Bug #28972 [] operator overflow treatment is incorrect
Submitted: 2004-06-30 11:08 UTC Modified: 2005-08-04 01:00 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:3 of 4 (75.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: tomas_matousek at hotmail dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-06-19) OS: *
Private report: No CVE-ID: None
 [2004-06-30 11:08 UTC] tomas_matousek at hotmail dot com
Description:
------------
If there is an item in an array having key = 2^31-1 and you use the [] operator without specifying a key, it overflows and adds a new item with min. int (-2^31) to the array.

This is IMHO not correct or at least not consistent with the manual where the following sentence is stated:

"If you do not specify a key for a given value, then the maximum of the integer indices is taken, and the new key will be that maximum value + 1."

Moreover, consider the following array:
$a = array(2^31-2 => 1,-2^31 => 1) and use $a[] twice.
You get warning:
"Cannot add element to the array as the next element is already occupied".
But if the array is $a = array(2^31-1 => 1,-2^31 => 1) a new item is added with a key -2^31+1 with no warning.

However, if you use array_push instead of [], it never reports a warning but does the same as [].

IMHO it will be more correct if both [] and array_push do not add a new key and report a warning or notice if the maximal integer key reaches maximum value 2^31-1.




Reproduce code:
---------------
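    <?php
    // Case 1: the largest key is already 2^31-1 before the appends
    $a = array(2147483647 => 1, -2147483648 => 1);
    $a[] = 2;
    $a[] = 3;
    var_dump($a);

    // Case 2: the largest key is 2^31-2, so the first append takes 2^31-1
    $a = array(2147483646 => 1, -2147483648 => 1);
    $a[] = 2;
    $a[] = 3;
    var_dump($a);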
  

Expected result:
----------------
Warning:  Cannot add element to array - integer key reached maximal possible value ...
Warning:  Cannot add element to array - integer key reached maximal possible value ...
array(4) {
  [2147483647]=>
  int(1)
  [-2147483648]=>
  int(1)
}

Warning:  Cannot add element to array - integer key reached maximal possible value ...
array(3) {
  [2147483646]=>
  int(1)
  [-2147483648]=>
  int(1)
  [2147483647]=>
  int(2)
}

Actual result:
--------------
array(4) {
  [2147483647]=>
  int(1)
  [-2147483648]=>
  int(1)
  [-2147483647]=>
  int(2)
  [-2147483646]=>
  int(3)
}
Warning:  Cannot add element to the array as the next element is already occupied in ...
array(3) {
  [2147483646]=>
  int(1)
  [-2147483648]=>
  int(1)
  [2147483647]=>
  int(2)
}
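
Added example, not part of the original report and not Zend engine source: a small C model of a "next free key" counter that reproduces both reported cases and compares the wrapping behaviour with the checked behaviour the report asks for. The names arr_t, set_key, append and scenario are hypothetical, and int32_t is assumed to stand in for the 32-bit integer key.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model (not Zend source): integer keys plus the "next free key"
 * counter that [] uses. int32_t stands in for the 32-bit key in the report. */
#define CAP 8
typedef struct { int32_t keys[CAP]; int n; int32_t next; int full; } arr_t;

static int has_key(const arr_t *a, int32_t k) {
    for (int i = 0; i < a->n; i++) if (a->keys[i] == k) return 1;
    return 0;
}

/* array(k => v): store k, then advance the counter past it. checked=0 models
 * the reported wrap; checked=1 latches "full" once INT32_MAX has been used. */
static void set_key(arr_t *a, int32_t k, int checked) {
    if (!has_key(a, k) && a->n < CAP) a->keys[a->n++] = k;
    if (a->full || k < a->next) return;
    if (k < INT32_MAX) a->next = k + 1;
    else if (checked) a->full = 1;
    else a->next = INT32_MIN;            /* what max + 1 wraps to */
}

/* $a[] = v: returns 1 and the key used, or 0 where a warning would be raised. */
static int append(arr_t *a, int checked, int32_t *used) {
    if (a->full || has_key(a, a->next)) return 0;
    *used = a->next;
    set_key(a, *used, checked);
    return 1;
}

/* array(k1 => 1, k2 => 1) followed by two appends; returns the warning count
 * and writes the keys that were actually appended into out[]. */
static int scenario(int32_t k1, int32_t k2, int checked, int32_t out[2]) {
    arr_t a = {0};
    int warnings = 0, m = 0;
    set_key(&a, k1, checked);
    set_key(&a, k2, checked);
    for (int i = 0; i < 2; i++) {
        int32_t used;
        if (append(&a, checked, &used)) out[m++] = used; else warnings++;
    }
    return warnings;
}

int main(void) {
    int32_t out[2] = {0, 0};
    printf("wrapping: %d warnings\n", scenario(INT32_MAX, INT32_MIN, 0, out));
    printf("checked:  %d warnings\n", scenario(INT32_MAX, INT32_MIN, 1, out));
    return 0;
}
```

In the wrapping mode a warning appears only when the wrapped counter happens to land on an occupied key, which is why the two reported arrays behave differently.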

 [2005-03-06 20:33 UTC] sniper@php.net
Leaks too:
/usr/src/php/php_4_3/Zend/zend_execute.c(501) :  Freeing 0x09ACF6A4 (12 bytes), script=t.php

 [2005-04-16 13:05 UTC] sniper@php.net
/usr/src/php/php5/Zend/zend_execute.c(891) :  Freeing 0x09C7786C (16 bytes), script=t.php
 [2005-06-24 00:10 UTC] andi@php.net
In the case of an integer overflow, it shouldn't be strange to you that there might be unpredictable behavior. Is this really a real-life problem that you are bumping into? If so, can you explain further? I am not sure if/how this should be addressed especially as different architectures might behave differently and I don't want to over-architect something which you shouldn't be bumping into in the first place...
 [2005-07-27 13:37 UTC] sniper@php.net
Can you respond to the feedback request by Andi?

 [2005-08-04 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 