ID: 34277
User updated by: andreas dot ettner at freenet dot de
Reported By: andreas dot ettner at freenet dot de
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Debian GNU/Linux
PHP Version: 4.4.0
New Comment:

The PHP 5.1.0-dev snapshot provided by your link still crashes with a segmentation fault on the code sample.

Previous Comments:
------------------------------------------------------------------------

[2005-08-28 00:58:45] [EMAIL PROTECTED]

Please try using this CVS snapshot:

http://snaps.php.net/php5-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php5-win32-latest.zip

------------------------------------------------------------------------

[2005-08-27 03:44:22] andreas dot ettner at freenet dot de

Description:
------------
PHP crashes with a segmentation fault when executing the provided code. This problem has been observed with various setups. The provided backtrace of a crash was generated with PHP version 4.4.0 CGI, configured with './configure' '--prefix=/home/eta/data/php-4.4.0' '--enable-debug', compiled and run on a Debian GNU/Linux system with GCC version 3.3.5 and GNU C Library version 2.3.2. In this setup PHP crashed on every invocation.

In order to facilitate the task of fixing this defect I have tried to find out its reason, and I think I have succeeded: In the implementation of zif_array_filter (resp. array_filter) in ext/standard/array.c the local variables input and callback are set to point to locations in the elements array of the executor's argument_stack (l. 3312). Calling the callback later on in zif_array_filter (l. 3340) might cause the elements array of the stack to be moved in memory (through reallocation when growing the stack). When this happens, the local variables input and callback become invalid (dangling pointers), but are possibly used later on (in l. 3354 in our situation).

I hope this helps.

Reproduce code:
---------------
The code is unfortunately a bit long. It can be found at http://people.freenet.de/aettner/crash.txt

Expected result:
----------------
No output (CGI version invoked with -q flag)

Actual result:
--------------
Segmentation fault (core dumped)

Backtrace generated with gdb:

Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `php -q crash.txt'.
Program terminated with signal 11, Segmentation fault.
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c", line=1064) at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
94          if (ht->inconsistent==HT_OK) {
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c", line=1064) at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
#1  0x08174262 in zend_hash_get_current_key_ex (ht=0xfb8277dc, str_index=0xbfffca6c, str_length=0xbfffca68, num_index=0xbfffca64, duplicate=0 '\0', pos=0xbfffca60) at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:1064
#2  0x080add21 in zif_array_filter (ht=2, return_value=0x821b7d4, this_ptr=0x0, return_value_used=1) at /home/eta/data/src-php-4.4.0/ext/standard/array.c:3354
#3  0x0818134a in execute (op_array=0x8220490) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1672
#4  0x08181576 in execute (op_array=0x8220890) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#5  0x08181576 in execute (op_array=0x82209e0) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#6  0x08181576 in execute (op_array=0x8220b30) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#7  0x08181576 in execute (op_array=0x8220c80) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#8  0x08181576 in execute (op_array=0x8217234) at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#9  0x0816d298 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/eta/data/src-php-4.4.0/Zend/zend.c:938
#10 0x0813707b in php_execute_script (primary_file=0xbffffa10) at /home/eta/data/src-php-4.4.0/main/main.c:1751
#11 0x0818820c in main (argc=3, argv=0xbffffac4) at /home/eta/data/src-php-4.4.0/sapi/cgi/cgi_main.c:1606

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=34277&edit=1
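The dangling-pointer mechanism described in the 2005-08-27 report, shown as an added C model that is not PHP's code: a toy argument stack whose elements array moves when it grows, the report's bug shape (a pointer into that array kept across a callback that pushes) beside the hardened shape (copy the argument value out before the call and address slots by index). The arg_stack type, the function names and the always-move growth policy are assumptions of this model, not Zend internals.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of the executor argument stack: a heap array that grows on push. */
typedef struct { long *elements; size_t top, cap; } arg_stack;
static void stack_init(arg_stack *s) {
    s->cap = 2; s->top = 0; s->elements = malloc(s->cap * sizeof *s->elements);
}
static void stack_free(arg_stack *s) { free(s->elements); s->elements = NULL; }
static void stack_push(arg_stack *s, long v) {
    if (s->top == s->cap) {
        /* Zend grows with erealloc(), which may move the array; this model always
           moves it (new block, copy, free old) so the hazard is deterministic. */
        long *grown = malloc(2 * s->cap * sizeof *grown);
        memcpy(grown, s->elements, s->top * sizeof *grown);
        free(s->elements);
        s->elements = grown;
        s->cap *= 2;
    }
    s->elements[s->top++] = v;
}
/* A callback whose own call frame pushes arguments, as a PHP-level callback does. */
static long growing_callback(arg_stack *s, long v) {
    stack_push(s, v);
    stack_push(s, v + 1);            /* this push crosses cap and moves elements[] */
    return v * 10;
}
/* Bug shape from the report: a pointer INTO elements[] is kept across the callback.
   Returns 1 if it still addresses the live array, 0 if it now dangles. The stale
   pointer is only compared as an integer, never dereferenced. */
static int pointer_into_stack_survives(void) {
    arg_stack s; stack_init(&s); stack_push(&s, 42);
    long *input = &s.elements[s.top - 1];              /* like input at l. 3312 */
    uintptr_t old_base = (uintptr_t)s.elements;
    growing_callback(&s, *input);                      /* l. 3340: stack may move */
    int alive = ((uintptr_t)s.elements == old_base);   /* l. 3354 would use *input */
    stack_free(&s);
    return alive;                                      /* 0: input now dangles */
}
/* Hardened shape: remember the slot index and copy the value out before the call,
   then re-read through the live array afterwards. */
static long copy_before_call(void) {
    arg_stack s; stack_init(&s); stack_push(&s, 42);
    size_t slot = s.top - 1;                  /* an index survives reallocation */
    long arg = s.elements[slot];              /* the value, not its address */
    long r = growing_callback(&s, arg);
    long again = s.elements[slot];            /* re-derived from the live array */
    stack_free(&s);
    return r + again;                         /* 420 + 42 = 462 */
}
```

Any pointer taken into a container that can be reallocated by code running between the take and the use has this shape, regardless of whether the growth is triggered by a callback, a nested call or a signal handler.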