Bug #62653 unset($array[$float]) causes a crash
Submitted: 2012-07-24 16:16 UTC
Modified: 2012-07-26 05:57 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:4 (100.0%)
From: davidso1 at rose-hulman dot edu
Assigned: laruence
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.4.5
OS: Windows Server
Private report: No
CVE-ID:
 [2012-07-24 16:16 UTC] davidso1 at rose-hulman dot edu
Description:
------------
The test code crashes Apache in the 5.4+ environment.
$foo starts as a string, gets interpreted as a double but it isn't I guess.

unset($array[(double) $foo]) works as expected

Test script:
---------------
<?php
$array = array("5" => "bar");
$foo = "10.0000"; // gettype($foo) = "string"
$foo /= 2;        // Makes $foo = 5 but still gettype($foo) = "double"
unset($array[$foo]);
print_r($array);

Expected result:
----------------
Array()

Actual result:
--------------
Error 101 (net::ERR_CONNECTION_RESET): The connection was reset.
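
A regression check built around the test script above, as an added example that is not part of the original report or of php-src. It goes beyond the single offset in the report by exercising several integral float offsets against `isset()` and `unset()`; the function name `check_float_unset` and all keys and values are constructed for illustration.

```php
<?php
// Added regression check, not part of the original report.
// All keys and values below are constructed sample data.

// Returns a list of failure descriptions; an empty list means every case passed.
function check_float_unset()
{
    $half = "10.0000";   // numeric string, as in the report
    $half /= 2;          // now a float holding 5

    // label => array(float offset, integer key it must address)
    $cases = array(
        'string divided by 2' => array($half, 5),
        'float literal'       => array(5.0, 5),
        'cast from int'       => array((float) 7, 7),
        'negative float'      => array(-3.0, -3),
        'zero'                => array(0.0, 0),
    );

    $failures = array();
    foreach ($cases as $label => $case) {
        list($offset, $intKey) = $case;
        // The target key plus two neighbours that must survive the unset().
        $array = array($intKey => 'target', 100 => 'keep', 'name' => 'keep');

        if (!is_float($offset)) {
            $failures[] = "$label: offset is " . gettype($offset) . ", expected double";
            continue;
        }
        if (!isset($array[$offset])) {
            $failures[] = "$label: isset() does not see the key";
        }
        unset($array[$offset]);
        if (array_key_exists($intKey, $array)) {
            $failures[] = "$label: key $intKey still present after unset()";
        }
        if ($array !== array(100 => 'keep', 'name' => 'keep')) {
            $failures[] = "$label: other elements were disturbed";
        }
    }
    return $failures;
}

$failures = check_float_unset();
echo $failures ? implode("\n", $failures) . "\n" : "OK\n";
exit($failures ? 1 : 0);
```

Run it with the CLI binary of the build under test; a process that dies before printing `OK` or a failure list is itself a failed check.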

 [2012-07-24 19:27 UTC] sixd@php.net
The testcase produces invalid reads & writes in valgrind.
 [2012-07-25 13:40 UTC] laruence@php.net
I cannot reproduce this on Linux redhat
 [2012-07-25 15:54 UTC] nikic@php.net
-Summary: unset(array($foo)) crashes apache depending on $foo
+Summary: unset($array[$float]) causes a crash
 [2012-07-25 15:55 UTC] jpauli@php.net
Switch to Scripting Engine Problem as bug type
 [2012-07-25 15:55 UTC] jpauli@php.net
-Package: Apache2 related
+Package: Scripting Engine problem
 [2012-07-25 16:48 UTC] nikic@php.net
I have a patch for this here: https://github.com/php/php-src/pull/144

If you could test whether it fixes the issue for you it would help a lot.

We had some issues reproducing the problem consistently, so would be nice to verify this :)
 [2012-07-26 02:16 UTC] laruence@php.net
still can not reproduce in Ubuntu 11.10 && valgrind 3.6.1 & gcc 4.6.1 & 64bits
 [2012-07-26 02:26 UTC] rasmus@php.net
It is reproducible on 64-bit Ubuntu 12.04 with Valgrind 3.8.0
 [2012-07-26 05:53 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eae06100429f37e5297c432e99104daeeed13bad
Log: Fixed bug #62653: (unset($array[$float]) causes a crash)
 [2012-07-26 05:56 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eae06100429f37e5297c432e99104daeeed13bad
Log: Fixed bug #62653: (unset($array[$float]) causes a crash)
 [2012-07-26 05:57 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

the reason why jpauli and I can not reproduce is (it's silly):
I typo "USE_ZEND_ALLOC *&&* valgrind" at the first time, then I always ctrl+r
and jpauli copied my command from the pastebin :)

thanks
 [2012-07-26 05:57 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence
 [2012-07-26 15:35 UTC] smithrn at rose-hulman dot edu
I'm trying to test out the fix in the new Windows snapshot, but all of the links to download the snapshot are broken on http://windows.php.net/snapshots/
 
Last updated: Fri Apr 18 00:01:21 2014 UTC