From: tomas_matousek at hotmail dot com
Operating system: WinXP
PHP version: 5.0.0RC3
PHP Bug Type: Scripting Engine problem
Bug description: [] operator overflow treatment is incorrect
Description:
------------
If there is an item in an array having key = 2^31-1 and you use []
operator without specifying a key it overflows and adds a new item with
min. int (-2^31) in the array.
This is IMHO not correct or at least not consistent with the manual where
the following sentence is stated:
"If you do not specify a key for a given value, then the maximum of the
integer indices is taken, and the new key will be that maximum value +
1."
Moreover, consider the folowing array:
$a = array(2^31-2 => 1,-2^31 => 1) and use $a[] twice.
You get warning:
"Cannot add element to the array as the next element is already
occupied".
But if the array is $a = array(2^31-1 => 1,-2^31 => 1) a new item is added
with a key -2^31+1 with no warning.
However, if you use array_push instead [] it does never report a warning
but does the same as [].
IMHO it will be more correct if both [] and array_push do not add a new
key and report a warning or notice if the maximal integer key reaches
maximum value 2^31-1.
Reproduce code:
---------------
$a = array(2147483647 => 1, -2147483648 => 1);
$a[] = 2;
$a[] = 3;
var_dump($a);
$a = array(2147483646 => 1, -2147483648 => 1);
$a[] = 2;
$a[] = 3;
var_dump($a);
Expected result:
----------------
Warning: Cannot add element to array - integer key reached maximal
possible value ...
Warning: Cannot add element to array - integer key reached maximal
possible value ...
array(4) {
[2147483647]=>
int(1)
[-2147483648]=>
int(1)
}
Warning: Cannot add element to array - integer key reached maximal
possible value ...
array(3) {
[2147483646]=>
int(1)
[-2147483648]=>
int(1)
[2147483647]=>
int(2)
}
Actual result:
--------------
array(4) {
[2147483647]=>
int(1)
[-2147483648]=>
int(1)
[-2147483647]=>
int(2)
[-2147483646]=>
int(3)
}
Warning: Cannot add element to the array as the next element is already
occupied in ...
array(3) {
[2147483646]=>
int(1)
[-2147483648]=>
int(1)
[2147483647]=>
int(2)
}
--
Edit bug report at http://bugs.php.net/?id=28972&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=28972&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=28972&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=28972&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=28972&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=28972&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=28972&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=28972&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=28972&r=support
Expected behavior: http://bugs.php.net/fix.php?id=28972&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=28972&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=28972&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=28972&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=28972&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=28972&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=28972&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=28972&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=28972&r=float
