  [2018-12-14 11:47 UTC] conorycom at gmail dot com
 Description:
------------
Segfault occurs when adding a property to an unserialized ArrayObject
Test script:
---------------
<?php
// 1
$a = unserialize('C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}C:11:"ArrayObject":21:{x:i:2;a:0:{};m:a:0:{}}');
$a->c = 'test';
// 2
$b = new \ArrayObject;
$b->unserialize('x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}x:i:2;a:0:{};m:a:0:{}');
$b->c = 'test';
Actual result:
--------------
segfault!
A debug build yields:

php: /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658: _zend_hash_add_or_update_i: Assertion `(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffffe07442a in __GI_abort () at abort.c:89
#2 0x00007ffffe06be67 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))", file=file@entry=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c", line=line@entry=658, function=function@entry=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:92
#3 0x00007ffffe06bf12 in __GI___assert_fail (
    assertion=0x85a2820 "(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))", file=0x85a2780 "/mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c", line=658, function=0x85a2c10 <__PRETTY_FUNCTION__.11061> "_zend_hash_add_or_update_i") at assert.c:101
#4 0x00000000083b6cfb in _zend_hash_add_or_update_i (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210, flag=5) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:658
#5 0x00000000083b75c8 in zend_hash_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.c:828
#6 0x0000000008205e76 in zend_symtable_update_ind (
    ht=0x88dba20 <zend_empty_array>, key=0x8b084a0, pData=0x7ffffdc72210) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_hash.h:414
#7 0x0000000008207536 in spl_array_write_dimension_ex (check_inherited=1, object=0x7ffffdc1e080, offset=0x7ffffdc72200, value=0x7ffffdc72210) at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:485
#8 0x0000000008207650 in spl_array_write_dimension (object=0x7ffffdc1e080, offset=0x7ffffdc72200, value=0x7ffffdc72210) at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:521
#9 0x000000000820859f in spl_array_write_property (object=0x7ffffdc1e080, member=0x7ffffdc72200, value=0x7ffffdc72210, cache_slot=0x7ffffdc63368) at /mnt/c/Users/cmb/php-dev/php-src/ext/spl/spl_array.c:885
#10 0x000000000845654c in ZEND_ASSIGN_OBJ_SPEC_CV_CONST_OP_DATA_CONST_HANDLER () at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:40116
#11 0x00000000084717e7 in execute_ex (ex=0x7ffffdc1e030) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:59694
#12 0x00000000084729d7 in zend_execute (op_array=0x7ffffdc7b300, return_value=0x0) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend_vm_execute.h:60834
#13 0x00000000083a4956 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /mnt/c/Users/cmb/php-dev/php-src/Zend/zend.c:1568
#14 0x000000000831b289 in php_execute_script (primary_file=0x7ffffffedf10) at /mnt/c/Users/cmb/php-dev/php-src/main/main.c:2630
#15 0x00000000084753cb in do_cli (argc=2, argv=0x8afcd10) at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:997
#16 0x0000000008476281 in main (argc=2, argv=0x8afcd10) at /mnt/c/Users/cmb/php-dev/php-src/sapi/cli/php_cli.c:1389