php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #31300 ArrayAccess and __get crash when using string concat in key
Submitted: 2004-12-26 07:06 UTC Modified: 2005-06-06 08:40 UTC
Votes:4
Avg. Score:4.5 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: gardan at gmx dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.0.5-dev (26 May 05) OS: Win32
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2004-12-26 07:06 UTC] gardan at gmx dot com 
Description:
------------
When executing the posted code, PHP 5.0.2 and 5.0.3rc-2 crash and kill apache on the first echo. When uncommenting the first echo, it crashes on the second one.

Like this

echo($test["ab_cd"]);
echo($test->{"ab_cd"});

it works.

Reproduce code:
---------------
class arr implements ArrayAccess {
	public $x = array("ab_cd" => "hello");
	function offsetExists($offset) { return isset($this->x[$offset]); }
	function offsetSet($offset, $value) { $this->x[$offset] = $value; }
	function offsetGet($offset) { return $this->x[$offset]; }
	function offsetUnset($offset) { unset($this->x[$offset]); }
	function __get($offset) { return $this->x[$offset]; }
}
$test = new arr;
echo($test["ab_cd"]);       // works
echo($test->{"ab_cd"});     // works
echo($test["ab"."_cd"]);    // crash
echo($test->{"ab"."_cd"});  // crash


Expected result:
----------------
hellohellohellohello

Actual result:
--------------
hellohello <crash>
Windows Apache Log:
Parent: child process exited with status 3221225477 -- Restarting

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-26 07:32 UTC] Beater at orgalan dot de 
I can partially confirm this for 5.0.3 running on Windows XP. The behaviour is very unpredictable.

Following you'll find some test cases and the behaviour on my system.

class arr implements ArrayAccess {
	public $x = array("ab_cd" => "hello");
	function offsetExists($offset) { return isset($this->x[$offset]); }
	function offsetSet($offset, $value) { $this->x[$offset] = $value; }
	function offsetGet($offset) { return $this->x[$offset]; }
	function offsetUnset($offset) { unset($this->x[$offset]); }
	function __get($offset) { return $this->x[$offset]; }
}
$test = new arr;

case 1:
--------------------
echo($test["ab"."_cd"]);    // crashs

case 2:
--------------------
echo($test["ab_cd"]);       // works
echo($test["ab"."_cd"]);    // works

case 3:
echo($test["ab_cd"]);       // works
echo($test->{"ab_cd"});     // works
echo($test["ab"."_cd"]);    // crashs

sounds stupid, but you'll confirm it, i guess
 [2004-12-26 12:24 UTC] derick@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip
 [2004-12-26 22:40 UTC] gardan at gmx dot com 
Still crashing with cvs snapshot (Windows).
 [2005-01-11 08:24 UTC] helly@php.net 
ArrayAccess is defined and controlled by the engine not SPL
 [2005-03-05 03:55 UTC] matt dot bevan at marginsoftware dot com 
Consider this bug confirmed using Apache/2.0.52       
(Gentoo/Linux) PHP/5.0.3 but is not re-producible in a     
small amount of code.     
     
In my case, performing strange acts got around the bug     
when using the array access more than once with three     
other variable assignments in-between the first call and     
second:     
 - The first dot-concatenated call worked fine.     
 - The second segfaulted Apache, unless:     
    - The first call is commented out, or     
    - The second call is placed right below the first, or     
    - One line of three lines is commented out.     
    - All array accesses are changed to use sprintf     
      not dot concatenation.     
     
It doesn't matter which line of the three simple, static     
variable assignments is commented.    
    
This bug drove me crazy all today.  I'm going to have  
nightmares about this bug.  ;)
 [2005-04-29 15:59 UTC] tony2001@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

Can't reproduce with latest HEAD & 5.0.
 [2005-05-07 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-05-27 00:51 UTC] dmytton@php.net 
I am able to replicate this using the latest build:

PHP Version 5.0.5-dev
Build Date May 26 2005 18:16:00

The code provided "[26 Dec 2004 7:32am CET] Beater at orgalan dot de" causes Apache to crash with error:

[Thu May 26 23:38:27 2005] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Thu May 26 23:38:27 2005] [notice] Apache/2.0.54 (Win32) PHP/5.0.5-dev configured -- resuming normal operations
 [2005-06-06 08:40 UTC] dmitry@php.net 
This bug is fixed in CVS HEAD nad PHP_5_0.
See Zend/tests/object_handlers.phpt
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Jul 03 13:01:33 2024 UTC