Bug #18606 array_sort with user-supplied comparison function segfaults
Submitted: 2002-07-26 21:31 UTC
Modified: 2002-08-27 01:00 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: chs at baltic-online dot de
Assigned: (none)
Status: No Feedback
Package: Reproducible crash
PHP Version: 4.2.2
OS: sparc-sun-solaris2.8
Private report: No
CVE-ID: None
 [2002-07-26 21:31 UTC] chs at baltic-online dot de
Hello,

using a user-supplied comparison function for array_sort() causes php to segfault. While this does not happen every time, the problem is reproducible once it occurs.

My configure line is as follows:

./configure  --prefix=/home/webm --with-apxs=/home/webm/bin/apxs --with-config-file-path=/home/webm/conf --with-imap=/home/chs/build/imap-2001a.RELEASE-CANDIDATE.1 --with-mysql=/opt/local/mysql --enable-ftp --with-java=/usr/java --with-zlib=/home/chs --enable-sysvsem --enable-sysvshm --with-oci8=/opt/app/oracle/product/8.0.5 --with-ldap=/home/chs --with-openssl=/home/chs

Here is a sample gdb session:

GNU gdb 5.2
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)...
(gdb) run -X
Starting program: /home/webm/bin/httpd -X
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
call_user_function_ex (function_table=0x151f80, object_pp=0x0, 
    function_name=0x45522042, retval_ptr_ptr=0xffbeb704, param_count=2, 
    params=0xffbeb708, no_separation=0, symbol_table=0x0)
    at zend_execute_API.c:400
400             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) bt
#0  call_user_function_ex (function_table=0x151f80, object_pp=0x0, 
    function_name=0x45522042, retval_ptr_ptr=0xffbeb704, param_count=2, 
    params=0xffbeb708, no_separation=0, symbol_table=0x0)
    at zend_execute_API.c:400
#1  0x7f290a00 in array_user_compare (a=0x785e24, b=0xffbeb704) at array.c:530
#2  0x7f23ba38 in zend_qsort (base=0x785e24, nmemb=7888272, siz=4, 
    compare=0x7f290994 <array_user_compare>) at zend_qsort.c:87
#3  0x7f236de0 in zend_hash_sort (ht=0x7755f0, 
    sort_func=0x7f23b980 <zend_qsort>, compar=0x7f290994 <array_user_compare>, 
    renumber=1) at zend_hash.c:1131
#4  0x7f290b6c in zif_usort (ht=17408, return_value=0x784280, this_ptr=0x0, 
    return_value_used=0) at array.c:562
#5  0x7f220e3c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#6  0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#7  0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#8  0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#9  0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#10 0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#11 0x7f22110c in execute ()
   from /export/home1/chs/build/php-4.2.2/.libs/libphp4.so
#12 0x7f2316fc in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#13 0x7f240b70 in php_execute_script (primary_file=0xffbef5f8) at main.c:1381
#14 0x7f23bcc0 in apache_php_module_main (r=0x5311a8, display_source_mode=0)
    at sapi_apache.c:90
#15 0x7f23cab4 in send_php (r=0x5311a8, display_source_mode=0, filename=0x0)
    at mod_php4.c:575
#16 0x7f23cb28 in send_parsed_php (r=0x5311a8) at mod_php4.c:590
#17 0x00050798 in ap_invoke_handler ()
#18 0x00067e5c in process_request_internal ()
#19 0x00067ea8 in ap_process_request ()
#20 0x0005c424 in child_main ()
#21 0x0005d2d8 in standalone_main ()
#22 0x0005e440 in main ()
(gdb) frame 0
#0  call_user_function_ex (function_table=0x151f80, object_pp=0x0, 
    function_name=0x45522042, retval_ptr_ptr=0xffbeb704, param_count=2, 
    params=0xffbeb708, no_separation=0, symbol_table=0x0)
    at zend_execute_API.c:400
400             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) info local
i = 5507440
original_return_value = (zval **) 0x2
calling_symbol_table = (HashTable *) 0x774f00
function_state = {function_symbol_table = 0xff00, function = 0x58e538, 
  reserved = {0x74db9c, 0x0, 0xffbeb684, 0x780400}}
original_function_state_ptr = (zend_function_state *) 0xffbebb54
original_op_array = (zend_op_array *) 0x540970
original_opline_ptr = (zend_op **) 0x151f80
orig_free_op1 = 0
orig_free_op2 = 1163010114
orig_unary_op = (int (*)()) 0xffbeb704
orig_binary_op = (int (*)()) 0x786044
function_name_copy = {value = {lval = 7881304, dval = 2.1591364891357192e-306, 
    str = {val = 0x784258 "", len = 10}, ht = 0x784258, obj = {ce = 0x784258, 
      properties = 0xa}}, type = 3 '\003', is_ref = 0 '\0', refcount = 3}

For what it's worth, the comparison function used utilizes the OCI8 interface; this may or may not be related to this bug.

Apache versions tried include 1.3.20 and 1.3.26.

Thank you a lot!
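The frame-0 argument list and a few of the "info local" values from the gdb session above, run through a small crash-triage helper. This is an added example, not code from the bug report or from PHP; it assumes a 32-bit big-endian SPARC process (as the gdb banner says), treats the 0xff000000 stack boundary as an assumption about the Solaris/SPARC address layout, and uses the "every byte of the pointer is printable ASCII" test purely as a heuristic that points at where to look, not as proof of the cause.

```python
import re

# Constructed sample: frame-0 argument line and three locals copied from the
# gdb output in the bug report (sparc-sun-solaris2.8, 32-bit, big-endian).
GDB_FRAME = """
call_user_function_ex (function_table=0x151f80, object_pp=0x0,
    function_name=0x45522042, retval_ptr_ptr=0xffbeb704, param_count=2,
    params=0xffbeb708, no_separation=0, symbol_table=0x0)
"""
GDB_LOCALS = """
orig_free_op1 = 0
orig_free_op2 = 1163010114
orig_unary_op = (int (*)()) 0xffbeb704
"""

PTR_BITS = 32
ENDIAN = "big"          # SPARC is big-endian
STACK_LO = 0xFF000000   # assumption: 32-bit Solaris/SPARC user stack sits at the top of the address space


def parse_values(text):
    """Return {name: int} for every 'name=0x..' or 'name = 123' pair in gdb output.

    Parenthesised C casts such as '(int (*)()) 0xffbeb704' are stripped first so
    the number after them is captured.
    """
    text = re.sub(r"\([^=]*?\)\s*(?=0x)", "", text)
    values = {}
    for m in re.finditer(r"(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\b", text):
        values[m.group(1)] = int(m.group(2), 0)
    return values


def as_ascii(value, bits=PTR_BITS, endian=ENDIAN):
    """Decode a pointer-sized integer as raw bytes; None unless every byte is printable ASCII."""
    raw = value.to_bytes(bits // 8, endian)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def classify(value):
    """Coarse bucket for a pointer-typed value: null, stack, ascii-text, or other."""
    if value == 0:
        return "null"
    if value >= STACK_LO:
        return "stack"
    if as_ascii(value) is not None:
        return "ascii-text"
    return "other"


def triage(frame_text, locals_text):
    """Flag frame arguments whose bytes look like text, and locals that merely mirror an argument.

    A pointer slot holding printable bytes is a classic sign that it was overwritten
    with string data; a 'local' that equals an argument value is a hint that, without
    debug symbols, gdb is reading stale or misattributed stack slots.
    """
    args = parse_values(frame_text)
    locs = parse_values(locals_text)
    report = {"text_like_pointers": {}, "locals_aliasing_args": {}}
    for name, val in args.items():
        if classify(val) == "ascii-text":
            report["text_like_pointers"][name] = as_ascii(val)
    for lname, lval in locs.items():
        for aname, aval in args.items():
            if lval and lval == aval:
                report["locals_aliasing_args"][lname] = aname
    return report


if __name__ == "__main__":
    for name, val in parse_values(GDB_FRAME).items():
        print(f"{name:16} 0x{val:08x}  {classify(val)}")
    print(triage(GDB_FRAME, GDB_LOCALS))
```

On this input the helper decodes `function_name=0x45522042` as the bytes "ER B" (on a little-endian target the same word would read "B RE"), and notes that the local `orig_free_op2 = 1163010114` is the identical value (1163010114 is 0x45522042 in decimal) while `orig_unary_op` equals `retval_ptr_ptr`. The first observation is the one worth chasing: the crash is the `function_name->type` dereference on zend_execute_API.c:400, and the pointer being dereferenced carries string bytes rather than a zval address, which is what a stand-alone reproduction script would need to pin down.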

History
 [2002-07-26 22:19 UTC] sniper@php.net
I'm quite sure this is fixed already, but could you add a short but complete, stand-alone, cut'n'paste script here which can be used to reproduce this problem?

 [2002-08-27 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".