Bug #20658 segfault after calling array_walk
Submitted: 2002-11-26 13:41 UTC Modified: 2003-01-02 18:40 UTC
From: chris-php at bolt dot cx Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 4CVS-2002-11-26 (stable) OS: Linux 2.4.19-pre4
Private report: No CVE-ID: None
 [2002-11-26 13:41 UTC] chris-php at bolt dot cx
I get a segfault after calling array_walk, in this portion of a script:

function get_flat($packageid = 0) {
	if ($packageid == $this->lastflatid)
		return $this->flat;
	$this->lastflatid = $packageid;
	$this->flat = array();
	array_walk(&$this->tree[$packageid], array(&$this, "get_flat_callback"));
	return $this->flat;
}

function get_flat_callback($val, $key) {
	if (is_array($val)) {
		if (is_int($key))
			$this->flat[$key] =& $val;
		array_walk(&$val, array(&$this, "get_flat_callback"));
	}
}

The entire script can be viewed here:

http://dali.deviantart.com/~chris/themetree.phps

For some odd reason, this code is called twice in the page; however, the bug only manifests itself the second time the function is called (which was why I added the first three lines of get_flat() as a temporary workaround). However, it is completely reproducible. I could also reproduce it in 4.2.2, and it printed an error message to the php error_log:

[26-Nov-2002 10:16:31] PHP Warning:  Unable to call (null)() - function does not exist in /www/shared/themetree.php on line 67

A backtrace from a snapshot from an hour or two ago is below:

Program received signal SIGSEGV, Segmentation fault.
0x4038fd10 in xbuf_format_converter (xbuf=0xbfff9a78,
    fmt=0x403ddd60 "Unable to call %s() - function does not exist",
    ap=0xbfff9b30) at /home/chris/php4-STABLE-200211261830/main/spprintf.c:438
438                                                     s_len = strlen(s);
(gdb) bt
#0  0x4038fd10 in xbuf_format_converter (xbuf=0xbfff9a78,
    fmt=0x403ddd60 "Unable to call %s() - function does not exist",
    ap=0xbfff9b30) at /home/chris/php4-STABLE-200211261830/main/spprintf.c:438
#1  0x403902e1 in vspprintf (pbuf=0xbfff9ad8, max_len=0,
    format=0x403ddd60 "Unable to call %s() - function does not exist",
    ap=0xbfff9b30) at /home/chris/php4-STABLE-200211261830/main/spprintf.c:622
#2  0x4038c3cc in php_verror (docref=0x0, params=0x403e9f93 "", type=2,
    format=0x403ddd60 "Unable to call %s() - function does not exist",
    args=0xbfff9b30) at /home/chris/php4-STABLE-200211261830/main/main.c:399
#3  0x4038c723 in php_error_docref0 (docref=0x0, type=2,
    format=0x403ddd60 "Unable to call %s() - function does not exist")
    at /home/chris/php4-STABLE-200211261830/main/main.c:484
#4  0x403178bb in php_array_walk (target_hash=0x81ca984, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:983
#5  0x403179fd in zif_array_walk (ht=2, return_value=0x8254c8c, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#6  0x403cb211 in execute (op_array=0x8254b7c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#7  0x403aff76 in call_user_function_ex (function_table=0x8253a00,
    object_pp=0x8209a68, function_name=0x8253644, retval_ptr_ptr=0xbfffa1a8,
    param_count=2, params=0xbfffa1c0, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute_API.c:557
#8  0x40317889 in php_array_walk (target_hash=0x824e4c4, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:978
#9  0x403179fd in zif_array_walk (ht=2, return_value=0x825547c, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#10 0x403cb211 in execute (op_array=0x8254b7c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#11 0x403aff76 in call_user_function_ex (function_table=0x8253a00,
    object_pp=0x820aab0, function_name=0x825646c, retval_ptr_ptr=0xbfffa7f8,
    param_count=2, params=0xbfffa810, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute_API.c:557
#12 0x40317889 in php_array_walk (target_hash=0x8209914, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:978
#13 0x403179fd in zif_array_walk (ht=2, return_value=0x820cc94, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#14 0x403cb211 in execute (op_array=0x8254b7c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#15 0x403aff76 in call_user_function_ex (function_table=0x8253a00,
    object_pp=0x82095c8, function_name=0x8253f3c, retval_ptr_ptr=0xbfffae48,
    param_count=2, params=0xbfffae60, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute_API.c:557
#16 0x40317889 in php_array_walk (target_hash=0x8254a9c, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:978
#17 0x403179fd in zif_array_walk (ht=2, return_value=0x8258764, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#18 0x403cb211 in execute (op_array=0x8254b7c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#19 0x403aff76 in call_user_function_ex (function_table=0x8253a00,
    object_pp=0x8253c60, function_name=0x8251fec, retval_ptr_ptr=0xbfffb498,
    param_count=2, params=0xbfffb4b0, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute_API.c:557
#20 0x40317889 in php_array_walk (target_hash=0x8253bc4, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:978
#21 0x403179fd in zif_array_walk (ht=2, return_value=0x820c974, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#22 0x403cb211 in execute (op_array=0x8254b7c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#23 0x403aff76 in call_user_function_ex (function_table=0x8253a00,
    object_pp=0x8249cd8, function_name=0x825a484, retval_ptr_ptr=0xbfffbae8,
    param_count=2, params=0xbfffbb00, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute_API.c:557
#24 0x40317889 in php_array_walk (target_hash=0x824dfb4, userdata=0x0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:978
#25 0x403179fd in zif_array_walk (ht=2, return_value=0x81e5a94, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211261830/ext/standard/array.c:1023
#26 0x403cb211 in execute (op_array=0x8249acc)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1598
#27 0x403cb38e in execute (op_array=0x825238c)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1640
#28 0x403cb38e in execute (op_array=0x8202db4)
    at /home/chris/php4-STABLE-200211261830/Zend/zend_execute.c:1640
#29 0x403b8d83 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/chris/php4-STABLE-200211261830/Zend/zend.c:864
#30 0x4038ea6d in php_execute_script (primary_file=0xbffff558)
    at /home/chris/php4-STABLE-200211261830/main/main.c:1549
#31 0x403d1c5e in apache_php_module_main (r=0x81cbc34, display_source_mode=0)
    at /home/chris/php4-STABLE-200211261830/sapi/apache/sapi_apache.c:55
#32 0x403d281f in send_php (r=0x81cbc34, display_source_mode=0, filename=0x0)
    at /home/chris/php4-STABLE-200211261830/sapi/apache/mod_php4.c:556
#33 0x403d2883 in send_parsed_php (r=0x81cbc34)
    at /home/chris/php4-STABLE-200211261830/sapi/apache/mod_php4.c:571
#34 0x0808ffd9 in ap_invoke_handler ()
#35 0x080a6daf in process_request_internal ()
#36 0x080a723a in ap_internal_redirect ()
#37 0x0806479c in handle_dir ()
#38 0x0808ffd9 in ap_invoke_handler ()
#39 0x080a6daf in process_request_internal ()
#40 0x080a6e22 in ap_process_request ()
#41 0x0809d2d6 in child_main ()
#42 0x0809d4b5 in make_child ()
#43 0x0809d636 in startup_children ()
#44 0x0809dce0 in standalone_main ()
#45 0x0809e56c in main ()
#46 0x4019fc6f in __libc_start_main () from /lib/libc.so.6
(gdb)

 [2002-11-26 15:38 UTC] moriyoshi@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip
 [2002-11-26 16:48 UTC] chris-php at bolt dot cx
The one I tried and quoted in the bug report was less than 2 hours old at the time of the reporting.

Has anything changed between then and now?
 [2002-11-26 17:02 UTC] moriyoshi@php.net
Yep. I found a bug in the error reporting code while investigating array_walk() and fixed it. Now please try the latest one and it will give you a bit more useful information, I suppose.
 [2002-11-28 23:25 UTC] chris-php at bolt dot cx
Seems to be fixed now, thanks for the help.
 [2002-11-28 23:27 UTC] chris-php at bolt dot cx
Closing...
 [2002-11-29 04:51 UTC] chris-php at bolt dot cx
Reopening. Reproduced it again, this time on another 'root' script, but in the same included script. Backtrace follows:

Program received signal SIGSEGV, Segmentation fault.
0x401fe2f7 in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x401fe2f7 in memcpy () from /lib/libc.so.6
#1  0x403aa20c in _estrndup (s=0x0, length=136151736)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_alloc.c:357
#2  0x403bd677 in zend_is_callable (callable=0x81ca890, syntax_only=0,
    callable_name=0xbfff8e24)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_API.c:1385
#3  0x40318f87 in php_array_walk (target_hash=0x8211a4c, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:985
#4  0x4031910d in zif_array_walk (ht=2, return_value=0x821af4c, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#5  0x403cc8e1 in execute (op_array=0x8256b7c)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#6  0x403b1646 in call_user_function_ex (function_table=0x82565b0,
    object_pp=0x825eb60, function_name=0x825df1c, retval_ptr_ptr=0xbfff9478,
    param_count=2, params=0xbfff9490, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute_API.c:557
#7  0x40318f59 in php_array_walk (target_hash=0x8259734, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:978
#8  0x4031910d in zif_array_walk (ht=2, return_value=0x825442c, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#9  0x403cc8e1 in execute (op_array=0x8256b7c)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#10 0x403b1646 in call_user_function_ex (function_table=0x82565b0,
    object_pp=0x824d2e8, function_name=0x825a124, retval_ptr_ptr=0xbfff9ac8,
    param_count=2, params=0xbfff9ae0, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute_API.c:557
#11 0x40318f59 in php_array_walk (target_hash=0x824c7dc, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:978
#12 0x4031910d in zif_array_walk (ht=2, return_value=0x825de3c, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#13 0x403cc8e1 in execute (op_array=0x8256b7c)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#14 0x403b1646 in call_user_function_ex (function_table=0x82565b0,
    object_pp=0x824ddb8, function_name=0x825a064, retval_ptr_ptr=0xbfffa118,
    param_count=2, params=0xbfffa130, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute_API.c:557
#15 0x40318f59 in php_array_walk (target_hash=0x825a2fc, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:978
#16 0x4031910d in zif_array_walk (ht=2, return_value=0x825a0b4, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#17 0x403cc8e1 in execute (op_array=0x8256b7c)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#18 0x403b1646 in call_user_function_ex (function_table=0x82565b0,
    object_pp=0x8259210, function_name=0x8257464, retval_ptr_ptr=0xbfffa768,
    param_count=2, params=0xbfffa780, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute_API.c:557
#19 0x40318f59 in php_array_walk (target_hash=0x8255f4c, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:978
#20 0x4031910d in zif_array_walk (ht=2, return_value=0x8259bac, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#21 0x403cc8e1 in execute (op_array=0x8256b7c)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#22 0x403b1646 in call_user_function_ex (function_table=0x82565b0,
    object_pp=0x825db20, function_name=0x824d594, retval_ptr_ptr=0xbfffadb8,
    param_count=2, params=0xbfffadd0, no_separation=0, symbol_table=0x0)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute_API.c:557
#23 0x40318f59 in php_array_walk (target_hash=0x8250fec, userdata=0x0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:978
#24 0x4031910d in zif_array_walk (ht=2, return_value=0x824d7d4, this_ptr=0x0,
    return_value_used=0)
    at /home/chris/php4-STABLE-200211290430/ext/standard/array.c:1031
#25 0x403cc8e1 in execute (op_array=0x8203cd4)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1598
#26 0x403cca5e in execute (op_array=0x81ca574)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1640
#27 0x403cca5e in execute (op_array=0x81d3764)
    at /home/chris/php4-STABLE-200211290430/Zend/zend_execute.c:1640
#28 0x403ba453 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/chris/php4-STABLE-200211290430/Zend/zend.c:864
#29 0x4039013d in php_execute_script (primary_file=0xbffff578)
    at /home/chris/php4-STABLE-200211290430/main/main.c:1549
#30 0x403d332e in apache_php_module_main (r=0x81c90b4, display_source_mode=0)
    at /home/chris/php4-STABLE-200211290430/sapi/apache/sapi_apache.c:55
#31 0x403d3eef in send_php (r=0x81c90b4, display_source_mode=0, filename=0x0)
    at /home/chris/php4-STABLE-200211290430/sapi/apache/mod_php4.c:556
#32 0x403d3f53 in send_parsed_php (r=0x81c90b4)
    at /home/chris/php4-STABLE-200211290430/sapi/apache/mod_php4.c:571
#33 0x0808ffd9 in ap_invoke_handler ()
#34 0x080a6daf in process_request_internal ()
#35 0x080a723a in ap_internal_redirect ()
#36 0x080687c6 in handler_redirect ()
#37 0x0808ffd9 in ap_invoke_handler ()
#38 0x080a6daf in process_request_internal ()
#39 0x080a6e22 in ap_process_request ()
#40 0x0809d2d6 in child_main ()
#41 0x0809d4b5 in make_child ()
#42 0x0809d636 in startup_children ()
#43 0x0809dce0 in standalone_main ()
#44 0x0809e56c in main ()
#45 0x4019fc6f in __libc_start_main () from /lib/libc.so.6
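
Added example, not part of the original report and not PHP's own source: both backtraces end in a string routine (strlen() while formatting "Unable to call %s()", then memcpy() under _estrndup(s=0x0, length=136151736)) that trusted a callback-name pointer and length. The sketch below validates that pair before copying or formatting; str_val, MAX_NAME_LEN, checked_name_dup and format_call_warning are hypothetical names, and the sample values are constructed from the backtrace.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a callback name: a pointer plus a separately
 * stored length, the pair visible in frame #1 of the second backtrace. */
typedef struct {
    const char *val;
    size_t len;
} str_val;

#define MAX_NAME_LEN 256 /* assumed upper bound for a function name */

/* Copy a name only if pointer and length are plausible.
 * Returns a malloc'd, NUL-terminated copy, or NULL on rejection. */
char *checked_name_dup(const str_val *v)
{
    if (v == NULL || v->val == NULL || v->len == 0 || v->len > MAX_NAME_LEN)
        return NULL;
    char *copy = malloc(v->len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, v->val, v->len);
    copy[v->len] = '\0';
    return copy;
}

/* Build the warning text from the report without ever handing an
 * unchecked pointer to a %s conversion.
 * Returns snprintf's result, or -1 if the output buffer is unusable. */
int format_call_warning(char *out, size_t out_sz, const str_val *v)
{
    if (out == NULL || out_sz == 0)
        return -1;
    char *name = checked_name_dup(v);
    int n = snprintf(out, out_sz,
                     "Unable to call %s() - function does not exist",
                     name ? name : "(invalid callback)");
    free(name);
    return n;
}

int main(void)
{
    char buf[128];
    str_val bad = { NULL, 136151736 }; /* constructed from frame #1 */
    format_call_warning(buf, sizeof buf, &bad);
    puts(buf);
    return 0;
}
```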
 [2002-12-03 08:41 UTC] moriyoshi@php.net
What happens if you put var_dump() before array_walk(), like the following?

function get_flat($packageid = 0) {
	if ($packageid == $this->lastflatid)
		return $this->flat;
	$this->lastflatid = $packageid;
	$this->flat = array();
+       var_dump($this->tree);
	array_walk(&$this->tree[$packageid], array(&$this, "get_flat_callback"));
	return $this->flat;
}

I guess you are recursively calling array_walk() an infinite number of times. If my assumption is right, var_dump() would also continue displaying the content of $this->tree until you stop the execution.



 [2003-01-02 18:40 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
