Bug #54860 [Com]: PHP crash when using closures + extract(EXTR_REFS)

2011-05-23 Thread ninzya at inbox dot lv
Edit report at http://bugs.php.net/bug.php?id=54860&edit=1

 ID: 54860
 Comment by: ninzya at inbox dot lv
 Reported by: ninzya at inbox dot lv
 Summary: PHP crash when using closures + extract(EXTR_REFS)
 Status: Feedback
 Type: Bug
 Package: Reproducible crash
 Operating System: Windows 7
 PHP Version: 5.3.6
 Block user comment: N
 Private report: N

 New Comment:

Works fine with 5.3 r311342.


Previous Comments:

[2011-05-21 20:07:02] fel...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I can't reproduce it.


[2011-05-19 14:02:47] ninzya at inbox dot lv

Sorry, extract() has nothing to do with this issue.

I was able to come up with a more compact test script with no use of
extract():

<?php
$x =new stdClass;
$y =&$x;

for( $i =0; $i < 2; ++$i) {
    $closure =function() use( $y) {
        $y->someProperty ='someValue'; // crashes on second iteration
    };
    $closure();
}

This code does not crash PHP 5.3.5. It seems that references + closures
became broken in 5.3.6.


[2011-05-19 12:03:20] ninzya at inbox dot lv

Description:

See test script.

PHP 5.3.5 is not affected.

Test script:
---
<?php
// Initially $Object is not a reference and contains a "pointer"
// to an stdClass object.
$Object =new stdClass; /**/ echo 'New: '; debug_zval_dump( $Object);

// $Object becomes a reference to the "pointer" to an stdClass.
$Object =&$Object; /**/ echo 'Self-reference: '; debug_zval_dump( $Object);

// Now we import $Object into closure by value. In theory,
// $Object, that is inside closure, should not be a reference, but rather
// should be a variable, that "points" to stdClass (i.e. an equivalent of
// $ImportedObject in expression "$ImportedObject =$Object").
$closure =function() use( $Object) {
    // Once you manipulate $Object, you get PHP crashed.
    $Object->x =10;
    //debug_zval_dump( $Object);
};

// By calling extract() we make $Object to reference a new stdClass instance.
extract( array( 'Object' =>new stdClass), EXTR_REFS);

echo 'After extract: '; debug_zval_dump( $Object);

// now we execute closure and get PHP crashed
$closure();

Expected result:

PHP should not crash.

Actual result:
--
PHP crashes.



If you put die() right before $closure(), then you get the following
output:

line 1: New: object(stdClass)#1 (0) refcount(2){
line 2: }
line 3: Self-reference: object(stdClass)#1 (0) refcount(1){
line 4: }
line 5: After extract: object(stdClass)#3 (0) refcount(2){
line 6: }

Some questions regarding that output:

1) Why is there refcount(2) in the first line? Isn't the object
referenced only once and by the $Object variable? I would expect to see
refcount(1) here. As you can see on line 3, refcount seems to become
correct after the self-referencing is made.

2) Why does line 5 say object(stdClass)#3, while there were only two (and
not 3) stdClass objects allocated? If you comment out the closure's
definition, then you get object(stdClass)#2 (an expected output). Does
the closure clone $Object when you say "use($Object)"? Shouldn't the
stdClass object be simply "referenced" by the "use($Object)"?








Bug #54860 [Com]: PHP crash when using closures + extract(EXTR_REFS)

2011-05-19 Thread ninzya at inbox dot lv

 ID: 54860
 Comment by: ninzya at inbox dot lv
 Reported by: ninzya at inbox dot lv
 Summary: PHP crash when using closures + extract(EXTR_REFS)
 Status: Open
 Type: Bug
 Package: Reproducible crash
 Operating System: Windows 7
 PHP Version: 5.3.6
 Block user comment: N
 Private report: N

 New Comment:

Sorry, extract() has nothing to do with this issue.

I was able to come up with a more compact test script with no use of
extract():

<?php
$x =new stdClass;
$y =&$x;

for( $i =0; $i < 2; ++$i) {
    $closure =function() use( $y) {
        $y->someProperty ='someValue'; // crashes on second iteration
    };
    $closure();
}

This code does not crash PHP 5.3.5. It seems that references + closures
became broken in 5.3.6.

