Re: [PHP-CVS] com php-src: Fixed bug #62653: (unset($array[$float]) causes a crash): NEWS Zend/tests/bug62653.phpt Zend/zend_vm_def.h Zend/zend_vm_execute.h
Hi: this was introduced in https://github.com/php/php-src/commit/b7e124004f24896248827eb969909f1e92eafc39; that commit was only for 5.4, so 5.3 didn't have this bug. Actually our fix makes the code similar to 5.3 :). Thanks

On Thu, Jul 26, 2012 at 1:53 PM, Xinchen Hui larue...@php.net wrote:

Commit: eae06100429f37e5297c432e99104daeeed13bad
Author: Xinchen Hui larue...@php.net Thu, 26 Jul 2012 13:52:42 +0800
Parents: ba27e0888a3bb91eba3266c71003df045c4d2091
Branches: PHP-5.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

Log:
Fixed bug #62653: (unset($array[$float]) causes a crash)
The reason why jpauli and I could not reproduce it is (it's silly): I made a typo in USE_ZEND_ALLOC ** valgrind the first time, then I always used ctrl+r, and jpauli copied my command from the pastebin :) thanks

Bugs: https://bugs.php.net/62653

Changed paths:
M NEWS
A Zend/tests/bug62653.phpt
M Zend/zend_vm_def.h
M Zend/zend_vm_execute.h

Diff:
diff --git a/NEWS b/NEWS index d429849..407b052 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file). (Laruence) + . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov, +Laruence) . Fixed bug #62565 (Crashes due non-initialized internal properties_table). (Felipe) diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt new file mode 100644 index 000..cf5941c --- /dev/null +++ b/Zend/tests/bug62653.phpt 
@@ -0,0 +1,33 @@ +--TEST-- +Bug #62653: unset($array[$float]) causes a crash +--FILE-- +?php +$array = array(5=bar); +$foo = 10.; // gettype($foo) = string +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double +unset($array[$foo]); +print_r($array); + +$array = array(5=bar); +$foo = 5; +unset($array[(float)$foo]); +print_r($array); + +$array = array(5=bar); +$foo = 5; +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double +$name = foo; +unset($array[$$name]); +print_r($array); + +? +--EXPECT-- +Array +( +) +Array +( +) +Array +( +) diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 5a3ae49..f5567ea 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, CONST|TMP|VAR|CV) switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - ZEND_VM_C_GOTO(num_index_dim); + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 1fb6e76..78f3d84 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - goto num_index_dim; + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: @@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - goto num_index_dim; + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: @@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); -
[PHP-CVS] com php-src: Fixed bug #62653: (unset($array[$float]) causes a crash): NEWS Zend/tests/bug62653.phpt Zend/zend_vm_def.h Zend/zend_vm_execute.h
Commit: eae06100429f37e5297c432e99104daeeed13bad
Author: Xinchen Hui larue...@php.net Thu, 26 Jul 2012 13:52:42 +0800
Parents: ba27e0888a3bb91eba3266c71003df045c4d2091
Branches: PHP-5.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

Log:
Fixed bug #62653: (unset($array[$float]) causes a crash)
The reason why jpauli and I could not reproduce it is (it's silly): I made a typo in USE_ZEND_ALLOC ** valgrind the first time, then I always used ctrl+r, and jpauli copied my command from the pastebin :) thanks

Bugs: https://bugs.php.net/62653

Changed paths:
M NEWS
A Zend/tests/bug62653.phpt
M Zend/zend_vm_def.h
M Zend/zend_vm_execute.h

Diff:
diff --git a/NEWS b/NEWS index d429849..407b052 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file). (Laruence) + . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov, +Laruence) . Fixed bug #62565 (Crashes due non-initialized internal properties_table). (Felipe) diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt new file mode 100644 index 000..cf5941c --- /dev/null +++ b/Zend/tests/bug62653.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #62653: unset($array[$float]) causes a crash +--FILE-- +?php +$array = array(5=bar); +$foo = 10.; // gettype($foo) = string +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double +unset($array[$foo]); +print_r($array); + +$array = array(5=bar); +$foo = 5; +unset($array[(float)$foo]); +print_r($array); + +$array = array(5=bar); +$foo = 5; +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double +$name = foo; +unset($array[$$name]); +print_r($array); + +? +--EXPECT-- +Array +( +) +Array +( +) +Array +( +) diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 5a3ae49..f5567ea 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h 
@@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, CONST|TMP|VAR|CV) switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - ZEND_VM_C_GOTO(num_index_dim); + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 1fb6e76..78f3d84 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - goto num_index_dim; + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: @@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - goto num_index_dim; + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: @@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE switch (Z_TYPE_P(offset)) { case IS_DOUBLE: hval = zend_dval_to_lval(Z_DVAL_P(offset)); - goto num_index_dim; + zend_hash_index_del(ht, hval); + break; case IS_RESOURCE: case IS_BOOL: case IS_LONG: @@ -21166,7 +21169,8 @@ static int ZEND_FASTCALL
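Review bot: the new NEWS entry `. Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov, Laruence)` does not follow the format of the entries around it, which put the description in parentheses with no colon (`. Fixed bug #62661 (Interactive php-cli crashes if include() is used in auto_prepend_file). (Laruence)`); drop the colon so it reads `. Fixed bug #62653 (unset($array[$float]) causes a crash).` The same colon appears in the commit subject and in the test's --TEST-- line, so if the NEWS line is changed, change those two as well.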
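Review bot: the third case in Zend/tests/bug62653.phpt as shown in this hunk does not produce the value its comment claims: `$foo = 5;` followed by `$foo /= 2;` leaves 2.5, not 5, so `unset($array[$$name])` would target key 2, the array would keep key 5, and the empty `Array ( )` in --EXPECT-- would not match. Start from 10 as the first case does, or change the expectation. The three cases also only exercise doubles that truncate onto the existing key; add a case with a double whose truncation is not a key (expected output unchanged) so the IS_DOUBLE path is also checked when there is nothing to delete.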
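Review bot: in the ZEND_UNSET_DIM handler in Zend/zend_vm_def.h the IS_DOUBLE case now calls `zend_hash_index_del(ht, hval);` and breaks instead of `ZEND_VM_C_GOTO(num_index_dim);`, but neither the hunk nor the log says why the shared num_index_dim path is unsafe for a double offset while the IS_RESOURCE, IS_BOOL and IS_LONG cases that follow still use it. Put a comment above the new call stating the reason (the log only records the valgrind typo), otherwise the two paths invite being merged again. Since the double offset now bypasses the common path, the value `zend_dval_to_lval(Z_DVAL_P(offset))` produces for out-of-range or NaN doubles deserves a test of its own.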
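Review bot: Zend/zend_vm_execute.h is generated from Zend/zend_vm_def.h by Zend/zend_vm_gen.php, so the hunks in ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER, ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER and ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER should be the output of regenerating the file, not hand edits; please confirm it was regenerated and say so in the log, so the specialisations stay identical to the template. The handler is declared for op2 `CONST|TMP|VAR|CV`, so a fourth hunk for the CV specialisation is expected; the diff shown here is cut off at the hunk header at line 21166.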