Re: [PHP-CVS] com php-src: Fixed bug #62653: (unset($array[$float]) causes a crash): NEWS Zend/tests/bug62653.phpt Zend/zend_vm_def.h Zend/zend_vm_execute.h

2012-07-26 Thread Laruence
Hi:
  This was introduced in
https://github.com/php/php-src/commit/b7e124004f24896248827eb969909f1e92eafc39
, and that commit was only for 5.4.

 So 5.3 didn't have this bug; actually our fix makes the code
similar to 5.3 :).

thanks

On Thu, Jul 26, 2012 at 1:53 PM, Xinchen Hui larue...@php.net wrote:
 Commit:    eae06100429f37e5297c432e99104daeeed13bad
 Author:    Xinchen Hui larue...@php.net Thu, 26 Jul 2012 13:52:42 +0800
 Parents:   ba27e0888a3bb91eba3266c71003df045c4d2091
 Branches:  PHP-5.4

 Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

 Log:
 Fixed bug #62653: (unset($array[$float]) causes a crash)

 the reason why jpauli and I cannot reproduce is (it's silly):
 I typoed USE_ZEND_ALLOC ** valgrind the first time, then I always ctrl+r
 and jpauli copied my command from the pastebin :)

 thanks

 Bugs:
 https://bugs.php.net/62653

 Changed paths:
   M  NEWS
   A  Zend/tests/bug62653.phpt
   M  Zend/zend_vm_def.h
   M  Zend/zend_vm_execute.h


 Diff:
 diff --git a/NEWS b/NEWS
 index d429849..407b052 100644
 --- a/NEWS
 +++ b/NEWS
 @@ -5,6 +5,8 @@ PHP   
  NEWS
  - Core:
. Fixed bug #62661 (Interactive php-cli crashes if include() is used in
  auto_prepend_file). (Laruence)
 +  . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,
 +Laruence)
. Fixed bug #62565 (Crashes due non-initialized internal properties_table).
  (Felipe)

 diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
 new file mode 100644
 index 000..cf5941c
 --- /dev/null
 +++ b/Zend/tests/bug62653.phpt
 @@ -0,0 +1,33 @@
 +--TEST--
 +Bug #62653: unset($array[$float]) causes a crash
 +--FILE--
 +?php
 +$array = array(5=bar);
 +$foo = 10.; // gettype($foo) = string
 +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
 +unset($array[$foo]);
 +print_r($array);
 +
 +$array = array(5=bar);
 +$foo = 5;
 +unset($array[(float)$foo]);
 +print_r($array);
 +
 +$array = array(5=bar);
 +$foo = 5;
 +$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
 +$name = foo;
 +unset($array[$$name]);
 +print_r($array);
 +
 +?
 +--EXPECT--
 +Array
 +(
 +)
 +Array
 +(
 +)
 +Array
 +(
 +)
 diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
 index 5a3ae49..f5567ea 100644
 --- a/Zend/zend_vm_def.h
 +++ b/Zend/zend_vm_def.h
 @@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, 
 CONST|TMP|VAR|CV)
 switch (Z_TYPE_P(offset)) {
 case IS_DOUBLE:
 hval = 
 zend_dval_to_lval(Z_DVAL_P(offset));
 -   ZEND_VM_C_GOTO(num_index_dim);
 +   zend_hash_index_del(ht, hval);
 +   break;
 case IS_RESOURCE:
 case IS_BOOL:
 case IS_LONG:
 diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
 index 1fb6e76..78f3d84 100644
 --- a/Zend/zend_vm_execute.h
 +++ b/Zend/zend_vm_execute.h
 @@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL  
 ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND
 switch (Z_TYPE_P(offset)) {
 case IS_DOUBLE:
 hval = 
 zend_dval_to_lval(Z_DVAL_P(offset));
 -   goto num_index_dim;
 +   zend_hash_index_del(ht, hval);
 +   break;
 case IS_RESOURCE:
 case IS_BOOL:
 case IS_LONG:
 @@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL  
 ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE
 switch (Z_TYPE_P(offset)) {
 case IS_DOUBLE:
 hval = 
 zend_dval_to_lval(Z_DVAL_P(offset));
 -   goto num_index_dim;
 +   zend_hash_index_del(ht, hval);
 +   break;
 case IS_RESOURCE:
 case IS_BOOL:
 case IS_LONG:
 @@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL  
 ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE
 switch (Z_TYPE_P(offset)) {
 case IS_DOUBLE:
 hval = 
 zend_dval_to_lval(Z_DVAL_P(offset));
 -  

[PHP-CVS] com php-src: Fixed bug #62653: (unset($array[$float]) causes a crash): NEWS Zend/tests/bug62653.phpt Zend/zend_vm_def.h Zend/zend_vm_execute.h

2012-07-25 Thread Xinchen Hui
Commit:    eae06100429f37e5297c432e99104daeeed13bad
Author:    Xinchen Hui larue...@php.net Thu, 26 Jul 2012 13:52:42 +0800
Parents:   ba27e0888a3bb91eba3266c71003df045c4d2091
Branches:  PHP-5.4

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=eae06100429f37e5297c432e99104daeeed13bad

Log:
Fixed bug #62653: (unset($array[$float]) causes a crash)

the reason why jpauli and I cannot reproduce is (it's silly):
I typoed USE_ZEND_ALLOC ** valgrind the first time, then I always ctrl+r
and jpauli copied my command from the pastebin :)

thanks

Bugs:
https://bugs.php.net/62653

Changed paths:
  M  NEWS
  A  Zend/tests/bug62653.phpt
  M  Zend/zend_vm_def.h
  M  Zend/zend_vm_execute.h


Diff:
diff --git a/NEWS b/NEWS
index d429849..407b052 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP 
   NEWS
 - Core:
   . Fixed bug #62661 (Interactive php-cli crashes if include() is used in
 auto_prepend_file). (Laruence)
+  . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,
+Laruence)
   . Fixed bug #62565 (Crashes due non-initialized internal properties_table).
 (Felipe)
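Review bot: the new NEWS entry `+  . Fixed bug #62653: (unset($array[$float]) causes a crash). (Nikita Popov,` puts a colon before the parenthesised description, while the neighbouring entries for #62661 and #62565 use the form `Fixed bug #NNNNN (description).`; drop the colon so the entry reads `. Fixed bug #62653 (unset($array[$float]) causes a crash). (Nikita Popov, Laruence)`. The `--TEST--` title in the new test file carries the same colon, so it is worth fixing both in one go.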
 
diff --git a/Zend/tests/bug62653.phpt b/Zend/tests/bug62653.phpt
new file mode 100644
index 000..cf5941c
--- /dev/null
+++ b/Zend/tests/bug62653.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #62653: unset($array[$float]) causes a crash
+--FILE--
+?php
+$array = array(5=bar);
+$foo = 10.; // gettype($foo) = string
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
+unset($array[$foo]);
+print_r($array);
+
+$array = array(5=bar);
+$foo = 5;
+unset($array[(float)$foo]);
+print_r($array);
+
+$array = array(5=bar);
+$foo = 5;
+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double
+$name = foo;
+unset($array[$$name]);
+print_r($array);
+
+?
+--EXPECT--
+Array
+(
+)
+Array
+(
+)
+Array
+(
+)
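Review bot: the third case contradicts its own comment: `+$foo = 5;` followed by `+$foo /= 2; //Makes $foo = 5 but still gettype($foo) = double` yields 2.5, not 5, so `unset($array[$$name])` would remove index 2 and leave key 5 in place, which does not match the empty `Array ( )` expected for that block; either the starting value should match the first case or the comment and expectation need to be corrected. The comment was clearly copied from the first block, so check which value was actually intended. A fourth case with a non-integral key such as 5.5, asserting which index gets removed, would also document how `zend_dval_to_lval` maps such keys on the unset path, since the crash this fixes is exactly on that path.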
diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 5a3ae49..f5567ea 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -3947,7 +3947,8 @@ ZEND_VM_HANDLER(75, ZEND_UNSET_DIM, VAR|UNUSED|CV, 
CONST|TMP|VAR|CV)
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   ZEND_VM_C_GOTO(num_index_dim);
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
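Review bot: replacing `ZEND_VM_C_GOTO(num_index_dim);` with `+   zend_hash_index_del(ht, hval);` and `+   break;` means the IS_DOUBLE case no longer runs whatever the `num_index_dim` path does for the IS_RESOURCE/IS_BOOL/IS_LONG offsets below it; add a one-line comment at the `break;` stating why the double path must not share that label (the crash from bug #62653), otherwise the next reader will fold it back into the goto as a "cleanup". Also confirm that `num_index_dim` still has another jump into it after this change, or the label becomes unused and draws a compiler warning. Separately, `zend_dval_to_lval` converts non-integral, out-of-range and NaN doubles to some integer rather than rejecting them, so a key like 5.5 silently unsets whatever index the conversion yields; that mirrors the read path, but the behaviour is only safe if it is pinned by a test.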
diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
index 1fb6e76..78f3d84 100644
--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -13917,7 +13917,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER(ZEND_OPCODE_HAND
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
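Review bot: `Zend/zend_vm_execute.h` is generated from `zend_vm_def.h` by `zend_vm_gen.php`, and this hunk (`goto num_index_dim;` replaced by `+   zend_hash_index_del(ht, hval);` / `+   break;` in `ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER`) looks like the expected generator output; please confirm the file was regenerated rather than hand-edited, so that every specialization of `ZEND_UNSET_DIM` declared as `VAR|UNUSED|CV, CONST|TMP|VAR|CV` in the def file (the TMP and VAR offset variants in the following hunks, the CV variant, and the UNUSED-container variants past the end of what is shown here) receives the same change. A single specialization left with the old `goto` would keep the crash reachable for that operand combination only, which is the kind of partial fix that slips past the new test.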
@@ -15919,7 +15920,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_TMP_HANDLER(ZEND_OPCODE_HANDLE
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
@@ -18131,7 +18133,8 @@ static int ZEND_FASTCALL  
ZEND_UNSET_DIM_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDLE
switch (Z_TYPE_P(offset)) {
case IS_DOUBLE:
hval = 
zend_dval_to_lval(Z_DVAL_P(offset));
-   goto num_index_dim;
+   zend_hash_index_del(ht, hval);
+   break;
case IS_RESOURCE:
case IS_BOOL:
case IS_LONG:
@@ -21166,7 +21169,8 @@ static int ZEND_FASTCALL