Bug #24581 usort crashes if the function that it calls is slightly recursive
Submitted: 2003-07-10 04:26 UTC
Modified: 2003-07-13 10:50 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: daniel dot goss at t-systems dot com
Assigned:
Status: Wont fix
Package: Scripting Engine problem
PHP Version: 4.3.3RC2-dev, 5.0.0b2-dev
OS: RedHat 8.0, 7.3
Private report: No
CVE-ID: None

 [2003-07-10 04:26 UTC] daniel dot goss at t-systems dot com
Description:
------------
The PHP engine crashes with a segmentation fault if the function that is called by usort calls another recursive function. The recursion depth is less than 10, so there could not be a global stack overflow. (Tested recursion depth outside usort min. 8000.)


Reproduce code:
---------------
<?
  function MyTest($A, $B, $C, $D, $E, $F, $G)
  {
    echo "|".$A++."|<BR>";
    flush();    

    if ($A>10)
      return 0;

    MyTest($A, $B, $C, "", "", "", "");
    
    return 0;
  }
  
  function MySort($A, $B)
  {
    return MyTest(0,$A,$B,"","","","");
  }
  
  for ($k=0; $k<100; $k++)
  {
    $Test[$k]=rand(1,100);
  }
  
  echo "BEGIN<BR>";
  usort($Test, MySort);
  echo "END<BR>";
?>


Expected result:
----------------
The recursion depth inside the usort function should be min. 100.
Due to the recursive nature of modern sorting algorithms, I understand that the full recursion depth, like outside of usort, is not available. But it should be much more than 10 (on my system)!

Actual result:
--------------
[notice] child pid 8651 exit signal Segmentation fault (11)

 [2003-07-10 04:31 UTC] daniel dot goss at t-systems dot com
There is a little flaw in the example script. The line 

usort($Test, MySort);

should read

usort($Test, "MySort");

but the behaviour is the same.
 [2003-07-10 13:02 UTC] sniper@php.net
Verified with PHP 4.3.3RC2-dev and PHP 5.0.0b2-dev,
Backtrace for 4.3.3RC2-dev:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x82c1020 in call_user_function_ex (function_table=0x85ad230, object_pp=0x0, function_name=0x5a5a5a5a, 
    retval_ptr_ptr=0xbfffd1c4, param_count=2, params=0xbfffd1c8, no_separation=0, symbol_table=0x0)
    at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:444
444             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) bt
#0  0x82c1020 in call_user_function_ex (function_table=0x85ad230, object_pp=0x0, function_name=0x5a5a5a5a, 
    retval_ptr_ptr=0xbfffd1c4, param_count=2, params=0xbfffd1c8, no_separation=0, symbol_table=0x0)
    at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:444
#1  0x81f1bd5 in array_user_compare (a=0x874c388, b=0x874c1fc) at /usr/src/web/php/php4_3/ext/standard/array.c:532
#2  0x82db4da in zend_qsort (base=0x874c1fc, nmemb=100, siz=4, compare=0x81f1b70 <array_user_compare>)
    at /usr/src/web/php/php4_3/Zend/zend_qsort.c:86
#3  0x82d46f4 in zend_hash_sort (ht=0x874d21c, sort_func=0x82db384 <zend_qsort>, 
    compar=0x81f1b70 <array_user_compare>, renumber=1) at /usr/src/web/php/php4_3/Zend/zend_hash.c:1133
#4  0x81f1dd1 in zif_usort (ht=2, return_value=0x874d2d4, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php4_3/ext/standard/array.c:564
#5  0x82e03a2 in execute (op_array=0x874898c) at /usr/src/web/php/php4_3/Zend/zend_execute.c:1616
#6  0x82cce34 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php4_3/Zend/zend.c:886
#7  0x828fefe in php_execute_script (primary_file=0xbffff8bc) at /usr/src/web/php/php4_3/main/main.c:1685
#8  0x82f4367 in main (argc=2, argv=0xbffff924) at /usr/src/web/php/php4_3/sapi/cli/php_cli.c:818
#9  0x406689cb in __libc_start_main (main=0x82f37e4 <main>, argc=2, argv=0xbffff924, init=0x80ab2c0 <_init>, 
    fini=0x84525b4 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff91c)
    at ../sysdeps/generic/libc-start.c:92

 [2003-07-13 10:50 UTC] sniper@php.net
It's the same as every recursive bug: Stack overflows.

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 16 17:01:30 2024 UTC