From: nikic
Operating system:
PHP version: 5.5.0RC3
Package: Scripting Engine problem
Bug Type: Bug
Bug description: zend_hash_apply not interruption safe
Description:
------------
zend_hash_apply is used all over the place, but it isn't interruption safe (just like iteration using HashPosition).
Here is an example making use of OB callbacks in var_dump:
<?php
$array1 = [0, 1];
$array2 = [&$array1];            // by reference, so the handler below can mutate the array being dumped
ob_start(function($str) use(&$array1) {
    static $i = 0;
    if ($i++ == 4) {             // fifth handler call: var_dump is still walking $array1
        unset($array1[0]);       // frees the element var_dump is in the middle of printing
        //unset($array1[1]);
    }
    return "$i: $str";
}, 1);                           // chunk_size 1: the handler runs on every write var_dump makes
var_dump($array2);
nikic@pluto:~/dev/php-dev$ sapi/cli/php t16.php
1: array(1) {
2: [0]=>
3: 4: &array(2) {
5: [0]=>
6: Segmentation fault (core dumped)
Valgrind output (only first entry):
==11997== Invalid read of size 4
==11997== at 0x819057F: php_var_dump (var.c:99)
==11997== by 0x81903EF: php_array_element_dump (var.c:51)
==11997== by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997== by 0x8190A58: php_var_dump (var.c:146)
==11997== by 0x81903EF: php_array_element_dump (var.c:51)
==11997== by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997== by 0x8190A58: php_var_dump (var.c:146)
==11997== by 0x8190C07: zif_var_dump (var.c:183)
==11997== by 0x82A72BA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:547)
==11997== by 0x82ABD3F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2328)
==11997== by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997== by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997== Address 0x447f15c is 12 bytes inside a block of size 36 free'd
==11997== at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11997== by 0x823257E: _efree (zend_alloc.c:2437)
==11997== by 0x827C09B: zend_hash_del_key_or_index (zend_hash.c:512)
==11997== by 0x82FC731: ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:33119)
==11997== by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997== by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997== by 0x8258E71: zend_call_function (zend_execute_API.c:939)
==11997== by 0x8277CD4: zend_fcall_info_call (zend_API.c:3381)
==11997== by 0x81E7B47: php_output_handler_op (output.c:962)
==11997== by 0x81E8026: php_output_op (output.c:1063)
==11997== by 0x81E5E6C: php_output_write (output.c:255)
==11997== by 0x81C9442: php_printf (main.c:682)
--
Edit bug report at https://bugs.php.net/bug.php?id=65050&edit=1
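The failure mode in the report in miniature, as an added C example that is not part of the bug report or of the PHP source: a toy singly-linked table whose naive apply loop reuses its bucket pointer after the user callback has unlinked and poisoned that bucket, next to a variant that defers physical deletion while a walk is in progress. The bucket and table types, the apply_count field and the tombstone-and-sweep scheme are assumptions made for illustration; they model the hazard, not the engine's real HashTable layout or whatever fix was eventually applied. In the unsafe walk the callback is even handed an already-freed bucket (it sees key -1), which is the shape of the var.c:99 read in the valgrind output above.

```c
/* Toy model of a PHP-5-style linked HashTable: an added example, not Zend engine code.
 * apply_unsafe() keeps a raw bucket pointer live across the user callback, as the report
 * describes; apply_safe() is one assumed deferred-deletion scheme, not PHP's actual fix. */
#include <stdio.h>

typedef struct bucket {
    long key;
    int deleted;             /* tombstone: logically removed, storage still valid */
    int freed;               /* storage released; touching it again is a use-after-free */
    struct bucket *next;     /* list link, the pListNext role in the real engine */
} bucket;

typedef struct {
    bucket *head;
    int apply_count;         /* walks in progress; deletes are deferred while > 0 */
} table;

typedef void (*apply_cb)(table *t, bucket *b, void *ctx);

/* Stand-in for efree(): poison the bucket. Storage stays mapped so the toy can
 * observe the invalid access instead of segfaulting like the report does. */
static void release(bucket *b) { b->freed = 1; b->key = -1; }

static void table_del(table *t, long key) {
    for (bucket **pp = &t->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->key != key) continue;
        bucket *b = *pp;
        if (t->apply_count > 0) b->deleted = 1;   /* a walk may still hold b: only mark it */
        else { *pp = b->next; release(b); }       /* no walk in progress: unlink and free now */
        return;
    }
}

/* Physically remove tombstones; only runs once no walk holds a bucket pointer. */
static void sweep(table *t) {
    for (bucket **pp = &t->head; *pp; ) {
        if ((*pp)->deleted) { bucket *b = *pp; *pp = b->next; release(b); }
        else pp = &(*pp)->next;
    }
}

/* The pattern in the report. Returns how many freed buckets were touched. */
static int apply_unsafe(table *t, apply_cb cb, void *ctx) {
    int uaf = 0;
    for (bucket *p = t->head; p; p = p->next) {  /* p->next is read after cb ran */
        cb(t, p, ctx);
        if (p->freed) uaf++;                     /* valgrind's "Invalid read" */
    }
    return uaf;
}

/* Interruption-safe variant: deletes issued during the walk become tombstones. */
static int apply_safe(table *t, apply_cb cb, void *ctx) {
    int uaf = 0;
    t->apply_count++;
    for (bucket *p = t->head; p; p = p->next) {
        if (p->deleted) continue;                /* unset by an earlier callback of this walk */
        cb(t, p, ctx);
        if (p->freed) uaf++;
    }
    if (--t->apply_count == 0) sweep(t);
    return uaf;
}

/* Mirrors the OB handler: on one call, unset the element being visited plus a later one. */
struct trace { int n; long seen[8]; long also_del; };

static void cb_unset(table *t, bucket *b, void *ctx) {
    struct trace *tr = ctx;
    if (tr->n < 8) tr->seen[tr->n] = b->key;     /* -1 means the callback was handed a freed bucket */
    if (++tr->n == 2) {                          /* like `if ($i++ == 4)` in the report */
        table_del(t, b->key);
        table_del(t, tr->also_del);
    }
}

static struct trace g_tr;                        /* what the callback saw in the last run() */
static long g_keys[8]; static int g_nkeys;       /* keys left in the table after the last run() */

/* Build {1,2,3,4} in a stack pool, walk it with the given apply; returns the freed-bucket access count. */
static int run(int (*apply)(table *, apply_cb, void *)) {
    bucket pool[4] = {{0}};
    table t = { pool, 0 };
    struct trace fresh = { 0, {0}, 3 };          /* also_del = 3: the element after the one hit */
    for (int i = 0; i < 4; i++) { pool[i].key = i + 1; pool[i].next = i < 3 ? &pool[i + 1] : NULL; }
    g_tr = fresh;
    int uaf = apply(&t, cb_unset, &g_tr);
    g_nkeys = 0;
    for (bucket *p = t.head; p; p = p->next) g_keys[g_nkeys++] = p->key;
    return uaf;
}

int main(void) {
    int (*variants[2])(table *, apply_cb, void *) = { apply_unsafe, apply_safe };
    for (int v = 0; v < 2; v++) {
        printf("%s walk: %d freed-bucket accesses; callback saw", v ? "safe" : "unsafe", run(variants[v]));
        for (int i = 0; i < g_tr.n; i++) printf(" %ld", g_tr.seen[i]);
        printf("; keys left: %d\n", g_nkeys);
    }
    return 0;
}
```

Build with `cc -Wall` and run: the unsafe walk touches two poisoned buckets and calls the callback on one of them, the safe walk touches none and still ends with the same two keys {1, 4} in the table. In the real engine the unlinked bucket goes back to the allocator instead of being poisoned in place, which is why the script above segfaults rather than printing garbage.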