php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17588 array_reduce() crashes
Submitted: 2002-06-04 05:24 UTC Modified: 2002-09-11 11:14 UTC
From: nick at phpa dot co dot uk Assigned:
Status: No Feedback Package: Arrays related
PHP Version: 4.2.1 OS: Linux glibc 2.1.3
Private report: No CVE-ID: None
 [2002-06-04 05:24 UTC] nick at phpa dot co dot uk
PHP 4.2.1 and later (and probably before) crash in array_reduce() after a number of page requests. At one point array_reduce() emitted a message concering problems with the callback function, although this was unconditionally defined prior to the call, and had correct arguments. This feels like a return of the problems in 4.0.6, and that went away in 4.0.7 and beyond.  The following is the stack trace from a 4.3.0-dev build. 

Program received signal SIGSEGV, Segmentation fault.
call_user_function_ex (function_table=0x824d198, object_pp=0x0, 
    function_name=0x19, retval_ptr_ptr=0xbfff9ef8, param_count=2, 
    params=0xbfff9efc, no_separation=0, symbol_table=0x0)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute_API.c:403
403             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name
) couple */
(gdb) where
#0  call_user_function_ex (function_table=0x824d198, object_pp=0x0, 
    function_name=0x19, retval_ptr_ptr=0xbfff9ef8, param_count=2, 
    params=0xbfff9efc, no_separation=0, symbol_table=0x0)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute_API.c:403
#1  0x813c4d4 in zif_array_reduce (ht=3, return_value=0x838aa44, this_ptr=0x0, 
    return_value_used=1)
    at /usr/local/src/php-4.3.0dev/ext/standard/array.c:3020
#2  0x80a9e76 in execute (op_array=0x83ae350)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute.c:1598
#3  0x80a9fdb in execute (op_array=0x83ad068)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute.c:1638

etc.

The function name is an invalid zval ptr. When phpa is installed (not in this case), it tends to crash more often, in the same fn, and in that case when iterating an ht. There was an invalid *zval** in that case too.

The function table ht passed to call_user_function_ex() seems valid. 

(gdb) p *function_table
$4 = {nTableSize = 1024, nTableMask = 1023, nNumOfElements = 786, 
  nNextFreeElement = 0, pInternalPointer = 0x8230b88, pListHead = 0x8230b88, 
  pListTail = 0x82d5310, arBuckets = 0x8260530, 
  pDestructor = 0x8093f30 <destroy_zend_function>, persistent = 1 '\001', 
  nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}
(gdb)

Assuming callable is valid after the call to zend_get_parameters_ex, then possibly zend_is_callable() is freeing the zval. I'll poke around further and add more info if I find any.

nick

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-04 05:55 UTC] nick at phpa dot co dot uk
Although in this case the function name was corrupt, checking pointers repeatedly, this is not always the case. Another place to crash is below:

Program received signal SIGSEGV, Segmentation fault.
0x813c277 in zif_array_reduce (ht=3, return_value=0x82e62ac, this_ptr=0x0, 
    return_value_used=1)
    at /usr/local/src/php-4.3.0dev/ext/standard/array.c:3037
3037                    zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos);
(gdb) p *input
$1 = (zval *) 0x2773746e
(gdb) p **input
Cannot access memory at address 0x2773746e
(gdb) 

The related php code is below, and the memory corruption may be happening elsewhere.

function logtime_str()
{
   return strftime('%y%m%d %H%M%S');
}

function escape_logstr($msg)
{
  return str_replace(':','\:',$msg);
}

function build_log_entry($current, $item)
{
  return $current . ':' . escape_logstr($item);
}

function write_log_entry($filename, $items)
{
  global $siteroot,$logdir;

  if ($fp = @fopen("$logdir/$filename", "a")) {
     fwrite($fp, array_reduce($items, "build_log_entry", logtime_str())."\n");

     fclose($fp);
  }
}
 [2002-06-17 21:01 UTC] sniper@php.net
Could you please try this snapshot first:

 http://snaps.php.net/php4-latest.tar.gz

And if you can reproduce this still with that,
then please add a short and complete script to this report
so we can easily test this ourselves.

 [2002-09-11 11:14 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 19:01:26 2024 UTC