Bug #26839 unexpected results from simple array routine
Submitted: 2004-01-08 07:01 UTC
Modified: 2004-01-08 20:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dweller at devonweller dot com
Assigned:
Status: Closed
Package: Arrays related
PHP Version: 4CVS-2004-01-08 (dev)
OS: Linux Intel (Redhat)
Private report: No
CVE-ID: None

 [2004-01-08 07:01 UTC] dweller at devonweller dot com
Description:
------------
The attached simple array routine produces unexpected 
results when the loop count is greater than approx. 
33000.  Perhaps this is some kind of reference counting 
bug.

Reproduce code:
---------------
<?php
// causes unexpected *RECURSION* references
$var1 = 1;
$array = array();
for($i=0;$i<33000;++$i) {
	$var2 = $var1;
	$array[] = array(
		'var1' => $var1,
		'var2' => $var2,
	);
}
print_r($array[0]);

Expected result:
----------------
Array
(
    [var1] => 1
    [var2] => 1
)

Actual result:
--------------
Array
(
    [var1] => Array
        (
            [var1] => Array
 *RECURSION*
            [var2] => Array
 *RECURSION*
        )

    [var2] => Array
        (
            [var1] => Array
 *RECURSION*
            [var2] => Array
 *RECURSION*
        )

)

 [2004-01-08 10:04 UTC] eru@php.net
$i < 32768 results in
array(2) {
  ["var1"]=>
  UNKNOWN:0
  ["var2"]=>
  UNKNOWN:0
}

$i < 32767 results in
array(2) {
  ["var1"]=>
  int(1)
  ["var2"]=>
  int(1)
}

 [2004-01-08 14:28 UTC] sniper@php.net
Works fine with PHP 5, crashes for me with PHP 4 (latest CVS):

#0  0x407884ec in mempcpy () from /lib/i686/libc.so.6
#1  0x4077a850 in _IO_new_file_xsputn () from /lib/i686/libc.so.6
#2  0x4076ff9f in fwrite () from /lib/i686/libc.so.6
#3  0x082b0f75 in sapi_cli_single_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php4/sapi/cli/php_cli.c:190
#4  0x082afb2e in sapi_cli_ub_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php4/sapi/cli/php_cli.c:203
#5  0x082699fd in php_ub_body_write_no_header (str=0x0, str_length=1515870810)
    at /usr/src/web/php/php4/main/output.c:689
#6  0x0826863a in php_body_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php4/main/output.c:121
#7  0x08254dc0 in php_body_write_wrapper (str=0x0, str_length=1515870810) at /usr/src/web/php/php4/main/main.c:1022
#8  0x0828c2d8 in zend_print_zval_ex (write_func=0x8254d9f <php_body_write_wrapper>, expr=0xbfffd330, indent=0)
    at /usr/src/web/php/php4/Zend/zend.c:211
#9  0x0828c256 in zend_print_zval (expr=0x864e2cc, indent=0) at /usr/src/web/php/php4/Zend/zend.c:192
#10 0x0828bd0f in zend_print_variable (var=0x864e2cc) at /usr/src/web/php/php4/Zend/zend_variables.c:147
#11 0x0828c45a in zend_print_zval_r_ex (write_func=0x8254d9f <php_body_write_wrapper>, expr=0x864e2cc, indent=8)
    at /usr/src/web/php/php4/Zend/zend.c:253
#12 0x0828c335 in zend_print_zval_r (expr=0x864e2cc, indent=8) at /usr/src/web/php/php4/Zend/zend.c:221
#13 0x0828bf6f in print_hash (ht=0x865337c, indent=4) at /usr/src/web/php/php4/Zend/zend.c:130
#14 0x0828c3c8 in zend_print_zval_r_ex (write_func=0x8254d9f <php_body_write_wrapper>, expr=0x86534e4, indent=0)
    at /usr/src/web/php/php4/Zend/zend.c:235
#15 0x0828c335 in zend_print_zval_r (expr=0x86534e4, indent=0) at /usr/src/web/php/php4/Zend/zend.c:221
#16 0x081e082d in zif_print_r (ht=1, return_value=0x962c23c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php4/ext/standard/basic_functions.c:2488
#17 0x0829ed0e in execute (op_array=0x864e9f4) at /usr/src/web/php/php4/Zend/zend_execute.c:1616
#18 0x0828d76a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php4/Zend/zend.c:884
#19 0x08256573 in php_execute_script (primary_file=0xbffffbc0) at /usr/src/web/php/php4/main/main.c:1727
#20 0x082b0da3 in main (argc=2, argv=0xbffffc54) at /usr/src/web/php/php4/sapi/cli/php_cli.c:820

 [2004-01-08 14:29 UTC] sniper@php.net
Without the print_r() call no crash but this:

---------------------------------------
/usr/src/web/php/php4/Zend/zend_execute.h(44) : Block 0x0864E478 status:
Beginning:      Overrun (magic=0x40847B54, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------


 [2004-01-08 20:41 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is fixed in PHP 5.0. This will not be fixed in PHP 4 
as that would require an API change. The bug is the result 
of a refcount being defined as a short. 
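
Added illustration, not part of the original thread and not PHP's source: a toy C model of the bug class named in the closing comment, where a reference count stored in a short wraps and the value is released while other owners still hold it, shown next to an increment that refuses to wrap. `toy_val` and all function names are hypothetical; the 16-bit width comes from the comment, and treating the counter as unsigned is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy value header, not PHP's zval. Assumption: the counter is 16 bits, unsigned. */
typedef struct {
    uint16_t refcount;
    bool released;   /* set instead of calling free(), so the model is safe to run */
} toy_val;

/* Unchecked increment: silently wraps from 65535 to 0. */
static void ref_add(toy_val *v) { v->refcount++; }
/* Hardened increment: refuses the reference instead of wrapping. */
static bool ref_add_checked(toy_val *v) {
    if (v->refcount == UINT16_MAX) return false;
    v->refcount++;
    return true;
}
/* Drop one reference; the value is released when the counter reaches zero. */
static void ref_del(toy_val *v) {
    if (--v->refcount == 0) v->released = true;
}
/* Counter value after `holders` unchecked references have been taken. */
static uint16_t count_after(uint32_t holders) {
    toy_val v = { 0, false };
    for (uint32_t i = 0; i < holders; i++) ref_add(&v);
    return v.refcount;
}
/* Take `holders` references, drop one: was the value released with owners left? */
static bool released_early(uint32_t holders) {
    toy_val v = { 0, false };
    for (uint32_t i = 0; i < holders; i++) ref_add(&v);
    ref_del(&v);
    return v.released && holders > 1;
}
/* How many references the checked increment accepts before refusing. */
static uint32_t checked_capacity(void) {
    toy_val v = { 0, false };
    uint32_t n = 0;
    while (ref_add_checked(&v)) n++;
    return n;
}

int main(void) {
    printf("count after 65537 refs: %u\n", (unsigned)count_after(65537));
    printf("released early: %d\n", released_early(65537));
    printf("checked capacity: %u\n", (unsigned)checked_capacity());
    return 0;
}
```

With 65537 holders the counter reads 1, so a single release marks the value as gone while 65536 owners remain; the checked increment stops at 65535 references instead.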
 
Last updated: Wed Sep 11 11:01:27 2024 UTC