Bug #46749 Crash when repeatedly attempting to assign to property of non-object.
Submitted: 2008-12-04 15:26 UTC Modified: 2008-12-04 15:51 UTC
From: robin_fernandes at uk dot ibm dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 6CVS-2008-12-04 (snap) OS: *
Private report: No CVE-ID: None
 [2008-12-04 15:26 UTC] robin_fernandes at uk dot ibm dot com
Description:
------------
The script below crashes consistently on Windows and Linux on the latest php6 snap.

This seems to be specific to HEAD: I could NOT recreate the crash on the latest 5_2 and 5_3 snaps.

Reproduce code:
---------------
<?php
Class C {
	public $nonEmptyString = 'hello';
}

$c = new C;
$i=0;
while ($i++<10) {
	echo "$i...";
	@$c->nonEmptyString->prop = "Will eventually cause crash";
}
echo "Done."
?>

Expected result:
----------------
1...2...3...4...5...6...7...8...9...10...Done.

Actual result:
--------------
1...2...[crash]

 [2008-12-04 15:30 UTC] robin_fernandes at uk dot ibm dot com
In fact, the class C above is not necessary to get the crash; here is a shorter reproduce script. Expected and actual output as above.

<?php
$nonEmptyString = 'hello';
$i=0;
while ($i++<10) {
	echo "$i...";
	@$nonEmptyString->prop = 'Will eventually cause crash';
}
echo "Done."
?>
 [2008-12-04 15:32 UTC] felipe@php.net
I can reproduce it.

1...2...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1225472304 (LWP 8923)]
0x0846bc91 in gc_remove_zval_from_buffer (zv=0x895149c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_gc.h:189
189             root->next->prev = root->prev;
(gdb) bt
#0  0x0846bc91 in gc_remove_zval_from_buffer (zv=0x895149c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_gc.h:189
#1  0x0841beaf in _zval_ptr_dtor (zval_ptr=0xbfcf97e8, __zend_filename=0x878582c "/home/felipe/dev/php6/Zend/zend_execute.c", __zend_lineno=604)
    at /home/felipe/dev/php6/Zend/zend_execute_API.c:455
#2  0x0849ca24 in zend_assign_to_object (result=0x8951438, object_ptr=0x8951720, property_name=0x8951464, value_op=0x8951498, Ts=0x8984188, opcode=136, tsrm_ls=0x87a9050)
    at /home/felipe/dev/php6/Zend/zend_execute.c:604
#3  0x0849c652 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_HANDLER (execute_data=0x8984134, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_vm_execute.h:10561
#4  0x08477033 in execute (op_array=0x8950c9c, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/Zend/zend_vm_execute.h:104
#5  0x084372bf in zend_execute_scripts (type=8, tsrm_ls=0x87a9050, retval=0x0, file_count=3) at /home/felipe/dev/php6/Zend/zend.c:1723
#6  0x083935e8 in php_execute_script (primary_file=0xbfcfbc98, tsrm_ls=0x87a9050) at /home/felipe/dev/php6/main/main.c:2216
#7  0x084edc28 in main (argc=2, argv=0xbfcfbe14) at /home/felipe/dev/php6/sapi/cli/php_cli.c:1141

 [2008-12-04 15:51 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
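As an added regression test, not taken from the report above or from php-src, here is the reduced reproduce script in the .phpt format PHP's own test runner consumes; the path Zend/tests/bug46749.phpt is an assumed location, and the test assumes the engine of that era, where writing a property on a non-empty string raises a warning rather than the Error exception PHP 8 throws:

```php
--TEST--
Bug #46749 (Crash when repeatedly attempting to assign to property of non-object)
--FILE--
<?php
// Added regression test, not from the report or php-src.
// Assumed path: Zend/tests/bug46749.phpt (run with `make test TESTS=Zend/tests/bug46749.phpt`).
// The crash needed more than one iteration (the reporter saw "1...2..." before the
// SIGSEGV), so the loop runs several times to exercise the faulty destructor path.
$nonEmptyString = 'hello';
$i = 0;
while ($i++ < 10) {
    echo "$i...";
    // Writing a property on a string is invalid; '@' keeps the per-iteration warning
    // out of the output so the test checks only that the engine survives the loop.
    @$nonEmptyString->prop = 'Will eventually cause crash';
}
// The failed assignments must leave the string itself untouched.
var_dump($nonEmptyString === 'hello');
echo "Done.\n";
?>
--EXPECT--
1...2...3...4...5...6...7...8...9...10...bool(true)
Done.
```

A test that segfaults is reported by run-tests.php as a failure, so the script guards the fix without having to inspect a backtrace.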
