php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21547 segfault in _erealloc
Submitted: 2003-01-09 07:59 UTC Modified: 2003-01-10 16:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: pascal dot terjan at free dot fr Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 4.3.0 OS: Linux Mandrake Cooker
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2003-01-09 07:59 UTC] pascal dot terjan at free dot fr
This quite heavily recursive script produces a segmentation fault :
 
<?php
$depls=Array(
			'G'=>Array(-1, 0),
			'D'=>Array(1, 0),
			'B'=>Array(0, 1),
			'H'=>Array(0, -1));			

$pieces=Array(
			  Array(Array(0,0),
					Array(0,1)),
			  Array(Array(0,0),
					Array(0,1)),
			  Array(Array(0,0),
					Array(0,1)),
			  Array(Array(0,0),
					Array(0,1)),
			  Array(Array(0,0),
					Array(0,1),
					Array(1,0),
					Array(1,1)),
			  Array(Array(0,0)),
			  Array(Array(0,0)),
			  Array(Array(0,0)),
			  Array(Array(0,0)),
			  Array(Array(0,0),
					Array(1,0)));

$init=Array(
			Array(0,0),
			Array(3,0),
			Array(1,3),
			Array(2,3),
			Array(1,0),
			Array(0,3),
			Array(0,4),
			Array(3,3),
			Array(3,4),
			Array(1,2));

function is_final($situation){
  return(($situation[4][0]==1)&&($situation[4][1]==3));
}

function occupable($situation, $x, $y){
  global $pieces;
  if($x>3) return false;
  if($y>4) return false;
  if($x<0) return false;
  if($y<0) return false;
  foreach($situation as $piece=>$pos){
	if($pos=="") continue;
	$p = $pieces[$piece];
	foreach($p as $case){
	  if(($case[0]+$pos[0]==$x)&&
		 ($case[1]+$pos[1]==$y)) return false;
	}
  }
  return true;
}

function valide($situation, $piece, $mov){
  global $pieces;
  $p = $pieces[$piece];
  $x = $situation[$piece][0];
  $y = $situation[$piece][1];
  $situation[$piece]="";
  foreach($p as $case){
	if(!occupable($situation, $x+$case[0]+$mov[0], $y+$case[1]+$mov[1]))
	  return false;
  }
  return true;
}

function resolv($situation){
  global $tab, $depls, $pieces, $solution;
  $d = $depls;
  $p = $pieces;
  if(is_final($situation)){
	$solution = "";
	return;
  }
  foreach($p as $num=>$piece){
	foreach($d as $nom=>$mov){
	  if(valide($situation, $num, $mov)){
		$situation2=serialize($situation);
		$s3=$situation;
		$situation[$num][0]+=$mov[0];
		$situation[$num][1]+=$mov[1];
		$s=serialize($situation);
	   	if(isset($tab[$s])){
		  $situation = $s3;
		  continue;
		}
		$tab[$s]="";
		//echo $num.' '.$nom."\n";
		//print_r($situation);
		$tab[$situation2][$s]=Array($num=>$nom);
		resolv($situation);
		if($tab[$s]=="") unset($tab[$s]);
		if(isset($solution)){
		  $solution=$num.' '.$nom."\n".$solution;
		  return;
		}
		$situation = $s3;
	  }
	}
  }
}

resolv($init);
print_r($tab);
if(isset($solution)) echo $solution;
?>

(gdb) bt
#0  0x400ed1ee in _erealloc () from /usr/lib/libphp_common.so.430
(gdb) 

I tryied it with an older PHP and also got a segfault but somewhere else.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-09 10:00 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Simple, PHP has run out of memory and when it fails to allocate it exits or if you compiled PHP with --enable-debug dies with SIG11 (segmentation fault).
 [2003-01-09 10:23 UTC] pascal dot terjan at free dot fr
The diagnosis is strange as it crashes using about 20MB while the memory limit is at 128MB and I have more than 200MB free...
 [2003-01-09 16:20 UTC] iliaa@php.net
Perphaps you have a system limit on the amount of memory a process make try to use. Try the following script and see if it crashes:
<?php
$a = str_repeat('a', 25000000);
?>
 [2003-01-10 05:11 UTC] pascal dot terjan at free dot fr
Works fine, even with 125000000.
With 1000000000 I get
FATAL:  emalloc():  Unable to allocate 1000000001 bytes
 [2003-01-10 16:43 UTC] iliaa@php.net
Your recusive function causes a stack overflow because PHP does not have stack protection. This is not likely to be fixed in the near or even the far future. When using recursive functions add your own checks to prevent recursion beyond a certain level.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Apr 22 18:01:24 2021 UTC