Bug #43229 array_walk() crashes with a segmentation fault
Submitted: 2007-11-09 20:45 UTC Modified: 2008-08-06 03:55 UTC
Votes:5
Avg. Score:4.2 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:3 (60.0%)
From: tobsn@php.net Assigned: dmitry
Status: Wont fix Package: Scripting Engine problem
PHP Version: 5.2CVS-2008-03-25 (CVS) OS: CentOS
Private report: No CVE-ID: None
 [2007-11-09 20:45 UTC] tobsn@php.net
Description:
------------
strace doesn't output anything - it just cuts the output with a segfault.

If you change the variable from $thiskeyword to something else without "this" at the start, it works correctly... ;)

Reproduce code:
---------------
<?php

$stopwords = array( 'this', 'a', 'the', 'is' );
$keyword = explode( ' ', 'this is a big problem' );

for( $i = 0; $i < 1000; $i++ ) {
        $thiskeyword = $keyword;
        // The callback reaches the walked array through "global" and
        // unset()s its elements while array_walk() is still iterating it.
        array_walk( $thiskeyword, create_function('$v,$k','global $thiskeyword,$stopwords;if(in_array($v,$stopwords)){unset($thiskeyword[$k]);}'));
}

?>

Actual result:
--------------
Segmentation Fault

 [2007-11-09 23:07 UTC] stas@php.net
Looks like a problem happens because array is modified while array_walk is walking it. 
 [2007-11-10 00:05 UTC] tobsn@php.net
If you use a different var name like $tmpkeyword instead of $thiskeyword, it works... ;)
 [2007-11-12 11:58 UTC] jani@php.net
I get the same crash regardless what the variable name is:

Program received signal SIGSEGV, Segmentation fault.
0x08305dea in zend_hash_get_current_data_ex (ht=0x928721c, pData=0xbff8e0fc, pos=0xbff8e0e4) at /home/jani/src/php-5.3/Zend/zend_hash.c:1163
1163                    *pData = p->pData;
(gdb) bt
#0  0x08305dea in zend_hash_get_current_data_ex (ht=0x928721c, pData=0xbff8e0fc, pos=0xbff8e0e4) at /home/jani/src/php-5.3/Zend/zend_hash.c:1163
#1  0x082015df in php_array_walk (target_hash=0x928721c, userdata=0x0, recursive=0) at /home/jani/src/php-5.3/ext/standard/array.c:1035
#2  0x08201834 in zif_array_walk (ht=2, return_value=0x9287a18, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/jani/src/php-5.3/ext/standard/array.c:1126
#3  0x0831f002 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff8e3bc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#4  0x08324824 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbff8e3bc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#5  0x0831eb06 in execute (op_array=0x9285f10) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#6  0x082f7a7e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#7  0x0829ff95 in php_execute_script (primary_file=0xbff90740) at /home/jani/src/php-5.3/main/main.c:2007
#8  0x0837f5c4 in main (argc=2, argv=0xbff90894) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140

 [2007-12-03 15:13 UTC] david at grant dot org dot uk
Reproduced on PHP 5.2.5 on RHEL 4.

#0  zend_call_function (fci=0xbff5f4e0, fci_cache=0xbff5f510) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_execute_API.c:911
#1  0x0309aa8b in php_array_walk (target_hash=0xb7aa1208, userdata=0xbff5f578, recursive=0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/ext/standard/array.c:1114
#2  0x0309ae64 in zif_array_walk (ht=3, return_value=0xb7ab3a78, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/wdierkes/buildroot/BUILD/php-5.2.5/ext/standard/array.c:1171
#3  0x0318a244 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff5f7f0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:200
#4  0x0318971a in execute (op_array=0xb7b8d50c) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:92
#5  0x03189a1f in zend_do_fcall_common_helper_SPEC (execute_data=0xbff5ffc0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:234
#6  0x0318971a in execute (op_array=0xb7b8cd50) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:92
#7  0x03189a1f in zend_do_fcall_common_helper_SPEC (execute_data=0xbff602f0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:234
#8  0x0318971a in execute (op_array=0xb7b891f8) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:92
#9  0x03189a1f in zend_do_fcall_common_helper_SPEC (execute_data=0xbff60650) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:234
#10 0x0318971a in execute (op_array=0xb7b37e24) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:92
#11 0x03189a1f in zend_do_fcall_common_helper_SPEC (execute_data=0xbff625f0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:234
#12 0x0318971a in execute (op_array=0xb7cd7930) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend_vm_execute.h:92
#13 0x03168d4b in zend_execute_scripts (type=8, retval=0x1a4, file_count=3) at /home/wdierkes/buildroot/BUILD/php-5.2.5/Zend/zend.c:1134
#14 0x031214fb in php_execute_script (primary_file=0xbff648e0) at /home/wdierkes/buildroot/BUILD/php-5.2.5/main/main.c:2004
#15 0x0320caee in php_handler (r=0x96a8480) at /home/wdierkes/buildroot/BUILD/php-5.2.5/sapi/apache2handler/sapi_apache2.c:631
 [2008-01-22 13:45 UTC] felipe@php.net
Works fine for me.
PHP 5.3.0-dev (cli) (built: Jan 18 2008 12:20:16) 
 [2008-02-09 01:10 UTC] stas@php.net
Still crashes for me in 5.3CVS. Please do not re-close without ensuring a fix - UMRs or memory corruption can be elusive and not show on some environments while existing on others.
 [2008-03-25 13:52 UTC] jani@php.net
Still crashes using latest 5.2 snapshot.
 [2008-04-12 14:54 UTC] jani@php.net
Dmitry, can you please check this out? It's pretty bad if just a certain name of variable causes a crash.
 [2008-04-14 11:23 UTC] dmitry@php.net
The crash is not related to variable name. It occurs because the script unset()s the element of array which is still referenced from the array_walk() function. So later array_walk() tries to access freed memory and may crash.

The array_walk() manual says:
Users may not change the array itself from the callback function. e.g. Add/delete elements, unset elements, etc. If the array that array_walk() is applied to is changed, the behavior of this function is undefined, and unpredictable.

I think this bug shouldn't be fixed.
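
The caller-side fix that follows from Dmitry's explanation, as an added example that is not part of the bug report or of PHP's own sources: the same stop-word removal written three ways, none of which mutates the array that array_walk() is walking. The function names are illustrative; the code assumes PHP 7 or later (closures instead of create_function(), which was deprecated in 7.2 and removed in 8.0).

```php
<?php
// Added example, not from the bug report. Three ways to drop stop words
// without modifying the array array_walk() is iterating. Function names
// are illustrative; requires PHP 7+.

// array_filter() builds a fresh array and leaves its input untouched.
function removeStopwordsFilter(array $words, array $stopwords): array
{
    return array_filter($words, function (string $w) use ($stopwords): bool {
        return !in_array($w, $stopwords, true);
    });
}

// array_diff() is the idiomatic one-liner for "remove these values".
function removeStopwordsDiff(array $words, array $stopwords): array
{
    return array_diff($words, $stopwords);
}

// If array_walk() has to stay, the callback only records which keys to
// drop; the unset() calls run after the walk has finished, so the walked
// array is never changed from inside the callback.
function removeStopwordsWalk(array $words, array $stopwords): array
{
    $drop = [];
    array_walk($words, function (string $w, int $k) use ($stopwords, &$drop): void {
        if (in_array($w, $stopwords, true)) {
            $drop[] = $k;
        }
    });
    foreach ($drop as $k) {
        unset($words[$k]);
    }
    return $words;
}

// Same constructed input as the reproduce code above.
$stopwords = ['this', 'a', 'the', 'is'];
$keyword   = explode(' ', 'this is a big problem');

$expected = ['big', 'problem'];
foreach (['removeStopwordsFilter', 'removeStopwordsDiff', 'removeStopwordsWalk'] as $fn) {
    // All three preserve the original keys (3 => 'big', 4 => 'problem');
    // array_values() reindexes when a plain list is wanted.
    $result = array_values($fn($keyword, $stopwords));
    if ($result !== $expected) {
        throw new RuntimeException("$fn returned " . json_encode($result));
    }
    echo $fn, ': ', implode(' ', $result), PHP_EOL;
}
```

The reproduce code used a loose in_array(); the strict flag here is a deliberate change so that values of other types are not matched by PHP's loose comparison rules. Callers that need to see the filtered result must use the return value: unlike the reproduce code, none of these functions writes back through a global.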

Last updated: Thu Jul 03 12:01:33 2025 UTC