ID: 43201 Updated by: [EMAIL PROTECTED] Reported By: stas at zend dot com -Status: Assigned +Status: Closed Bug Type: Scripting Engine problem Operating System: * PHP Version: 5.2CVS-2007-11-05 (CVS) Assigned To: dmitry New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2007-11-05 18:20:40] [EMAIL PROTECTED] Shorter version: <?php class Foo { function __get($k) { return null; } } $c = new Foo(); $c->arr[0]["k"] = 1; $c->arr[0]["k2"] = $undef; for($cnt=0;$cnt<6;++$cnt) { $c->arr[$cnt]["k2"] = chop($undef); } ?> ------------------------------------------------------------------------ [2007-11-05 18:15:07] stas at zend dot com Description: ------------ Code modifying the result of __get (erroneously) and using undefined variables crashes, apparently because of unitialized_zval being freed. Reproduce code: --------------- <?php class Foo { function __get($k) { return null; } function __set($k, $v) { $this->$k = $v; } } $c = new Foo(); $c->arr[0]["k"] = 1; $c->arr[0]["k2"] = $ref; for($cnt=0;$cnt<6;$cnt++) { $ref = chop($undef); $c->arr[$cnt]["k2"] = $ref; } ?> Expected result: ---------------- No crash :) Actual result: -------------- On windows - crash On Unix debug - php5/Zend/zend_hash.c(517) : ht=0xa533520 is being destroyed ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=43201&edit=1
