ID: 50006
Updated by: s...@php.net
Reported By: remus at gmx dot net
-Status: Closed
+Status: Open
Bug Type: Reproducible crash
Operating System: *
PHP Version: 5.2-SVN-2009-10-26
Assigned To: felipe

New Comment:
The fix doesn't actually fix the bug, just hides it. Valgrind still shows this:

==17856== Invalid read of size 4
==17856==    at 0x81BEA4B: array_user_key_compare (array.c:799)
==17856==    by 0x82C33E4: zend_qsort (zend_qsort.c:86)
==17856==    by 0x82BA4DD: zend_hash_sort (zend_hash.c:1282)
==17856==    by 0x81BEE0B: zif_uksort (array.c:851)
==17856==    by 0x82D2501: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82ACFB5: zend_execute_scripts (zend.c:1134)
==17856==    by 0x825B833: php_execute_script (main.c:2035)
==17856==    by 0x83293F6: main (php_cli.c:1162)
==17856==  Address 0x4614410 is 8 bytes inside a block of size 256 free'd
==17856==    at 0x4006C0C: realloc (vg_replace_malloc.c:429)
==17856==    by 0x828F9FF: _erealloc (zend_alloc.c:2319)
==17856==    by 0x82D2B9F: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==17856==    by 0x82D225A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)

Previous Comments:
------------------------------------------------------------------------
[2009-11-01 17:31:17] fel...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2009-11-01 17:30:55] s...@php.net

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=290128
Log:
- Fixed bug #50006 (Segfault caused by uksort()) [5_2 only]

------------------------------------------------------------------------
[2009-10-26 22:45:17] j...@php.net

Crashes only with PHP_5_2 branch. PHP_5_3 and HEAD are ok.

------------------------------------------------------------------------
[2009-10-26 22:41:52] j...@php.net

See also bug #40039

Note the word 'bug', it will trigger the url to be added automatically. :)

------------------------------------------------------------------------
[2009-10-26 22:20:14] remus at gmx dot net

Description:
------------
Seems to be the same problem as in #40039.

In (very) specific circumstances, uksort() will lead to a segmentation fault. The Reproduce code worked on two entirely different computers for me; I couldn't test on more.

php compiled with:

$ ./configure --disable-libxml --disable-dom --disable-simplexml --disable-xmlwriter --disable-xml --disable-xmlreader --without-pear --enable-debug

But the bug obviously exists in other versions/configurations, too (with the same trigger).

Reproduce code:
---------------
<?php
$data = array(
    'bar-bazbazbaz.' => 0,
    'bar-bazbazbaz-' => 0,
    'foo' => 0,
);
uksort($data, 'magic_sort_cmp');
print_r($data);

function magic_sort_cmp($a, $b) {
    $a = substr($a, 1);
    $b = substr($b, 1);
    if (!$a) return $b ? -1 : 0;
    if (!$b) return 1;
    return magic_sort_cmp($a, $b);
}
?>

Expected result:
----------------
The array is output in the same order as defined.
Actual result:
--------------
Segmentation fault

Backtrace:
#0  0x0824a33b in zend_call_function (fci=0xbf9e6f74, fci_cache=0x0) at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:696
#1  0x0824b7b0 in call_user_function_ex (function_table=0x8488460, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbf9e6fd8, param_count=2, params=0x851dbbc, no_separation=1, symbol_table=0x0) at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:640
#2  0x0824b818 in call_user_function (function_table=0x8488460, object_pp=0x0, function_name=0x0, retval_ptr=0xbf9e700c, param_count=2, params=0xbf9e701c) at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:613
#3  0x081a2b3b in array_user_key_compare (a=0x851d520, b=0x851d518) at ~/tmp/php/php-5.2.11/ext/standard/array.c:797
#4  0x082684f8 in zend_qsort (base=0x851d518, nmemb=3, siz=4, compare=0x81a2a60 <array_user_key_compare>) at ~/tmp/php/php-5.2.11/Zend/zend_qsort.c:86
#5  0x08261434 in zend_hash_sort (ht=0x851d434, sort_func=0x8268390 <zend_qsort>, compar=0x81a2a60 <array_user_key_compare>, renumber=0) at ~/tmp/php/php-5.2.11/Zend/zend_hash.c:1282
#6  0x081a5c31 in zif_uksort (ht=2, return_value=0x851d500, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at ~/tmp/php/php-5.2.11/ext/standard/array.c:837
#7  0x08289a6a in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9e732c) at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:200
#8  0x08276870 in execute (op_array=0x851b598) at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:92
#9  0x08255442 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at ~/tmp/php/php-5.2.11/Zend/zend.c:1134
#10 0x08212b19 in php_execute_script (primary_file=0xbf9e96d8) at ~/tmp/php/php-5.2.11/main/main.c:2020
#11 0x082c1fe1 in main (argc=2, argv=0xbf9e97f4) at ~/tmp/php/php-5.2.11/sapi/cli/php_cli.c:1162

------------------------------------------------------------------------
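The Valgrind trace in the latest comment shows the shape of the defect: array_user_key_compare() reads memory that zend_ptr_stack_2_push() had already released through realloc() while the recursive callback was running. The C below is an added illustration, not PHP's code, and models that pattern with a hypothetical growable pointer stack (ptr_stack, ps_push, compare_with_recursion are all made up here): a raw pointer into the stack taken before a nested call dangles once the call grows the stack, while an index re-derived after the call stays valid.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable pointer stack standing in for zend_ptr_stack (illustration). */
typedef struct { void **data; size_t top, cap; } ptr_stack;

/* Grow by malloc+copy+free so every growth moves the buffer; realloc() may or
 * may not move, this just makes the hazard deterministic. */
static void ps_push(ptr_stack *s, void *p) {
    if (s->top == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 2;
        void **nd = malloc(ncap * sizeof *nd);
        if (!nd) abort();
        if (s->top) memcpy(nd, s->data, s->top * sizeof *nd);
        free(s->data);                  /* old storage is freed here */
        s->data = nd;
        s->cap = ncap;
    }
    s->data[s->top++] = p;
}

/* Stand-in for the recursive user callback: each level pushes a frame, as
 * magic_sort_cmp() calling itself does in the report. */
static void recursive_callback(ptr_stack *s, int depth) {
    if (depth == 0) return;
    size_t frame = s->top;
    ps_push(s, NULL);
    recursive_callback(s, depth - 1);
    s->top = frame;
}

/* Comparator that needs its arguments after the callback returns. Returns 1 if
 * the buffer moved during the call, i.e. a raw pointer into it taken before
 * the call would now read freed memory (the "Invalid read ... inside a block
 * free'd" Valgrind shows). *first is re-read safely through its index. */
static int compare_with_recursion(ptr_stack *s, const char *a, const char *b,
                                  int depth, const char **first) {
    size_t idx = s->top;                         /* an index survives a move */
    ps_push(s, (void *)a);
    ps_push(s, (void *)b);
    uintptr_t before = (uintptr_t)s->data;       /* what a raw pointer would hold */
    recursive_callback(s, depth);                /* may grow and move the buffer */
    int moved = (uintptr_t)s->data != before;
    *first = s->data[idx];                       /* safe: derived after the call */
    s->top = idx;
    return moved;
}
```

With depth 1 the two arguments fill the initial capacity, so the first nested frame forces a move and the function returns 1; with depth 0 nothing grows and it returns 0, which is the condition under which a stale pointer would happen to keep working and hide the bug.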