Bug #39576 Segfault on array_intersect
Submitted: 2006-11-22 00:26 UTC Modified: 2006-11-22 10:42 UTC
From: php at seven dot net dot nz Assigned: tony2001
Status: Closed Package: Arrays related
PHP Version: 5.2.0 OS: Linux
Private report: No CVE-ID:
 [2006-11-22 00:26 UTC] php at seven dot net dot nz
Description:
------------
When intersecting 2 arrays, PHP segfaults.

The first array is the contents of get_object_vars ($this), the second is a key => object pair.

This does not reproduce the bug, but this is what the code looks like. Setting up the environment to reproduce it will take some time (objects returned by a database, etc.), so I'll only do it if necessary.

Reproduce code:
---------------
<?php
class Test {

	function run () {

		$c = array_intersect_key (
			get_object_vars ($this),
			$this->columns
		);

		print_r ($c);

	}

}

class Test2 {}

$test = new Test;

$test->columns = array ('id' => new Test2);
$test->id = '1';

$test->run ();
?>

Expected result:
----------------
Array ( [id] => 1 )

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215007056 (LWP 21112)]
0xb765ab06 in zend_hash_del_key_or_index (ht=0xb6c47e44, arKey=0xb6c7e828 "", nKeyLength=1, h=3445614760, flag=0) at /root/php-5.2.0/Zend/zend_hash.c:462
462             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0xb765ab06 in zend_hash_del_key_or_index (ht=0xb6c47e44, arKey=0xb6c7e828 "", nKeyLength=1, h=3445614760, flag=0)
    at /root/php-5.2.0/Zend/zend_hash.c:462
#1  0xb759b96c in php_array_intersect (ht=2, return_value=0xb6c7ee74, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1,
    behavior=<value optimized out>, data_compare_type=0, key_compare_type=0) at /root/php-5.2.0/ext/standard/array.c:3135
#2  0xb766b6b3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd50820) at /root/php-5.2.0/Zend/zend_vm_execute.h:200
#3  0xb76697cb in execute (op_array=0xb6c56bec) at /root/php-5.2.0/Zend/zend_vm_execute.h:92
#4  0xb766b236 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd509a0) at /root/php-5.2.0/Zend/zend_vm_execute.h:234
#5  0xb76697cb in execute (op_array=0xb6c1a474) at /root/php-5.2.0/Zend/zend_vm_execute.h:92
#6  0xb766b236 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd50ed0) at /root/php-5.2.0/Zend/zend_vm_execute.h:234
#7  0xb76697cb in execute (op_array=0xb6c8144c) at /root/php-5.2.0/Zend/zend_vm_execute.h:92
#8  0xb766ecdd in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (execute_data=0xbfd527a0) at /root/php-5.2.0/Zend/zend_vm_execute.h:4572
#9  0xb76697cb in execute (op_array=0xb6c71574) at /root/php-5.2.0/Zend/zend_vm_execute.h:92
#10 0xb76510af in zend_execute_scripts (type=8, retval=0x80, file_count=3) at /root/php-5.2.0/Zend/zend.c:1097
#11 0xb7615afa in php_execute_script (primary_file=0xbfd54ac8) at /root/php-5.2.0/main/main.c:1758
#12 0xb76d2711 in php_handler (r=0x84ab238) at /root/php-5.2.0/sapi/apache2handler/sapi_apache2.c:592
#13 0x08078709 in ap_run_handler ()
#14 0x0807b8b1 in ap_invoke_handler ()
#15 0x0806a42c in ap_internal_redirect ()
#16 0xb79433c5 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#17 0x084ab228 in ?? ()
#18 0x084a2978 in ?? ()
#19 0xb7944da7 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#20 0x084a36c8 in ?? ()
#21 0x00000000 in ?? ()


 [2006-11-22 01:00 UTC] johannes@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


We really need a proper reproduce case showing the bug.
 [2006-11-22 02:02 UTC] php at seven dot net dot nz
OK, I've nailed it down:

<?php
class Test {

	public $_table = '';
	public $_columns = array ();
	public $_primary = array ();

}

$test = new Test ();
$test->name = 'test';
$test->_columns['name'] = new stdClass;

function test ($value, $column, &$columns) {}

array_walk (
	get_object_vars ($test),
	'test',
	$test->_columns
);

array_intersect_key (
	get_object_vars ($test),
	$test->_primary
);

print "OK\n";
?>


Here's the backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1214896464 (LWP 23917)]
0xb7675b06 in zend_hash_del_key_or_index (ht=0xb6c92234, arKey=0xb6c92468 "", nKeyLength=1, h=3445614760, flag=0) at /root/php-5.2.0/Zend/zend_hash.c:462
462             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0xb7675b06 in zend_hash_del_key_or_index (ht=0xb6c92234, arKey=0xb6c92468 "", nKeyLength=1, h=3445614760, flag=0)
    at /root/php-5.2.0/Zend/zend_hash.c:462
#1  0xb75b66dc in php_array_intersect (ht=2, return_value=0xb6c9219c, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=0,
    behavior=<value optimized out>, data_compare_type=0, key_compare_type=0) at /root/php-5.2.0/ext/standard/array.c:3119
#2  0xb76866b3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd75080) at /root/php-5.2.0/Zend/zend_vm_execute.h:200
#3  0xb76847cb in execute (op_array=0xb6c8df14) at /root/php-5.2.0/Zend/zend_vm_execute.h:92
#4  0xb766c0af in zend_execute_scripts (type=8, retval=0x80, file_count=3) at /root/php-5.2.0/Zend/zend.c:1097
#5  0xb7630afa in php_execute_script (primary_file=0xbfd773a8) at /root/php-5.2.0/main/main.c:1758
#6  0xb76ed711 in php_handler (r=0x84a2990) at /root/php-5.2.0/sapi/apache2handler/sapi_apache2.c:592
#7  0x08078709 in ap_run_handler ()
#8  0x0807b8b1 in ap_invoke_handler ()
#9  0x0806a5a8 in ap_process_request ()
#10 0x080652e8 in _start ()
 [2006-11-22 02:03 UTC] php at seven dot net dot nz
I think the problem lies with the third parameter to function test (), and passing by reference.
 [2006-11-22 10:42 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
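
Both backtraces in this report fault in the same place, although the addresses and the array.c line differ between them. The Python sketch below is an added example, not part of the original report or of PHP's tooling; it reduces a gdb backtrace to an address-free, line-free signature so the two crashes fall into one bucket (the names `parse_frames` and `signature` are hypothetical).

```python
import re

# Excerpts (top three frames) of the two gdb backtraces quoted in this report.
REPORT_1 = r'''
#0  0xb765ab06 in zend_hash_del_key_or_index (ht=0xb6c47e44, arKey=0xb6c7e828 "", nKeyLength=1, h=3445614760, flag=0)
    at /root/php-5.2.0/Zend/zend_hash.c:462
#1  0xb759b96c in php_array_intersect (ht=2, return_value=0xb6c7ee74, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1,
    behavior=<value optimized out>, data_compare_type=0, key_compare_type=0) at /root/php-5.2.0/ext/standard/array.c:3135
#2  0xb766b6b3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd50820) at /root/php-5.2.0/Zend/zend_vm_execute.h:200
'''
REPORT_2 = r'''
#0  0xb7675b06 in zend_hash_del_key_or_index (ht=0xb6c92234, arKey=0xb6c92468 "", nKeyLength=1, h=3445614760, flag=0)
    at /root/php-5.2.0/Zend/zend_hash.c:462
#1  0xb75b66dc in php_array_intersect (ht=2, return_value=0xb6c9219c, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=0,
    behavior=<value optimized out>, data_compare_type=0, key_compare_type=0) at /root/php-5.2.0/ext/standard/array.c:3119
#2  0xb76866b3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfd75080) at /root/php-5.2.0/Zend/zend_vm_execute.h:200
'''

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(")
LOC_RE = re.compile(r"\bat (\S+):(\d+)$")


def parse_frames(bt_text):
    """Return [(index, function, file, line)] from gdb 'bt' output.

    gdb wraps long frames, so a trailing 'at file:line' on a continuation
    line is attached to the most recently seen frame.
    """
    frames = []
    for raw in bt_text.splitlines():
        line = raw.strip()
        m = FRAME_RE.match(line)
        if m:
            frames.append([int(m.group(1)), m.group(2), None, None])
        loc = LOC_RE.search(line)
        if frames and loc:
            frames[-1][2], frames[-1][3] = loc.group(1), int(loc.group(2))
    return [tuple(f) for f in frames]


def signature(bt_text, depth=2):
    """Bucket key: (function, source basename) of the top frames with symbols.

    Addresses and line numbers are left out because they change between runs
    and call sites while the faulting code path stays the same.
    """
    frames = [f for f in parse_frames(bt_text) if f[2]]
    return tuple((fn, path.rsplit("/", 1)[-1]) for _, fn, path, _ in frames[:depth])


if __name__ == "__main__":
    print(signature(REPORT_1) == signature(REPORT_2), signature(REPORT_1))
```
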


 
Last updated: Mon Apr 21 02:02:11 2014 UTC