Bug #29035 using isset() crashes PHP5TS.DLL within Apache
Submitted: 2004-07-06 19:19 UTC Modified: 2004-11-04 15:08 UTC
Votes:8
Avg. Score:4.4 ± 1.3
Reproduced:8 of 8 (100.0%)
Same Version:4 (50.0%)
Same OS:6 (75.0%)
From: steven at omicron-software dot co dot uk Assigned: andi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.0RC3 OS: *
Private report: No CVE-ID: None
 [2004-07-06 19:19 UTC] steven at omicron-software dot co dot uk
Description:
------------
Using a simple isset() script crashes PHP5.

Reproduce code:
---------------
<?
$array = array('foo' => 'bar');
if (isset($array[])) echo "Something";
?>

Expected result:
----------------
The expected result is to echo "Something"

Actual result:
--------------
Actual result is an "Apache.exe has encountered a problem and needs to close.  We are sorry for the inconvenience." error in PHP5TS.DLL, running as a Module on Apache 1.3.31.

Debug tool with Microsoft Visual Studio returns this:
"Unhandled exception in Apache.exe (PHP5TS.DLL): 0xC0000005: Access Violation"

 [2004-07-07 09:11 UTC] derick@php.net
Your expected result is wrong, you can not isset on an addition to an array.

Besides that, I could reproduce this on Linux too.

backtrace:
0x08316ef5 in zend_isset_isempty_dim_prop_obj_handler (prop_dim=0,
    execute_data=0xbfffd540, opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:3969
warning: Source file is more recent than executable.

3969
(gdb) bt
#0  0x08316ef5 in zend_isset_isempty_dim_prop_obj_handler (prop_dim=0,
    execute_data=0xbfffd540, opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:3969
#1  0x083171c3 in zend_isset_isempty_dim_obj_handler (execute_data=0xbfffd540,
    opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:4056
#2  0x0831029f in execute (op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#3  0x082ec861 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.0dev/Zend/zend.c:1058
#4  0x082a6b83 in php_execute_script (primary_file=0xbffff980)
    at /dat/dev/php/php-5.0dev/main/main.c:1630
#5  0x0831cd96 in main (argc=1, argv=0xbffffa24)
    at /dat/dev/php/php-5.0dev/sapi/cli/php_cli.c:943

valgrind says:
==21034==
==21034== Invalid read of size 1
==21034==    at 0x8316EF5: zend_isset_isempty_dim_prop_obj_handler (zend_execute.c:3969)
==21034==    by 0x83171C2: zend_isset_isempty_dim_obj_handler (zend_execute.c:4056)
==21034==    by 0x831029E: execute (zend_execute.c:1391)
==21034==    by 0x82EC860: zend_execute_scripts (zend.c:1058)
==21034==  Address 0xC is not stack'd, malloc'd or free'd
==21034==
==21034== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==21034==  Access not within mapped region at address 0xC
==21034==    at 0x8316EF5: zend_isset_isempty_dim_prop_obj_handler (zend_execute.c:3969)
==21034==    by 0x83171C2: zend_isset_isempty_dim_obj_handler (zend_execute.c:4056)
==21034==    by 0x831029E: execute (zend_execute.c:1391)
==21034==    by 0x82EC860: zend_execute_scripts (zend.c:1058)
==21034==

 [2004-08-13 03:02 UTC] jsgoupil at lookstrike dot com
Same with empty()
 [2004-11-04 15:08 UTC] thekid@php.net
Now outputs:

Fatal error: Cannot use [] for reading in /usr/home/thekid/test.php on line 3

The crash has gone; this is expected functionality. I assume this can be closed.
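
The valgrind trace in this report shows a one-byte read at address 0xC, which is consistent with a field being read through a NULL pointer. The following C model is an added illustration, not Zend Engine code: the struct layout, names and sample data are hypothetical, chosen only so the type tag falls at offset 0xC. It shows where such an address comes from and the check-before-read pattern that matches the later "Cannot use [] for reading" behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical value cell, NOT Zend's real definition: fixed-width fields
 * chosen so the one-byte type tag sits at offset 0xC. */
typedef struct { uint32_t value_lo, value_hi, refcount; uint8_t type; } cell_t;
typedef struct { const cell_t *keys; size_t count; } table_t;
enum { T_LONG = 1, T_STRING = 2 };
enum { ISSET_ERR_NO_DIM = -1, ISSET_FALSE = 0, ISSET_TRUE = 1 };

/* Constructed sample data: one string key with id 1 (stands in for 'foo'). */
static const cell_t SAMPLE_KEYS[] = { { 1, 0, 1, T_STRING } };
static const table_t SAMPLE = { SAMPLE_KEYS, 1 };
static const cell_t ABSENT_KEY = { 2, 0, 1, T_STRING };

/* Address an unchecked handler would touch when it reads dim->type.
 * With dim == NULL this is 0 + offsetof(type): a small unmapped address. */
static uintptr_t type_read_address(const cell_t *dim) {
    return (uintptr_t)dim + offsetof(cell_t, type);
}

/* Checked lookup: a missing dimension ("[]" used in a read context) is
 * rejected before any field of it is dereferenced. */
static int isset_dim_checked(const table_t *container, const cell_t *dim) {
    if (dim == NULL) {
        fprintf(stderr, "Cannot use [] for reading\n");
        return ISSET_ERR_NO_DIM;
    }
    if (container == NULL)
        return ISSET_FALSE;
    for (size_t i = 0; i < container->count; i++) {
        const cell_t *k = &container->keys[i];
        if (k->type == dim->type && k->value_lo == dim->value_lo)
            return ISSET_TRUE;
    }
    return ISSET_FALSE;
}

int main(void) {
    printf("unchecked read of a NULL dim would touch 0x%lX\n",
           (unsigned long)type_read_address(NULL));
    printf("isset with key: %d\n", isset_dim_checked(&SAMPLE, &SAMPLE_KEYS[0]));
    printf("isset with []:  %d\n", isset_dim_checked(&SAMPLE, NULL));
    return 0;
}
```

A faulting address a few bytes above zero in a crash report usually points to a NULL base pointer plus a field offset, which is why the guard belongs before the first field access rather than around the lookup loop.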
Last updated: Wed Feb 01 20:04:13 2023 UTC