Bug #55288 usort segfaults
Submitted: 2011-07-26 19:19 UTC Modified: 2011-07-29 15:58 UTC
Votes:5
Avg. Score:4.0 ± 0.6
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:5 (100.0%)
From: jstephens at qualtrics dot com Assigned: laruence (profile)
Status: Closed Package: Arrays related
PHP Version: 5.3.6 OS: Linux
Private report: No CVE-ID: None
 [2011-07-26 19:19 UTC] jstephens at qualtrics dot com
Description:
------------
usort and uksort (and possibly other related functions) will segfault with the given script. I believe it is related to Zend's internal array "copy-on-write".

Test script:
---------------
<?php
class X {
	function __construct($v) { $this->v = $v; }
}

function sortIt(&$list) {
	usort($list, function($a, $b) use ($list) {
		return $a->v - $b->v;
	});
}

$list = array();
for($i = 0; $i < 10; ++$i) $list[mt_rand()] = new X(mt_rand());

echo "Sort...";
sortIt($list);
gc_collect_cycles();//segfault
echo "pass.\n";


Expected result:
----------------
"Sort...pass."

Actual result:
--------------
"Sort...Segmentation fault"

[dev@box dev]$ php --version
PHP 5.3.6 (cli) (built: Mar 17 2011 19:14:03) 
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Xdebug v2.1.1, Copyright (c) 2002-2011, by Derick Rethans
[dev@box dev]$ gdb php
<snip>
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run usortCrash.php
Starting program: /usr/bin/php usortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000005db586 in ?? ()
(gdb) bt
#0  0x00000000005db586 in ?? ()
#1  0x00000000005db610 in ?? ()
#2  0x00000000005dbef5 in gc_collect_cycles ()
#3  0x00000000005cee1d in ?? ()
#4  0x00002aaaae139d0a in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#5  0x00000000005e669d in ?? ()
#6  0x00000000005e5dcb in execute ()
#7  0x00002aaaae13998e in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#8  0x00000000005bf395 in zend_execute_scripts ()
#9  0x000000000056f628 in php_execute_script ()
#10 0x0000000000648ce0 in ?? ()
#11 0x00000033ad41d994 in __libc_start_main () from /lib64/libc.so.6
#12 0x0000000000422009 in _start ()
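As an added example, not part of the bug report: the reproducer above packaged as a regression check that runs it in a child interpreter and reports whether that build survives. The helper names, the temp-file location and the default `$phpBinary` are assumptions.

```php
<?php
// Added regression check, not part of the bug report: runs the reporter's
// reproducer in a child interpreter and reports whether that build survives.
function usortCrashRepro()
{
    // The reporter's test script, verbatim apart from the opening tag.
    return <<<'PHP'
<?php
class X {
    function __construct($v) { $this->v = $v; }
}
function sortIt(&$list) {
    usort($list, function($a, $b) use ($list) {
        return $a->v - $b->v;
    });
}
$list = array();
for ($i = 0; $i < 10; ++$i) $list[mt_rand()] = new X(mt_rand());
echo "Sort...";
sortIt($list);
gc_collect_cycles(); // segfaults here on an unpatched 5.3.6
echo "pass.\n";
PHP;
}

// $phpBinary defaults to the running interpreter (PHP_BINDIR/php on 5.3, which lacks PHP_BINARY).
function checkUsortBug55288($phpBinary = null)
{
    if ($phpBinary === null) {
        $phpBinary = defined('PHP_BINARY') ? PHP_BINARY : PHP_BINDIR . '/php';
    }
    $script = tempnam(sys_get_temp_dir(), 'bug55288_');
    file_put_contents($script, usortCrashRepro());
    // -n ignores php.ini, so loaded extensions such as Xdebug cannot skew the result.
    $cmd = escapeshellarg($phpBinary) . ' -n ' . escapeshellarg($script);
    $proc = proc_open($cmd, array(1 => array('pipe', 'w')), $pipes);
    if (!is_resource($proc)) { unlink($script); return array('affected' => null, 'status' => -1, 'stdout' => ''); }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    unlink($script);
    // A surviving interpreter exits 0 and prints "pass."; a SIGSEGV does neither.
    $ok = ($status === 0 && strpos($stdout, 'pass.') !== false);
    return array('affected' => !$ok, 'status' => $status, 'stdout' => $stdout);
}

$result = checkUsortBug55288();
echo $result['affected'] === null ? 'launch failed' : ($result['affected'] ? 'AFFECTED' : 'not affected'),
     " (exit status {$result['status']})\n";
```

Pass the path of a specific build as `$phpBinary` to check an installation other than the one running the script.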


History

 [2011-07-27 06:27 UTC] laruence@php.net
I cannot reproduce the segfault with your test script in my environment, and I noticed that you have Xdebug installed; please remove all other PHP extensions, then check if this bug exists again. Thanks.
 [2011-07-27 14:13 UTC] jstephens at qualtrics dot com
I disabled all my extensions but, unfortunately, no dice.
I might add, we haven't been able to reproduce it with PHP versions before 5.3.6.

(gdb) run usortCrash.php
Starting program: /usr/bin/php usortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000005db586 in ?? ()
(gdb) bt
#0  0x00000000005db586 in ?? ()
#1  0x00000000005db610 in ?? ()
#2  0x00000000005dbef5 in gc_collect_cycles ()
#3  0x00000000005cee1d in ?? ()
#4  0x00000000005e6869 in ?? ()
#5  0x00000000005e5dcb in execute ()
#6  0x00000000005bf395 in zend_execute_scripts ()
#7  0x000000000056f628 in php_execute_script ()
#8  0x0000000000648ce0 in ?? ()
#9  0x00000033ad41d994 in __libc_start_main () from /lib64/libc.so.6
#10 0x0000000000422009 in _start ()
 [2011-07-27 14:35 UTC] jstephens at qualtrics dot com
I just downloaded and compiled 5.3.6 from the website using "./configure --enable-debug=yes" on a different machine (Ubuntu 11.04 x64) and was still able to reproduce it.

Here's a better backtrace:

(gdb) run uSortCrash.php
Starting program: /home/jstephens/bin/php-5.3.6/sapi/cli/php uSortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000007f8f2f in zval_mark_grey (pz=0xfd1ab8) at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:372
372				pz = *(zval**)p->pData;
(gdb) bt
#0  0x00000000007f8f2f in zval_mark_grey (pz=0xfd1ab8) at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:372
#1  0x00000000007f91d9 in gc_mark_roots () at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:435
#2  0x00000000007f9a8c in gc_collect_cycles () at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:664
#3  0x00000000007e751d in zif_gc_collect_cycles (ht=0, return_value=0xfd93e0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/jstephens/bin/php-5.3.6/Zend/zend_builtin_functions.c:337
#4  0x000000000080751c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7ebe090) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:316
#5  0x000000000080ba8b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7ebe090) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:1606
#6  0x0000000000806a1a in execute (op_array=0xff1800) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:107
#7  0x00000000007d4053 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jstephens/bin/php-5.3.6/Zend/zend.c:1194
#8  0x000000000075e583 in php_execute_script (primary_file=0x7fffffffdf70) at /home/jstephens/bin/php-5.3.6/main/main.c:2268
#9  0x00000000008b47dd in main (argc=2, argv=0x7fffffffe1d8) at /home/jstephens/bin/php-5.3.6/sapi/cli/php_cli.c:1193
 [2011-07-29 08:35 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-07-29 08:35 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/

Please try using this snapshot:

  http://snaps.php.net/php5.3-201107290830.tar.gz

For Windows:

  http://windows.php.net/snapshots/
 [2011-07-29 14:25 UTC] jstephens at qualtrics dot com
-Status: Feedback +Status: Open
 [2011-07-29 14:25 UTC] jstephens at qualtrics dot com
I tried php5.3-201107291230 and php5.3-201107290830 and they both worked.
 [2011-07-29 15:34 UTC] laruence@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: laruence
 [2011-07-29 15:34 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2011-07-29 15:58 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 