ID:               34277
 Updated by:       [EMAIL PROTECTED]
 Reported By:      andreas dot ettner at freenet dot de
-Status:           Closed
+Status:           Assigned
 Bug Type:         Arrays related
 Operating System: *
-PHP Version:      5CVS, 4CVS (2005-08-31)
+PHP Version:      4CVS (2005-08-31)
 Assigned To:      dmitry
 New Comment:

Dmitry, the fix wasn't enough.
This change causes another crash with PHP_4_4 branch (only):

-  $ret = array_filter(array(0), 'f');
+  $ret = array_filter(array(0, 1), 'f');

Backtrace:
0x082355c7 in call_user_function_ex (function_table=0x9b594b0,
object_pp=0x0,
    function_name=0x80000020, retval_ptr_ptr=0xbf8f9120,
param_count=1,
    params=0xbf8f9124, no_separation=0, symbol_table=0x0)
    at /usr/src/php/php_4_4/Zend/zend_execute_API.c:443
443             if (function_name->type==IS_ARRAY) { /* assume
array($obj, $name) couple */
(gdb) bt
#0  0x082355c7 in call_user_function_ex (function_table=0x9b594b0,
object_pp=0x0,
    function_name=0x80000020, retval_ptr_ptr=0xbf8f9120,
param_count=1,
    params=0xbf8f9124, no_separation=0, symbol_table=0x0)
    at /usr/src/php/php_4_4/Zend/zend_execute_API.c:443
#1  0x0819be7a in zif_array_filter (ht=2, return_value=0x9c33214,
this_ptr=0x0,
    return_value_used=1) at
/usr/src/php/php_4_4/ext/standard/array.c:3360
#2  0x08251313 in execute (op_array=0x9c37e78)
    at /usr/src/php/php_4_4/Zend/zend_execute.c:1675
.
.
Previous Comments:
------------------------------------------------------------------------

[2005-09-01 14:02:05] [EMAIL PROTECTED]

Fixed in CVS HEAD, PHP_5_1, PHP_5_0 and PHP_4_4.

------------------------------------------------------------------------

[2005-08-31 10:44:54] [EMAIL PROTECTED]

Dmitry, check this out please.

------------------------------------------------------------------------

[2005-08-27 03:44:22] andreas dot ettner at freenet dot de

Description:
------------
PHP crashes with a segmentation fault when executing the provided code.
 This problem has been observed with various setups.  The provided
backtrace of a crash was generated with PHP version 4.4.0 CGI,
configured with

'./configure' '--prefix=/home/eta/data/php-4.4.0' '--enable-debug' ,

compiled and run on a Debian GNU/Linux system with GCC version 3.3.5
and GNU C Library version 2.3.2.  In this setup PHP crashed on every
invocation.


In order to facilitate the task of fixing this defect I have tried to
find out its reason, and I think I have succeeded:

In the implementation of zif_array_filter (resp. array_filter) in
ext/standard/array.c the local variables input and callback are set to
point to locations in the elements array of the executor's
argument_stack (l. 3312).  Calling the callback later on in
zif_array_filter (l. 3340) might cause the elements array of the stack
to be moved in memory (through reallocation when growing the stack). 
When this happens, the local variables input and callback become
invalid (dangling pointers), but are possibly used later on (in l. 3354
in our situation).

I hope this helps.


Reproduce code:
---------------
The code is unfortunately a bit long.  It can be found at
http://people.freenet.de/aettner/crash.txt

Expected result:
----------------
No output (CGI version invoked with -q flag)

Actual result:
--------------
Segmentation fault (core dumped)

Backtrace generated with gdb:

Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `php -q crash.txt'.
Program terminated with signal 11, Segmentation fault.
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, 
    file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c",
line=1064)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
94              if (ht->inconsistent==HT_OK) {
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, 
    file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c",
line=1064)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
#1  0x08174262 in zend_hash_get_current_key_ex (ht=0xfb8277dc, 
    str_index=0xbfffca6c, str_length=0xbfffca68, num_index=0xbfffca64,
    duplicate=0 '\0', pos=0xbfffca60)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:1064
#2  0x080add21 in zif_array_filter (ht=2, return_value=0x821b7d4, 
    this_ptr=0x0, return_value_used=1)
    at /home/eta/data/src-php-4.4.0/ext/standard/array.c:3354
#3  0x0818134a in execute (op_array=0x8220490)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1672
#4  0x08181576 in execute (op_array=0x8220890)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#5  0x08181576 in execute (op_array=0x82209e0)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#6  0x08181576 in execute (op_array=0x8220b30)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#7  0x08181576 in execute (op_array=0x8220c80)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#8  0x08181576 in execute (op_array=0x8217234)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#9  0x0816d298 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
    at /home/eta/data/src-php-4.4.0/Zend/zend.c:938
#10 0x0813707b in php_execute_script (primary_file=0xbffffa10)
    at /home/eta/data/src-php-4.4.0/main/main.c:1751
#11 0x0818820c in main (argc=3, argv=0xbffffac4)
    at /home/eta/data/src-php-4.4.0/sapi/cgi/cgi_main.c:1606



------------------------------------------------------------------------
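The defect the reporter describes is a general C pattern: a pointer taken into a growable array goes stale once a nested call makes the array reallocate. The following is an added example, not PHP's code or anything from this report; it models a tiny argument stack (constructed, with hypothetical names `arg_stack`, `stack_push`, `keep_nonzero`, `filter_count`) and shows the safe form, which carries an offset rather than a cached pointer and re-reads through the live base after every callback.

```c
#include <stdint.h>
#include <stdlib.h>
/* Growable argument stack modelled on the executor's argument_stack the
 * report describes (constructed for this example, not PHP's own code). */
typedef struct { long *elements; size_t top, capacity; } arg_stack;

static void stack_push(arg_stack *s, long v) {
    if (s->top == s->capacity) {
        /* Growth may relocate `elements`; every pointer into it goes stale. */
        size_t cap = s->capacity ? s->capacity * 2 : 4;
        long *grown = realloc(s->elements, cap * sizeof *grown);
        if (!grown) abort();
        s->elements = grown, s->capacity = cap;
    }
    s->elements[s->top++] = v;
}

/* Stand-in for a user callback reached through call_user_function_ex: it
 * pushes its own argument frame onto the shared stack and so may grow it. */
static int keep_nonzero(arg_stack *s, long v) {
    stack_push(s, v); stack_push(s, 1);   /* parameter, then argument count */
    return v != 0;
}

/* Filters the `count` values at elements[first..first+count) and returns how
 * many the callback kept. Arguments are addressed by offset and re-read via
 * s->elements after every call; a pointer cached before the loop (as `input`
 * and `callback` were in zif_array_filter) would dangle on the first growth. */
static size_t filter_count(arg_stack *s, size_t first, size_t count, size_t *relocations) {
    size_t kept = 0;
    *relocations = 0;                         /* how often the base moved */
    for (size_t i = 0; i < count; i++) {
        uintptr_t base_before = (uintptr_t)s->elements;
        long v = s->elements[first + i];      /* fetch via the live base */
        if (keep_nonzero(s, v))               /* may realloc s->elements */
            kept++;
        if ((uintptr_t)s->elements != base_before)
            (*relocations)++;
    }
    return kept;
}

/* Constructed scenario: four arguments on a stack sized exactly for them. */
static size_t demo_kept(size_t *relocations, size_t *final_capacity) {
    arg_stack s = { NULL, 0, 0 };
    const long args[4] = { 0, 1, 2, 3 };
    for (size_t i = 0; i < 4; i++) stack_push(&s, args[i]);
    size_t kept = filter_count(&s, 0, 4, relocations);
    *final_capacity = s.capacity;
    free(s.elements);
    return kept;
}
```

With four arguments on a stack of capacity four, the eight pushes made by the callbacks force two growth steps, which is exactly when a pointer saved before the loop would have been dereferenced into freed memory.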


-- 
Edit this bug report at http://bugs.php.net/?id=34277&edit=1
