Skip to content


Subversion checkout URL

You can clone with
Download ZIP
A virtual machine designed for executing programs written in Hack and PHP.
C++ PHP Hack C OCaml CMake Other

Don't assume a scalar Map/Set initializer is an integer if its not a …


Summary: HHVM incorrectly allows boolean and floating-point values to be specified in Map
and Set initializers (under certain conditions). IE, Set { true, false } and Map
{ true => 'a', false => 'b' } work, when they should throw an Invalid Argument
exception (just like all the other operations on collections when given booleans
or floats).

The root cause of this is that the bytecode emitter assumes that if a Map or Set
initializer is a scalar, and is not a string, it must be an integer. Under debug
builds, this causes assertions as it means a Variant of type bool or float is
accessed as an integer. Under most conditions, the bytecode emitter will
initialize the collection directly from an array, bypassing the checks in the
collection add method, therefore allowing these types into the collection. The
rest of the collection logic assumes that the contained values are either
integers or strings, possibly leading to odd results (the floating point values
are treated as integer versions of the bit representation of the float).

The fix is to explicitly check if the initializers are integers, and if not,
don't attempt the direct array initialization. Instead the collection
initialization which uses repeated calls to add() will be used, allowing for
proper checking.

Reviewed By: @binliu19, @markw65

Differential Revision: D2202642
latest commit f8f815d06f
@ricklavoie ricklavoie authored hhvm-bot committed


HHVM page | Hacklang page | General group | Dev group | Twitter

HHVM (aka the HipHop Virtual Machine) is an open-source virtual machine designed for executing programs written in Hack and PHP. HHVM uses a just-in-time compilation approach to achieve superior performance while maintaining the flexibility that PHP developers are accustomed to. To date, HHVM (and its predecessor HPHPc before it) has realized over a 9x increase in web request throughput and over a 5x reduction in memory consumption for Facebook compared with the PHP 5.2 engine + APC.

HHVM should be used together with a FastCGI-based webserver like nginx or apache.

Reporting and Fixing Security Issues

Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors. Security issues in HHVM can be safely reported via HHVM's Whitehat Bug Bounty program:

Facebook's security team will triage your report and determine whether or not is it eligible for a bounty under our program.


Our FAQ has answers to many common questions about HHVM, from general questions to questions geared towards those that want to use or contribute to HHVM.


If you're new, try our getting started overview.

You can install a prebuilt package or compile from source.


You can run standalone programs just by passing them to hhvm: hhvm my_script.php.

If you want to host a website:

  • Install your favorite webserver
  • Install our package
  • Start your webserver
  • Run sudo /etc/init.d/hhvm start
  • Visit your site at http://.../index.php

Our getting started overview provides a slightly more detailed introduction as well as links to more information.


We'd love to have your help in making HHVM better. If you're interested, please read our guide to contributing.


HHVM is licensed under the PHP and Zend licenses except as otherwise noted.

The Hack typechecker (hphp/hack) is licensed under the BSD license (hphp/hack/LICENSE) with an additional grant of patent rights (hphp/hack/PATENTS) except as otherwise noted.

Reporting Crashes

See Reporting Crashes for helpful tips on how to report crashes in an actionable manner.

Something went wrong with that request. Please try again.