Commit:    eae06100429f37e5297c432e99104daeeed13bad
Author:    Xinchen Hui <larue...@php.net>         Thu, 26 Jul 2012 13:52:42 
+0800
Parents:   ba27e0888a3bb91eba3266c71003df045c4d2091
Branches:  PHP-5.4

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

Log:
Fixed bug #62653: (unset($array[$float]) causes a crash)

The reason why jpauli and I could not reproduce it is (it's silly):
I mistyped "USE_ZEND_ALLOC *&&* valgrind" the first time, then I always used ctrl+r,
and jpauli copied my command from the pastebin :)

thanks

Bugs:
https://bugs.php.net/62653

Changed paths:
  M  NEWS
  A  Zend/tests/bug62653.phpt
  M  Zend/zend_vm_def.h
  M  Zend/zend_vm_execute.h


Diff:
diff --git a/NEWS b/NEWS
index d429849..407b052 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP                                                             
           NEWS
 - Core:
   . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
     auto_prepend_file). (Laruence)
+  . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,
+    Laruence)
   . Fixed bug #62565 (Crashes due non-initialized internal properties_table).
     (Felipe)
 
diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
new file mode 100644
index 0000000..cf5941c
--- /dev/null
+++ b/Zend/tests/bug62653.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #62653: unset($array[$float]) causes a crash
+--FILE--
+<?php
+$array = array("5"=>"bar");
+$foo = "10.0000"; // gettype($foo) = "string"
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = "double"
+unset($array[$foo]);
+print_r($array);
+
+$array = array("5"=>"bar");
+$foo = "5";
+unset($array[(float)$foo]);
+print_r($array);
+
+$array = array("5"=>"bar");
+$foo = "5";
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = "double"
+$name = "foo";
+unset($array[$$name]);
+print_r($array);
+
+?>
+--EXPECT--
+Array
+(
+)
+Array
+(
+)
+Array
+(
+)
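Review bot: The third case does not exercise what its comment claims. With `$foo = "5";` followed by `$foo /= 2;` the value is 2.5, not 5, so `unset($array[$$name])` would truncate to index 2 and leave key 5 in place. That contradicts the empty third `Array ( )` block in `--EXPECT--`, so as written this case looks like it cannot match. The first case shows the intended setup, and the third should also start from `$foo = "10.0000";` so that the variable-variable path really unsets key 5. A case with a non-integral float key, asserting that the neighbouring key survives, would also pin the truncation behaviour.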
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 5a3ae49..f5567ea 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, 
CONST|TMP|VAR|CV)
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               ZEND_VM_C_GOTO(num_index_dim);
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
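Review bot: The new `IS_DOUBLE` arm carries no comment saying why it must no longer leave through `num_index_dim`, so a later cleanup could fold the two lines back into the `goto` and reintroduce the crash. The label and the code behind it are outside this hunk, so the cause is inferred: that exit presumably releases a reference on `offset` which only the string path acquires, making the old jump an unbalanced release rather than just a wrong result. I would add `/* delete here; num_index_dim is the numeric-string exit and must not be entered from this arm (bug #62653) */` above the `zend_hash_index_del(ht, hval);` line. The same two-line change repeats in every `ZEND_UNSET_DIM_SPEC_*` handler in `Zend/zend_vm_execute.h`, which is generated from this file, so the comment only needs to live here.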
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 1fb6e76..78f3d84 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -21166,7 +21169,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLER
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -22504,7 +22508,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_UNUSED_CONST_HANDLER(ZEND_OPCODE_H
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -23662,7 +23667,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_UNUSED_TMP_HANDLER(ZEND_OPCODE_HAN
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -24820,7 +24826,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_UNUSED_VAR_HANDLER(ZEND_OPCODE_HAN
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -26244,7 +26251,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_UNUSED_CV_HANDLER(ZEND_OPCODE_HAND
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -29498,7 +29506,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER(ZEND_OPCODE_HANDL
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -31371,7 +31380,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_CV_TMP_HANDLER(ZEND_OPCODE_HANDLER
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -33453,7 +33463,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLER
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:
@@ -36219,7 +36230,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER_
                                switch (Z_TYPE_P(offset)) {
                                        case IS_DOUBLE:
                                                hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-                                               goto num_index_dim;
+                                               zend_hash_index_del(ht, hval);
+                                               break;
                                        case IS_RESOURCE:
                                        case IS_BOOL:
                                        case IS_LONG:

