php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #29803 Seg fault on count($GLOBALS, COUNT_RECURSIVE);
Submitted: 2004-08-23 22:10 UTC Modified: 2006-01-06 09:13 UTC
Votes:2
Avg. Score:2.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jome@php.net Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 6CVS, 5CVS (2006-01-02) (cvs) OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jome@php.net
New email:
PHP Version: OS:

 

 [2004-08-23 22:10 UTC] jome@php.net 
Description:
------------
Crash on count($GLOBALS, COUNT_RECURSIVE);

./configure --disable-all --enable-cli --enable-debug --enable-memory-limit

Reproduce code:
---------------
<?php count($GLOBALS, COUNT_RECURSIVE); ?>

Expected result:
----------------
Something similar to how var_dump() handles var_dump($GLOBALS).

Actual result:
--------------
Segmentation fault

#0  0x08125815 in zend_hash_num_elements (ht=0x818cf30) at /usr/local/src/php5-200408231830/Zend/zend_hash.c:987
987             IS_CONSISTENT(ht);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-08-24 09:16 UTC] jome@php.net 
Let me know of you need more than this.

(gdb) frame 1
#1  0x0806936a in php_count_recursive (array=0x81910d4, mode=1)
    at /usr/local/src/php5-200408231830/ext/standard/array.c:267
267                             for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
(gdb) frame 2
#2  0x08069382 in php_count_recursive (array=0x81910d4, mode=1)
    at /usr/local/src/php5-200408231830/ext/standard/array.c:270
270                                     cnt += php_count_recursive(*element, COUNT_RECURSIVE TSRMLS_CC);

  (More frames containing the above here.)

(gdb) frame 174531
#174531 0x0806942b in zif_count (ht=2, return_value=0x81c3d74, this_ptr=0x0,
    return_value_used=0)
    at /usr/local/src/php5-200408231830/ext/standard/array.c:293
293                             RETURN_LONG (php_count_recursive (array, mode TSRMLS_CC));

#174532 0x081420e8 in zend_do_fcall_common_helper (execute_data=0xbfffd590)
    at /usr/local/src/php5-200408231830/Zend/zend_execute.c:2980
2980                            ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(object), return_value_used TSRMLS_CC);

(gdb) frame 174533
#174533 0x0814274b in zend_do_fcall_handler (execute_data=0xbfffd590)
    at /usr/local/src/php5-200408231830/Zend/zend_execute.c:3114
3114            return zend_do_fcall_common_helper(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);

#174534 0x0813eabb in execute (op_array=0x81d0524)
    at /usr/local/src/php5-200408231830/Zend/zend_execute.c:1498
1498                    if (EX(opline)->handler(&execute_data TSRMLS_CC)) {

#174535 0x0811defe in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5-200408231830/Zend/zend.c:1052
1052                            zend_execute(EG(active_op_array) TSRMLS_CC);
 [2004-08-24 09:27 UTC] derick@php.net 
So, PHP is allowed to crash here as you're doing something infinite recursive... I have no clue how this should or can be fixed while the function is still useful. Suspending for now.
 [2004-08-24 09:33 UTC] jome@php.net 
Understood. I don't know much about the internals but like I mentioned, it works if you do var_dump($GLOBALS) though (ie PHP doesn't crash).
 [2006-01-06 09:13 UTC] derick@php.net 
I still have no clue, so marking it as "Wont Fix"
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Jul 04 20:01:35 2025 UTC