php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34310 foreach($arr as $c->d => $x) crashes (works with PHP 5.0.3)
Submitted: 2005-08-30 16:14 UTC Modified: 2005-09-01 12:55 UTC
From: devriese at cs dot tcd dot ie Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2005-08-31 OS: *
Private report: No CVE-ID:
 [2005-08-30 16:14 UTC] devriese at cs dot tcd dot ie
Description:
------------
When using an object attribute to store the key in a foreach loop, PHP crashes with a segmentation error (note that using an object attribute to store a value does work; see example code). 

Also: this code runs fine in PHP 5.0.3, but crashes with PHP 5.1.0RC1.

Reproduce code:
---------------
<?php
   class C
   {
      var $d;
   }

   $c = new C();

   $arr = array(1 => 'a', 2 => 'b', 3 => 'c');

   // Works fine:
   foreach($arr as $x => $c->d) echo "$c->d\n";

   // Crashes:
   foreach($arr as $c->d => $x) echo "$c->d\n";
?>

Expected result:
----------------
a
b
c
1
2
3


Actual result:
--------------
(in GDB):

a
b
c

Program received signal SIGSEGV, Segmentation fault.
0x003357c0 in zend_pzval_unlock_func (z=0x0, should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:66
66              if (!--z->refcount) {
(gdb) bt
#0  0x003357c0 in zend_pzval_unlock_func (z=0x0, should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:66
#1  0x00335774 in _get_zval_ptr_ptr_var (node=0x50b270, Ts=0xffbfde90, 
    should_free=0xffbfdd7c)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:259
#2  0x00335700 in _get_zval_ptr_ptr (node=0x50b270, Ts=0xffbfde90, 
    should_free=0xffbfdd7c, type=1)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:300
#3  0x00337088 in zend_assign_to_variable (result=0x50b258, op1=0x50b270, 
    op2=0x50b288, value=0xffbfe028, type=2, Ts=0xffbfde90)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend_execute.c:632
#4  0x0035f62c in ZEND_ASSIGN_SPEC_VAR_TMP_HANDLER (execute_data=0xffbfe088)
    at zend_vm_execute.h:10210
#5  0x00333b1c in execute (op_array=0x506618) at zend_vm_execute.h:87
#6  0x002f6e1c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /misc/csw/src/php-5.1.0RC1/Zend/zend.c:1078
#7  0x00286e44 in php_execute_script (primary_file=0xffbfe848)
    at /misc/csw/src/php-5.1.0RC1/main/main.c:1672
#8  0x003a47a0 in main (argc=2, argv=0xffbfe8fc)
    at /misc/csw/src/php-5.1.0RC1/sapi/cgi/cgi_main.c:1574

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-31 10:43 UTC] sniper@php.net
Dmitry, check this out please.
 [2005-08-31 11:18 UTC] sniper@php.net
I added a test for this in Zend/tests/

 [2005-09-01 12:55 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_1.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC