ID:               28957
 Updated by:       [EMAIL PROTECTED]
 Reported By:      su1d at phpclub dot net
-Status:           Open
+Status:           Verified
 Bug Type:         Reproducible crash
-Operating System: Win32
+Operating System: Win32, Linux, Tru64 5.1B
-PHP Version:      5CVS-2004-06-29 (dev)
+PHP Version:      5CVS-2004-07-14 (dev)
 New Comment:

Both scripts segv.


Previous Comments:
------------------------------------------------------------------------

[2004-07-13 16:47:08] fixxxer at php5 dot ru

P.S. Take no notice that the name of the directory is php5.0.0RC3 -
it's really the latest snap. :)

------------------------------------------------------------------------

[2004-07-13 16:43:42] fixxxer at php5 dot ru

The problem still exists on the latest snapshot (Jul 13, 2004 12:30
GMT) and seems to be os-independent (I've tried on FreeBSD 4.9 and
Windows XP).

<?php

class foo implements ArrayAccess {
  function offsetSet($k,$v){}
  function offsetGet($k){return $this;}
  function offsetExists($k){return true;}
  function offsetUnset($k){}
  function __set($k, $v){}
  function __get($k){return $this;}
}

$bar = new foo;
$bar[]->blabla = 1;

?>


Program received signal SIGSEGV, Segmentation fault.
0x821272b in zend_call_function (fci=0xbfbfe26c, fci_cache=0xbfbfe24c)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute_API.c:752
752                             (*fci->params[i])->refcount++;
(gdb) bt
#0  0x821272b in zend_call_function (fci=0xbfbfe26c, fci_cache=0xbfbfe24c)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute_API.c:752
#1  0x822d63e in zend_call_method (object_pp=0xbfbfe2e8, obj_ce=0x84f8824, fn_proxy=0x0,
    function_name=0x83f63ff "offsetget", function_name_len=9, retval_ptr_ptr=0xbfbfe2dc, param_count=1, arg1=0x0, arg2=0x0)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_interfaces.c:79
#2  0x8230bea in zend_std_read_dimension (object=0x85065e4, offset=0x0, type=1)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_object_handlers.c:384
#3  0x823d79c in zend_fetch_dimension_address (result=0x850e3b8, op1=0x850e3cc, op2=0x850e3e0, Ts=0x8510624, type=1)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:999
#4  0x825802b in zend_fetch_dim_w_handler (execute_data=0xbfbfe404, opline=0x850e3b4, op_array=0x8505124)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:2063
#5  0x823fbcf in execute (op_array=0x8505124) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:1391
#6  0x821e32e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend.c:1061
#7  0x81e3ba5 in php_execute_script (primary_file=0xbfbffac0) at /usr/ports/lang/php5/work/php-5.0.0RC3/main/main.c:1627
#8  0x82688ce in main (argc=3, argv=0xbfbffb3c) at /usr/ports/lang/php5/work/php-5.0.0RC3/sapi/cli/php_cli.c:943

------------------------------------------------------------------------

[2004-06-29 10:21:14] su1d at phpclub dot net

Description:
------------
I suppose this could be related to bug #26675
(http://bugs.php.net/bug.php?id=26675).


Reproduce code:
---------------
<?php
class A implements ArrayAccess {
        function offsetGet($name) { return $this; }
        function offsetSet($name, $value) {}
        function offsetExists($name) { return true; }
        function offsetUnset($name) {}
}

$D = new A;
$D[]->something = 1;
?>

Expected result:
----------------
Actually, I'd like to see offsetGet(null) called, but
according to the `hack` that solved #26675, I suppose this should
be:

Fatal error: Cannot use [] for reading in ...


Actual result:
--------------
*CRASH*



------------------------------------------------------------------------
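
The backtrace above shows offset=0x0 reaching the offsetGet call and the fault on the refcount increment of that argument. The C model below is an added example, not PHP engine code and not the fix applied to this bug; every type and function name in it is hypothetical. It shows the two outcomes the original report describes for `$obj[]` in a read context: rejecting the empty index, or calling the handler with a null offset value.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an engine value; not the Zend zval. */
typedef struct { int refcount; int is_null; } value_t;
typedef int (*offset_get_fn)(const value_t *offset);

enum policy { REJECT_EMPTY_INDEX, PASS_NULL_OFFSET };
enum { READ_OK = 0, READ_ERR_EMPTY_INDEX = -1 };

/* Holds a reference on the argument for the duration of the call, like the
 * dispatcher in frame #0. It dereferences `offset`, so callers must never
 * hand it NULL. */
static int call_offset_get(offset_get_fn fn, value_t *offset)
{
    offset->refcount++;
    int rc = fn(offset);
    offset->refcount--;
    return rc;
}

/* Models frame #2. offset == NULL means the script wrote "[]" (no index).
 * The check sits here, before any refcount is touched. */
int read_dimension(offset_get_fn fn, value_t *offset, enum policy p)
{
    if (offset == NULL) {
        if (p == REJECT_EMPTY_INDEX)
            return READ_ERR_EMPTY_INDEX;  /* "Cannot use [] for reading" */
        value_t null_offset = { 1, 1 };   /* temporary null value for the call */
        return call_offset_get(fn, &null_offset);
    }
    return call_offset_get(fn, offset);
}

/* Constructed sample handler: 100 if it saw a null offset, 200 otherwise. */
int sample_offset_get(const value_t *offset)
{
    return offset->is_null ? 100 : 200;
}

int main(void)
{
    value_t key = { 1, 0 };
    printf("[] rejected:   %d\n", read_dimension(sample_offset_get, NULL, REJECT_EMPTY_INDEX));
    printf("[] as null:    %d\n", read_dimension(sample_offset_get, NULL, PASS_NULL_OFFSET));
    printf("[key]:         %d\n", read_dimension(sample_offset_get, &key, REJECT_EMPTY_INDEX));
    return 0;
}
```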


-- 
Edit this bug report at http://bugs.php.net/?id=28957&edit=1
