php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27123 crashes when casting arrays to objects and back
Submitted: 2004-02-03 00:34 UTC Modified: 2004-03-14 12:07 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:4 (100.0%)
From: danielc at analysisandsolutions dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2004-02-18 OS: *
Private report: No CVE-ID: None
 [2004-02-03 00:34 UTC] danielc at analysisandsolutions dot com
Description:
------------
Found PEAR DB's getAssoc() method didn't work correctly when in DB_FETCHMODE_OBJECT mode.  See pear/DB/tests/18get.phpt for that.

I pared it down a bit and then Adam Trachtenberg whittled it down even farther.  Here's what he found:

   1) Use an array with a string key: array('a' => 1)
   2) Cast it to an object and call get_object_vars()
      on the result.
   3) Assign this cast object to an array with
      multiple elements.
   4) Call print_r() on the resulting array.

   If I remove any of these, the crash goes away.


Reproduce code:
---------------
<?php
$array = array(1);
$element = (object) array('a' => 1);
get_object_vars($element);
$array[] = $element;
print_r($array);
?>

Expected result:
----------------
Array
(
    [0] => 1
    [1] => stdClass Object
        (
            [a] => 1
        )

)


Actual result:
--------------
~~~~~ WINDOWS 2000 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Array
(
    [0] => 1
    [1] => stdClass Object
        (
            [a] => 1130656883
        )

)

~~~~~ OS X 10.3, PHP = beta 3 ~~~~~~~~~
No Output.

~~~~~ OS X 10.3, PHP = recent CVS ~~~~~
Array
(
    [0] => 1
    [2] => stdClass Object
        (
            [a] =>

... backtrace ...

#0  0x00271308 in _zend_is_inconsistent (ht=0x5a5a5a5a, file=0x3183f8 "/usr/local/cvs/php/php-src/Zend/zend_hash.c", line=504) at /usr/local/cvs/php/php-src/Zend/zend_hash.c:53
#1  0x00273384 in zend_hash_destroy (ht=0x5a5a5a5a) at /usr/local/cvs/php/php-src/Zend/zend_hash.c:504
#2  0x002658a8 in _zval_dtor (zvalue=0xbfffe710, __zend_filename=0x3178bc "/usr/local/cvs/php/php-src/Zend/zend_operators.c", __zend_lineno=510) at /usr/local/cvs/php/php-src/Zend/zend_variables.c:52
#3  0x0025d240 in _convert_to_string (op=0xbfffe710, __zend_filename=0x317b5c "/usr/local/cvs/php/php-src/Zend/zend.c", __zend_lineno=256) at /usr/local/cvs/php/php-src/Zend/zend_operators.c:510
#4  0x0026691c in zend_make_printable_zval (expr=0xace8d0, expr_copy=0xbfffe710, use_copy=0xbfffe720) at /usr/local/cvs/php/php-src/Zend/zend.c:256
#5  0x002669dc in zend_print_zval_ex (write_func=0x208fa0 <php_body_write_wrapper>, expr=0xace8d0, indent=0) at /usr/local/cvs/php/php-src/Zend/zend.c:275
#6  0x00266984 in zend_print_zval (expr=0xace8d0, indent=0) at /usr/local/cvs/php/php-src/Zend/zend.c:266
#7  0x00265d24 in zend_print_variable (var=0xace8d0) at /usr/local/cvs/php/php-src/Zend/zend_variables.c:171
#8  0x00267094 in zend_print_zval_r_ex (write_func=0x208fa0 <php_body_write_wrapper>, expr=0xace8d0, indent=16) at /usr/local/cvs/php/php-src/Zend/zend.c:387
#9  0x00266dc8 in zend_print_zval_r (expr=0xace8d0, indent=16) at /usr/local/cvs/php/php-src/Zend/zend.c:342
#10 0x002662c8 in print_hash (ht=0xace860, indent=12, is_object=1 '\001') at /usr/local/cvs/php/php-src/Zend/zend.c:159
#11 0x00267074 in zend_print_zval_r_ex (write_func=0x208fa0 <php_body_write_wrapper>, expr=0xacea48, indent=8) at /usr/local/cvs/php/php-src/Zend/zend.c:381
#12 0x00266dc8 in zend_print_zval_r (expr=0xacea48, indent=8) at /usr/local/cvs/php/php-src/Zend/zend.c:342
#13 0x002662c8 in print_hash (ht=0xacde60, indent=4, is_object=0 '\0') at /usr/local/cvs/php/php-src/Zend/zend.c:159
#14 0x00266ed4 in zend_print_zval_r_ex (write_func=0x208fa0 <php_body_write_wrapper>, expr=0xacc538, indent=0) at /usr/local/cvs/php/php-src/Zend/zend.c:356
#15 0x00266dc8 in zend_print_zval_r (expr=0xacc538, indent=0) at /usr/local/cvs/php/php-src/Zend/zend.c:342
#16 0x00165a10 in zif_print_r (ht=1, return_value=0xacea98, this_ptr=0x0, return_value_used=0) at /usr/local/cvs/php/php-src/ext/standard/basic_functions.c:2570
#17 0x0029d5ac in zend_do_fcall_common_helper (execute_data=0xbfffecb0, op_array=0xacdda8) at /usr/local/cvs/php/php-src/Zend/zend_execute.c:2550
#18 0x0029dff4 in zend_do_fcall_handler (execute_data=0xbfffecb0, op_array=0xacdda8) at /usr/local/cvs/php/php-src/Zend/zend_execute.c:2697
#19 0x00297a20 in execute (op_array=0xacdda8) at /usr/local/cvs/php/php-src/Zend/zend_execute.c:1264
#20 0x002689bc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/cvs/php/php-src/Zend/zend.c:1051
#21 0x00209bf8 in php_execute_script (primary_file=0xbffff720) at /usr/local/cvs/php/php-src/main/main.c:1641
#22 0x002aac60 in main (argc=2, argv=0xbffffc94) at /usr/local/cvs/php/php-src/sapi/cli/php_cli.c:939


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-18 11:53 UTC] sniper@php.net
Backtrace a bit different:

(gdb) bt
#0  0x406754ec in mempcpy () from /lib/i686/libc.so.6
#1  0x40667850 in _IO_new_file_xsputn () from /lib/i686/libc.so.6
#2  0x4065cf9f in fwrite () from /lib/i686/libc.so.6
#3  0x0837a979 in sapi_cli_single_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php5/sapi/cli/php_cli.c:192
#4  0x08378ffa in sapi_cli_ub_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php5/sapi/cli/php_cli.c:205
#5  0x0830ba1c in php_ub_body_write_no_header (str=0x0, str_length=1515870810)
    at /usr/src/web/php/php5/main/output.c:686
#6  0x0830a666 in php_body_write (str=0x0, str_length=1515870810) at /usr/src/web/php/php5/main/output.c:121
#7  0x082fbc89 in php_body_write_wrapper (str=0x0, str_length=1515870810) at /usr/src/web/php/php5/main/main.c:1269
#8  0x0833ea71 in zend_print_zval_ex (write_func=0x82fbc68 <php_body_write_wrapper>, expr=0xbfffd390, indent=0)
    at /usr/src/web/php/php5/Zend/zend.c:285
#9  0x0833e9ef in zend_print_zval (expr=0x40e42f04, indent=0) at /usr/src/web/php/php5/Zend/zend.c:266
#10 0x0833e140 in zend_print_variable (var=0x40e42f04) at /usr/src/web/php/php5/Zend/zend_variables.c:171
#11 0x0833ee58 in zend_print_zval_r_ex (write_func=0x82fbc68 <php_body_write_wrapper>, expr=0x40e42f04, indent=16)
    at /usr/src/web/php/php5/Zend/zend.c:387
#12 0x0833eca9 in zend_print_zval_r (expr=0x40e42f04, indent=16) at /usr/src/web/php/php5/Zend/zend.c:342
#13 0x0833e4e4 in print_hash (ht=0x40e42ea0, indent=12, is_object=1 '\001') at /usr/src/web/php/php5/Zend/zend.c:159
#14 0x0833ee42 in zend_print_zval_r_ex (write_func=0x82fbc68 <php_body_write_wrapper>, expr=0x40e4304c, indent=8)
    at /usr/src/web/php/php5/Zend/zend.c:381
#15 0x0833eca9 in zend_print_zval_r (expr=0x40e4304c, indent=8) at /usr/src/web/php/php5/Zend/zend.c:342
#16 0x0833e4e4 in print_hash (ht=0x40e42708, indent=4, is_object=0 '\0') at /usr/src/web/php/php5/Zend/zend.c:159
#17 0x0833ed3e in zend_print_zval_r_ex (write_func=0x82fbc68 <php_body_write_wrapper>, expr=0x40e41f70, indent=0)
    at /usr/src/web/php/php5/Zend/zend.c:356
#18 0x0833eca9 in zend_print_zval_r (expr=0x40e41f70, indent=0) at /usr/src/web/php/php5/Zend/zend.c:342
#19 0x0827456e in zif_print_r (ht=1, return_value=0x40e43090, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/ext/standard/basic_functions.c:2570

 [2004-02-18 11:55 UTC] sniper@php.net
Does not crash when print_r() is changed to var_dump():

array(2) {
  [0]=>
  int(1)
  [1]=>
  object(stdClass)#1 (1) {
    ["a"]=>
    &UNKNOWN:0
  }
}

 [2004-03-14 12:07 UTC] andi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 11 08:01:29 2024 UTC