 ID:               28972
 Updated by:       [EMAIL PROTECTED]
 Reported By:      tomas_matousek at hotmail dot com
-Status:           Verified
+Status:           Feedback
 Bug Type:         Scripting Engine problem
 Operating System: *
 PHP Version:      5CVS, 4CVS (2005-06-19)
 New Comment:

Can you respond to the feedback request by Andi?


Previous Comments:
------------------------------------------------------------------------

[2005-06-24 00:10:04] [EMAIL PROTECTED]

In the case of an integer overflow, it shouldn't be strange to you that there might be unpredictable behavior.
Is this really a real-life problem that you are bumping into? If so, can you explain further? I am not sure if/how this should be addressed especially as different architectures might behave differently and I don't want to over-architect something which you shouldn't be bumping into in the first place...

------------------------------------------------------------------------

[2005-04-16 13:05:13] [EMAIL PROTECTED]

/usr/src/php/php5/Zend/zend_execute.c(891) : Freeing 0x09C7786C (16 bytes), script=t.php

------------------------------------------------------------------------

[2005-03-06 20:33:58] [EMAIL PROTECTED]

Leaks too:

/usr/src/php/php_4_3/Zend/zend_execute.c(501) : Freeing 0x09ACF6A4 (12 bytes), script=t.php

------------------------------------------------------------------------

[2004-06-30 11:08:01] tomas_matousek at hotmail dot com

Description:
------------
If there is an item in an array having key = 2^31-1 and you use the [] operator without specifying a key, it overflows and adds a new item with min. int (-2^31) in the array. This is IMHO not correct or at least not consistent with the manual, where the following sentence is stated:

"If you do not specify a key for a given value, then the maximum of the integer indices is taken, and the new key will be that maximum value + 1."

Moreover, consider the following array:

$a = array(2^31-2 => 1,-2^31 => 1)

and use $a[] twice. You get the warning: "Cannot add element to the array as the next element is already occupied".

But if the array is

$a = array(2^31-1 => 1,-2^31 => 1)

a new item is added with a key -2^31+1 with no warning.

However, if you use array_push instead of [], it never reports a warning but does the same as [].

IMHO it will be more correct if both [] and array_push do not add a new key and report a warning or notice if the maximal integer key reaches the maximum value 2^31-1.

Reproduce code:
---------------
<?php
$a = array(2147483647 => 1, -2147483648 => 1);
$a[] = 2;
$a[] = 3;
var_dump($a);

$a = array(2147483646 => 1, -2147483648 => 1);
$a[] = 2;
$a[] = 3;
var_dump($a);

Expected result:
----------------
Warning: Cannot add element to array - integer key reached maximal possible value ...
Warning: Cannot add element to array - integer key reached maximal possible value ...
array(4) {
  [2147483647]=>
  int(1)
  [-2147483648]=>
  int(1)
}
Warning: Cannot add element to array - integer key reached maximal possible value ...
array(3) {
  [2147483646]=>
  int(1)
  [-2147483648]=>
  int(1)
  [2147483647]=>
  int(2)
}

Actual result:
--------------
array(4) {
  [2147483647]=>
  int(1)
  [-2147483648]=>
  int(1)
  [-2147483647]=>
  int(2)
  [-2147483646]=>
  int(3)
}
Warning: Cannot add element to the array as the next element is already occupied in ...
array(3) {
  [2147483646]=>
  int(1)
  [-2147483648]=>
  int(1)
  [2147483647]=>
  int(2)
}

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=28972&edit=1
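
A simplified C model of the behaviour reported above, added here as an example; it is not PHP's source and not code from this thread. The names toy_array, toy_set, toy_append and run_case are hypothetical, and the next-key counter is assumed to be a 32-bit signed value, as in the report. Unguarded mode wraps the counter as in the "Actual result"; guarded mode refuses the append as in the "Expected result".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CAP 8
/* Toy integer-keyed array: a model for illustration, not Zend's HashTable. */
typedef struct {
    int32_t keys[CAP];
    size_t n;
    int32_t next_free; /* key the next append will use */
    bool guarded;      /* true: saturate at 2^31-1 instead of wrapping */
    bool full;         /* guarded mode only: key 2^31-1 is in use */
} toy_array;
static bool has_key(const toy_array *a, int32_t k) {
    for (size_t i = 0; i < a->n; i++)
        if (a->keys[i] == k) return true;
    return false;
}
/* Store a new key k and advance next_free past it. */
static void store(toy_array *a, int32_t k) {
    a->keys[a->n++] = k;
    if (k < a->next_free) return;
    if (k != INT32_MAX) a->next_free = k + 1;
    else if (a->guarded) a->full = true;  /* proposed: refuse later appends */
    else a->next_free = INT32_MIN;        /* reported: 32-bit wraparound */
}
/* $a[k] = v for a key not yet present (capacity checks omitted in this toy). */
void toy_set(toy_array *a, int32_t k) { if (!has_key(a, k)) store(a, k); }
/* $a[] = v; false is the "warning" case where no key can be assigned. */
bool toy_append(toy_array *a, int32_t *key) {
    if (a->full || has_key(a, a->next_free)) return false;
    *key = a->next_free;
    store(a, *key);
    return true;
}
/* Build array(first => 1, -2^31 => 1), append twice; returns appends that succeeded. */
int run_case(bool guarded, int32_t first, int32_t got[2]) {
    toy_array a = { .guarded = guarded };
    int ok = 0;
    toy_set(&a, first); toy_set(&a, INT32_MIN);
    for (int i = 0; i < 2; i++)
        if (toy_append(&a, &got[ok])) ok++;
    return ok;
}
int main(void) {
    int32_t got[2] = {0, 0};
    int ok = run_case(false, INT32_MAX, got);
    printf("%d appends, keys %d %d\n", ok, (int)got[0], (int)got[1]);
    return 0;
}
```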