ID: 30395 Updated by: [EMAIL PROTECTED] Reported By: mike dot greubel at pro-entertain dot de -Status: Assigned +Status: Closed Bug Type: Reproducible crash Operating System: GNU/Linux (Kernel 2.6.7) PHP Version: 5.0.2 Assigned To: andi New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Should be fixed in 5.0.x CVS. Will apply fix for 5.1.x hopefully tomorrow. Previous Comments: ------------------------------------------------------------------------ [2004-10-11 13:46:26] [EMAIL PROTECTED] Valgrind output: [EMAIL PROTECTED]:~$ valgrind php ==15710== Memcheck, a memory error detector for x86-linux. ==15710== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al. ==15710== Using valgrind-2.1.2, a program supervision framework for x86-linux. ==15710== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al. <?p==15710== For more details, rerun with: -v ==15710== hp $my_array = array(); for($x = 0; $x < 2; $x++) { unset($foo); $foo = array(); $foo->bar = "a string"; $my_array[$x] = $foo; } var_dump($my_array); ?> Warning: Attempt to assign property of non-object in - on line 7 Call Stack: 0.1031 39896 1. {main}() -:0 Variables in local scope: $my_array = array () $x = 0 $foo = array () Warning: Attempt to assign property of non-object in - on line 7 Call Stack: 0.1031 39896 1. {main}() -:0 Variables in local scope: $my_array = array (0 => array ()) $x = 1 $foo = array () [Mon Oct 11 13:43:59 2004] Script: '-' --------------------------------------- /dat/dev/php/php-5.1dev/Zend/zend_execute.c(80) : Block 0x1C3B81F4 status: /dat/dev/php/php-5.1dev/Zend/zend_execute.h(64) : Actual location (location was relayed) Beginning: Overrun (magic=0x00000007, expected=0x7312F8DC) End: Unknown --------------------------------------- array(2) { [0]=> array(0) { } [1]=> array(0) { } } ==15710== Invalid read of size 1 ==15710== at 0x1B904791: strlen (mac_replace_strmem.c:189) ==15710== by 0x829D50C: xbuf_format_converter (spprintf.c:518) ==15710== by 0x829DFCA: vspprintf (spprintf.c:725) ==15710== by 0x1C45C028: xdebug_error_cb (xdebug.c:1527) ==15710== Address 0x1C3B98B8 is 0 bytes after a block of size 56 alloc'd ==15710== at 0x1B904EDD: malloc (vg_replace_malloc.c:131) ==15710== by 0x82C907A: _emalloc (zend_alloc.c:181) ==15710== by 0x82C9982: _estrndup (zend_alloc.c:418) ==15710== by 0x82C4E80: lex_scan (zend_language_scanner.l:1511) Warning: String is not zero-terminated (ZZZZZZZZZZZZZZZZÌ*) (source: /dat/dev/php/php-5.1dev/Zend/zend_variables.h:35) in Unknown on line 0 [Mon Oct 11 13:44:00 2004] Script: '-' --------------------------------------- /dat/dev/php/php-5.1dev/Zend/zend_variables.h(35) : Block 0x1C3B9880 status: /dat/dev/php/php-5.1dev/Zend/zend_variables.c(36) : Actual location (location was relayed) Beginning: Cached (allocated on /dat/dev/php/php-5.1dev/Zend/zend_vm_handlers.h:2403, 16 bytes) End: OK --------------------------------------- ==15710== ==15710== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 60 from 1) ==15710== malloc/free: in use at exit: 1276 bytes in 10 blocks. ==15710== malloc/free: 11971 allocs, 11961 frees, 909526 bytes allocated. ==15710== For a detailed leak analysis, rerun with: --leak-check=yes ==15710== For counts of detected errors, rerun with: -v without xdebug: [EMAIL PROTECTED]:~$ valgrind php ==15759== Memcheck, a memory error detector for x86-linux. ==15759== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al. ==15759== Using valgrind-2.1.2, a program supervision framework for x86-linux. ==15759== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al. ==15759== For more details, rerun with: -v ==15759== <?php $my_array = array(); for($x = 0; $x < 2; $x++) { unset($foo); $foo = array(); $foo->bar = "a string"; $my_array[$x] = $foo; } var_dump($my_array); ?> Warning: Attempt to assign property of non-object in - on line 7 Warning: Attempt to assign property of non-object in - on line 7 [Mon Oct 11 13:45:54 2004] Script: '-' --------------------------------------- /dat/dev/php/php-5.1dev/Zend/zend_execute.c(80) : Block 0x1C3B2F7C status: /dat/dev/php/php-5.1dev/Zend/zend_execute.h(64) : Actual location (location was relayed) Beginning: Overrun (magic=0x00000007, expected=0x7312F8DC) End: Unknown --------------------------------------- array(2) { [0]=> array(0) { } [1]=> array(0) { } } ==15759== Invalid read of size 1 ==15759== at 0x1B904791: strlen (mac_replace_strmem.c:189) ==15759== by 0x829D50C: xbuf_format_converter (spprintf.c:518) ==15759== by 0x829DFCA: vspprintf (spprintf.c:725) ==15759== by 0x8299914: php_error_cb (main.c:624) ==15759== Address 0x1C3B4848 is 0 bytes after a block of size 56 alloc'd ==15759== at 0x1B904EDD: malloc (vg_replace_malloc.c:131) ==15759== by 0x82C907A: _emalloc (zend_alloc.c:181) ==15759== by 0x82C9982: _estrndup (zend_alloc.c:418) ==15759== by 0x82C4E80: lex_scan (zend_language_scanner.l:1511) Warning: String is not zero-terminated (ZZZZZZZZZZZZZZZZÌ*) (source: /dat/dev/ php/php-5.1dev/Zend/zend_variables.h:35) in Unknown on line 0 [Mon Oct 11 13:45:54 2004] Script: '-' --------------------------------------- /dat/dev/php/php-5.1dev/Zend/zend_variables.h(35) : Block 0x1C3B4810 status: /dat/dev/php/php-5.1dev/Zend/zend_variables.c(36) : Actual location (location wa s relayed) Beginning: Cached (allocated on /dat/dev/php/php-5.1dev/Zend/zend_vm_handle rs.h:2403, 16 bytes) End: OK --------------------------------------- ==15759== ==15759== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 58 from 1) ==15759== malloc/free: in use at exit: 322 bytes in 4 blocks. ==15759== malloc/free: 11641 allocs, 11637 frees, 882284 bytes allocated. ==15759== For a detailed leak analysis, rerun with: --leak-check=yes ==15759== For counts of detected errors, rerun with: -v ------------------------------------------------------------------------ [2004-10-11 13:17:52] mike dot greubel at pro-entertain dot de Description: ------------ A small peace of code didn't work (array_push), so I decided to write a different version with same result. Testing in Konqueror will produce a Lost-Connection-to-Server-Error. cli-version produces a segfault, too. Reproduce code: --------------- $my_array = array(); for($x = 0; $x < 2; $x++) { unset($foo); $foo = array(); $foo->bar = "a string"; $my_array[$x] = $foo; } var_dump($my_array); Expected result: ---------------- A vardump of array $my_array. Actual result: -------------- Apache: segmentation fault of httpd-child. Server version: Apache/2.0.52 [client 192.168.100.209] PHP Warning: Attempt to assign property of non-object in /data/www/viewsvn/test.phpon line 7 [client 192.168.100.xxx] PHP Warning: Attempt to assign property of non-object in /data/www/test.php on line 7 [client 192.168.100.xxx] PHP Warning: Attempt to assign property of non-object in /data/www/test.php on line 7 [client 192.168.100.xxx] PHP Warning: Attempt to assign property of non-object in /data/www/test.php on line 7 [Mon Oct 11 13:10:29 2004] [notice] child pid 28578 exit signal Segmentation fault (11) [Mon Oct 11 13:10:29 2004] [notice] child pid 28580 exit signal Segmentation fault (11) cli-Version: php -q -f test.php PHP Warning: Attempt to assign property of non-object in /data/www/viewsvn/test.php on line 7 PHP Warning: Attempt to assign property of non-object in /data/www/viewsvn/test.php on line 7 array(2) { [0]=> array(0) { } [1]=> array(0) { } } Segmentation fault ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30395&edit=1