PHP :: Bug #34310 :: foreach($arr as $c->d => $x) crashes (works with PHP 5.0.3)

Bug #34310	foreach($arr as $c->d => $x) crashes (works with PHP 5.0.3)
Submitted:	2005-08-30 16:14 UTC	Modified:	2005-09-01 12:55 UTC
From:	devriese at cs dot tcd dot ie	Assigned:	dmitry (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS-2005-08-31	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	devriese at cs dot tcd dot ie
New email:
PHP Version:		OS:

New Comment:

[2005-08-30 16:14 UTC] devriese at cs dot tcd dot ie

Description:
------------
When using an object attribute to store the key in a foreach loop, PHP crashes with a segmentation error (note that using an object attribute to store a value does work; see example code). 

Also: this code runs fine in PHP 5.0.3, but crashes with PHP 5.1.0RC1.

Reproduce code:
---------------
<?php
   class C
   {
      var $d;
   }

   $c = new C();

   $arr = array(1 => 'a', 2 => 'b', 3 => 'c');

   // Works fine:
   foreach($arr as $x => $c->d) echo "$c->d\n";

   // Crashes:
   foreach($arr as $c->d => $x) echo "$c->d\n";
?>

Expected result:
----------------
a
b
c
1
2
3


Actual result:
--------------
(in GDB):

a
b
c

Program received signal SIGSEGV, Segmentation fault.
0x003357c0 in zend_pzval_unlock_func (z=0x0, should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:66
66              if (!--z->refcount) {
(gdb) bt
#0  0x003357c0 in zend_pzval_unlock_func (z=0x0, should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:66
#1  0x00335774 in _get_zval_ptr_ptr_var (node=0x50b270, Ts=0xffbfde90, 
    should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:259
#2  0x00335700 in _get_zval_ptr_ptr (node=0x50b270, Ts=0xffbfde90, 
    should_free=0xffbfdd7c, type=1)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:300
#3  0x00337088 in zend_assign_to_variable (result=0x50b258, op1=0x50b270, 
    op2=0x50b288, value=0xffbfe028, type=2, Ts=0xffbfde90)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:632
#4  0x0035f62c in ZEND_ASSIGN_SPEC_VAR_TMP_HANDLER (execute_data=0xffbfe088)
    at zend_vm_execute.h:10210
#5  0x00333b1c in execute (op_array=0x506618) at zend_vm_execute.h:87
#6  0x002f6e1c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend.c:1078
#7  0x00286e44 in php_execute_script (primary_file=0xffbfe848)
    at /misc/csw/src/php-5.1.0RC1/main/main.c:1672
#8  0x003a47a0 in main (argc=2, argv=0xffbfe8fc)
    at /misc/csw/src/php-5.1.0RC1/sapi/cgi/cgi_main.c:1574

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-08-31 10:43 UTC] sniper@php.net

Dmitry, check this out please.

[2005-08-31 11:18 UTC] sniper@php.net

I added a test for this in Zend/tests/

[2005-09-01 12:55 UTC] dmitry@php.net

Fixed in CVS HEAD and PHP_5_1.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 20:00:01 2025 UTC