From:
Operating system: Windows 7
PHP version: 5.3.6
Package: Reproducible crash
Bug Type: Bug
Bug description: PHP crash when using closures + extract(EXTR_REFS)

Description:
------------
See test script. PHP 5.3.5 is not affected.

Test script:
---------------
// Initially $Object is not a reference and contains a "pointer"
// to an stdClass object.
$Object =new stdClass;
/**/ echo 'New: '; debug_zval_dump( $Object);

// $Object becomes a reference to the "pointer" to an stdClass.
$Object =&$Object;
/**/ echo 'Self-reference: '; debug_zval_dump( $Object);

// Now we import $Object into closure by value. In theory,
// $Object, that is inside closure, should not be a reference, but rather
// should be a variable, that "points" to stdClass (i.e. an equivalent of
// $ImportedObject in expression "$ImportedObject =$Object").
$closure =function() use( $Object) {
    // Once you manipulate $Object, you get PHP crashed.
    $Object->x =10;
    //debug_zval_dump( $Object);
};

// By calling extract() we make $Object to reference a new stdClass instance.
extract( array( 'Object' =>new stdClass), EXTR_REFS);
echo 'After extract: '; debug_zval_dump( $Object);

// now we execute closure and get PHP crashed
$closure();

Expected result:
----------------
PHP should not crash.

Actual result:
--------------
PHP crashes. If you put die() right before $closure(), then you get following output:

line 1: New: object(stdClass)#1 (0) refcount(2){
line 2: }
line 3: Self-reference: object(stdClass)#1 (0) refcount(1){
line 4: }
line 5: After extract: object(stdClass)#3 (0) refcount(2){
line 6: }

Some questions regarding that output:

1) why there is refcount(2) in the first line? Isn't the object referenced only once and by $Object variable? I would expect to see refcount(1) here. As you can see on line 3, refcount seems to become correct after self-referencing is being made.

2) why line 5 says object(stdClass)#3, while there were only two (and not 3) stdClass objects allocated? If you comment out closure's definition, then you get object(stdClass)#2 (an expected output). Does closure clone $Object when you say "use($Object)"?
Shouldn't the stdClass object be simply "referenced" by the "use($Object)"?

--
Edit bug report at http://bugs.php.net/bug.php?id=54860&edit=1