Bug #65050 zend_hash_apply not interruption safe
Submitted: 2013-06-17 18:22 UTC Modified: 2021-07-23 08:12 UTC
From: nikic@php.net Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.5.0RC3 OS:
Private report: No CVE-ID: None

 [2013-06-17 18:22 UTC] nikic@php.net
Description:
------------
The zend_hash_apply is used all over the place, but it isn't interruption safe (just like iteration using HashPosition).

Here is an example making use of OB callbacks in var_dump:

<?php

$array1 = [0, 1];
$array2 = [&$array1];

ob_start(function($str) use(&$array1) {
    static $i = 0;
    if ($i++ == 4) {
        unset($array1[0]);
        //unset($array1[1]);
    }
    return "$i: $str";
}, 1);

var_dump($array2);

nikic@pluto:~/dev/php-dev$ sapi/cli/php t16.php 
1: array(1) {
2:   [0]=>
3:   4: &array(2) {
5:     [0]=>
6:     Segmentation fault (core dumped)

Valgrind output (only first entry):

==11997== Invalid read of size 4
==11997==    at 0x819057F: php_var_dump (var.c:99)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x8190C07: zif_var_dump (var.c:183)
==11997==    by 0x82A72BA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:547)
==11997==    by 0x82ABD3F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2328)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==  Address 0x447f15c is 12 bytes inside a block of size 36 free'd
==11997==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11997==    by 0x823257E: _efree (zend_alloc.c:2437)
==11997==    by 0x827C09B: zend_hash_del_key_or_index (zend_hash.c:512)
==11997==    by 0x82FC731: ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:33119)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==    by 0x8258E71: zend_call_function (zend_execute_API.c:939)
==11997==    by 0x8277CD4: zend_fcall_info_call (zend_API.c:3381)
==11997==    by 0x81E7B47: php_output_handler_op (output.c:962)
==11997==    by 0x81E8026: php_output_op (output.c:1063)
==11997==    by 0x81E5E6C: php_output_write (output.c:255)
==11997==    by 0x81C9442: php_printf (main.c:682)


 [2021-07-23 08:12 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2021-07-23 08:12 UTC] nikic@php.net
Don't think this issue is particularly useful anymore. zend_hash_apply is still not interruption safe, but it probably shouldn't be either, and is used relatively little nowadays. The var_dump() case in particular now adds a temporary addref to the array to prevent modifications.
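
Added example, not part of the original report and not PHP engine code: a small C model of the mitigation named in the closing comment, where the iterator takes a temporary reference so that a write made from a re-entrant callback separates onto a copy instead of changing the storage being walked. arr_t and every function name here are hypothetical, and the sample data is constructed; without the guard the model only detects the change and stops, whereas in the engine the removed bucket had been freed, which is the invalid read in the Valgrind output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy refcounted, copy-on-write int array: a model, not Zend's HashTable. */
typedef struct { int refcount; size_t len; int *items; } arr_t;
static arr_t *arr_new(const int *src, size_t len) {
    arr_t *a = malloc(sizeof *a);
    if (!a || !(a->items = malloc((len ? len : 1) * sizeof *src))) abort();
    memcpy(a->items, src, len * sizeof *src);
    a->refcount = 1; a->len = len;
    return a;
}
static void arr_release(arr_t *a) { if (--a->refcount == 0) { free(a->items); free(a); } }
/* Write path: if the storage is shared, separate (copy) before modifying. */
static void arr_remove_first(arr_t **slot) {
    arr_t *a = *slot;
    if (a->len == 0) return;
    if (a->refcount > 1) {
        a->refcount--;
        *slot = a = arr_new(a->items, a->len);
    }
    memmove(a->items, a->items + 1, (a->len - 1) * sizeof *a->items);
    a->len--;
}
static void unset_on_zero(arr_t **slot, int v) { if (v == 0) arr_remove_first(slot); }
/* Returns elements visited, or -1 if the storage changed mid-iteration. */
static int arr_apply(arr_t **slot, int guard) {
    arr_t *a = *slot;
    size_t n0 = a->len;
    int visited = 0;
    if (guard) a->refcount++;             /* temporary addref pins the storage */
    for (size_t i = 0; i < a->len && visited >= 0; i++) {
        unset_on_zero(slot, a->items[i]); /* models the re-entrant callback */
        visited = (a->len == n0) ? visited + 1 : -1;
    }
    if (guard) arr_release(a);            /* drop the temporary reference */
    return visited;
}
int run_demo(int guard, size_t *final_len) {
    const int init[] = {0, 1};            /* constructed sample data */
    arr_t *arr = arr_new(init, 2);
    int visited = arr_apply(&arr, guard);
    if (final_len) *final_len = arr->len;
    arr_release(arr);
    return visited;
}
int main(void) {
    for (int g = 0; g < 2; g++) printf("guard=%d visited=%d\n", g, run_demo(g, NULL));
}
```

In both runs the caller's array ends with one element; only the guarded run lets the iterator finish over an unchanged two-element snapshot.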
 