ID:               50006
 Updated by:       s...@php.net
 Reported By:      remus at gmx dot net
-Status:           Open
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: *
 PHP Version:      5.2-SVN-2009-10-26
 Assigned To:      felipe
 New Comment:

Should be fully fixed now (passes tests and valgrind).


Previous Comments:
------------------------------------------------------------------------

[2009-11-29 08:35:02] s...@php.net

Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=291415
Log: proper fix for bug #50006
add modify protection to all user array sorts

------------------------------------------------------------------------

[2009-11-29 07:58:51] s...@php.net

The fix doesn't actually fix the bug, just hides it. Valgrind still
shows this:

==17856== Invalid read of size 4
==17856==    at 0x81BEA4B: array_user_key_compare (array.c:799)
==17856==    by 0x82C33E4: zend_qsort (zend_qsort.c:86)
==17856==    by 0x82BA4DD: zend_hash_sort (zend_hash.c:1282)
==17856==    by 0x81BEE0B: zif_uksort (array.c:851)
==17856==    by 0x82D2501: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82ACFB5: zend_execute_scripts (zend.c:1134)
==17856==    by 0x825B833: php_execute_script (main.c:2035)
==17856==    by 0x83293F6: main (php_cli.c:1162)
==17856==  Address 0x4614410 is 8 bytes inside a block of size 256 free'd
==17856==    at 0x4006C0C: realloc (vg_replace_malloc.c:429)
==17856==    by 0x828F9FF: _erealloc (zend_alloc.c:2319)
==17856==    by 0x82D2B9F: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==17856==    by 0x82D225A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)


------------------------------------------------------------------------

[2009-11-01 17:31:17] fel...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------

[2009-11-01 17:30:55] s...@php.net

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=290128
Log: - Fixed bug #50006 (Segfault caused by uksort()) [5_2 only]

------------------------------------------------------------------------

[2009-10-26 22:45:17] j...@php.net

Crashes only with PHP_5_2 branch. PHP_5_3 and HEAD are ok.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/50006

-- 
Edit this bug report at http://bugs.php.net/?id=50006&edit=1
