Bug #40833 Crash when using unset() on an ArrayAccess object retrieved via __get()
Submitted: 2007-03-16 11:33 UTC
Modified: 2007-03-19 18:37 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: daan at parse dot nl
Assigned: dmitry
Status: Closed
Package: Reproducible crash
PHP Version: 5.2.1
OS: Slackware 10.2
Private report: No
CVE-ID: None

 [2007-03-16 11:33 UTC] daan at parse dot nl
Description:
------------
When trying to trigger the magic offsetUnset() method on a variable which itself is retrieved via a magic __get() method, some sort of object/variable corruption occurs.
If the unset() is applied in two operations, it does not crash.

Also, to trigger this crash, the object must be re-assigned via 'resetSelf()'.

Reproduce code:
---------------
<?php
	class entity
	{
		private $data;
		private $modified;

		function __get($name)
		{
			if ( isset($this->data[$name]) )
				return $this->data[$name];
			else
				return $this->data[$name] = new set($this, $name);
		}

		function __set($name, $value)
		{
			$this->modified[$name] = $value;
		}
	}

	class set implements ArrayAccess
	{
		private $entity;
		private $name;

		function __construct($entity, $name)
		{
			$this->entity = $entity;
			$this->name = $name;
		}

		function offsetUnset($offset)
		{
			$this->entity->{$this->name} = null;
		}

		function offsetSet($offset, $value)
		{
		}

		function offsetGet($offset)
		{
			return 'Bogus';
		}

		function offsetExists($offset)
		{
		}

		function resetSelf()
		{
			$this->entity->{$this->name} = $this;
		}
	}

	$entity = new entity();

	$entity->whatever->resetSelf();

	echo $entity->whatever[0];

	//This will crash
	unset($entity->whatever[0]);

	//This will not crash (comment previous & uncomment this to test)
//	$test = $entity->whatever; unset($test[0]);

	echo $entity->whatever[0];

	var_dump($entity);

	echo 'All good';
?>

Expected result:
----------------
The string 'BogusBogus<vardump result>AllGood'.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 654)]
0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at /usr/src/php-5.2.1/Zend/zend_objects_API.c:255
255             return EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt
#0  0x4065de11 in zend_object_store_get_object (zobject=0x18302664) at /usr/src/php-5.2.1/Zend/zend_objects_API.c:255
#1  0x4065b05f in zend_std_get_properties (object=0x810099c) at /usr/src/php-5.2.1/Zend/zend_object_handlers.c:55
#2  0x405dc642 in php_var_dump (struc=0x8100a9c, level=5) at /usr/src/php-5.2.1/ext/standard/var.c:140
#3  0x405dc921 in php_array_element_dump (zv=0x8100a9c, num_args=1, args=0x80f1188 "", hash_key=0xbfffc550) at /usr/src/php-5.2.1/ext/standard/var.c:64
#4  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x8100ac4, apply_func=0x405dc8c0 <php_array_element_dump>, num_args=1)
    at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#5  0x405dc6cf in php_var_dump (struc=0x80fa794, level=3) at /usr/src/php-5.2.1/ext/standard/var.c:152
#6  0x405dc870 in php_object_property_dump (zv=0x80fa794, num_args=1, args=0xbfffc63c "\001", hash_key=0x8) at /usr/src/php-5.2.1/ext/standard/var.c:96
#7  0x4064e4d0 in zend_hash_apply_with_arguments (ht=0x80fb0b0, apply_func=0x405dc7c0 <php_object_property_dump>, num_args=1)
    at /usr/src/php-5.2.1/Zend/zend_hash.c:729
#8  0x405dc6cf in php_var_dump (struc=0x80f0bf0, level=1) at /usr/src/php-5.2.1/ext/standard/var.c:152
#9  0x405dc9be in zif_var_dump (ht=1, return_value=0x8100e5c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/src/php-5.2.1/ext/standard/var.c:193
#10 0x40660b14 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffc8e0) at /usr/src/php-5.2.1/Zend/zend_vm_execute.h:200
#11 0x40660249 in execute (op_array=0x80fa554) at /usr/src/php-5.2.1/Zend/zend_vm_execute.h:92
#12 0x40645274 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.2.1/Zend/zend.c:1135
#13 0x4060990a in php_execute_script (primary_file=0xbfffebb0) at /usr/src/php-5.2.1/main/main.c:1784
#14 0x406c7842 in apache_php_module_main (r=0x80cb5bc, display_source_mode=0) at /usr/src/php-5.2.1/sapi/apache/sapi_apache.c:53
#15 0x406c82b6 in send_php (r=0x80cb5bc, display_source_mode=0, filename=0x0) at /usr/src/php-5.2.1/sapi/apache/mod_php5.c:663
#16 0x406c84c6 in send_parsed_php (r=0x80cb5bc) at /usr/src/php-5.2.1/sapi/apache/mod_php5.c:678
#17 0x08053ff7 in ap_invoke_handler ()
#18 0x08069039 in process_request_internal ()
#19 0x08069098 in ap_process_request ()
#20 0x080600ba in child_main ()
#21 0x08060262 in make_child ()
#22 0x080603c8 in startup_children ()
#23 0x08060a88 in standalone_main ()
#24 0x080612a6 in main ()

 [2007-03-19 18:37 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_2
Last updated: Thu Jan 30 05:01:31 2025 UTC