Bug #43505 Assign by reference bug
Submitted: 2007-12-05 17:45 UTC Modified: 2008-01-29 10:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: vidmich at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.5 OS: Windows
Private report: No CVE-ID: None
 [2007-12-05 17:45 UTC] vidmich at gmail dot com
Description:
------------
Recently I came across a bug in my work with Zend Framework linked with Smarty. In my investigation I found a strange feature of PHP: it creates a new element in an array if we assign by reference some undefined index from it (ZEND_FETCH_DIM_W implementation). For example:

$a = array();
$b =& $a['test'];

After this code, array $a will get a new element indexed as 'test' and pointing to NULL. This is strange and I didn't find documentation for this, but this is rather a feature than a bug.

But I found a situation in which the above code returns a _different_ result, which is really bad and breaks Smarty plugins loading. This situation happens when we return an undefined field in the count function of a Countable object. For example:

class Test implements Countable
{
  public function count()
  {
    return $this->test;
  }
}

In my opinion, calling count on such an object (an object of class Test) breaks the global variable in Zend Engine named 'uninitialized_zval', and as a result newly created elements point to int(0) instead of NULL.

Please make this feature more predictable


Reproduce code:
---------------
<?php

class Test implements Countable
{
    public function count()
    {
        return $this->some;
    }
}

$obj = new Test();

$a = array();
$b =& $a['test'];
var_dump($a);

$t = count($obj);

$a = array();
$b =& $a['test'];
var_dump($a);


Expected result:
----------------
array(1) {
  ["test"]=>
  &NULL
}

array(1) {
  ["test"]=>
  &NULL
}


Actual result:
--------------
array(1) {
  ["test"]=>
  &NULL
}

array(1) {
  ["test"]=>
  &int(0)
}
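
A regression check for the behaviour reported above, added here as an example; it is not part of the original report or of PHP's own test suite. It extends the reproduce code to nested elements and object properties, and the class and function names (UndefinedCount, implicit_slots, non_null_slots) are hypothetical.

```php
<?php
// Added example: checks that slots created by a by-reference fetch of an
// undefined index or property hold NULL, before and after count() is called
// on a Countable whose count() returns an undefined property.
// All names below are hypothetical. The undefined-property notice (a warning
// on newer PHP versions) raised inside count() is expected.

class UndefinedCount implements Countable
{
    #[\ReturnTypeWillChange]
    public function count()
    {
        return $this->missing; // never defined, as in the report
    }
}

// Create three implicit slots by reference and return the value each one holds.
function implicit_slots()
{
    $a = array();
    $r1 =& $a['test'];            // array element, the case in the report
    $n = array();
    $r2 =& $n['outer']['inner'];  // nested array element
    $o = new stdClass();
    $r3 =& $o->test;              // object property
    return array(
        'array element'   => $a['test'],
        'nested element'  => $n['outer']['inner'],
        'object property' => $o->test,
    );
}

// Return slot name => type for every slot that is not NULL.
function non_null_slots(array $slots)
{
    $bad = array();
    foreach ($slots as $name => $value) {
        if ($value !== null) {
            $bad[$name] = gettype($value);
        }
    }
    return $bad;
}

$before = non_null_slots(implicit_slots());
count(new UndefinedCount());      // the call the report ties to the change
$after = non_null_slots(implicit_slots());

if ($before || $after) {
    echo "AFFECTED: implicit slots are not NULL\n";
    var_dump(array('before' => $before, 'after' => $after));
    exit(1);
}
echo "OK: implicit slots are NULL before and after count()\n";
```

The script exits with status 1 when any implicitly created slot is not NULL, so it can be run against each PHP build that serves an application.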


 [2008-01-29 10:46 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

