php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #49896 unsetting array member inside uksort function causes 1.5GB memory exhaustion
Submitted: 2009-10-16 08:24 UTC Modified: 2009-12-08 11:55 UTC
From: jmy at morgontech dot com Assigned:
Status: Closed Package: Arrays related
PHP Version: 5.*, 6 (2009-10-19) OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jmy at morgontech dot com
New email:
PHP Version: OS:

 

 [2009-10-16 08:24 UTC] jmy at morgontech dot com 
Description:
------------
In an attempt to cull some unneeded array elements from within a user-defined function for uksort(), I came across a very odd memory exhaustion issue where array.c collapses under a sudden 1.5GB memory allocation attempt.

I realize this may not be the best way to accomplish my goal, but am pretty sure the memory exhaustion shouldn't be happening, regardless.

Reproduce code:
---------------
<?php
$sortOrder = Array(281, 830, 580, 541, 838, 839, 702, 625, 102, 234, 532, 317, 859, 738, 17, 350);
$myArray = Array(
    830 => 'eightthirty',
    317 => 'threeseventeen',
    102 => 'oneohtwo',
    281 => 'twoeightyone',
    14  => 'fourteen',
    580 => 'fiveeighty',
    541 => 'fivefourtyone',
    350 => 'threefifty',
    838 => 'eightthirtyeight',
    839 => 'eightthirtynine',
    702 => 'sevenohtwo',
    625 => 'sixtwentyfive',
    234 => 'twothreefour',
    532 => 'fivethirtytwo',
    859 => 'eightfiftynine',
    738 => 'seventhirtyeight',
    17  => 'seventeen'
);  

    function sortByOrder($a, $b) {
        global $sortOrder;
        global $myArray;

        if (!in_array($a, $sortOrder)) {
            unset($myArray[$a]);
            return 1;
        }
        if (!in_array($b, $sortOrder)) {
            return -1;
        }

        return array_search($a, $sortOrder) - array_search($b, $sortOrder);
    }

uksort($myArray, 'sortByOrder');
print_r($myArray);
?>

Expected result:
----------------
Expected result is an array sorted to match $sortOrder

Actual result:
--------------
Fatal error: Allowed memory size of 16777216 bytes exhausted at /root/source/php-5.3.0/ext/standard/array.c:694 (tried to allocate 1515870810 bytes) in /path/to/uksort_memory.php on line 38

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-19 10:43 UTC] jani@php.net 
It also crashes:

(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0x10) at /home/jani/src/php-5.3/Zend/zend_execute_API.c:429
#1  0x00000000005e86e8 in zend_hash_destroy (ht=0x1de2e0c0) at /home/jani/src/php-5.3/Zend/zend_hash.c:526
#2  0x00000000005dc876 in _zval_dtor_func (zvalue=0x1de304b8) at /home/jani/src/php-5.3/Zend/zend_variables.c:43
#3  0x00000000005d06e5 in _zval_ptr_dtor (zval_ptr=0x1de30b20) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#4  0x00000000005e83db in zend_hash_apply_deleter (ht=0xb5eec8, p=0x1de30b08) at /home/jani/src/php-5.3/Zend/zend_hash.c:611
#5  0x00000000005e8648 in zend_hash_graceful_reverse_destroy (ht=0xb5eec8) at /home/jani/src/php-5.3/Zend/zend_hash.c:646
#6  0x00000000005d0a9e in shutdown_executor () at /home/jani/src/php-5.3/Zend/zend_execute_API.c:252
#7  0x00000000005dcd63 in zend_deactivate () at /home/jani/src/php-5.3/Zend/zend.c:890
#8  0x000000000058deb8 in php_request_shutdown (dummy=<value optimized out>) at /home/jani/src/php-5.3/main/main.c:1601
#9  0x0000000000660108 in main (argc=2, argv=0x7fff8879e2a8) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1371
 [2009-12-08 11:55 UTC] felipe@php.net 
This issue was fixed with an improved fix for the bug #50006.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Jul 13 13:01:32 2025 UTC