From:             remus at gmx dot net
Operating system: Linux/Ubuntu 9.04
PHP version:      5.2.11
PHP Bug Type:     Reproducible crash
Bug description:  Segfault 

Description:
------------
Seems to be the same problem as in #40039. In (very) specific
circumstances, uksort() will lead to a segmentation fault.
The Reproduce code worked on two entirely different computers for me; I
couldn't test on more.

php compiled with:

$ ./configure --disable-libxml --disable-dom --disable-simplexml \
    --disable-xmlwriter --disable-xml --disable-xmlreader --without-pear \
    --enable-debug

But the bug obviously exists in other versions/configurations too (with the
same trigger).

Reproduce code:
---------------
<?php
$data = array(
    'bar-bazbazbaz.' => 0,
    'bar-bazbazbaz-' => 0,
    'foo' => 0,
);
uksort($data, 'magic_sort_cmp');
print_r($data);

// Comparator that strips one leading character from each key per call and
// recurses until one key is exhausted; the recursion is the trigger.
function magic_sort_cmp($a, $b) {
  $a = substr($a, 1);
  $b = substr($b, 1);
  if (!$a) return $b ? -1 : 0;
  if (!$b) return 1;
  return magic_sort_cmp($a, $b);
}

?>

Expected result:
----------------
The array is output in the same order as defined.

Actual result:
--------------
Segmentation fault

Backtrace:

#0  0x0824a33b in zend_call_function (fci=0xbf9e6f74, fci_cache=0x0)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:696
#1  0x0824b7b0 in call_user_function_ex (function_table=0x8488460, 
    object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbf9e6fd8, 
    param_count=2, params=0x851dbbc, no_separation=1, symbol_table=0x0)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:640
#2  0x0824b818 in call_user_function (function_table=0x8488460, object_pp=0x0, 
    function_name=0x0, retval_ptr=0xbf9e700c, param_count=2, params=0xbf9e701c)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:613
#3  0x081a2b3b in array_user_key_compare (a=0x851d520, b=0x851d518)
    at ~/tmp/php/php-5.2.11/ext/standard/array.c:797
#4  0x082684f8 in zend_qsort (base=0x851d518, nmemb=3, siz=4, 
    compare=0x81a2a60 <array_user_key_compare>)
    at ~/tmp/php/php-5.2.11/Zend/zend_qsort.c:86
#5  0x08261434 in zend_hash_sort (ht=0x851d434, 
    sort_func=0x8268390 <zend_qsort>, 
    compar=0x81a2a60 <array_user_key_compare>, renumber=0)
    at ~/tmp/php/php-5.2.11/Zend/zend_hash.c:1282
#6  0x081a5c31 in zif_uksort (ht=2, return_value=0x851d500, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at ~/tmp/php/php-5.2.11/ext/standard/array.c:837
#7  0x08289a6a in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9e732c)
    at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:200
#8  0x08276870 in execute (op_array=0x851b598)
    at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:92
#9  0x08255442 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at ~/tmp/php/php-5.2.11/Zend/zend.c:1134
#10 0x08212b19 in php_execute_script (primary_file=0xbf9e96d8)
    at ~/tmp/php/php-5.2.11/main/main.c:2020
#11 0x082c1fe1 in main (argc=2, argv=0xbf9e97f4)
    at ~/tmp/php/php-5.2.11/sapi/cli/php_cli.c:1162

-- 
Edit bug report at http://bugs.php.net/?id=50006&edit=1
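Added example, not part of the bug report above: the same key comparison written with a loop instead of recursion. It keeps the semantics of the reporter's magic_sort_cmp() (strip one leading character from each key per step; the key that runs out first sorts first, and keys that run out together compare equal, so keys are effectively ordered by length), but the callback never re-enters itself while uksort() is running, which is the condition the reproduce script depends on. The function name magic_sort_cmp_iterative and the sort_sample_keys() wrapper are this example's own; the three keys are taken from the reproduce script.

```php
<?php
// Added example (not the reporter's code): iterative equivalent of the
// recursive comparator from the reproduce script.
function magic_sort_cmp_iterative($a, $b) {
    while (true) {
        // substr() yields false (PHP < 8) or '' (PHP 8) once the string is
        // exhausted; both are falsy, matching the original's `!$a` checks.
        // Note that the string "0" is falsy too, so a remaining suffix of
        // exactly "0" also counts as "exhausted" -- this mirrors the original
        // comparator's behaviour and is not changed here.
        $a = substr($a, 1);
        $b = substr($b, 1);
        if (!$a) return $b ? -1 : 0;
        if (!$b) return 1;
    }
}

// Constructed input: the three keys from the reproduce script.
function sort_sample_keys() {
    $data = array(
        'bar-bazbazbaz.' => 0,
        'bar-bazbazbaz-' => 0,
        'foo' => 0,
    );
    uksort($data, 'magic_sort_cmp_iterative');
    return array_keys($data);
}

print_r(sort_sample_keys());
```

With this comparator 'foo' is ordered before the two 14-character keys; those two compare equal to each other, and since the engine's sort is not guaranteed to be stable their relative order should not be relied on.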