Bug #77530 PHP crashes when parsing `(2)::class`
Submitted: 2019-01-27 21:49 UTC Modified: 2019-01-28 13:34 UTC
From: tysonandre775 at hotmail dot com Assigned: kalle (profile)
Status: Closed Package: *General Issues
PHP Version: 7.3.2RC1 OS:
Private report: No CVE-ID: None

 [2019-01-27 21:49 UTC] tysonandre775 at hotmail dot com
Description:
------------
When an expression such as `(2)::class` (with brackets) is parsed in source code, PHP (debug and non-debug) crashes.

Debug builds emit this failure: "/path/to/php-src/Zend/zend_ast.h:298: zend_ast_get_str: Assertion `zval_get_type(&(*(zv))) == 6' failed."

This may also affect stable PHP versions. I also saw this in a recent PHP 7.4 build.

Non-debug builds segfault:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000009b5e19 in zend_get_class_fetch_type ()
(gdb) bt
#0  0x00000000009b5e19 in zend_get_class_fetch_type ()
#1  0x00000000009b62e0 in zend_try_compile_const_expr_resolve_class_name.part ()
#2  0x00000000009bcc5a in zend_compile_class_const ()
#3  0x00000000009bd255 in zend_compile_expr ()
#4  0x00000000009be6ab in zend_compile_echo ()
#5  0x00000000009c55e8 in zend_compile_stmt ()
#6  0x00000000009c972a in zend_compile_top_stmt ()
#7  0x00000000009c977f in zend_compile_top_stmt ()
#8  0x00000000009c977f in zend_compile_top_stmt ()
#9  0x000000000099c3dd in zend_compile ()
#10 0x000000000099dfb8 in compile_string ()
#11 0x00000000009cd00b in zend_eval_stringl ()
#12 0x00000000007e6967 in readline_shell_run ()
#13 0x0000000000a822c5 in do_cli ()
#14 0x000000000045f56c in main ()
```


Test script:
---------------
```
<?php
if (false) {
    echo (2)::class;
}
```

Expected result:
----------------
Should not segfault. Instead, it should emit a similar error to what PHP already does in other cases:

```
php > echo []::class;
Fatal error: Dynamic class names are not allowed in compile-time ::class fetch in php shell code on line 1
```
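
A small regression harness for the behaviour reported above, added here as an example and not part of the original report or of php-src: it feeds the report's test script to a PHP binary and tells a signal death (SIGSEGV, or SIGABRT from the debug-build assertion) apart from a clean compile error. The names `classify` and `check`, and the choice to run `php -n` with the script on stdin, are assumptions of this example.

```python
import shutil
import signal
import subprocess
import sys

# Test script from the report. The if (false) guard means the statement never
# runs, so any failure comes from compilation alone.
SNIPPET = "<?php\nif (false) {\n    echo (2)::class;\n}\n"


def classify(returncode):
    """Map a PHP exit status to (verdict, detail).

    Handles subprocess-style signal codes (-11) and shell-style 128+N (139).
    """
    signum = None
    if returncode < 0:
        signum = -returncode
    elif returncode > 128:
        signum = returncode - 128
    if signum is not None:
        try:
            return ("crash", signal.Signals(signum).name)
        except ValueError:
            pass  # 255 - 128 = 127 is no signal; 255 is PHP's fatal-error exit
    if returncode == 0:
        return ("compiled", "no error")
    return ("rejected", "exit %d" % returncode)


def check(php_binary="php"):
    """Compile SNIPPET with php_binary; returns None if it is not on PATH."""
    path = shutil.which(php_binary)
    if path is None:
        return None
    # -n skips php.ini so local settings do not affect the result; the script
    # is read from stdin.
    proc = subprocess.run([path, "-n"], input=SNIPPET,
                          capture_output=True, text=True, timeout=30)
    return classify(proc.returncode)


if __name__ == "__main__":
    print(check(sys.argv[1] if len(sys.argv) > 1 else "php"))
```

A `crash` verdict means the build under test is still affected; `rejected` or `compiled` means the compiler survived the construct.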


 [2019-01-28 07:17 UTC] rasmus@php.net
Nice one, how did you run across that?
(2)::class is pretty obscure.
 [2019-01-28 07:57 UTC] bugsnet at ekins dot space
Hi! I've submitted a PR for this bug: https://github.com/php/php-src/pull/3768
 [2019-01-28 08:26 UTC] nikic@php.net
Automatic comment on behalf of me@ekins.space
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef68cd324923d81565debef8939b015a3f4b8a6f
Log: Fixed bug #77530: PHP crashes when parsing "(2)::class"
 [2019-01-28 08:26 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2019-01-28 13:34 UTC] kalle@php.net
-Assigned To: +Assigned To: kalle
 [2019-01-28 13:34 UTC] kalle@php.net
@rasmus: see comments on https://github.com/nikic/php-ast/pull/111
Last updated: Sun Oct 13 04:01:26 2024 UTC