sp:7ffca575e3d0 error:0 in php-fpm7.1[55a832036000+3d0000]

I hope that I have provided enough information to be helpful :D

Test script:
---------------
<?php

class Foo implements IteratorAggregate
{
    protected $items = [
        'this',
        'is',
        'a',
        'item',
    ];
    
    public function &getIterator(): Generator
    {
        foreach($this->items as $key => &$value)
        {
            yield $key => $value;
        }
        
        unset($value);
    }
}

class Bar
{
    public function doSomething(string $these, string $are, string $some, string $parameters): string
    {
        var_dump($these, $are, $some, $parameters);
        
        return 'success';
    }
}

$data = [
    new Bar,
    'doSomething',
    new Foo,
];

foreach($data[2] as $key => &$value)
{
    $value .= ' foo';
    
    var_dump($value);
}

unset($value);

// Some other code...

[
    $obj,
    $method,
    $arguments,
] = $data;

var_dump($arguments, $obj->$method(...$arguments));

?>


 [2018-01-09 15:51 UTC] chris at kruining dot eu
-Summary: PHP 7.1.12-1 (Debian does not yet have 7.1.13 or 7.2.1)
+Summary: segfault when using spread operator on generator passed by reference
-PHP Version: 7.1.13
+PHP Version: PHP 7.1.12-1 (Debian does not yet have 7.1.13 or 7.2.1)
 [2018-01-09 15:51 UTC] chris at kruining dot eu
updated the summary
 [2018-01-09 17:50 UTC] nikic@php.net
-Status: Open
+Status: Verified
 [2018-01-09 17:50 UTC] nikic@php.net
Verified on master. First memory error:

==24021== Invalid read of size 4
==24021==    at 0xC43FC8: zend_gc_addref (zend_types.h:922)
==24021==    by 0xCAF4B0: ZEND_SEND_VAR_SPEC_CV_HANDLER (zend_vm_execute.h:38478)
==24021==    by 0xCD7924: execute_ex (zend_vm_execute.h:57842)
==24021==    by 0xCD7A78: zend_execute (zend_vm_execute.h:61753)
==24021==    by 0xBE7BA8: zend_execute_scripts (zend.c:1538)
==24021==    by 0xB49FAF: php_execute_script (main.c:2467)
==24021==    by 0xCDA420: do_cli (php_cli.c:1011)
==24021==    by 0xCDB5DD: main (php_cli.c:1404)
==24021==  Address 0xfb67160 is 0 bytes inside a block of size 40 free'd
==24021==    at 0x4C2ED7B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24021==    by 0xBABC2C: _efree (zend_alloc.c:2499)
==24021==    by 0xBE3A5F: _zval_dtor_func (zend_variables.c:39)
==24021==    by 0xC447AD: i_zval_ptr_dtor (zend_variables.h:49)
==24021==    by 0xCD705D: ZEND_YIELD_SPEC_CV_CV_HANDLER (zend_vm_execute.h:52673)
==24021==    by 0xCD7924: execute_ex (zend_vm_execute.h:57842)
==24021==    by 0xC28894: zend_generator_resume (zend_generators.c:811)
==24021==    by 0xC29B16: zend_generator_iterator_move_forward (zend_generators.c:1156)
==24021==    by 0xC50588: ZEND_SEND_UNPACK_SPEC_HANDLER (zend_vm_execute.h:1330)
==24021==    by 0xCD7924: execute_ex (zend_vm_execute.h:57842)
==24021==    by 0xCD7A78: zend_execute (zend_vm_execute.h:61753)
==24021==    by 0xBE7BA8: zend_execute_scripts (zend.c:1538)
==24021==  Block was alloc'd at
==24021==    at 0x4C2DB4F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24021==    by 0xBAC8B4: __zend_malloc (zend_alloc.c:2884)
==24021==    by 0xBABB85: _emalloc (zend_alloc.c:2484)
==24021==    by 0xBE35FF: zend_string_alloc (zend_string.h:136)
==24021==    by 0xBE366F: zend_string_init (zend_string.h:172)
==24021==    by 0xBE36EB: zend_string_dup (zend_string.h:192)
==24021==    by 0xBE3F85: _zval_copy_ctor_func (zend_variables.c:172)
==24021==    by 0xC5047A: ZEND_SEND_UNPACK_SPEC_HANDLER (zend_vm_execute.h:1320)
==24021==    by 0xCD7924: execute_ex (zend_vm_execute.h:57842)
==24021==    by 0xCD7A78: zend_execute (zend_vm_execute.h:61753)
==24021==    by 0xBE7BA8: zend_execute_scripts (zend.c:1538)
==24021==    by 0xB49FAF: php_execute_script (main.c:2467)
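
Added example (not part of the bug report or of php-src): a small Python triage helper that splits a memcheck error like the one above into its access, free and allocation stacks and reports the first Zend VM opcode handler (`ZEND_*_HANDLER`) in each. The embedded report is an excerpt of the trace above with frames trimmed; the function and field names are this example's own.

```python
import re

# Excerpt of the memcheck report quoted above (some frames trimmed).
REPORT = """\
==24021== Invalid read of size 4
==24021==    at 0xC43FC8: zend_gc_addref (zend_types.h:922)
==24021==    by 0xCAF4B0: ZEND_SEND_VAR_SPEC_CV_HANDLER (zend_vm_execute.h:38478)
==24021==  Address 0xfb67160 is 0 bytes inside a block of size 40 free'd
==24021==    at 0x4C2ED7B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24021==    by 0xBABC2C: _efree (zend_alloc.c:2499)
==24021==    by 0xC447AD: i_zval_ptr_dtor (zend_variables.h:49)
==24021==    by 0xCD705D: ZEND_YIELD_SPEC_CV_CV_HANDLER (zend_vm_execute.h:52673)
==24021==    by 0xC29B16: zend_generator_iterator_move_forward (zend_generators.c:1156)
==24021==    by 0xC50588: ZEND_SEND_UNPACK_SPEC_HANDLER (zend_vm_execute.h:1330)
==24021==  Block was alloc'd at
==24021==    at 0x4C2DB4F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24021==    by 0xBE3F85: _zval_copy_ctor_func (zend_variables.c:172)
==24021==    by 0xC5047A: ZEND_SEND_UNPACK_SPEC_HANDLER (zend_vm_execute.h:1320)
"""

ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
BLOCK = re.compile(r"is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")

def triage(report):
    """Split one memcheck error into access/free/alloc stacks and summarise it."""
    stacks = {"access": [], "free": [], "alloc": []}
    info, section = {"kind": "invalid-access"}, None
    for line in report.splitlines():
        body = re.sub(r"^==\d+==\s*", "", line)  # drop the ==pid== prefix
        if m := ACCESS.match(body):
            section = "access"
            info["op"], info["size"] = m.group(1), int(m.group(2))
        elif m := BLOCK.search(body):
            # The accessed address lies inside a block that was already freed.
            section, info["kind"] = "free", "use-after-free"
            info["offset"], info["block_size"] = int(m.group(1)), int(m.group(2))
        elif body.startswith("Block was alloc'd at"):
            section = "alloc"
        elif section and (m := FRAME.match(body)):
            stacks[section].append(m.groups())  # (function, location)
    # First opcode handler in each stack: the PHP-level operation involved.
    for name, frames in stacks.items():
        info[name + "_opcode"] = next(
            (fn for fn, _ in frames if fn.endswith("_HANDLER")), None)
    return info

if __name__ == "__main__":
    print(triage(REPORT))
```

For this trace the summary is a use-after-free: a 40-byte block allocated under ZEND_SEND_UNPACK, freed under ZEND_YIELD while the generator was advanced, then read by ZEND_SEND_VAR.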
 [2018-01-09 19:25 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fd30c59e041eb4ccaabb2099bb3be15a55e2988d
Log: Fixed bug #75786
 [2018-01-09 19:25 UTC] nikic@php.net
-Status: Verified
+Status: Closed
 