php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38956 seg fault during array_walk due to reallocated stack
Submitted: 2006-09-25 22:41 UTC Modified: 2006-09-27 17:34 UTC
From: jeannielu at hotmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.1.6 OS: Linux 2.6.16-22
Private report: No CVE-ID: None
 [2006-09-25 22:41 UTC] jeannielu at hotmail dot com
Description:
------------
I reliably get a seg fault during execution of array_walk() in our web application. Unfortunately, the seg fault is not reproducible with any simpler test case. 

gdb shows the death to be here:

#0  zend_call_function (fci=0xbfe8bcf0, fci_cache=0xbfe8bd14)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_execute_API.c:859
859                             (*fci->params[i])->refcount++;

FYI, the call looks like this:

        array_walk($current_set,
                   array($this, '_format_traffic_data'),
                   $dd
                   );

Where $current_set is a 2-D array of 10x5 elements, $dd another 2-D array of 2x2 elements. Each element is a string of 10-30 characters. However, I don't think the argument details are important. 

Valgrind shows that zend_call_function died processing the third argument because it referenced memory freed by zend_ptr_stack.h. See attached backtrace.






Actual result:
--------------
gdb:

#0  zend_call_function (fci=0xbfe8bcf0, fci_cache=0xbfe8bd14)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_execute_API.c:859
#1  0x081bdb35 in php_array_walk (target_hash=0x90472cc, userdata=0x85ebd6c, recursive=0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/ext/standard/array.c:1099
#2  0x081bdeaf in zif_array_walk (ht=3, return_value=0x904b69c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/ext/standard/array.c:1159
#3  0x0826af4d in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8cbd0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:200
#4  0x0826a6f1 in execute (op_array=0x894b304) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#5  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8df80)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#6  0x0826a6f1 in execute (op_array=0x8b12e34) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#7  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe8f360)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#8  0x0826a6f1 in execute (op_array=0x8ada67c) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#9  0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe90280)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#10 0x0826a6f1 in execute (op_array=0x8ac0bfc) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#11 0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe92240)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#12 0x0826a6f1 in execute (op_array=0x860b9e0) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#13 0x0826a928 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe923b0)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:234
#14 0x0826a6f1 in execute (op_array=0x85f609c) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend_vm_execute.h:92
#15 0x0825471f in zend_execute_scripts (type=8, retval=Variable "retval" is not available.
) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/Zend/zend.c:1109
#16 0x0822029c in php_execute_script (primary_file=0xbfe947d4)
    at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/main/main.c:1737
#17 0x082ce8ad in main (argc=5, argv=0xbfe94914) at /usr/src/redhat/SOURCES/mazu/apache/php-5.1.6/sapi/cli/php_cli.c:1093

(gdb) print *fci->params[2]
$1 = (zval *) 0x39


valgrind:

==7352== LEAK SUMMARY:
==7352==    definitely lost: 0 bytes in 0 blocks.
==7352==      possibly lost: 1,088 bytes in 1 blocks.
==7352==    still reachable: 49,274 bytes in 568 blocks.
==7352==         suppressed: 0 bytes in 0 blocks.
==7352== Reachable blocks (those to which a pointer was found) are not shown.
==7352== To see them, rerun with: --show-reachable=yes
==7313== Invalid read of size 4
==7313==    at 0x81BDAF6: php_array_walk (array.c:1090)
==7313==    by 0x81BDEAE: zif_array_walk (array.c:1159)
==7313==    by 0x826AF4C: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==  Address 0x437A678 is 80 bytes inside a block of size 268 free'd
==7313==    at 0x4005997: realloc (vg_replace_malloc.c:306)
==7313==    by 0x82406C3: _erealloc (zend_alloc.c:388)
==7313==    by 0x82906D4: zend_send_by_var_helper_SPEC_CV (zend_ptr_stack.h:99)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)
==7313==    by 0x826A927: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==7313==    by 0x826A6F0: execute (zend_vm_execute.h:92)



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-26 01:32 UTC] judas dot iscariote at gmail dot com
Looks as a duplicate of 34066 which is fixed in CVS, and will be in 5.2.0 very soon now :)
 [2006-09-26 07:04 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-09-26 22:01 UTC] jeannielu at hotmail dot com
php5.2-latest seems to fix it. Can I obtain a patch for 5.1.6? Will it apply cleanly?
 [2006-09-26 22:09 UTC] tony2001@php.net
Fixed -> closed.
I don't think it makes sense to backport a patch from a release candidate to the previous release. Just wait for a couple of weeks for the release.
 [2006-09-27 17:34 UTC] jeannielu at hotmail dot com
It makes sense if the patch is simple - in our case we won't have the opportunity window to upgrade our application until few months later.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jul 15 23:01:33 2025 UTC