|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76752 Crash in ZEND_COALESCE_SPEC_TMP_HANDLER - assertion in _get_zval_ptr_tmp failed
Submitted: 2018-08-16 12:47 UTC Modified: 2018-08-16 21:27 UTC
From: bugs dot php dot net at majkl578 dot cz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.3Git-2018-08-16 (Git) OS: Linux
Private report: No CVE-ID: None
 [2018-08-16 12:47 UTC] bugs dot php dot net at majkl578 dot cz
While testing PHP 7.3 with Roave/BetterReflection library, I ran into PHP assertion errors [1], possibly regarding corrupted zvals.

Crashes on the following statement [2]:
$namespace->stmts ?? []

When PHP is not compiled in debug mode, this reproduces as "TypeError: array_filter() expects parameter 1 to be array, array given".


Test script:
I was unable to reproduce it in a standalone script, so providing a simple functional reproducer instead:

git clone --depth=1 --branch=3.1.1
cd BetterReflection
composer update
php7.3 vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes

Expected result:
No crash.

Actual result:
$ gdb -q --args <php-binary> vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes
Reading symbols from <php-binary>...done.

(gdb) run
Starting program: <php-binary> vendor/bin/phpunit test/unit/TypesFinder/FindPropertyTypeTest.php --filter testNamespaceRes
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
[Detaching after fork from child process 2653]
PHPUnit 7.3.1 by Sebastian Bergmann and contributors.

php: <php-root>/Zend/zend_execute.c:233: _get_zval_ptr_tmp: Assertion `zval_get_type(&(*(ret))) != 10' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff783d2f1 in __GI_abort () at abort.c:79
#2  0x00007ffff7834a8a in __assert_fail_base (fmt=0x7ffff7988ec8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55555645b808 "zval_get_type(&(*(ret))) != 10", file=file@entry=0x55555645b7e0 "<php-root>/Zend/zend_execute.c", line=line@entry=233, 
    function=function@entry=0x55555645de90 <__PRETTY_FUNCTION__.13265> "_get_zval_ptr_tmp") at assert.c:92
#3  0x00007ffff7834b02 in __GI___assert_fail (assertion=0x55555645b808 "zval_get_type(&(*(ret))) != 10", file=0x55555645b7e0 "<php-root>/Zend/zend_execute.c", line=233, function=0x55555645de90 <__PRETTY_FUNCTION__.13265> "_get_zval_ptr_tmp") at assert.c:101
#4  0x0000555555c48a3d in _get_zval_ptr_tmp (var=96, should_free=0x7fffffffa3a0) at <php-root>/Zend/zend_execute.c:233
#5  0x0000555555c774f2 in ZEND_COALESCE_SPEC_TMP_HANDLER () at <php-root>/Zend/zend_vm_execute.h:18404
#6  0x0000555555cbb89c in execute_ex (ex=0x7ffff4c1f030) at <php-root>/Zend/zend_vm_execute.h:57446
#7  0x0000555555cbf0e2 in zend_execute (op_array=0x7ffff4c85300, return_value=0x0) at <php-root>/Zend/zend_vm_execute.h:60882
#8  0x0000555555bee6e7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at <php-root>/Zend/zend.c:1562
#9  0x0000555555b5e33e in php_execute_script (primary_file=0x7fffffffdbb0) at <php-root>/main/main.c:2630
#10 0x0000555555cc1b02 in do_cli (argc=5, argv=0x555556633240) at <php-root>/sapi/cli/php_cli.c:997
#11 0x0000555555cc2a82 in main (argc=5, argv=0x555556633240) at <php-root>/sapi/cli/php_cli.c:1390


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-16 21:27 UTC]
-Status: Open +Status: Verified
 [2018-08-16 21:27 UTC]
Simple reproducer:

    $obj = new stdClass;
    $val = 'foo';
    $obj->prop = &$val;
    var_dump($obj->prop ?? []);

Running with `-d opcache.opt_debug_level=0x10000` yields:

    $_main: ; (lines=13, args=0, vars=2, tmps=9)
        ; (before optimizer)
        ; C:\Users\cmb\php-sdk\phpdev\vc15\x64\76752.php:1-6
    L0 (3):     V2 = NEW 0 string("stdClass")
    L1 (3):     DO_FCALL
    L2 (3):     ASSIGN CV0($obj) V2
    L3 (4):     ASSIGN CV1($val) string("foo")
    L4 (5):     V6 = FETCH_OBJ_W CV0($obj) string("prop")
    L5 (5):     ASSIGN_REF V6 CV1($val)
    L6 (6):     INIT_FCALL 1 96 string("var_dump")
    L7 (6):     T8 = FETCH_OBJ_IS CV0($obj) string("prop")
    L8 (6):     T9 = COALESCE T8 L10
    L9 (6):     T9 = QM_ASSIGN array(...)
    L10 (6):    SEND_VAL T9 1
    L11 (6):    DO_ICALL
    L12 (6):    RETURN int(1)
    Assertion failed: zval_get_type(&(*(ret))) != 10, file Zend\zend_execute.c, line 233

Apparently, T8 is a reference, although TMPs are not supposed to
be references.
 [2018-08-17 04:20 UTC]
Automatic comment on behalf of
Log: Fixed bug #76752 (Crash in ZEND_COALESCE_SPEC_TMP_HANDLER - assertion in _get_zval_ptr_tmp failed).
 [2018-08-17 04:20 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Wed Sep 27 06:01:24 2023 UTC