Home Original page

PHP :: Bug #26675 :: Segfault on ArrayAccess use

Bug #26675 Segfault on ArrayAccess use
Submitted: 2003-12-19 20:20 UTC Modified: 2003-12-22 11:25 UTC
From: xi at ngs dot ru Assigned: helly (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.0b3 OS: *
Private report: No CVE-ID: None

 [2003-12-19 20:20 UTC] xi at ngs dot ru

Description:
------------
The following code produces segfault using snapshot php5-200312191230.

Reproduce code:
---------------
<?php
class A implements ArrayAccess
{
    private $array = array();

    public function offsetExists( $offset )
    { return isset( $this->array[ $offset ] ); }
    
    public function offsetGet( $offset )
    { return $this->array[ $offset ]; }

    public function offsetSet( $offset, $data )
    { $this->array[ $offset ] = $data; }

    public function offsetUnset( $offset )
    { unset( $this->array[ $offset ] ); }
}
$a = new A();
$a[] = 'Segfault here!';
?>

Expected result:
----------------
String added to $a

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2003-12-20 02:52 UTC] eru@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

 [2003-12-20 03:32 UTC] xi at ngs dot ru

Backtrace:

#0  zend_call_function (fci=0xbfffd4c0, fci_cache=0xbfffd4a0)
    at /home/simeon/php/php5-200312191230/Zend/zend_execute_API.c:668
#1  0x08141822 in zend_call_method (object_pp=0xbfffd550, obj_ce=0x4032b6dc, 
    fn_proxy=0x0, function_name=0x81941be "offsetset", function_name_len=9, 
    retval_ptr_ptr=0x0, param_count=136060708, arg1=0x0, arg2=0x4032a568)
    at /home/simeon/php/php5-200312191230/Zend/zend_interfaces.c:79
#2  0x081430ae in zend_std_write_dimension (object=0x4032c1cc, offset=0x0, 
    value=0x4032a568)
    at /home/simeon/php/php5-200312191230/Zend/zend_object_handlers.c:405
#3  0x08157410 in zend_assign_to_object (result=0x4032a4f0, 
    object_ptr=0x4032c250, op2=0x4032a520, value_op=0x4032a560, Ts=0xbfffd610, 
    opcode=147) at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:416
#4  0x081517e0 in zend_assign_dim_handler (execute_data=0xbfffd6f0, 
    op_array=0x40324e5c)
    at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:2058
#5  0x0814f5fd in execute (op_array=0x40324e5c)
    at /home/simeon/php/php5-200312191230/Zend/zend_execute.c:1260
#6  0x0813515a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/simeon/php/php5-200312191230/Zend/zend.c:1030
#7  0x081017ef in php_execute_script (primary_file=0xbffffac0)
    at /home/simeon/php/php5-200312191230/main/main.c:1638
#8  0x0815a312 in main (argc=2, argv=0xbffffb44)
    at /home/simeon/php/php5-200312191230/sapi/cli/php_cli.c:910

 [2003-12-22 11:25 UTC] helly@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.