ID: 29493 Updated by: [EMAIL PROTECTED] Reported By: msm at manley dot org -Status: Open +Status: Verified Bug Type: Unknown/Other Function Operating System: Linux, FreeBSD PHP Version: 5.0.0 -Assigned To: +Assigned To: moriyoshi New Comment:
Seems a side-effect of the fix I did for bug #25708. Previous Comments: ------------------------------------------------------------------------ [2004-08-06 16:35:22] msm at manley dot org Sent patch to [EMAIL PROTECTED] that passes all of the PHP distribution testcases for bug 25708 and all of the testcases above. ------------------------------------------------------------------------ [2004-08-05 00:44:03] msm at manley dot org That patch is no good. It causes the testcase for bug 25708 to fail. ------------------------------------------------------------------------ [2004-08-04 23:46:02] msm at manley dot org The problem lies in extract()'s use of the SEPARATE_ZVAL macro in ext/standard/array.c. That macro actually makes a full copy of a ZVAL if the ZVAL's refcount is > 1. I assume that's used when doing lazy copies, normally. The existing extract() function uses SEPARATE_ZVAL_TO_MAKE_IS_REF to set is_ref = 1 in the ZVAL. When the refcount on the extract()ed array is 1, no copy is made and the extracted variables are refs to the array member. When the refcount is > 1, a copy of the array entry gets made by SEPARATE_ZVAL and the extracted variable end up as refs to the copy. Here is a patch that I believe fixes the problem. So far a modified version of PHP 5.0.0 has passed all the testcases with this patch in place. --- array.c Wed Aug 4 15:54:40 2004 +++ array.c.msm Wed Aug 4 16:42:01 2004 @@ -1372,7 +1372,7 @@ if (extract_refs) { zval **orig_var; - SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + (*(entry))->is_ref = 1; zval_add_ref(entry); if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { ------------------------------------------------------------------------ [2004-08-03 22:59:58] msm at manley dot org Realizing I'm mostly conversing with myself here: I'm not completely certain, but I think the issue is on line 1375 of ext/standard/array.c SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); If I follow the logic back through the twisty little maze of zend.h macros, it would appear that when that macro is called and the refcount on the original entry is > 1, SEPARATE_ZVAL ends up copying the entry entirely. But that would mean the individual entries in a array/hash have the same refcount as the array in general. Perhaps that's true? At this point I am in way deeper than I can figure, having never even looked at the PHP source before today. ------------------------------------------------------------------------ [2004-08-03 20:04:19] msm at manley dot org I shortened my testcases down to the following: <?php rc1(); rc2(); rc3(); function rc1() { echo "\n\n1: array copy by value\n"; $a = array( 'foo' => 'bar'); $b = $a; $b['foo'] = 'diff'; print_r($a); echo "\n-----\nnow extract from a with EXTR_REFS\n"; extract($a,EXTR_REFS); echo "post extract, foo = $foo\n"; $foo = 'noo'; echo "post reassign, foo = $foo\n"; print_r($a); print_r($b); } function rc2() { echo "\n\n2: array copy by reference\n"; $a = array( 'foo' => 'bar'); $b =& $a; print_r($a); echo "\n-----\nnow extract from a with EXTR_REFS\n"; extract($a,EXTR_REFS); echo "post extract, foo = $foo\n"; $foo = 'noo'; echo "post reassign, foo = $foo\n"; print_r($a); } function rc3() { echo "\n\n3: array copy by reference then unset copy\n"; $a = array( 'foo' => 'bar'); $b =& $a; unset($b); print_r($a); echo "\n-----\nnow extract from a with EXTR_REFS\n"; extract($a,EXTR_REFS); echo "post extract, foo = $foo\n"; $foo = 'noo'; echo "post reassign, foo = $foo\n"; print_r($a); } ?> Testcases 1 and 3 pass - $foo is a ref to $a['foo']. Testcase 2 fails -- $foo does not appear to be a ref to $a['foo']. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/29493 -- Edit this bug report at http://bugs.php.net/?id=29493&edit=1