php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76711 OPcache enabled triggers false-positive "Illegal string offset"
Submitted: 2018-08-06 14:08 UTC Modified: 2018-09-20 08:04 UTC
From: nicolas dot grekas+php at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: opcache
PHP Version: 7.3Git-2018-08-06 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nicolas dot grekas+php at gmail dot com
New email:
PHP Version: OS:

 

 [2018-08-06 14:08 UTC] nicolas dot grekas+php at gmail dot com
Description:
------------
when running the Symfony test suite on PHP 7.3 with opcache.enable_cli=1, some tests fail with "Illegal string offset '...'" errors, which make no sense:

Example build is:
https://travis-ci.org/nicolas-grekas/symfony/builds/411802579#L2508

The reported line reads as such:
> if (!$uri || '#' == $uri[0] || '?' == $uri[0]) {
See https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L668

It looks like there is a leak from L649 to L668:
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L649


Test script:
---------------
No better reproducer sorry:

git clone https://github.com/symfony/symfony
cd symfony
composer install
./phpunit install
php -dopcache.enable_cli=1 ./phpunit src/Symfony/Component/BrowserKit



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-06 14:11 UTC] jpauli@php.net
-Status: Open +Status: Verified
 [2018-08-07 07:28 UTC] laruence@php.net
I can not reproduce this,  what I got is:
$ /home/huixinchen/local/php73/bin/php -d opcache.enable_cli=1 -d error_reporting=-1 -d display_errors=1 ./phpunit src/Symfony/Component/BrowserKit
#!/usr/bin/env php
PHPUnit 6.5.10 by Sebastian Bergmann and contributors.

Testing src/Symfony/Component/BrowserKit
.............................................F.................  63 / 136 ( 46%)
............................................................... 126 / 136 ( 92%)
..........                                                      136 / 136 (100%)

Time: 691 ms, Memory: 4.00MB

There was 1 failure:

1) Symfony\Component\BrowserKit\Tests\ClientTest::testFollowMetaRefresh with data set #7 ('<html><head><noscript><meta h.../html>', 'http://www.example.com/redirected')
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'http://www.example.com/redirected'
+'http://www.example.com/foo/foobar'

/home/huixinchen/opensource/github/symfony/src/Symfony/Component/BrowserKit/Tests/ClientTest.php:669
/home/huixinchen/opensource/github/symfony/.phpunit/phpunit-6.5/phpunit:5

FAILURES!
Tests: 136, Assertions: 312, Failures: 1.
 [2018-09-20 06:47 UTC] nicolas dot grekas+php at gmail dot com
This issue still exists in 7.3.0RC1, see failures at
https://travis-ci.org/nicolas-grekas/symfony/builds/430883587
 [2018-09-20 07:56 UTC] nikic@php.net
Valgrind says:

==5806== Conditional jump or move depends on uninitialised value(s)
==5806==    at 0xA652CA: ZEND_FETCH_DIM_R_INDEX_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:41973)
==5806==    by 0xA7D01D: execute_ex (zend_vm_execute.h:59659)
==5806==    by 0xA7E0D5: zend_execute (zend_vm_execute.h:60703)
==5806==    by 0x9A3D55: zend_execute_scripts (zend.c:1562)
==5806==    by 0x90A5A8: php_execute_script (main.c:2636)
==5806==    by 0xA80E2A: do_cli (php_cli.c:997)
==5806==    by 0xA81FA0: main (php_cli.c:1390)

This is likely a bug in literal compaction. It probably combines two integer literals, one with Z_EXTRA=0 and one with unspecified Z_EXTRA. The unspecified Z_EXTRA is then used in FETCH_DIM_R_INDEX.
 [2018-09-20 07:58 UTC] nikic@php.net
Here is a simple reproduce (under valgrind):

<?php
  
function test($foo) {
    var_dump(0);
    var_dump($foo[0]);
}
test("str");
 [2018-09-20 08:04 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2018-09-20 09:34 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b8ffa3707c07e6edbe5db5a3fdf5516ba1f6bef0
Log: Fixed bug #76711 (OPcache enabled triggers false-positive &quot;Illegal string offset&quot;)
 [2018-09-20 09:34 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 14:01:28 2024 UTC