Bug #34260 Segfault with callbacks (array_map) + overloading
Submitted: 2005-08-25 22:03 UTC Modified: 2005-09-02 09:47 UTC
Avg. Score: 4.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: etnu at etnu dot org Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-09-02 OS: *
Private report: No CVE-ID:
 [2005-08-25 22:03 UTC] etnu at etnu dot org
A segfault occurs when using callbacks to functions that get triggered via __call.

In the case of what's actually being called, the class is derived from mysqli.

I haven't done extensive testing, but I was getting segfaults with both array_map and array_filter. It seems to be a general callback-related issue.

Dual Opteron
Kernel is SMP + 64bit

./configure \
--with-pgsql \
--with-xmlrpc \
--with-apxs2=/usr/local/apache2/bin/apxs \
--with-mysql=/usr --with-mysqli=/usr/bin/mysql_config \
--prefix=/usr/local/apache2/php \
--with-config-file-path=/usr/local/apache2/php \
--enable-force-cgi-redirect \
--disable-magic-quotes \
--with-curl \
--with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib --with-zlib-dir=/usr/lib

Reproduce code:
<?php
class Faulty
{
    // Magic dispatcher: any undefined method name lands here.
    function __call($Method, $Args)
    {
        switch ($Method) {
            case 'seg':
                echo "I hate me";
                break;
        }
    }

    function NormalMethod($Args)
    {
        echo "I heart me";
    }
}

$Faulty = new Faulty();
$Array = array('Some junk','Some other junk');

// This causes a seg fault.
$Failure = array_map(array($Faulty,'seg'),$Array);

// This does not.
$Failure = array_map(array($Faulty,'NormalMethod'),$Array);


Expected result:
Not seg faulting.

Actual result:

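The report exercises the path where an array callback resolves to a method that does not exist and the engine routes it through __call. The following is an added example (not code from the bug report or from the PHP project) showing that same dispatch path, through both array_map and array_filter as the reporter mentions, with an explicit whitelist inside __call so that method names the class does not know about fail with an exception rather than being silently accepted. The Dispatcher class, its method names and the sample words are all assumptions made for this illustration.

```php
<?php
// Added example, not part of the original bug report.
// Dispatcher, shout, isLong and the input words are hypothetical.
class Dispatcher
{
    // Names that __call is allowed to service; anything else is rejected.
    private $allowed = array('shout', 'isLong');

    public function __call($method, $args)
    {
        if (!in_array($method, $this->allowed, true)) {
            throw new BadMethodCallException("Unknown method: $method");
        }
        switch ($method) {
            case 'shout':
                return strtoupper($args[0]) . '!';
            case 'isLong':
                return strlen($args[0]) > 5;
        }
    }
}

$d = new Dispatcher();
$words = array('some junk', 'more');   // constructed sample input

// Both callbacks are resolved through __call, the path that crashed in this report.
var_dump(array_map(array($d, 'shout'), $words));
var_dump(array_filter($words, array($d, 'isLong')));

// is_callable() answers true for any name on an object that defines __call,
// so it cannot replace the check inside __call itself.
var_dump(is_callable(array($d, 'doesNotExist')));

// An unknown name now surfaces as an exception instead of silently running.
try {
    array_map(array($d, 'doesNotExist'), $words);
} catch (BadMethodCallException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the whitelist is that once __call exists, the engine treats every method name on the object as callable, so the class itself is the only place that can decide which names are legitimate callback targets.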
 [2005-08-28 01:11 UTC]
Derick, in cases like this with nice and short example script which clearly segfaults (I verified) you can probably come up with the backtrace YOURSELF?

Here it is, for all the other lazy asses:

(gdb) bt
#0  0x5a2a8fcc in ?? ()
#1  0x083a55f1 in zend_call_function (fci=0xbfffd4a0, fci_cache=0xbfffd4f0)
    at /usr/src/php/php_5_1/Zend/zend_execute_API.c:885
#2  0x082de40e in zif_array_map (ht=2, return_value=0x89d4064, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=1) at /usr/src/php/php_5_1/ext/standard/array.c:4336
#3  0x083d739b in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd6c0) at zend_vm_execute.h:184
#4  0x083db82f in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffd6c0) at zend_vm_execute.h:1586
#5  0x083d707c in execute (op_array=0x89cf624) at zend_vm_execute.h:87
#6  0x083b09f1 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/php/php_5_1/Zend/zend.c:1078
#7  0x0836f107 in php_execute_script (primary_file=0xbffffb00) at /usr/src/php/php_5_1/main/main.c:1675
#8  0x08426636 in main (argc=2, argv=0xbffffbd4) at /usr/src/php/php_5_1/sapi/cli/php_cli.c:1039

The crash happens for the 2nd call.

 [2005-09-02 07:25 UTC]
Dmitry, can you check this out please?

 [2005-09-02 09:47 UTC]
Fixed in CVS HEAD, PHP_5_1 and PHP_5_0.