From: alex dot emsenhuber at bluewin dot ch
Operating system: Mac OS X 10.5.7
PHP version: 6SVN-2009-07-23 (SVN)
PHP Bug Type: Reproducible crash
Bug description: @list( $b ) = $a; makes PHP segfault
Description:
------------
When using @list( $b ) = $a; on PHP 6, it seems that a new opcode is inserted that frees a temp variable set from $a (see the "Actual result" section below) and thus segfaults when using $a later.

When I set breakpoints on all lines that contain "SWITCH_FREE" in Zend_execute.c, it's the one at line 1170 in function zend_do_free() that is called.

Reproduce code:
---------------
<?php
$a = array( "c" );
@list( $b ) = $a;
var_dump( $a );

I also used vld to get the opcodes produced by the language parser.

Expected result:
----------------
array(1) {
  [0]=>
  string(1) "c"
}

Analyse with vld:
$ PHP_5_3/sapi/cli/php -dvld.active=1 ~/test.php
Branch analysis from position: 0
Return found
filename:       /Users/alexandre/test.php
function name:  (null)
number of ops:  11
compiled vars:  !0 = $a
line     #  op                           fetch          ext  return  operands
-------------------------------------------------------------------------------
   2     0  INIT_ARRAY                                       ~0      'c'
         1  ASSIGN                                                   !0, ~0
   3     2  BEGIN_SILENCE                                    ~2
         3  FETCH_R                      local               $4      'a'
         4  FETCH_DIM_R                                      $5      $4, 0
         5  FETCH_W                      local               $3      'b'
         6  ASSIGN                                                   $3, $5
         7  END_SILENCE                                              ~2
   4     8  SEND_VAR                                                 !0
         9  DO_FCALL                                      1          'var_dump'
   5    10  RETURN                                                   1

Actual result:
--------------
Segmentation fault.

Analyse with vld:
$ PHP_6/sapi/cli/php -dvld.active=1 ~/test.php
Branch analysis from position: 0
Return found
filename:       /Users/alexandre/test.php
function name:  (null)
number of ops:  12
compiled vars:  !0 = $a
line     #  op                           fetch          ext  return  operands
-------------------------------------------------------------------------------
   2     0  INIT_ARRAY                                       ~0      c
         1  ASSIGN                                                   !0, ~0
   3     2  BEGIN_SILENCE                                    ~2
         3  FETCH_R                      local               $4      a
         4  FETCH_DIM_TMP_VAR                                $5      $4, 0
         5  FETCH_W                      local               $3      b
         6  ASSIGN                                                   $3, $5
         7  END_SILENCE                                              ~2
         8  SWITCH_FREE                                              $4
   4     9  SEND_VAR                                                 !0
        10  DO_FCALL                                      1          var_dump
   5    11  RETURN                                                   1

You can see the new opcode "SWITCH_FREE" at position 8.
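As an added regression check (written here; it is not part of the bug report and not a script from the PHP test suite), the following script runs the reporter's construct plus a few related variants and verifies afterwards that the source array is still intact. The check() helper, the case labels and the file name list_silence_check.php are my own; the expected values follow from ordinary list() semantics. Because a build with the fault described above dies with a segfault rather than returning false, the script is meant to be run as its own process and judged by its exit status.

```php
<?php
// Added regression check for "@list( $b ) = $a;" (not from the bug report).
// Run it as a separate process and look at the exit status:
//   php list_silence_check.php; echo "exit: $?"
// A crashing engine never reaches exit(), so a non-zero status or a missing
// PASS/FAIL line for case 1 is the symptom to look for.

// check() runs one case and reports PASS or FAIL; the case returns true when
// the assignment produced the expected values and the source array survived.
function check($label, $case)
{
    $ok = ($case() === true);
    echo ($ok ? "PASS" : "FAIL"), ": ", $label, "\n";
    return $ok;
}

$allOk = true;

// Case 1: the reporter's exact construct, a silenced list() assignment.
$allOk = check('@list($b) = $a keeps $a usable', function () {
    $a = array("c");
    @list($b) = $a;
    return $b === "c" && $a === array("c");
}) && $allOk;

// Case 2: the same assignment without the @ operator, i.e. without the
// BEGIN_SILENCE / END_SILENCE pair around it.
$allOk = check('list($b) = $a keeps $a usable', function () {
    $a = array("c");
    list($b) = $a;
    return $b === "c" && $a === array("c");
}) && $allOk;

// Case 3: a silenced list() over a missing index, where @ is actually
// suppressing the undefined-offset diagnostic and $c must become null.
$allOk = check('@list($b, $c) = $a with a missing index', function () {
    $a = array("c");
    @list($b, $c) = $a;
    return $b === "c" && $c === null && $a === array("c");
}) && $allOk;

// Case 4: the source array is read several more times after the assignment,
// which is where a prematurely freed operand would show up.
$allOk = check('$a survives repeated reads after @list()', function () {
    $a = array("c", "d");
    @list($b) = $a;
    $copy = $a;
    return $b === "c" && count($a) === 2 && $copy === $a && $a[1] === "d";
}) && $allOk;

exit($allOk ? 0 : 1);
```

Each case keeps its own copy of $a inside a closure so that a failure in one case cannot mask another, and the comparison uses === so that a changed type or length of the source array is reported as a failure rather than silently coerced.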
-- 
Edit bug report at http://bugs.php.net/?id=49037&edit=1