Hi: this was introduced in https://github.com/php/php-src/commit/b7e124004f24896248827eb969909f1e92eafc39 ; that commit was only for 5.4.
so 5.3 didn't have this bug, actually our fix is make the codes similar with 5.3 :). thanks On Thu, Jul 26, 2012 at 1:53 PM, Xinchen Hui <larue...@php.net> wrote:
> Commit: eae06100429f37e5297c432e99104daeeed13bad
> Author: Xinchen Hui <larue...@php.net> Thu, 26 Jul 2012 13:52:42
> +0800
> Parents: ba27e0888a3bb91eba3266c71003df045c4d2091
> Branches: PHP-5.4
>
> Link:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad
>
> Log:
> Fixed bug #62653: (unset($array[$float]) causes a crash)
>
> the reason why jpauli and I can not reproduce is (it's silly):
> I typo "USE_ZEND_ALLOC *&&* valgrind" at the first time, then I always ctrl+r
> and jpauli copied my command from the pastbin :)
>
> thanks
>
> Bugs:
> https://bugs.php.net/62653
>
> Changed paths:
> M NEWS
> A Zend/tests/bug62653.phpt
> M Zend/zend_vm_def.h
> M Zend/zend_vm_execute.h
>
>
> Diff:
> diff --git a/NEWS b/NEWS
> index d429849..407b052 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -5,6 +5,8 @@ PHP
> NEWS
> - Core:
> . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
> auto_prepend_file). (Laruence)
> + . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,
> + Laruence)
> . Fixed bug #62565 (Crashes due non-initialized internal properties_table).
> (Felipe)
>
> diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
> new file mode 100644
> index 0000000..cf5941c
> --- /dev/null
> +++ b/Zend/tests/bug62653.phpt
> @@ -0,0 +1,33 @@
> +--TEST--
> +Bug #62653: unset($array[$float]) causes a crash
> +--FILE--
> +<?php
> +$array = array("5"=>"bar");
> +$foo = "10.0000"; // gettype($foo) = "string"
> +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = "double"
> +unset($array[$foo]);
> +print_r($array);
> +
> +$array = array("5"=>"bar");
> +$foo = "5";
> +unset($array[(float)$foo]);
> +print_r($array);
> +
> +$array = array("5"=>"bar");
> +$foo = "5";
> +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = "double"
> +$name = "foo";
> +unset($array[$$name]);
> +print_r($array);
> +
> +?>
> +--EXPECT--
> +Array
> +(
> +)
> +Array
> +(
> +)
> +Array
> +(
> +)
> diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
> index 5a3ae49..f5567ea 100644
> --- a/Zend/zend_vm_def.h
> +++ b/Zend/zend_vm_def.h
> @@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV,
> CONST|TMP|VAR|CV)
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - ZEND_VM_C_GOTO(num_index_dim);
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
> index 1fb6e76..78f3d84 100644
> --- a/Zend/zend_vm_execute.h
> +++ b/Zend/zend_vm_execute.h
> @@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
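Review bot: The third case does not exercise key 5: `$foo = "5"; $foo /= 2;` leaves `$foo` at 2.5 (the "Makes $foo = 5" comment looks copied from the first case), so after the double-to-long conversion `unset($array[$$name])` addresses a different integer key and the third `--EXPECT--` block would not be the empty array shown. Start the case from `$foo = "10.0000";` as the first case does, or change its expectation to keep `[5] => bar`. Because the handler converts the key through `zend_dval_to_lval`, it would also be worth adding a non-integral, a negative and an out-of-range or NAN float key, so the crash fix is pinned for more than the exact value 5.0.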
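Review bot: The new `IS_DOUBLE` branch in ZEND_UNSET_DIM has no comment saying why it must no longer jump to `num_index_dim`, and someone tidying the now-duplicated `zend_hash_index_del(ht, hval); break;` could easily put the jump back. The label is outside this hunk; presumably it sits on a cleanup path that only the string-offset case prepares for, which would make the old jump a memory-safety fault reachable from script code with a float key rather than a plain logic slip, so that is worth confirming and writing down. I would add `/* no goto num_index_dim here: that path is for IS_STRING offsets, see bug #62653 */` above the delete. The handler body starts and ends outside the hunk, and the zend_vm_execute.h hunks repeat this same change for each specialised handler, so the comment belongs here in the definition.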
> @@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -21166,7 +21169,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -22504,7 +22508,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_H
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -23662,7 +23667,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HAN
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -24820,7 +24826,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HAN
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -26244,7 +26251,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HAND
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -29498,7 +29506,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDL
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -31371,7 +31380,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -33453,7 +33463,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> @@ -36219,7 +36230,8 @@ static int ZEND_FASTCALL
> ZEND_UNSET_DIM_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_
> switch (Z_TYPE_P(offset)) {
> case IS_DOUBLE:
> hval =
> zend_dval_to_lval(Z_DVAL_P(offset));
> - goto num_index_dim;
> + zend_hash_index_del(ht, hval);
> + break;
> case IS_RESOURCE:
> case IS_BOOL:
> case IS_LONG:
> > > -- > PHP CVS Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php