Bug #26675 Segfault on ArrayAccess use
Submitted: 2003-12-19 20:20 UTC Modified: 2003-12-22 11:25 UTC
From: xi at ngs dot ru Assigned: helly
Status: Closed Package: Reproducible crash
PHP Version: 5.0.0b3 OS: *
Private report: No CVE-ID:
 [2003-12-19 20:20 UTC] xi at ngs dot ru
The following code produces a segfault using snapshot php5-200312191230.

Reproduce code:
<?php
class A implements ArrayAccess
{
    private $array = array();

    public function offsetExists( $offset )
    { return isset( $this->array[ $offset ] ); }

    public function offsetGet( $offset )
    { return $this->array[ $offset ]; }

    public function offsetSet( $offset, $data )
    { $this->array[ $offset ] = $data; }

    public function offsetUnset( $offset )
    { unset( $this->array[ $offset ] ); }
}

$a = new A();
$a[] = 'Segfault here!';  // append form: no offset is supplied

Expected result:
String added to $a

Actual result:
Segmentation fault


 [2003-12-20 02:52 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
 [2003-12-20 03:32 UTC] xi at ngs dot ru

#0  zend_call_function (fci=0xbfffd4c0, fci_cache=0xbfffd4a0)
    at /home/simeon/php/php5-200312191230/Zend/zend_execute_API.c:668
#1  0x08141822 in zend_call_method (object_pp=0xbfffd550, obj_ce=0x4032b6dc, 
    fn_proxy=0x0, function_name=0x81941be "offsetset", function_name_len=9, 
    retval_ptr_ptr=0x0, param_count=136060708, arg1=0x0, arg2=0x4032a568)
    at /home/simeon/php/php5-200312191230/Zend/zend_interfaces.c:79
#2  0x081430ae in zend_std_write_dimension (object=0x4032c1cc, offset=0x0, 
    at /home/simeon/php/php5-200312191230/Zend/zend_object_handlers.c:405
#3  0x08157410 in zend_assign_to_object (result=0x4032a4f0, 
    object_ptr=0x4032c250, op2=0x4032a520, value_op=0x4032a560, Ts=0xbfffd610, 
    opcode=147) at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:416
#4  0x081517e0 in zend_assign_dim_handler (execute_data=0xbfffd6f0, 
    at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:2058
#5  0x0814f5fd in execute (op_array=0x40324e5c)
    at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:1260
#6  0x0813515a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/simeon/php/php5-200312191230/Zend/zend.c:1030
#7  0x081017ef in php_execute_script (primary_file=0xbffffac0)
    at /home/simeon/php/php5-200312191230/main/main.c:1638
#8  0x0815a312 in main (argc=2, argv=0xbffffb44)
    at /home/simeon/php/php5-200312191230/sapi/cli/php_cli.c:910
 [2003-12-20 05:31 UTC]
I could verify this.
 [2003-12-22 11:25 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.
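
The append form from the report, as an added example that is not the reporter's code or the PHP project's: for `$obj[] = value` the engine passes null as the offset to offsetSet(), so the implementation has to pick the append behaviour itself. It assumes PHP 8.0 or later for the typed signatures; the class name Bag is hypothetical.

```php
<?php
// Added example: ArrayAccess with explicit handling of the append form.
// For $bag[] = $value the engine calls offsetSet(null, $value).
final class Bag implements ArrayAccess, Countable
{
    private array $items = [];

    public function offsetExists(mixed $offset): bool
    {
        // null is never a stored key here, so answer without touching the array
        return $offset !== null && array_key_exists($offset, $this->items);
    }

    public function offsetGet(mixed $offset): mixed
    {
        if (!$this->offsetExists($offset)) {
            throw new OutOfBoundsException('no such offset');
        }
        return $this->items[$offset];
    }

    public function offsetSet(mixed $offset, mixed $value): void
    {
        if ($offset === null) {
            $this->items[] = $value;          // append: next integer key
            return;
        }
        if (!is_int($offset) && !is_string($offset)) {
            throw new InvalidArgumentException('offset must be int or string');
        }
        $this->items[$offset] = $value;
    }

    public function offsetUnset(mixed $offset): void
    {
        if ($offset !== null) {
            unset($this->items[$offset]);
        }
    }

    public function count(): int { return count($this->items); }
}

$bag = new Bag();
$bag[] = 'first';       // stored under key 0
$bag['k'] = 'second';
$bag[] = 'third';       // stored under key 1
var_dump(count($bag) === 3, $bag[0] === 'first', $bag[1] === 'third', isset($bag[5]));
```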