ID: 28957 Updated by: [EMAIL PROTECTED] Reported By: su1d at phpclub dot net -Status: Open +Status: Verified Bug Type: Reproducible crash -Operating System: Win32 +Operating System: Win32, Linux, Tru64 5.1B -PHP Version: 5CVS-2004-06-29 (dev) +PHP Version: 5CVS-2004-07-14 (dev) New Comment:
Both scripts segv. Previous Comments: ------------------------------------------------------------------------ [2004-07-13 16:47:08] fixxxer at php5 dot ru p.s. don't take to notice that the name of directory is php5.0.0RC3 - it's the latest snap really. :) ------------------------------------------------------------------------ [2004-07-13 16:43:42] fixxxer at php5 dot ru The problem still exists on the latest snapshot (Jul 13, 2004 12:30 GMT) and seems to be os-independent (I've tried on FreeBSD 4.9 and Windows XP). <?php class foo implements ArrayAccess { function offsetSet($k,$v){} function offsetGet($k){return $this;} function offsetExists($k){return true;} function offsetUnset($k){} function __set($k, $v){} function __get($k){return $this;} } $bar = new foo; $bar[]->blabla = 1; ?> Program received signal SIGSEGV, Segmentation fault. 0x821272b in zend_call_function (fci=0xbfbfe26c, fci_cache=0xbfbfe24c) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute_API.c:752 752 (*fci->params[i])->refcount++; (gdb) bt #0 0x821272b in zend_call_function (fci=0xbfbfe26c, fci_cache=0xbfbfe24c) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute_API.c:752 #1 0x822d63e in zend_call_method (object_pp=0xbfbfe2e8, obj_ce=0x84f8824, fn_proxy=0x0, function_name=0x83f63ff "offsetget", function_name_len=9, retval_ptr_ptr=0xbfbfe2dc, param_count=1, arg1=0x0, arg2=0x0) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_interfaces.c:79 #2 0x8230bea in zend_std_read_dimension (object=0x85065e4, offset=0x0, type=1) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_object_handlers.c:384 #3 0x823d79c in zend_fetch_dimension_address (result=0x850e3b8, op1=0x850e3cc, op2=0x850e3e0, Ts=0x8510624, type=1) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:999 #4 0x825802b in zend_fetch_dim_w_handler (execute_data=0xbfbfe404, opline=0x850e3b4, op_array=0x8505124) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:2063 #5 0x823fbcf in execute (op_array=0x8505124) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend_execute.c:1391 #6 0x821e32e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/lang/php5/work/php-5.0.0RC3/Zend/zend.c:1061 #7 0x81e3ba5 in php_execute_script (primary_file=0xbfbffac0) at /usr/ports/lang/php5/work/php-5.0.0RC3/main/main.c:1627 #8 0x82688ce in main (argc=3, argv=0xbfbffb3c) at /usr/ports/lang/php5/work/php-5.0.0RC3/sapi/cli/php_cli.c:943 ------------------------------------------------------------------------ [2004-06-29 10:21:14] su1d at phpclub dot net Description: ------------ I suppose this could be related with the bug #26675 (http://bugs.php.net/bug.php?id=26675). Reproduce code: --------------- <?php class A implements ArrayAccess { function offsetGet($name) { return $this; } function offsetSet($name, $value) {} function offsetExists($name) { return true; } function offsetUnset($name) {} } $D = new A; $D[]->something = 1; ?> Expected result: ---------------- Actually, I'd like to see the offsetGet(null) to be called, but according to the `hack` that solved the #26675, I suppose this should be: Fatal error: Cannot use [] for reading in ... Actual result: -------------- *CRASH* ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28957&edit=1