PHP :: Bug #43310 :: crash with References and unset

Bug #43310	crash with References and unset
Submitted:	2007-11-15 23:18 UTC	Modified:	2007-11-18 16:52 UTC
From:	commander at graphicore dot de	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.2.5	OS:	Linux, WinXp
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	commander at graphicore dot de
New email:
PHP Version:		OS:

New Comment:

[2007-11-15 23:18 UTC] commander at graphicore dot de

Description:
------------
The code crashes the Apache process immediately. The crash occurs with other functions(array_values, print_r, gettype, ...) instead of array_keys() as well.

To avoid the crash delete the reference in Line 7 to copy the array that contains the references. That was intended anyway.
However, it took hours to find the problem. A Runtime-Error or something like that would be nice.

Systems:
Linux(Ubuntu): Apache/2.2.4  PHP/5.2.3-1ubuntu6
Apache error.log:
[Thu Nov 15 23:18:48 2007] [notice] child pid 2874 exit signal Segmentation fault (11)

WinXp: Apache/2.2.3 (Win32) PHP Version 4.4.4
Apache error.log:
[Thu Nov 15 23:43:43 2007] [notice] Parent: child process exited with status 3221225477 -- Restarting.

best regards

Reproduce code:
---------------
<?php
class aClass{
    var $arr;
    function makeObjects($load){
        for($i = 1; $load >= $i; $i++){
            $this->arr['objects'][$i] = new aClass();
            $this->arr['objects'][$i]->arr =& $this->arr;//copying $this->arr avoids the crash
        }
        echo count($this->arr['objects']).' objects are loaded'."\n";
    }
}
$root = new aClass();
$objects[0] =& $root;
$root->arr['objects'] =& $objects;
$load = 3;
$root->makeObjects($load);
unset($objects[$load]);//unset the last object
array_keys($root->arr['objects']);//crash
echo count($objects).' objects are loaded';
?>

Expected result:
----------------
4 objects are loaded
3 objects are loaded

Actual result:
--------------
the process crashes, no warning, no error

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-11-16 00:32 UTC] felipensp at gmail dot com

Works fine in PHP 5.3.0-dev (cli) (built: Nov 15 2007 18:47:59)

[2007-11-16 00:51 UTC] jani@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2007-11-16 10:32 UTC] crrodriguez+php at suse dot de

this is the deal


5_3 is fine
5_2 non-debug = Crashes
5_2 debug

Starting program: /home/cristian/5.2/sapi/cli/php ../crash.php
4 objects are loaded

Warning: array_keys(): The first argument should be an array in /home/cristian/crash.php on line 18
3 objects are loaded
[Fri Nov 16 07:27:03 2007]  Script:  '../crash.php'
/home/cristian/5.2/Zend/zend_vm_execute.h(405) :  Freeing 0x0096A6A8 (24 bytes), script=../crash.php
Last leak repeated 2 times
[Fri Nov 16 07:27:03 2007]  Script:  '../crash.php'
/home/cristian/5.2/Zend/zend_execute.c(1009) :  Freeing 0x0096C890 (71 bytes), script=../crash.php
/home/cristian/5.2/Zend/zend_hash.c(388) : Actual location (location was relayed)
Last leak repeated 2 times
[Fri Nov 16 07:27:03 2007]  Script:  '../crash.php'
/home/cristian/5.2/Zend/zend_execute.c(1061) :  Freeing 0x0096F748 (24 bytes), script=../crash.php
Last leak repeated 1 time
[Fri Nov 16 07:27:03 2007]  Script:  '../crash.php'
/home/cristian/5.2/Zend/zend_execute.c(1065) :  Freeing 0x0096F7B8 (72 bytes), script=../crash.php
/home/cristian/5.2/Zend/zend_API.c(821) : Actual location (location was relayed)
Last leak repeated 3 times
[Fri Nov 16 07:27:03 2007]  Script:  '../crash.php'
/home/cristian/5.2/Zend/zend_hash.c(247) :  Freeing 0x0096FB38 (79 bytes), script=../crash.php
=== Total 13 memory leaks detected ===

[2007-11-18 16:52 UTC] derick@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is working fine in 5.3dev, so considered fixed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Jul 12 11:01:32 2025 UTC