From:             nikic
Operating system: 
PHP version:      5.5.0RC3
Package:          Scripting Engine problem
Bug Type:         Bug
Bug description:zend_hash_apply not interruption safe

Description:
------------
The zend_hash_apply is used all over the place, but it isn't interruption safe (just like iteration using HashPosition). Here is an example making use of OB callbacks in var_dump:

<?php

$array1 = [0, 1];
$array2 = [&$array1];

ob_start(function($str) use(&$array1) {
    static $i = 0;
    if ($i++ == 4) {
        unset($array1[0]);
        //unset($array1[1]);
    }
    return "$i: $str";
}, 1);

var_dump($array2);

nikic@pluto:~/dev/php-dev$ sapi/cli/php t16.php
1: array(1) {
2: [0]=>
3: 4: &array(2) {
5: [0]=>
6: Segmentation fault (core dumped)

Valgrind output (only first entry):

==11997== Invalid read of size 4
==11997==    at 0x819057F: php_var_dump (var.c:99)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x8190C07: zif_var_dump (var.c:183)
==11997==    by 0x82A72BA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:547)
==11997==    by 0x82ABD3F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2328)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==  Address 0x447f15c is 12 bytes inside a block of size 36 free'd
==11997==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11997==    by 0x823257E: _efree (zend_alloc.c:2437)
==11997==    by 0x827C09B: zend_hash_del_key_or_index (zend_hash.c:512)
==11997==    by 0x82FC731: ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:33119)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==    by 0x8258E71: zend_call_function (zend_execute_API.c:939)
==11997==    by 0x8277CD4: zend_fcall_info_call (zend_API.c:3381)
==11997==    by 0x81E7B47: php_output_handler_op (output.c:962)
==11997==    by 0x81E8026: php_output_op (output.c:1063)
==11997==    by 0x81E5E6C: php_output_write (output.c:255)
==11997==    by 0x81C9442: php_printf (main.c:682)

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65050&edit=1
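
An added example, not PHP's code and not the fix adopted for this bug: a C sketch of one general way to let an apply-style walk survive deletions made by a re-entrant callback, by tombstoning entries during the walk and freeing them only once the outermost walk has ended. The `table`, `node`, `table_*`, `visit` and `demo` names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical mini table; all names are illustrative, not Zend's. */
typedef struct node { int key, dead; struct node *next; } node;
typedef struct { node *head; int applying; } table;

static void table_add(table *t, int key) {
    node *n = calloc(1, sizeof *n), **pp = &t->head;
    if (!n) abort();
    n->key = key;
    while (*pp) pp = &(*pp)->next;   /* append, keeping insertion order */
    *pp = n;
}

/* Unlink and free tombstoned nodes; only run while no walk is active. */
static void table_sweep(table *t) {
    for (node **pp = &t->head, *n; (n = *pp) != NULL; )
        if (n->dead) { *pp = n->next; free(n); } else pp = &n->next;
}

/* Delete by key. During a walk the node is only marked, never freed. */
static void table_del(table *t, int key) {
    for (node *n = t->head; n; n = n->next)
        if (n->key == key && !n->dead) { n->dead = 1; break; }
    if (t->applying == 0) table_sweep(t);
}

/* Walk live nodes; fn may re-enter table_del or table_apply. */
static void table_apply(table *t, void (*fn)(table *, node *, void *), void *arg) {
    t->applying++;
    for (node *n = t->head; n; n = n->next)
        if (!n->dead) fn(t, n, arg);
    if (--t->applying == 0) table_sweep(t);   /* outermost walk frees */
}

/* Callback that deletes key 0 while key 0 is the element being visited. */
static void visit(table *t, node *n, void *arg) {
    if (n->key == 0) table_del(t, 0);
    *(int *)arg += 1 + n->key;   /* n is tombstoned, not freed: valid read */
}

/* Returns 10 * (sum of 1 + key over visited nodes) + nodes left afterwards. */
int demo(void) {
    table t = {0}; int sum = 0, left = 0;
    table_add(&t, 0); table_add(&t, 1);
    table_apply(&t, visit, &sum);
    for (node *n = t.head; n; n = n->next) left++;
    table_del(&t, 1);                /* release the surviving node */
    return sum * 10 + left;
}
```

Freeing the node inside `table_del` while `applying` is non-zero would recreate the pattern in the Valgrind trace above: the walker would read the current node, and its `next` pointer, after the callback had released it.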