ID: 22836
User updated by: brunswim at seas dot upenn dot edu
Reported By: brunswim at seas dot upenn dot edu
Status: Verified
Bug Type: Scripting Engine problem
Operating System: Debian Linux 2.4.18
PHP Version: 4.3.2-RC
New Comment:
This seems similar to bug #22367 but causes problems more globally.
Obviously, this is reproducible with a short script. In the following
similar example, it may be more apparent that global corruption is
taking place.
<?
function &f1() {
    // $a is never assigned here, so this returns a reference to an
    // uninitialized variable.
    return($a);
}
function f2() {
    $x = "bar";
    $y = "bug!";
    var_dump($x);        // reported as NULL on the affected engine
    print "<br>\n$x";    // prints "bug!" (the value of $y) instead of "bar"
}
$i =& f1();
$j =& f1();
f2();
?>
The output that I get is:
NULL
bug!
So, after 2 references to uninitialized variables, everything behaves
unpredictably.
It is easy to see how this situation could occur in "real" code. In
our case, we were building objects from a database select query. We
were iterating through the rows and putting data in $a[]. When there
were no rows, $a was never initialized, but it was extremely difficult
to isolate the problem because other functions, across many files, were
misbehaving due to this bug.
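As an added example (not part of the bug report), the database scenario described above written in the unsafe shape beside the hardened one. The row set is constructed inline to stand in for a SELECT result; the function and variable names are assumptions.

```php
<?php
// Added example, not code from the report. $fake_rows is a constructed
// stand-in for the rows returned by a database select query.

// Unsafe shape (the pattern from the report): $a is only assigned inside
// the loop, so with zero rows the function returns a reference to a
// variable that was never initialized, which is what triggers the
// engine corruption described in the report.
function &unsafe_load_rows($rows) {
    foreach ($rows as $row) {
        $a[] = $row;
    }
    return $a;   // undefined when $rows is empty
}

// Hardened shape: initialize the result before the loop, so the returned
// reference always points at a real (possibly empty) array and never at
// an uninitialized variable.
function &safe_load_rows($rows) {
    $a = array();
    foreach ($rows as $row) {
        $a[] = $row;
    }
    return $a;
}

// Check what a reference-returning loader handed back before using it.
function check_loaded($name, &$result) {
    if (is_array($result)) {
        echo "$name: array with " . count($result) . " rows\n";
    } else {
        echo "$name: NOT an array (" . gettype($result) . ")\n";
    }
}

$fake_rows = array(array('id' => 1, 'name' => 'alice'));   // constructed
$no_rows   = array();                                      // constructed

$r1 =& unsafe_load_rows($no_rows);
check_loaded('unsafe, zero rows', $r1);   // NULL: the case that bites
$r2 =& safe_load_rows($no_rows);
check_loaded('safe, zero rows', $r2);     // empty array, no shared NULL
$r3 =& safe_load_rows($fake_rows);
check_loaded('safe, one row', $r3);
?>
```

The one-line initialization before the loop is the fix a reviewer would ask for: it removes the zero-row path that hands the engine's shared uninitialized value back to callers.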
Previous Comments:
------------------------------------------------------------------------
[2003-03-24 04:29:46] [EMAIL PROTECTED]
This problem has much to do with bug #22367.
Assumed reason: unexpected change of EG(uninitialized_zval_ptr).
------------------------------------------------------------------------
[2003-03-24 03:41:50] [EMAIL PROTECTED]
I get the same output plus these leaks:
/usr/src/web/php/php4/Zend/zend_execute.c(436) : Freeing 0x0875A804 (4 bytes), script=t.php
/usr/src/web/php/php4/Zend/zend_variables.c(111) : Actual location (location was relayed)
/usr/src/web/php/php4/Zend/zend_execute.c(1702) : Freeing 0x0875A6EC (12 bytes), script=t.php
------------------------------------------------------------------------
[2003-03-24 01:45:41] brunswim at seas dot upenn dot edu
For the record, the output I am getting for this script is:
string(3) "foo"
foo
string(3) "foo"
foo
NULL
foo
NULL
foo
NULL
foo
NULL
foo
NULL
foo
NULL
foo
------------------------------------------------------------------------
[2003-03-23 22:53:07] brunswim at seas dot upenn dot edu
f() returns a reference to an uninitialized variable $a. In subsequent
calls, this appears to corrupt the local variable $x. The following
script demonstrates the problem.
<?
function &f() {
    $x = "foo";
    var_dump($x);              // NULL from the third call onwards
    print "<br>\n$x<br>\n";    // still prints "foo"
    // $a is never assigned: returns a reference to an uninitialized variable
    return($a);
}
for ($i = 0; $i < 8; $i++) {
    $h =& f();
}
?>
On the third call to f(), $x prints fine but is reported to be NULL by
var_dump(). Operations on $x will subsequently cause unexpected
behavior.
We can change the behavior of $x by adding the line:
$y = "bar";
after the line:
$x = "foo";
If we do this, printing $x returns "bar" but var_dump() still returns
NULL.
------------------------------------------------------------------------