Bug #38756 Returning large numbers of objects in an array results in a segfault
Submitted: 2006-09-08 21:55 UTC Modified: 2006-09-08 23:47 UTC
From: adam at aers dot ca Assigned:
Status: Wont fix Package: Class/Object related
PHP Version: 4.4.4 OS: Linux
Private report: No CVE-ID: None

 [2006-09-08 21:55 UTC] adam at aers dot ca
Description:
------------
Returning large numbers of objects in an array seems to cause segmentation faults or other memory related errors.

Our memory limit is set to 1024M; that should be the only non-standard setting.

PHP Version => 4.4.4-pl2-gentoo

System => Linux nitrogen 2.6.13-gentoo-r3 #2 SMP Thu Oct 20 19:23:03 PDT 2005 x86_64
Build Date => Sep  7 2006 16:19:50
Configure Command =>  './configure' '--prefix=/usr/lib64/php4' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/lib64/php4/man' '--infodir=/usr/lib64/php4/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--with-libdir=lib64' '--enable-cli' '--disable-cgi' '--with-config-file-path=/etc/php/cli-php4' '--with-config-file-scan-dir=/etc/php/cli-php4/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--disable-ctype' '--with-curl' '--disable-dbase' '--with-dom' '--disable-exif' '--without-fbsql' '--without-fdftk' '--disable-filepro' '--enable-ftp' '--with-gettext' '--with-gmp' '--without-hwapi' '--without-iconv' '--without-informix' '--without-kerberos' '--disable-mbstring' '--with-mcal=/usr' '--with-mcrypt' '--without-mcve' '--enable-memory-limit' '--without-mhash' '--without-ming' '--without-mnogosearch' '--without-msql' '--without-mssql' '--with-ncurses' '--without-oci8' '--without-oci8-instant-client' '--without-oracle' '--with-openssl' '--with-openssl-dir=/usr' '--disable-overload' '--without-ovrimos' '--enable-pcntl' '--without-pfpro' '--with-pgsql' '--with-pspell' '--without-recode' '--enable-shmop' '--without-snmp' '--enable-sockets' '--without-sybase' '--without-sybase-ct' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--disable-tokenizer' '--disable-wddx' '--disable-xml' '--without-xmlrpc' '--with-zlib' '--disable-debug' '--enable-dba' '--without-cdb' '--with-db4' '--without-flatfile' '--without-gdbm' '--without-inifile' '--disable-dbx' '--with-freetype-dir=/usr' '--with-t1lib=/usr' '--disable-gd-jis-conv' '--enable-gd-native-ttf' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-gd' '--with-imap' '--with-imap-ssl' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--with-unixODBC=/usr' '--without-adabas' '--without-birdstep' '--without-dbmaker' '--without-empress' '--without-esoob' '--without-ibm-db2' '--without-iodbc' '--without-sapdb' '--without-solid' '--with-readline' '--without-libedit' '--disable-xslt' '--without-xslt-sablot' '--without-dom-xslt' '--without-dom-exslt' '--with-mm' '--disable-zend-memory-manager'

Reproduce code:
---------------
<?php
testFunc();
function testFunc(){
        for( $i =0; $i < 100000; $i++ ){
                $line = new ReportLine();
                for( $j = 0; $j < 40; $j++ ){
                        $line->addData("this is a bug");
                }
                $lines[] = $line;
        }
        return $lines;
}
class ReportLine{
        var $bool;// = true;
        function ReportLine(){
//              $this->bool = true;
        }
        function addData($value){
                if( $this->bool ) $this->data[] = $value;
        }
}

Expected result:
----------------
No output.

Actual result:
--------------
This results in a segfault.  (Some values of the i limit gave me *** glibc detected *** double free or corruption (fasttop): 0x0000000000XXXXXX ***)  Lower values for the $i counter will result in things running okay.  Try setting it higher if the issue doesn't occur.  Removing the var declaration will fix the problem.  Assigning a value to it during the declaration will have no effect on the bug.  Assigning a value in the constructor - with or without a var declaration - will cause things to work fine.

 [2006-09-08 22:18 UTC] tony2001@php.net
See bug #36793.
 [2006-09-08 23:47 UTC] adam at aers dot ca
I looked at results with debug_zval_dump.  The test code seems to be incrementing the refcount of the 'bool' object and not the returned ReportLine object.  Shouldn't the refcount of the object's variable not be incrementing?  If the constructor sets the value of the object variable, then the refcount does not increase with the instantiations.

New Code:
<?php
testFunc();
function testFunc(){
        for( $i =0; $i < 100000; $i++ ){
                $line = new ReportLine();
                for( $j = 0; $j < 40; $j++ ){
                        $line->addData("this is a bug");
                }
                $lines[] = $line;
                debug_zval_dump( $line );
        }
        return $lines;
}
class ReportLine{
        var $bool = true;
        function ReportLine(){
                //$this->bool = true;
        }
        function addData($value){
                if( $this->bool ) ;//$this->data[] = $value;
        }
}

Output:
...
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3176)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3177)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3178)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3179)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3180)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3181)
}
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(3182)
}
....



Expected:
...
object(reportline)(1) refcount(1){
  ["bool"]=>
  bool(true) refcount(1)
}
...
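
Added example (not part of the report and not PHP source code): a small C model of what happens when a per-instantiation reference count like the one in the dump above is kept in a fixed-width field. It assumes a 16-bit unsigned counter, which the report itself does not state; `shared_value`, `acquire`, `release` and `simulate` are hypothetical names. Nothing is actually freed; the model only counts how often the counter reaches zero during teardown.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not PHP source: one value shared by a class and its objects. */
typedef struct {
    uint16_t refcount;   /* ASSUMPTION: 16-bit counter, wraps at 65536 */
    unsigned frees;      /* how many times the count reached zero */
} shared_value;

typedef struct {
    uint16_t stored;                  /* counter after all objects exist */
    unsigned frees;                   /* "free" events during teardown */
    unsigned long live_at_first_free; /* holders still pointing at it then */
} outcome;

static void acquire(shared_value *v) { v->refcount++; }   /* may wrap */
static int release(shared_value *v) {                     /* 1 = freed */
    if (--v->refcount == 0) { v->frees++; return 1; }
    return 0;
}

/* Create `objects` instances that share one default property, then drop all. */
outcome simulate(unsigned long objects) {
    shared_value v = { 1, 0 };            /* the class holds one reference */
    outcome r = { 0, 0, 0 };
    unsigned long holders = objects + 1;  /* objects plus the class */

    for (unsigned long i = 0; i < objects; i++) acquire(&v);
    r.stored = v.refcount;

    for (unsigned long left = holders; left > 0; left--) {
        if (release(&v) && v.frees == 1)
            r.live_at_first_free = left - 1;  /* dangling holders */
    }
    r.frees = v.frees;
    return r;
}

int main(void) {
    unsigned long counts[] = { 1000, 65534, 65536, 100000 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        outcome r = simulate(counts[i]);
        printf("%6lu objects: stored=%5u frees=%u live_at_first_free=%lu\n",
               counts[i], (unsigned)r.stored, r.frees, r.live_at_first_free);
    }
    return 0;
}
```

Under that assumption, small object counts release the shared value exactly once, while the 100000 instances from the reproduce code leave a wrapped counter that reaches zero twice, the first time with holders still pointing at the value.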
 
Last updated: Sun Nov 19 01:31:42 2017 UTC