Bug #62616 ArrayIterator::count() from IteratorIterator instance gives Segmentation fault
Submitted: 2012-07-20 08:07 UTC Modified: 2012-07-21 14:44 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zoeslam at gmail dot com Assigned: laruence (profile)
Status: Closed Package: SPL related
PHP Version: 5.4.5 OS: Ubuntu 12.04
Private report: No CVE-ID: None
 [2012-07-20 08:07 UTC] zoeslam at gmail dot com
Description:
------------
The code explains all, no idea why it happens.

Verified on Ubuntu and Slackware, both on PHP 5.4.3, PHP 5.4.4, PHP 5.4.5.

Test script:
---------------
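<?php
$ai = new ArrayIterator(array(0,1));

// count() called on the ArrayIterator itself
var_dump($ai->count());

// Wrap the same iterator in an IteratorIterator
$ii = new IteratorIterator($ai);

// count() called as a method on the wrapper; the segfault follows this output
var_dump($ii->count());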


Expected result:
----------------
int(2)
int(2)

Actual result:
--------------
int(2)
int(2)
Segmentation fault

 [2012-07-20 08:13 UTC] vanidlesky dot jr at gmail dot com
VanZCool
 [2012-07-20 11:54 UTC] fa@php.net
Reproducible on Debian wheezy with 5.4.0 and 5.4.5.
 [2012-07-20 12:54 UTC] fa@php.net
BT

#0  0x00007fdfaf4221d8 in ?? ()
#1  0x0000000000594a41 in spl_dual_it_free (intern=0x7fdfaf53fa20) at /opt/src/php-5.4.5/ext/spl/spl_iterators.c:1585
#2  spl_dual_it_dtor (_object=0x7fdfaf53fa20, handle=<optimized out>) at /opt/src/php-5.4.5/ext/spl/spl_iterators.c:2237
#3  0x00000000006a7b20 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /opt/src/php-5.4.5/Zend/zend_objects_API.c:206
#4  0x00000000006a7b63 in zend_objects_store_del_ref (zobject=0x7fdfaf53f990) at /opt/src/php-5.4.5/Zend/zend_objects_API.c:172
#5  0x0000000000674082 in _zval_dtor (zvalue=<optimized out>) at /opt/src/php-5.4.5/Zend/zend_variables.h:35
#6  _zval_ptr_dtor (zval_ptr=0x7fdfaf53fb30) at /opt/src/php-5.4.5/Zend/zend_execute_API.c:438
#7  _zval_ptr_dtor (zval_ptr=0x7fdfaf53fb30) at /opt/src/php-5.4.5/Zend/zend_execute_API.c:427
#8  0x000000000068e28b in zend_hash_apply_deleter (ht=ht@entry=0xd34508, p=p@entry=0x7fdfaf53fb18) at /opt/src/php-5.4.5/Zend/zend_hash.c:650
#9  0x000000000068fdd1 in zend_hash_reverse_apply (ht=0xd34508, apply_func=apply_func@entry=0x673f10 <zval_call_destructor>) at /opt/src/php-5.4.5/Zend/zend_hash.c:804
#10 0x000000000067438b in shutdown_destructors () at /opt/src/php-5.4.5/Zend/zend_execute_API.c:217
#11 0x00000000006826c0 in zend_call_destructors () at /opt/src/php-5.4.5/Zend/zend.c:925
#12 0x0000000000624805 in php_request_shutdown (dummy=dummy@entry=0x0) at /opt/src/php-5.4.5/main/main.c:1723
#13 0x0000000000726004 in do_cli (argc=2, argv=0x7fff5ea442f8) at /opt/src/php-5.4.5/sapi/cli/php_cli.c:1174
#14 0x0000000000428455 in main (argc=2, argv=0x7fff5ea442f8) at /opt/src/php-5.4.5/sapi/cli/php_cli.c:1364
 [2012-07-20 13:17 UTC] fa@php.net
-Status: Open +Status: Verified
 [2012-07-20 13:57 UTC] jpauli@php.net
I can reproduce on 5.3.14

I can only reproduce calling the method directly.
Calling count($ii) instead of $ii->count() won't segfault
 [2012-07-20 17:27 UTC] laruence@php.net
I've found the reason, but it seems not easy to fix.

$ii->count will finally call arrayObject->count (due to the implementation of spl_dual_it_get_method).

But arrayObject->count will take the object as a spl_array_object, which is a totally different struct from spl_dual_it_object; then, in spl_array_object_count_elements_helper, it will mess up the object struct (via update pos).
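
[Added example, not part of the thread and not code from php-src.] A minimal C model of the type confusion described in the comment above, next to two defences: a type check in the method and rebinding `this` to the inner object when forwarding. The struct layouts and every name here (array_obj, dual_it_obj, array_count, forward_keep_this, forward_rebind_this) are hypothetical simplifications, not the real spl_array_object / spl_dual_it_object definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the two PHP structs; the field layout is an assumption. */
enum kind { KIND_ARRAY, KIND_DUAL_IT };
struct obj { enum kind kind; };                  /* common object header */
struct array_obj {                               /* models spl_array_object */
    struct obj hdr; intptr_t nelems; intptr_t pos;
};
struct dual_it_obj {                             /* models spl_dual_it_object */
    struct obj hdr; struct array_obj *inner; void (*dtor)(void *);
};

/* In this model the field that count() writes sits on top of the wrapper's function pointer. */
int pos_overlaps_dtor(void) {
    return offsetof(struct array_obj, pos) == offsetof(struct dual_it_obj, dtor);
}

/* count() with a type check: refuses a `this` that is not an array object. */
int array_count(struct obj *self, intptr_t *out) {
    if (self->kind != KIND_ARRAY) return -1;     /* wrong struct behind the pointer */
    struct array_obj *a = (struct array_obj *)self;
    a->pos = 0;                                  /* the "update pos" side effect */
    *out = a->nelems;
    return 0;
}

/* Forwarding as described in the comment: method taken from the inner class, `this` still the wrapper. */
struct obj *forward_keep_this(struct dual_it_obj *w) { return &w->hdr; }

/* Forwarding that also rebinds `this` to the inner object. */
struct obj *forward_rebind_this(struct dual_it_obj *w) { return &w->inner->hdr; }

int main(void) {
    struct array_obj ai = { { KIND_ARRAY }, 2, 0 };          /* constructed sample: 2 elements */
    struct dual_it_obj ii = { { KIND_DUAL_IT }, &ai, NULL };
    intptr_t n = -1;
    int rc = array_count(forward_keep_this(&ii), &n);
    printf("pos/dtor overlap: %d\n", pos_overlaps_dtor());
    printf("this = wrapper: rc=%d\n", rc);
    rc = array_count(forward_rebind_this(&ii), &n);
    printf("this = inner:   rc=%d count=%ld\n", rc, (long)n);
    return 0;
}
```

Without the kind check, the write to pos would land inside the wrapper object, which in this model is the pointer later called at destruction time.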
 [2012-07-20 17:33 UTC] laruence@php.net
-Assigned To: +Assigned To: colder
 [2012-07-21 08:31 UTC] zoeslam at gmail dot com
I've discovered a similar misbehaviour:

https://bugs.php.net/bug.php?id=62629
 [2012-07-21 14:43 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0c996613c0173708381f4bfcd28d2441360bc701
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
 [2012-07-21 14:44 UTC] laruence@php.net
-Status: Verified +Status: Closed -Assigned To: colder +Assigned To: laruence
 [2012-07-21 14:44 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-07-21 15:25 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc30524c89fa2255944dc3c70f8d41a6c23faa2a
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
 [2014-10-07 23:23 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=cc30524c89fa2255944dc3c70f8d41a6c23faa2a
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
 [2014-10-07 23:23 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=0c996613c0173708381f4bfcd28d2441360bc701
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
Last updated: Mon Feb 03 09:01:29 2025 UTC