php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12776 4.0.7RC1: array_walk crash
Submitted: 2001-08-15 19:07 UTC Modified: 2002-12-04 10:50 UTC
From: troels at arvin dot dk Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0.6 OS: Linux
Private report: No CVE-ID:
 [2001-08-15 19:07 UTC] troels at arvin dot dk
In both PHP 4.0.2, 4.0.6 and 4.0.7RC1:

The following code crashes PHP:
<?php

function test($val,$key)
{
	global $globalArray;
	$globalArray[]=$key; // this will end up crashing
//	$globalArray[]=(string)$key; // this will end up OK
	print "val: $val; key: $key\n"; flush();
}

$arr=array('k'=>'v');
array_walk($arr,'test');

// This will crash:
print "First value: ".$globalArray[0];

// This will not crash, but give the wrong
// result, and the final "done" will never be
// printed:
// print "First value: "; print $globalArray[0];

print "\nDone\n";

?>
It doesn't matter if the code is run from PHP as an Apache module or command-line PHP.

Operating systems tested: RH Linux 6.1, RH Linux Rawhide (i.e. cutting-edge Red Hat developer-version).

A GDB back-trace on the latter, using command-line PHP:
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `/home/troels/local-php/bin/php simple.php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpam.so.0...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x400de721 in __kill () from /lib/i686/libc.so.6
(gdb) bt
#0  0x400de721 in __kill () from /lib/i686/libc.so.6
#1  0x080a4976 in _emalloc (size=1515870824, __zend_filename=0x80f349d "zend_operators.c", 
    __zend_lineno=1043, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:173
#2  0x080b039e in concat_function (result=0xbfffe324, op1=0x813853c, op2=0xbfffe210)
    at zend_operators.c:1043
#3  0x080cd63b in execute (op_array=0x81340e4) at ./zend_execute.c:1105
#4  0x080b37fe in zend_execute_scripts (type=8, file_count=3) at zend.c:806
#5  0x0805b0c4 in php_execute_script (primary_file=0xbffff760) at main.c:1308
#6  0x0805911e in main (argc=2, argv=0xbffff804) at cgi_main.c:737
#7  0x400cc6b7 in __libc_start_main (main=0x80588d0 <main>, argc=2, ubp_av=0xbffff804, 
    init=0x80576a4 <_init>, fini=0x80d52f0 <_fini>, rtld_fini=0x4000db64 <_dl_fini>, 
    stack_end=0xbffff7fc) at ../sysdeps/generic/libc-start.c:129(gdb)

The above back-trace was created from a core-file generated by PHP 4.0.7RC1. The "config.nice" from the build:
#! /bin/sh
#
# Created by configure

'./configure' \
'--prefix=/home/troels/local-php' \
'--without-mysql' \
'--disable-xml' \
'--disable-session' \
'--enable-debug' \
'--without-pcre-regex' \
"$@"


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-16 17:18 UTC] rasmus@php.net
Looks like it is fixed in CVS
 [2001-08-16 17:22 UTC] rasmus@php.net
Oops, never mind, it is not fixed in CVS.  It just morphed slightly.
 [2001-08-16 17:25 UTC] rasmus@php.net
On my machine, this will crash it: 

function test($val,$key) {
     global $globalArray;
     $globalArray[]=$key;
}

$arr=array('k'=>'v');
array_walk($arr,'test');
echo "testing".$globalArray[0];

Changing the last line to:

echo "test".$globalArray[0];

makes it work.  Uh?

bt:

#0  0x4013913e in memcpy () from /lib/i686/libc.so.6
#1  0xbfffe3b0 in ?? ()
#2  0x080f2550 in execute (op_array=0x816c334) at ./zend_execute.c:1105
#3  0x080da832 in zend_execute_scripts (type=8, file_count=3) at zend.c:806
#4  0x0805faab in php_execute_script (primary_file=0xbffff8d0) at main.c:1310

 [2002-01-06 07:37 UTC] sander@php.net
Does this problem still occur with 4.1.1?
 [2002-01-27 05:19 UTC] sander@php.net
No feedback.
 [2002-01-27 05:25 UTC] yohgaki@php.net
Hi sander,

I know this problem exists and this bug cannot be fixed easily....

Status = SUSPENDED

TO PHP USERS: *ONLY* change parameter passed! *Never* change array or array elements in walk funciton. 
 [2002-12-04 10:50 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 10:03:03 2014 UTC