Memory leak during constant expression evaluation #10014

dstogov opened this issue Nov 28, 2022 · 2 comments · Fixed by #10030

@dstogov

dstogov commented Nov 28, 2022

Description

The following code:

<?php
#[Attribute(+[[][2]?->y]->y)]
class y {
}

Resulted in this output:

Warning: Undefined array key 2 in /home/dmitry/tmp/fuzz-53766.php on line 3

=================================================================
==150605==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x7f2687cae91f in __interceptor_malloc (/lib64/libasan.so.6+0xae91f)
    #1 0x1f19fa2 in __zend_malloc /home/dmitry/php/php-master/Zend/zend_alloc.c:3114
    #2 0x1f153ee in _malloc_custom /home/dmitry/php/php-master/Zend/zend_alloc.c:2472
    #3 0x1f157cc in _emalloc /home/dmitry/php/php-master/Zend/zend_alloc.c:2591
    #4 0x2082fbd in _zend_new_array /home/dmitry/php/php-master/Zend/zend_hash.c:279
    #5 0x2494b35 in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:694
    #6 0x24974fc in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:912
    #7 0x249465a in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:668
    #8 0x1fb9194 in zval_update_constant_with_ctx /home/dmitry/php/php-master/Zend/zend_execute_API.c:690
    #9 0x1fb94db in zval_update_constant_ex /home/dmitry/php/php-master/Zend/zend_execute_API.c:704
    #10 0x20ebde7 in zend_get_attribute_value /home/dmitry/php/php-master/Zend/zend_attributes.c:198
    #11 0x20e9a76 in validate_attribute /home/dmitry/php/php-master/Zend/zend_attributes.c:46
    #12 0x1f6eaab in zend_compile_attributes /home/dmitry/php/php-master/Zend/zend_compile.c:6792
    #13 0x1f7eeb4 in zend_compile_class_decl /home/dmitry/php/php-master/Zend/zend_compile.c:7967
    #14 0x1f9d2f2 in zend_compile_top_stmt /home/dmitry/php/php-master/Zend/zend_compile.c:10154
    #15 0x1f9cfd7 in zend_compile_top_stmt /home/dmitry/php/php-master/Zend/zend_compile.c:10143
    #16 0x1ea6ce0 in zend_compile Zend/zend_language_scanner.l:619
    #17 0x1ea73e8 in compile_file Zend/zend_language_scanner.l:654
    #18 0x1558377 in phar_compile_file /home/dmitry/php/php-master/ext/phar/phar.c:3355
    #19 0x7f2671bfc286 in opcache_compile_file /home/dmitry/php/php-master/ext/opcache/ZendAccelerator.c:1820
    #20 0x7f2671c01808 in persistent_compile_file /home/dmitry/php/php-master/ext/opcache/ZendAccelerator.c:2164
    #21 0x202c28b in zend_execute_scripts /home/dmitry/php/php-master/Zend/zend.c:1776
    #22 0x1dc3e02 in php_execute_script /home/dmitry/php/php-master/main/main.c:2480
    #23 0x27882cb in do_cli /home/dmitry/php/php-master/sapi/cli/php_cli.c:964
    #24 0x278a95e in main /home/dmitry/php/php-master/sapi/cli/php_cli.c:1333
    #25 0x7f2683e3feaf in __libc_start_call_main (/lib64/libc.so.6+0x3feaf)

Indirect leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f2687cae91f in __interceptor_malloc (/lib64/libasan.so.6+0xae91f)
    #1 0x1f19fa2 in __zend_malloc /home/dmitry/php/php-master/Zend/zend_alloc.c:3114
    #2 0x1f153ee in _malloc_custom /home/dmitry/php/php-master/Zend/zend_alloc.c:2472
    #3 0x1f157cc in _emalloc /home/dmitry/php/php-master/Zend/zend_alloc.c:2591
    #4 0x2081324 in zend_hash_real_init_packed_ex /home/dmitry/php/php-master/Zend/zend_hash.c:154
    #5 0x208f825 in _zend_hash_index_add_or_update_i /home/dmitry/php/php-master/Zend/zend_hash.c:1068
    #6 0x20907c5 in zend_hash_next_index_insert /home/dmitry/php/php-master/Zend/zend_hash.c:1142
    #7 0x2491524 in zend_ast_add_array_element /home/dmitry/php/php-master/Zend/zend_ast.c:453
    #8 0x24950e3 in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:723
    #9 0x24974fc in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:912
    #10 0x249465a in zend_ast_evaluate_ex /home/dmitry/php/php-master/Zend/zend_ast.c:668
    #11 0x1fb9194 in zval_update_constant_with_ctx /home/dmitry/php/php-master/Zend/zend_execute_API.c:690
    #12 0x1fb94db in zval_update_constant_ex /home/dmitry/php/php-master/Zend/zend_execute_API.c:704
    #13 0x20ebde7 in zend_get_attribute_value /home/dmitry/php/php-master/Zend/zend_attributes.c:198
    #14 0x20e9a76 in validate_attribute /home/dmitry/php/php-master/Zend/zend_attributes.c:46
    #15 0x1f6eaab in zend_compile_attributes /home/dmitry/php/php-master/Zend/zend_compile.c:6792
    #16 0x1f7eeb4 in zend_compile_class_decl /home/dmitry/php/php-master/Zend/zend_compile.c:7967
    #17 0x1f9d2f2 in zend_compile_top_stmt /home/dmitry/php/php-master/Zend/zend_compile.c:10154
    #18 0x1f9cfd7 in zend_compile_top_stmt /home/dmitry/php/php-master/Zend/zend_compile.c:10143
    #19 0x1ea6ce0 in zend_compile Zend/zend_language_scanner.l:619
    #20 0x1ea73e8 in compile_file Zend/zend_language_scanner.l:654
    #21 0x1558377 in phar_compile_file /home/dmitry/php/php-master/ext/phar/phar.c:3355
    #22 0x7f2671bfc286 in opcache_compile_file /home/dmitry/php/php-master/ext/opcache/ZendAccelerator.c:1820
    #23 0x7f2671c01808 in persistent_compile_file /home/dmitry/php/php-master/ext/opcache/ZendAccelerator.c:2164
    #24 0x202c28b in zend_execute_scripts /home/dmitry/php/php-master/Zend/zend.c:1776
    #25 0x1dc3e02 in php_execute_script /home/dmitry/php/php-master/main/main.c:2480
    #26 0x27882cb in do_cli /home/dmitry/php/php-master/sapi/cli/php_cli.c:964
    #27 0x278a95e in main /home/dmitry/php/php-master/sapi/cli/php_cli.c:1333
    #28 0x7f2683e3feaf in __libc_start_call_main (/lib64/libc.so.6+0x3feaf)

But I expected this output instead:

Warning: Undefined array key 2 in %s on line %d

Warning: Attempt to read property "y" on array in %s on line %d

PHP Version

master

Operating System

@dstogov

dstogov commented Nov 28, 2022

@iluuu1994 please take a look. The leak occurs only in the master branch. I'm not sure if you are responsible for this, but reverting 8731fb2 fixes the problem.

@iluuu1994

@dstogov Thanks for identifying this. I will have a look on Thursday.
