php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72411 PHP segfaults when there are too many elements added to a linked list
Submitted: 2016-06-15 11:31 UTC Modified: 2016-06-15 13:42 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: pwmosquito at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2016-06-15 11:31 UTC] pwmosquito at gmail dot com
Description:
------------
OSes: OSX (version 10.11.5), Ubuntu 14.04.3 LTS, CentOS release 6.5 (Final)
PHP versions: 5.5, 5.6, 7.0

When implementing a simple singly linked list in PHP I get a segfault if I try to add too many items to the list. To define too many: the sample code attached could cope with 29,000 items on my machine but segfaults with 30,000 items.

The interesting part is that if I first remove the items from the list, eg. with $this->head = $this->head->getNext() (method excluded from the sample code for brevity) then everything works as expected and I can add items to the list till it fill up and I get "Fatal error: Uncaught RuntimeException: Stack overflow.", which is expected.

If I add __destruct() { $this->head = null; } to LinkedList and set a breakpoint there it will segfault when I execute that line.

Test script:
---------------
<?php
class Node {
    private $next;

    public function setNext(Node $node = null) {
        $this->next = $node;
        return $this;
    }
}

class LinkedList {
    private $head;

    public function addNode() {
        $this->head = (new Node())->setNext($this->head);
    }
}

$ll = new LinkedList();
for ($i = 0; $i < 100000; $i++) {
    $ll->addNode();
}

Expected result:
----------------
no output

Actual result:
--------------
'php test.php' terminated by signal SIGSEGV (Address boundary error)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-15 13:42 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2016-06-15 13:42 UTC] nikic@php.net
Duplicate of bug #68606.
 [2016-06-15 14:00 UTC] brunocassol at gmail dot com
Well I can bikeshed this.

Full strace output: http://pastebin.com/Nnyufi3R

Last lines:

mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_HUGETLB, -1, 0) = -1 ENOMEM (Cannot allocate memory)
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f139ea46000
munmap(0x7f139ea46000, 2097152)         = 0
mmap(NULL, 4190208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f139e847000
munmap(0x7f139e847000, 1806336)         = 0
munmap(0x7f139ec00000, 286720)          = 0
madvise(0x7f139ea00000, 2097152, MADV_HUGEPAGE) = 0
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_HUGETLB, -1, 0) = -1 ENOMEM (Cannot allocate memory)
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f139e800000
madvise(0x7f139e800000, 2097152, MADV_HUGEPAGE) = 0
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_HUGETLB, -1, 0) = -1 ENOMEM (Cannot allocate memory)
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f139e600000
madvise(0x7f139e600000, 2097152, MADV_HUGEPAGE) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7ffdfe29cf78} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC