Bug #49037 @list( $b ) = $a; causes a crash
Submitted: 2009-07-23 18:27 UTC Modified: 2009-07-28 13:01 UTC
From: alex dot emsenhuber at bluewin dot ch Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 6SVN-2009-07-23 (SVN) OS: Mac OS X 10.5.7
Private report: No CVE-ID: None
 [2009-07-23 18:27 UTC] alex dot emsenhuber at bluewin dot ch
Description:
------------
When using @list( $b ) = $a; on PHP 6, it seems that a new opcode is inserted that frees a temp variable set from $a (see the "Actual result" section below) and thus segfaults when using $a later. When I set breakpoints on all lines that contain "SWITCH_FREE" in Zend_execute.c, it's the one at line 1170 in function zend_do_free() that is called.

Reproduce code:
---------------
<?php
$a = array( "c" );
@list( $b ) = $a;
var_dump( $a );

I also used vld to get the opcodes produced by the language parser.

Expected result:
----------------
array(1) {
  [0]=>
  string(1) "c"
}

Analyse with vld:
$ PHP_5_3/sapi/cli/php -dvld.active=1 ~/test.php
Branch analysis from position: 0
Return found
filename:       /Users/alexandre/test.php
function name:  (null)
number of ops:  11
compiled vars:  !0 = $a
line     #  op                           fetch          ext  return  operands
-------------------------------------------------------------------------------
   2     0  INIT_ARRAY                                       ~0      'c'
         1  ASSIGN                                                   !0, ~0
   3     2  BEGIN_SILENCE                                    ~2      
         3  FETCH_R                      local               $4      'a'
         4  FETCH_DIM_R                                      $5      $4, 0
         5  FETCH_W                      local               $3      'b'
         6  ASSIGN                                                   $3, $5
         7  END_SILENCE                                              ~2
   4     8  SEND_VAR                                                 !0
         9  DO_FCALL                                      1          'var_dump'
   5    10  RETURN                                                   1

Actual result:
--------------
Segmentation fault.

Analyse with vld:
$ PHP_6/sapi/cli/php -dvld.active=1 ~/test.php
Branch analysis from position: 0
Return found
filename:       /Users/alexandre/test.php
function name:  (null)
number of ops:  12
compiled vars:  !0 = $a
line     #  op                           fetch          ext  return  operands
-------------------------------------------------------------------------------
   2     0  INIT_ARRAY                                       ~0      c
         1  ASSIGN                                                   !0, ~0
   3     2  BEGIN_SILENCE                                    ~2      
         3  FETCH_R                      local               $4      a
         4  FETCH_DIM_TMP_VAR                                $5      $4, 0
         5  FETCH_W                      local               $3      b
         6  ASSIGN                                                   $3, $5
         7  END_SILENCE                                              ~2
         8  SWITCH_FREE                                              $4
   4     9  SEND_VAR                                                 !0
        10  DO_FCALL                                      1          var_dump
   5    11  RETURN                                                   1

You can see the new opcode "SWITCH_FREE" at position 8.
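
The comparison made in the report above, as an added example that is not part of the original report or of PHP's own code: a Python script that parses the two vld dumps, diffs their opcode sequences, and pairs each *FREE opcode with the op that first named the temporary it frees. The function names and the "first mention defines the temporary" heuristic are assumptions of this example.

```python
import difflib
import re

# Opcode rows from the two vld dumps in the report above (padding condensed).
PHP53 = """\
2 0 INIT_ARRAY ~0 'c'
  1 ASSIGN !0, ~0
3 2 BEGIN_SILENCE ~2
  3 FETCH_R local $4 'a'
  4 FETCH_DIM_R $5 $4, 0
  5 FETCH_W local $3 'b'
  6 ASSIGN $3, $5
  7 END_SILENCE ~2
4 8 SEND_VAR !0
  9 DO_FCALL 1 'var_dump'
5 10 RETURN 1"""
PHP6 = """\
2 0 INIT_ARRAY ~0 c
  1 ASSIGN !0, ~0
3 2 BEGIN_SILENCE ~2
  3 FETCH_R local $4 a
  4 FETCH_DIM_TMP_VAR $5 $4, 0
  5 FETCH_W local $3 b
  6 ASSIGN $3, $5
  7 END_SILENCE ~2
  8 SWITCH_FREE $4
4 9 SEND_VAR !0
  10 DO_FCALL 1 var_dump
5 11 RETURN 1"""
ROW = re.compile(r"^[ \t]*(?:\d+[ \t]+)?(\d+)[ \t]+([A-Z][A-Z0-9_]+)(.*)$", re.M)

def parse_vld(text):  # -> [(op_index, opcode, [~N and $N temporaries])]
    return [(int(i), op, re.findall(r"[~$]\d+", rest)) for i, op, rest in ROW.findall(text)]

def opcode_diff(old, new):  # opcodes replaced or inserted between two dumps
    a, b = [o[1] for o in old], [o[1] for o in new]
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [(t, a[i:j], b[k:l]) for t, i, j, k, l in sm.get_opcodes() if t != "equal"]

def freed_temps(ops):
    """Pair each *FREE op with the first op naming its temp (assumed to define it)."""
    first, out = {}, []
    for idx, op, temps in ops:
        out += [(idx, t, first[t]) for t in temps if op.endswith("FREE") and t in first]
        for t in temps:
            first.setdefault(t, (idx, op))
    return out

if __name__ == "__main__":
    print(opcode_diff(parse_vld(PHP53), parse_vld(PHP6)), freed_temps(parse_vld(PHP6)))
```

On these dumps the diff reports FETCH_DIM_R replaced by FETCH_DIM_TMP_VAR and SWITCH_FREE inserted, and the SWITCH_FREE at op 8 is paired with $4, first named by the FETCH_R of a at op 3.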

 [2009-07-28 13:01 UTC] svn@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=286454
Log: Fixed bug #49037 (@list( $b ) = $a; causes a crash)
 [2009-07-28 13:01 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
