PHP :: Bug #22463 :: array_reduce segmentation fault

Bug #22463

array_reduce segmentation fault

Submitted:

2003-02-27 14:42 UTC

Modified:

2005-06-24 01:00 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

mccannwj at pha dot jhu dot edu

Assigned:

Status:

No Feedback

Package:

Arrays related

PHP Version:

4CVS-2005-02-03 (4 only!)

OS:

redhat-linux-8.0

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mccannwj at pha dot jhu dot edu
New email:
PHP Version:		OS:

New Comment:

[2003-02-27 14:42 UTC] mccannwj at pha dot jhu dot edu

Using array_reduce on a nested list causes a segfault.

The following code isolates the problem.
<?php

$a['ANY']['F550M']['HRC']['j6jt01dlq_flt.fits'][] = array("FILE_NUMBER"=>2256,
							  "INGEST_DATE"=>'2003-01-16');
$a['ANY']['F550M']['HRC']['j6jt01dll_flt.fits'][] = array("FILE_NUMBER"=>2258,
							  "INGEST_DATE"=>'2003-01-17');

$num = nodeCount($a);
print $num;

function checkNode($v,$var) {
  print "<pre>";
  print_r($var);
  print "</pre>";
  if (is_scalar($var)) {
    $v += 1;
  }
  elseif (is_null($var)) {
  }
  else {
    $v += nodeCount($var);
  }
  return $v;
}
function nodeCount($array) {
  $number = 0;
  if (is_array($array))
    $number = array_reduce($array,"checkNode",0);
  return $number;
}
?>

How reproducible:
Always

Steps to Reproduce:
1. Execute code snippet
    
Actual Results:  apache error_log:
[Fri Feb 21 12:52:52 2003] [notice] child pid 5618 exit signal Segmentation
fault (11)


Expected Results:  This code should count the scalar nodes in the nested list. 
It should print the number 4.

Additional info:

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-25 13:37 UTC] andrey@php.net

 On my debian/ 4.3.2-dev it doesn't segfault. Valgring reports memoery read errors. Here is the script modified :
<?php

$a['one']['two']['three']['four'][] = array("FILE_NUMBER"=>2256, "INGEST_DATE"=>'2003-01-16');
$a['one']['two']['three']['four'][] = array("FILE_NUMBER"=>2258, "INGEST_DATE"=>'2003-01-17');

$num = nodeCount($a);
print $num;

function checkNode($v, $var) {

	var_dump($v, $var);
	echo str_repeat("-=",30)."\n";

	if (is_scalar($var)) {
		$v += 1;
	} elseif (is_null($var)) {

	} else {
		echo "Recursy down\n";
		$v += nodeCount($var);
		//$v = 2;
		echo "Recursy up\n";
	}
	echo "checkNode - END\n";
  	return $v;
}

function nodeCount($array) {
	$number = 0;
	if (is_array($array)) {
		$number = array_reduce($array, "checkNode" , 0);
	}
	return $number;
}
?>

checkNode calls recursively itself.  After getting of the recursy something bad happens at this line : 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos);
I think this is the line.
Unfortunately I cannot help more atm.

[2005-02-03 12:54 UTC] jorton@php.net

With memory corruption checking enabled in libc, this test case still fails with 4.3-dev (but passes in 5.0-dev and 5.1-dev):

MALLOC_CHECK_=3 gdb --args ./4.3-on-2.0.x/sapi/cli/php -f bug22463.php
...
Program received signal SIGSEGV, Segmentation fault.
call_user_function_ex (function_table=0x8dc1078, object_pp=0x0, function_name=0x0,
    retval_ptr_ptr=0xbff693e4, param_count=2, params=0xbff693e8, no_separation=0,
    symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:443
443             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) where
#0  call_user_function_ex (function_table=0x8dc1078, object_pp=0x0, function_name=0x0,
    retval_ptr_ptr=0xbff693e4, param_count=2, params=0xbff693e8, no_separation=0,
    symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:443
#1  0x080ad4bd in zif_array_reduce (ht=148960076, return_value=0x8e0982c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#2  0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#3  0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#4  0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e092c4, retval_ptr_ptr=0xbff69e74, param_count=2, params=0xbff69e78,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#5  0x080ad4bd in zif_array_reduce (ht=148959852, return_value=0x8e09564, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#6  0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#7  0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#8  0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0dfc4, retval_ptr_ptr=0xbff6a904, param_count=2, params=0xbff6a908,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#9  0x080ad4bd in zif_array_reduce (ht=148959676, return_value=0x8e0929c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#10 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#11 0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#12 0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0dc2c, retval_ptr_ptr=0xbff6b394, param_count=2, params=0xbff6b398,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#13 0x080ad4bd in zif_array_reduce (ht=148914716, return_value=0x8e0df9c, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#14 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#15 0x0814e1c4 in execute (op_array=0x8e0eef8) at /local/php/4.3/Zend/zend_execute.c:1695
#16 0x081344af in call_user_function_ex (function_table=0x8dc1078, object_pp=0x0,
    function_name=0x8e0db8c, retval_ptr_ptr=0xbff6be24, param_count=2, params=0xbff6be28,
    no_separation=0, symbol_table=0x0) at /local/php/4.3/Zend/zend_execute_API.c:565
#17 0x080ad4bd in zif_array_reduce (ht=148914548, return_value=0x8e0dc04, this_ptr=0x0,
    return_value_used=1) at /local/php/4.3/ext/standard/array.c:3258
#18 0x0815019f in execute (op_array=0x8e0f128) at /local/php/4.3/Zend/zend_execute.c:1651
#19 0x0814e1c4 in execute (op_array=0x8e0902c) at /local/php/4.3/Zend/zend_execute.c:1695
#20 0x0813d1d9 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/php/4.3/Zend/zend.c:926
#21 0x08113642 in php_execute_script (primary_file=0xbff6eb50)
    at /local/php/4.3/main/main.c:1739
#22 0x0815833b in main (argc=3, argv=0xbff6ec14) at /local/php/4.3/sapi/cli/php_cli.c:825

[2005-06-16 11:04 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2005-06-24 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC