php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67693 incorrect push to the empty array
Submitted: 2014-07-28 05:29 UTC Modified: 2014-07-28 07:13 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: dvlasov at parallels dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.5.15 OS: ubuntu 14.04 (32 bit)
Private report: No CVE-ID:
 [2014-07-28 05:29 UTC] dvlasov at parallels dot com
Description:
------------
When the initial one element array, starting with -1 index, is poped, and afterwards two values are pushed into the obtained empty array, the second value index is becoming 2147483647, which is obviously an error.


All other starting indexes (-2, 0, 1, 2,...) do not affect array in this way. 

Also, when starting index is > 0, the index of the first element, pushed into the empty array is kept from the previous key-value pair. Such behaviour may be also considered erroneous.

Test script:
---------------
<?php
$b=array(-1=>0);
$c=array_pop($b); assert($c == 0);

assert(array_push($b, 0), 1);
assert(array_push($b, 0), 2);
var_dump($b);
assert(array_push($b, 0), 3);
?>

Expected result:
----------------
array(2) {
  [0]=>
  int(0)
  [1]=>
  int(0)
}

Actual result:
--------------
array(2) {
  [-1]=>
  int(0)
  [2147483647]=>
  int(0)
}
PHP Warning:  array_push(): Cannot add element to the array as the next element is already occupied in /home/dmitri/workspace/cell/temp/array_push_pop_bug.php on line 8

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-07-28 07:13 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed -Package: Arrays related +Package: Scripting Engine problem
 [2014-07-28 07:13 UTC] yohgaki@php.net
http://3v4l.org/MPaIr

It's the same in 64 bit architecture. Current behavior is debatable/erroneous. 
I haven't read Zend hash code. It seems it's converting index to PHP_INT_MAX somewhere.

_phpi_pop() is the function.

http://lxr.php.net/xref/PHP_5_5/ext/standard/array.c#1934

ulong index; is used for numeric index and next free element is set as 

Z_ARRVAL_P(stack)->nNextFreeElement = Z_ARRVAL_P(stack)->nNextFreeElement - 1;

Use of signed long for index would result in more intuitive behavior since PHP's int is always signed. This is Zend Hash index signed/unsigned issue. For this reason, category is changed to "Scripting Engine Problem"  There might be similar issues elsewhere.

Another possible fix for this specific bug might be adding check against signed int max and set nNextFreeElement to 0 when index is larger than signed long max. This could be in released versions. It's ugly. Uniform use of signed/unsigned is much cleaner solution. IMO.
 [2014-07-30 10:36 UTC] datibbaw@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-07-30 10:36 UTC] datibbaw@php.net
-Status: Analyzed +Status: Closed
 [2014-08-04 08:26 UTC] ab@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-08-04 08:43 UTC] ab@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-08-04 09:59 UTC] dmitry@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-08-14 00:52 UTC] tyrael@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 [2014-10-07 23:24 UTC] stas@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=da3add26cf7d9eec2023fdd3e52550ccb49aa74c
Log: Fixed bug #67693 - incorrect push to the empty array
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jun 23 06:01:39 2017 UTC