php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76711 OPcache enabled triggers false-positive "Illegal string offset"
Submitted: 2018-08-06 14:08 UTC Modified: 2018-09-20 08:04 UTC
From: nicolas dot grekas+php at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: opcache
PHP Version: 7.3Git-2018-08-06 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nicolas dot grekas+php at gmail dot com
New email:
PHP Version: OS:

 

 [2018-08-06 14:08 UTC] nicolas dot grekas+php at gmail dot com
Description:
------------
when running the Symfony test suite on PHP 7.3 with opcache.enable_cli=1, some tests fail with "Illegal string offset '...'" errors, which make no sense:

Example build is:
https://travis-ci.org/nicolas-grekas/symfony/builds/411802579#L2508

The reported line reads as such:
> if (!$uri || '#' == $uri[0] || '?' == $uri[0]) {
See https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L668

It looks like there is a leak from L649 to L668:
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/BrowserKit/Client.php#L649


Test script:
---------------
No better reproducer sorry:

git clone https://github.com/symfony/symfony
cd symfony
composer install
./phpunit install
php -dopcache.enable_cli=1 ./phpunit src/Symfony/Component/BrowserKit



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-06 14:11 UTC] jpauli@php.net
-Status: Open +Status: Verified
 [2018-08-07 07:28 UTC] laruence@php.net
I can not reproduce this,  what I got is:
$ /home/huixinchen/local/php73/bin/php -d opcache.enable_cli=1 -d error_reporting=-1 -d display_errors=1 ./phpunit src/Symfony/Component/BrowserKit
#!/usr/bin/env php
PHPUnit 6.5.10 by Sebastian Bergmann and contributors.

Testing src/Symfony/Component/BrowserKit
.............................................F.................  63 / 136 ( 46%)
............................................................... 126 / 136 ( 92%)
..........                                                      136 / 136 (100%)

Time: 691 ms, Memory: 4.00MB

There was 1 failure:

1) Symfony\Component\BrowserKit\Tests\ClientTest::testFollowMetaRefresh with data set #7 ('<html><head><noscript><meta h.../html>', 'http://www.example.com/redirected')
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'http://www.example.com/redirected'
+'http://www.example.com/foo/foobar'

/home/huixinchen/opensource/github/symfony/src/Symfony/Component/BrowserKit/Tests/ClientTest.php:669
/home/huixinchen/opensource/github/symfony/.phpunit/phpunit-6.5/phpunit:5

FAILURES!
Tests: 136, Assertions: 312, Failures: 1.
 [2018-09-20 06:47 UTC] nicolas dot grekas+php at gmail dot com
This issue still exists in 7.3.0RC1, see failures at
https://travis-ci.org/nicolas-grekas/symfony/builds/430883587
 [2018-09-20 07:56 UTC] nikic@php.net
Valgrind says:

==5806== Conditional jump or move depends on uninitialised value(s)
==5806==    at 0xA652CA: ZEND_FETCH_DIM_R_INDEX_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:41973)
==5806==    by 0xA7D01D: execute_ex (zend_vm_execute.h:59659)
==5806==    by 0xA7E0D5: zend_execute (zend_vm_execute.h:60703)
==5806==    by 0x9A3D55: zend_execute_scripts (zend.c:1562)
==5806==    by 0x90A5A8: php_execute_script (main.c:2636)
==5806==    by 0xA80E2A: do_cli (php_cli.c:997)
==5806==    by 0xA81FA0: main (php_cli.c:1390)

This is likely a bug in literal compaction. It probably combines two integer literals, one with Z_EXTRA=0 and one with unspecified Z_EXTRA. The unspecified Z_EXTRA is then used in FETCH_DIM_R_INDEX.
 [2018-09-20 07:58 UTC] nikic@php.net
Here is a simple reproduce (under valgrind):

<?php
  
function test($foo) {
    var_dump(0);
    var_dump($foo[0]);
}
test("str");
 [2018-09-20 08:04 UTC] nikic@php.net
-Assigned To: +Assigned To: dmitry
 [2018-09-20 09:34 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b8ffa3707c07e6edbe5db5a3fdf5516ba1f6bef0
Log: Fixed bug #76711 (OPcache enabled triggers false-positive &quot;Illegal string offset&quot;)
 [2018-09-20 09:34 UTC] dmitry@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 07 06:01:27 2024 UTC