Bug #71815 Segfault after 65536 empty array references
Submitted: 2016-03-13 18:38 UTC
Modified: 2016-03-13 18:57 UTC
From: mihor dot cz at gmail dot com
Assigned:
Status: Duplicate
Package: Reproducible crash
PHP Version: 7.0.4
OS: CentOS 7.2.1511
Private report: No
CVE-ID: None
 [2016-03-13 18:38 UTC] mihor dot cz at gmail dot com
Description:
------------
Hello PHP team,
I managed to pinpoint one problem with PHP 7.0.4 (but I think that this problem exists at least since 7.0.0).

I don't think that there is more to explain than the simple code below.

Originally I found this problem in our large PHP code and it disappeared every time I turned off Opcache, but after pinpointing and extracting the problem into the code below, Opcache is no longer needed to segfault (so I guess that Opcache is maybe a little more sensitive to this kind of bad PHP code abuse).

My system spec:
PHP version: 7.0.4
OS: CentOS 7.2.1511
RAM: 128 GB
CPU: 2 x Intel(R) Xeon(R) CPU E5-2667 v3 @ 3.20GHz

PHP config:
Memory limit: 16 GB

Test script:
---------------
<?php
// 65536 elements (keys 0..65535): completes normally
$desc = array();
for ($i = 65535; $i > 0; $i--)
{
	$desc[$i] = &$desc[$i - 1];
}
echo "still ok\n";
// 65537 elements (keys 0..65536): segfaults
$desc = array();
for ($i = 65536; $i > 0; $i--)
{
	$desc[$i] = &$desc[$i - 1];
}
echo "not ok";

Expected result:
----------------
still ok
not ok

Actual result:
--------------
still ok
Segmentation fault

 [2016-03-13 18:57 UTC] nikic@php.net
Status: Open -> Duplicate
 [2016-03-13 18:57 UTC] nikic@php.net
This has the same root cause as https://bugs.php.net/bug.php?id=71539, namely the RHS of a ref assignment reallocating the array, while the LHS still holds a reference into it. We haven't found a good way to fix it yet.
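The split form of the assignment, as an added example that is not part of the report or of php-src: each statement performs only one write-fetch on $desc, so, going by the root cause described above, no pointer into the array is held across an operation that can reallocate it. That this avoids the crash on 7.0.4 is an assumption drawn from that description; buildChainSafely and verifyChain are names chosen for the example.

```php
<?php
// Added example (not from the bug report or from php-src): the same
// reference chain built so that no single statement performs two
// write-fetches on $desc. ASSUMPTION: this sidesteps the dangling LHS
// pointer described in the comment above, because the slot for $desc[$i]
// is fetched only after the RHS element already exists as a reference.
declare(strict_types=1);

/**
 * Build the same chain as the report's script, but in two steps per
 * iteration: first take a reference to the lower element, then bind the
 * upper element to that reference variable (a local, not a slot in $desc).
 */
function buildChainSafely(int $top): array
{
    $desc = [];
    for ($i = $top; $i > 0; $i--) {
        $prev = &$desc[$i - 1];   // may grow $desc; nothing else points into it
        $desc[$i] = &$prev;       // write-fetch of $desc[$i]; RHS is already a reference
    }
    unset($prev);                 // do not leave $prev bound into the array
    return $desc;
}

/**
 * Sanity check on the result. Note what this chain actually builds: each
 * "$desc[$i] = &$desc[$i-1]" rebinds $desc[$i], so at the end only
 * $desc[0] and $desc[1] still share a reference; $desc[$top] does not.
 */
function verifyChain(array $desc, int $top): bool
{
    $desc[0] = 'marker';
    return count($desc) === $top + 1
        && $desc[1] === 'marker'
        && $desc[$top] === null;
}

// 65535 is the report's passing case, 65536 its crashing case.
foreach ([65535, 65536, 200000] as $top) {
    $desc = buildChainSafely($top);
    printf("%d elements: %s\n", count($desc), verifyChain($desc, $top) ? 'ok' : 'FAIL');
}
```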