Bug #17588 array_reduce() crashes
Submitted: 2002-06-04 05:24 UTC Modified: 2002-09-11 11:14 UTC
From: nick at phpa dot co dot uk Assigned:
Status: No Feedback Package: Arrays related
PHP Version: 4.2.1 OS: Linux glibc 2.1.3
Private report: No CVE-ID: None

 [2002-06-04 05:24 UTC] nick at phpa dot co dot uk
PHP 4.2.1 and later (and probably before) crash in array_reduce() after a number of page requests. At one point array_reduce() emitted a message concerning problems with the callback function, although this was unconditionally defined prior to the call, and had correct arguments. This feels like a return of the problems in 4.0.6, and that went away in 4.0.7 and beyond. The following is the stack trace from a 4.3.0-dev build.

Program received signal SIGSEGV, Segmentation fault.
call_user_function_ex (function_table=0x824d198, object_pp=0x0, 
    function_name=0x19, retval_ptr_ptr=0xbfff9ef8, param_count=2, 
    params=0xbfff9efc, no_separation=0, symbol_table=0x0)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute_API.c:403
403             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) where
#0  call_user_function_ex (function_table=0x824d198, object_pp=0x0, 
    function_name=0x19, retval_ptr_ptr=0xbfff9ef8, param_count=2, 
    params=0xbfff9efc, no_separation=0, symbol_table=0x0)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute_API.c:403
#1  0x813c4d4 in zif_array_reduce (ht=3, return_value=0x838aa44, this_ptr=0x0, 
    at /usr/local/src/php-4.3.0dev/ext/standard/array.c:3020
#2  0x80a9e76 in execute (op_array=0x83ae350)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute.c:1598
#3  0x80a9fdb in execute (op_array=0x83ad068)
    at /usr/local/src/php-4.3.0dev/Zend/zend_execute.c:1638


The function name is an invalid zval ptr. When phpa is installed (not in this case), it tends to crash more often, in the same fn, and in that case when iterating an ht. There was an invalid *zval** in that case too.

The function table ht passed to call_user_function_ex() seems valid. 

(gdb) p *function_table
$4 = {nTableSize = 1024, nTableMask = 1023, nNumOfElements = 786, 
  nNextFreeElement = 0, pInternalPointer = 0x8230b88, pListHead = 0x8230b88, 
  pListTail = 0x82d5310, arBuckets = 0x8260530, 
  pDestructor = 0x8093f30 <destroy_zend_function>, persistent = 1 '\001', 
  nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}

Assuming callable is valid after the call to zend_get_parameters_ex, then possibly zend_is_callable() is freeing the zval. I'll poke around further and add more info if I find any.



 [2002-06-04 05:55 UTC] nick at phpa dot co dot uk
Although in this case the function name was corrupt, checking pointers repeatedly, this is not always the case. Another place to crash is below:

Program received signal SIGSEGV, Segmentation fault.
0x813c277 in zif_array_reduce (ht=3, return_value=0x82e62ac, this_ptr=0x0, 
    at /usr/local/src/php-4.3.0dev/ext/standard/array.c:3037
3037                    zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos);
(gdb) p *input
$1 = (zval *) 0x2773746e
(gdb) p **input
Cannot access memory at address 0x2773746e

The related php code is below, and the memory corruption may be happening elsewhere.

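// Timestamp prefix for each log line
function logtime_str() {
   return strftime('%y%m%d %H%M%S');
}

// Escape the ':' field separator inside a log item
function escape_logstr($msg) {
  return str_replace(':','\:',$msg);
}

// array_reduce() callback: append one escaped item to the entry
function build_log_entry($current, $item) {
  return $current . ':' . escape_logstr($item);
}

// Append one entry to the log file
function write_log_entry($filename, $items) {
  global $siteroot,$logdir;

  if ($fp = @fopen("$logdir/$filename", "a")) {
     fwrite($fp, array_reduce($items, "build_log_entry", logtime_str())."\n");
  }
}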

 [2002-06-17 21:01 UTC]
Could you please try this snapshot first:

And if you can reproduce this still with that,
then please add a short and complete script to this report
so we can easily test this ourselves.

 [2002-09-11 11:14 UTC]
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
