ID: 43201
Updated by: [EMAIL PROTECTED]
Reported By: stas at zend dot com
Status: Open
Bug Type: Scripting Engine problem
Operating System: *
PHP Version: 5.2CVS-2007-11-05 (CVS)
Assigned To: dmitry
New Comment:
Shorter version:
<?php
class Foo {
function __get($k) {
return null;
}
}
$c = new Foo();
$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $undef;
for($cnt=0;$cnt<6;++$cnt) {
$c->arr[$cnt]["k2"] = chop($undef);
}
?>
Previous Comments:
------------------------------------------------------------------------
[2007-11-05 18:15:07] stas at zend dot com
Description:
------------
Code modifying the result of __get (erroneously) and using undefined
variables crashes, apparently because of unitialized_zval being freed.
Reproduce code:
---------------
<?php
class Foo {
function __get($k) {
return null;
}
function __set($k, $v) {
$this->$k = $v;
}
}
$c = new Foo();
$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $ref;
for($cnt=0;$cnt<6;$cnt++) {
$ref = chop($undef);
$c->arr[$cnt]["k2"] = $ref;
}
?>
Expected result:
----------------
No crash :)
Actual result:
--------------
On windows - crash
On Unix debug -
php5/Zend/zend_hash.c(517) : ht=0xa533520 is being destroyed
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=43201&edit=1
