php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22463 array_reduce segmentation fault
Submitted: 2003-02-27 14:42 UTC Modified: 2005-06-24 01:00 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mccannwj at pha dot jhu dot edu Assigned:
Status: No Feedback Package: Arrays related
PHP Version: 4CVS-2005-02-03 (4 only!) OS: redhat-linux-8.0
Private report: No CVE-ID: None
 [2003-02-27 14:42 UTC] mccannwj at pha dot jhu dot edu
Using array_reduce on a nested list causes a segfault.

The following code isolates the problem.
<?php

$a['ANY']['F550M']['HRC']['j6jt01dlq_flt.fits'][] = array("FILE_NUMBER"=>2256,
							  "INGEST_DATE"=>'2003-01-16');
$a['ANY']['F550M']['HRC']['j6jt01dll_flt.fits'][] = array("FILE_NUMBER"=>2258,
							  "INGEST_DATE"=>'2003-01-17');

$num = nodeCount($a);
print $num;

function checkNode($v,$var) {
  print "<pre>";
  print_r($var);
  print "</pre>";
  if (is_scalar($var)) {
    $v += 1;
  }
  elseif (is_null($var)) {
  }
  else {
    $v += nodeCount($var);
  }
  return $v;
}
function nodeCount($array) {
  $number = 0;
  if (is_array($array))
    $number = array_reduce($array,"checkNode",0);
  return $number;
}
?>

How reproducible:
Always

Steps to Reproduce:
1. Execute code snippet
    
Actual Results:  apache error_log:
[Fri Feb 21 12:52:52 2003] [notice] child pid 5618 exit signal Segmentation
fault (11)


Expected Results:  This code should count the scalar nodes in the nested list. 
It should print the number 4.

Additional info:

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-25 13:37 UTC] andrey@php.net
 On my debian/ 4.3.2-dev it doesn't segfault. Valgring reports memoery read errors. Here is the script modified :
<?php

$a['one']['two']['three']['four'][] = array("FILE_NUMBER"=>2256, "INGEST_DATE"=>'2003-01-16');
$a['one']['two']['three']['four'][] = array("FILE_NUMBER"=>2258, "INGEST_DATE"=>'2003-01-17');

$num = nodeCount($a);
print $num;

function checkNode($v, $var) {

	var_dump($v, $var);
	echo str_repeat("-=",30)."\n";

	if (is_scalar($var)) {
		$v += 1;
	} elseif (is_null($var)) {

	} else {
		echo "Recursy down\n";
		$v += nodeCount($var);
		//$v = 2;
		echo "Recursy up\n";
	}
	echo "checkNode - END\n";
  	return $v;
}

function nodeCount($array) {
	$number = 0;
	if (is_array($array)) {
		$number = array_reduce($array, "checkNode" , 0);
	}
	return $number;
}
?>

checkNode calls recursively itself.  After getting of the recursy something bad happens at this line : 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos);
I think this is the line.
Unfortunately I cannot help more atm.
 [2005-02-03 12:54 UTC] jorton@php.net
With memory corruption checking enabled in libc, this test case still fails with 4.3-dev (but passes in 5.0-dev and 5.1-dev):

MALLOC_CHECK_=3 gdb --args ./4.3-on-2.0.x/sapi/cli/php -f bug22463.php
...
Program received signal SIGSEGV, Segmentation fault.
call_user_function_ex (function_table=0x8dc1078, object_pp=0x0, function_name=0x0,
    retval_ptr_ptr=0xbff693e4, param_count=2, params=0xbff693e8, no_separation=0,
    symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:443
443             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) where
#0  call_user_function_ex (function_table=0x8dc1078, object_pp=0x0, function_name=0x0,
    retval_ptr_ptr=0xbff693e4, param_count=2, params=0xbff693e8, no_separation=0,
    symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:443
#1  0x080ad4bd in zif_array_reduce (ht=148960076, return_value=0x8e0982c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#2  0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#3  0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#4  0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e092c4, retval_ptr_ptr=0xbff69e74, param_count=2, params=0xbff69e78,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#5  0x080ad4bd in zif_array_reduce (ht=148959852, return_value=0x8e09564, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#6  0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#7  0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#8  0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0dfc4, retval_ptr_ptr=0xbff6a904, param_count=2, params=0xbff6a908,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#9  0x080ad4bd in zif_array_reduce (ht=148959676, return_value=0x8e0929c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#10 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#11 0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#12 0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0dc2c, retval_ptr_ptr=0xbff6b394, param_count=2, params=0xbff6b398,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#13 0x080ad4bd in zif_array_reduce (ht=148914716, return_value=0x8e0df9c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#14 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#15 0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#16 0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0db8c, retval_ptr_ptr=0xbff6be24, param_count=2, params=0xbff6be28,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#17 0x080ad4bd in zif_array_reduce (ht=148914548, return_value=0x8e0dc04, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#18 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#19 0x0814e1c4 in execute (op_array=0x8e0902c) at /local/php/4.3/Zend/zend_execute.c:1695
#20 0x0813d1d9 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/php/4.3/Zend/zend.c:926
#21 0x08113642 in php_execute_script (primary_file=0xbff6eb50)
    at /local/php/4.3/main/main.c:1739
#22 0x0815833b in main (argc=3, argv=0xbff6ec14) at /local/php/4.3/sapi/cli/php_cli.c:825

 [2005-06-24 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 20:01:27 2024 UTC