Bug #30346 arrayAcces & using $this
Submitted: 2004-10-06 23:54 UTC
Modified: 2005-12-04 13:35 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: profic at kursknet dot ru
Assigned: helly
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS-2005-03-13
OS: *
Private report: No
CVE-ID: None
 [2004-10-06 23:54 UTC] profic at kursknet dot ru
Description:
------------
A class inherited from a class that implements ArrayAccess has problems with using
$this['some' . $var] = $var . 'str';
if $var is passed as a method parameter.
It seems this is a memory problem.
Look at the last 3 entries in rtfHelperArray::haStore.

Reproduce code:
---------------
<?php
abstract class rtfHelperArray implements arrayAccess {
	private $haStore = array ();

	final public function offsetExists ($offset) {
		return true;
	}

	final public function offsetGet ($offset) {
		if (array_key_exists ($offset, $this->haStore)) {
			return $this->haStore[$offset];
		} else {
			$temp = NULL;
			return $temp;
		}
	}

	final public function offsetSet ($offset, $value) {
		$this->haStore[$offset] = $value;
		return true;
	}

	final public function offsetUnset ($offset) {
		unset ($this->haStore[$offset]);
		return true;
	}
}

error_reporting (E_ALL);

class test extends rtfHelperArray {
	public function doTest ($idx) {
		$this[$idx] = $idx;
		echo $idx, ' : ', $this[$idx], "\n";
		$this[$idx . '-2'] = $idx . '-2';
		echo $idx . '-2', ' : ', $this[$idx . '-2'], "\n";
		$this['3-' . $idx] = $idx . '-333';
		echo '3-' . $idx, ' : ', $this['3-' . $idx], "\n";
		$this['4-' . $idx] = $idx . '-4444';
		echo '4-' . $idx, ' : ', $this['4-' . $idx], "\n";
		$this['5-' . $idx] = $idx . '-5';
		echo '5-' . $idx, ' : ', $this['5-' . $idx], "\n";
		var_dump ($this);
	}
}

$o = new test ();
$o->doTest ('idx');
?>

Expected result:
----------------
idx : idx
idx-2 : idx-2
3-idx : idx-333
4-idx : idx-4444
5-idx : idx-5
object(test)#1 (1) {
  ["haStore:private"]=>
  array(5) {
    ["idx"]=>
    string(3) "idx"
    ["idx-2"]=>
    string(5) "idx-2"
    ["3-idx"]=>
    string(7) "idx-333"
    ["4-idx"]=>
    string(8) "idx-4444"
    ["5-idx"]=>
    string(5) "idx-5"
  }
}

Actual result:
--------------
idx : idx
idx-2 : idx-2
3-idx :
4-idx : idx-4444
5-idx :
object(test)#1 (1) {
  ["haStore:private"]=>
  array(5) {
    ["idx"]=>
    string(3) "idx"
    ["idx-2"]=>
    string(5) "idx-2"
    ["idx-3"]=>
    string(7) "test  3"
    ["4-idx"]=>
    string(8) "idx-4444"
    ["idx-5"]=>
    string(5) "test "
  }
}

 [2004-10-07 11:44 UTC] profic at kursknet dot ru
Sorry, I forgot to mention that sometimes the CLI version (which it was tested on) crashes. Not always (e.g. with every code), but with the same code it is reproducible. And with this code it crashes. But the script finishes, so it seems to be a crash at shutdown.
 [2004-10-24 14:08 UTC] tony2001@php.net
Segfaults only with 5.0.x. 
5.1 works fine (i.e. gives expected result and doesn't segfault).

bt:
Program received signal SIGSEGV, Segmentation fault.
0x08175639 in _efree (ptr=0xbfffcc28) at /home/dev/php-src_5_0/Zend/zend_alloc.c:281
281             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x08175639 in _efree (ptr=0xbfffcc28) at /home/dev/php-src_5_0/Zend/zend_alloc.c:281
#1  0x081802b1 in _zval_ptr_dtor (zval_ptr=0xbfffcc28) at zend_execute.h:61
#2  0x08180ccc in zend_call_function (fci=0xbfffc8c0, fci_cache=0xbfffc8a0, tsrm_ls=0x82370b0) at zend_execute.h:124
#3  0x0819879f in zend_call_method (object_pp=0xbfffc980, obj_ce=0x82ea01c, fn_proxy=0x0, function_name=0x81e9cb4 "offsetget", function_name_len=9,
    retval_ptr_ptr=0xbfffc94c, param_count=-1073753328, arg1=0xbfffcc28, arg2=0x0, tsrm_ls=0x82370b0) at /home/dev/php-src_5_0/Zend/zend_interfaces.c:79
#4  0x0819b77b in zend_std_read_dimension (object=0x82ed3b4, offset=0xbfffcc28, type=0, tsrm_ls=0x82370b0)
    at /home/dev/php-src_5_0/Zend/zend_object_handlers.c:390
#5  0x081a7ce0 in zend_fetch_dimension_address (result=0x82ec17c, op1=0x82ed3b4, op2=0x82ec1a4, Ts=0xbfffca30, type=0, tsrm_ls=0x82370b0)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:1000
#6  0x081aaac1 in zend_fetch_dim_r_handler (execute_data=0xbfffd040, opline=0x82ec178, op_array=0x82ea2ec, tsrm_ls=0x82370b0)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:2067
#7  0x081a90e9 in execute (op_array=0x82ea2ec, tsrm_ls=0x82370b0) at /home/dev/php-src_5_0/Zend/zend_execute.c:1400
#8  0x081ac9c0 in zend_do_fcall_common_helper (execute_data=0xbfffd480, opline=0x82eef7c, op_array=0x82e3e54, tsrm_ls=0x82370b0)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:2740
#9  0x081acd0d in zend_do_fcall_by_name_handler (execute_data=0xbfffd310, opline=0x82eef7c, op_array=0x82e3e54, tsrm_ls=0x82370b0)
    at /home/dev/php-src_5_0/Zend/zend_execute.c:2825
#10 0x081a90e9 in execute (op_array=0x82e3e54, tsrm_ls=0x82370b0) at /home/dev/php-src_5_0/Zend/zend_execute.c:1400
#11 0x0818b387 in zend_execute_scripts (type=8, tsrm_ls=0x82370b0, retval=0x0, file_count=3) at /home/dev/php-src_5_0/Zend/zend.c:1060
#12 0x081544ac in php_execute_script (primary_file=0xbffff870, tsrm_ls=0x82370b0) at /home/dev/php-src_5_0/main/main.c:1628
#13 0x081b4eb4 in main (argc=3, argv=0xbffff8f4) at /home/dev/php-src_5_0/sapi/cli/php_cli.c:943
 [2004-10-26 12:16 UTC] benneh at gmail dot com
I've just run into this; however, I've managed to reduce it to a test case without extended classes. It should be the same thing, as the crash, like yours, appears to be caused by concatenating in the array index.

Minimal Testcase :
------------------
<?php
class Post_Header implements ArrayAccess {
	public function __construct() { }
	public function offsetExists( $offset ) { return false; }
	// Echoes the offset back, so a read shows exactly what the engine passed in
	public function offsetGet( $offset ) { return $offset; }
	public function offsetSet( $offset, $data ) { }
	public function offsetUnset( $offset ) { }
}
$post = new Post_Header;
$id = 'page';
// The offset is a temporary value produced by the concatenation
echo $post[$id.'_show'];

Expected Results :
------------------
Test

Actual Results :
----------------
Crashes on the last line

Hope this more minimal testcase helps.
 [2004-10-26 20:27 UTC] helly@php.net
Thanks for the script.

The issue is fixed in 5.1 - I'll give 5.0 a try.
 [2004-11-28 13:31 UTC] tony2001@php.net
Well, no, not exactly. HEAD segfaults for me with this code:

Starting program: /home/dev/php-src/sapi/cli/php -f /www/index.php
ZZZZZZZZZ
Warning: String is not zero-terminated (ZZZZZZZZZZ└?▐*) (source: /home/dev/php-src/Zend/zend_variables.h:35) in /www/index.php on line 12
[Sun Nov 28 15:28:18 2004]  Script:  '/www/index.php'
---------------------------------------
/home/dev/php-src/Zend/zend_vm_execute.h(6619) : Block 0xBFFFB4D8 status:
/home/dev/php-src/Zend/zend_execute.h(64) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x00666669, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
0x4207c5ac in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207c5ac in memcpy () from /lib/tls/libc.so.6
#1  0x081bb0af in _mem_block_check (ptr=0xbfffb4fc, silent=0, __zend_filename=0x8291260 "/home/dev/php-src/Zend/zend_vm_execute.h", __zend_lineno=6619,
    __zend_orig_filename=0x828c000 "/home/dev/php-src/Zend/zend_execute.h", __zend_orig_lineno=64) at /home/dev/php-src/Zend/zend_alloc.c:737
#2  0x081bb07b in _mem_block_check (ptr=0xbfffb4fc, silent=1, __zend_filename=0x8291260 "/home/dev/php-src/Zend/zend_vm_execute.h", __zend_lineno=6619,
    __zend_orig_filename=0x828c000 "/home/dev/php-src/Zend/zend_execute.h", __zend_orig_lineno=64) at /home/dev/php-src/Zend/zend_alloc.c:729
#3  0x081ba0de in _efree (ptr=0xbfffb4fc, __zend_filename=0x8291260 "/home/dev/php-src/Zend/zend_vm_execute.h", __zend_lineno=6619,
    __zend_orig_filename=0x828c000 "/home/dev/php-src/Zend/zend_execute.h", __zend_orig_lineno=64) at /home/dev/php-src/Zend/zend_alloc.c:287
#4  0x081ca5ca in safe_free_zval_ptr_rel (p=0xbfffb4fc, __zend_filename=0x8291260 "/home/dev/php-src/Zend/zend_vm_execute.h", __zend_lineno=6619,
    __zend_orig_filename=0x828bb20 "/home/dev/php-src/Zend/zend_execute_API.c", __zend_orig_lineno=392) at zend_execute.h:64
#5  0x081c77ac in _zval_ptr_dtor (zval_ptr=0xbfffb428, __zend_filename=0x8291260 "/home/dev/php-src/Zend/zend_vm_execute.h", __zend_lineno=6619)
    at /home/dev/php-src/Zend/zend_execute_API.c:392
#6  0x0820d6c1 in ZEND_ECHO_SPEC_VAR_HANDLER (execute_data=0xbfffb810) at zend_vm_execute.h:6619
#7  0x081fc5ad in execute (op_array=0x834bca4) at zend_vm_execute.h:58
#8  0x081d59fa in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/dev/php-src/Zend/zend.c:1053
#9  0x0818d3ca in php_execute_script (primary_file=0xbfffdc20) at /home/dev/php-src/main/main.c:1635
#10 0x0824fc2f in main (argc=3, argv=0xbfffdcb4) at /home/dev/php-src/sapi/cli/php_cli.c:943

At the same time, 5_0 works fine, printing "page_show".
 [2005-03-13 19:22 UTC] helly@php.net
There is still a problem with uninitialized temp and cv vars. This is related to http://bugs.php.net/32252
 [2005-05-14 12:26 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

Not reproducible anymore.
 [2005-05-22 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-12-04 13:35 UTC] profic at kursknet dot ru
Just found it.
As Tony mentions earlier, not reproducible anymore.
So I close it.
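
The behaviour reported in this thread, written as a self-checking regression script for a current build. This is an added example, not code from the report or from php-src; it assumes PHP 8.0+, and `OffsetStore` and `checkTemporaryOffsets` are hypothetical names.

```php
<?php
// Added regression check, not code from the bug report. Requires PHP 8.0+.
// OffsetStore and checkTemporaryOffsets are hypothetical names.
final class OffsetStore implements ArrayAccess
{
    private array $store = [];

    public function offsetExists(mixed $offset): bool { return array_key_exists($offset, $this->store); }
    public function offsetGet(mixed $offset): mixed { return $this->store[$offset] ?? null; }
    public function offsetSet(mixed $offset, mixed $value): void { $this->store[$offset] = $value; }
    public function offsetUnset(mixed $offset): void { unset($this->store[$offset]); }
    public function dump(): array { return $this->store; }
}

// Returns a list of mismatch descriptions; an empty list means the build behaves correctly.
function checkTemporaryOffsets(string $idx): array
{
    $o = new OffsetStore();
    // The concatenations are written inline on purpose: the offset must reach
    // offsetSet()/offsetGet() as an engine temporary, as in the report.
    $o[$idx] = $idx;
    $o[$idx . '-2'] = $idx . '-2';
    $o['3-' . $idx] = $idx . '-333';
    $o['4-' . $idx] = $idx . '-4444';
    $o['5-' . $idx] = $idx . '-5';

    $expected = [
        $idx       => $idx,
        "{$idx}-2" => "{$idx}-2",
        "3-{$idx}" => "{$idx}-333",
        "4-{$idx}" => "{$idx}-4444",
        "5-{$idx}" => "{$idx}-5",
    ];
    $failures = [];
    if ($o->dump() !== $expected) {
        $failures[] = 'stored keys/values differ: ' . json_encode($o->dump());
    }
    // Read back through temporaries too; the minimal testcase crashed on a read.
    foreach (['3-' => '-333', '4-' => '-4444', '5-' => '-5'] as $prefix => $suffix) {
        if ($o[$prefix . $idx] !== $idx . $suffix) {
            $failures[] = "read of {$prefix}{$idx} returned " . var_export($o[$prefix . $idx], true);
        }
    }
    return $failures;
}

$failures = checkTemporaryOffsets('idx');
echo $failures ? implode("\n", $failures) . "\n" : "ok\n";
exit($failures ? 1 : 0);
```

The non-zero exit status on a mismatch lets the script run under a memory checker or in CI, where a crash at shutdown would also surface as a failed run.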
 
Last updated: Sat Aug 13 19:05:45 2022 UTC