php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40039 Seg fault during uksort
Submitted: 2007-01-06 00:11 UTC Modified: 2007-01-15 01:00 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: aren at corp dot oodle dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.0 OS: Linux 2.6.5
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2007-01-06 00:11 UTC] aren at corp dot oodle dot com
Description:
------------
I reliably get a seg fault during execution of uksort() in our web application. Unfortunately, the seg fault is not reproducible with any simpler test case, and other code paths over the same code work fine.

PHP line in question:

uksort($arr_values, array($this, '_compare_values'));

GDB output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208600896 (LWP 30559)]
0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0)
     at 
/php-5.2.0/Zend/zend_execute_API .c:661
661                     if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume 
array($obj, $name) couple */

(gdb) print fci.function_name
$3 = (zval *) 0x0


Actual result:
--------------
Segfault trace:

(gdb) bt
#0  0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0)
     at /php-5.2.0/Zend/zend_execute_API.c:661
#1  0x01064660 in call_user_function_ex (function_table=0x0, object_pp=0x0,
     function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0,
     no_separation=0, symbol_table=0x0)
     at /php-5.2.0/Zend/zend_execute_API.c:602
#2  0x0106469c in call_user_function (function_table=0x95c12f0, object_pp=0x0,
     function_name=0x0, retval_ptr=0xbfe7ea00, param_count=2, params=0xbfe7e9f8)
     at /php-5.2.0/Zend/zend_execute_API.c:575
#3  0x00fd3b12 in array_user_key_compare (a=0xb765d404, b=0xb765d3fc)
     at /php-5.2.0/ext/standard/array.c: 736
#4  0x0107cff8 in zend_qsort (base=0xb765d3fc, nmemb=3, siz=4,
     compare=0xfd3a9c <array_user_key_compare>)
     at /php-5.2.0/Zend/zend_qsort.c:86
#5  0x010777e9 in zend_hash_sort (ht=0xb75aff48,
     sort_func=0x107cf70 <zend_qsort>,
     compar=0xfd3a9c <array_user_key_compare>, renumber=0)
     at /php-5.2.0/Zend/zend_hash.c:1218
#6  0x00fd3d12 in zif_uksort (ht=2, return_value=0xb75dd098,
     return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
     at /php-5.2.0/ext/standard/array.c: 774

A watchpoint on the user_compare_func_name shows it is set in zif_uksort's call to zend_get_parameters_ex (as expected):

(gdb) watch basic_globals.user_compare_func_name

Old value = (zval **) 0x0
New value = (zval **) 0xb7d2695c

0x010cd0f8 in zend_get_parameters_ex (param_count=0)
     at /php-5.2.0/Zend/zend_API.c:134
134                     *param = (zval **) p-(arg_count--);

(gdb) bt
#0  0x010cd0f8 in zend_get_parameters_ex (param_count=0)
     at /php-5.2.0/Zend/zend_API.c:134
#1  0x01031c78 in zif_uksort (ht=2, return_value=0xb75ef2ec,
     return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)


And overwritten here:

(gdb) continue
Continuing.
Hardware watchpoint 4: *basic_globals.user_compare_func_name

Old value = (zval *) 0xb75f0afc
New value = (zval *) 0x0

0x00b32527 in memset () from /lib/tls/libc.so.6
(gdb) bt
#0  0x00b32527 in memset () from /lib/tls/libc.so.6
#1  0x00000040 in ?? ()
#2  0x010b816c in _ecalloc (nmemb=64, size=256)
     at /php-5.2.0/Zend/zend_alloc.c:173 8
#3  0x010d37f6 in _zend_hash_init (ht=0xb75eeb04, nSize=45, pHashFunction=0,
     pDestructor=0x10c0460 <_zval_ptr_dtor>, persistent=0 '\0')
     at /php-5.2.0/Zend/zend_hash.c:169
#4  0x010cb5c8 in _zval_copy_ctor_func (zvalue=0xb75efe9c)
     at /php-5.2.0/Zend/zend_variables.c :133
#5  0x010e41b1 in zend_fetch_dimension_address (result=0xbff05fac,
     container_ptr=0xb75f63ac, dim=0xb75f46cc, dim_is_tmp_var=0, type=1)
     at /php-5.2.0/Zend/zend_variables.h :45
#6  0x01141155 in ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER (execute_data=0xbff06180)
     at /php-5.2.0/Zend/zend_execute.c:2 71
#7  0x010e457d in execute (op_array=0xb7ae9340)
     at /php-5.2.0/Zend/zend_vm_execute. h:92
#8  0x010e47c9 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff064e0)
     at /php-5.2.0/Zend/zend_vm_execute. h:234
#9  0x010e457d in execute (op_array=0xb7b40258)
     at /php-5.2.0/Zend/zend_vm_execute. h:92
#10 0x010c1d8a in zend_call_function (fci=0xbff06610, fci_cache=0x0)
     at /php-5.2.0/Zend/zend_execute_API .c:965
#11 0x010c2660 in call_user_function_ex (function_table=0x0, object_pp=0x0,
     function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0,
     no_separation=0, symbol_table=0x0)
     at /php-5.2.0/Zend/zend_execute_API .c:602
#12 0x010c269c in call_user_function (function_table=0x8aad2f0, object_pp=0x0,
     function_name=0xb75f0afc, retval_ptr=0xbff066c0, param_count=2,
     params=0xbff066b8)
     at /php-5.2.0/Zend/zend_execute_API .c:575
#13 0x01031b12 in array_user_key_compare (a=0xb7671414, b=0xb7671418)
     at /php-5.2.0/ext/standard/array.c: 736
#14 0x010db026 in zend_qsort (base=0xb7671414, nmemb=3, siz=4,
     compare=0x1031a9c <array_user_key_compare>)
     at /php-5.2.0/Zend/zend_qsort.c:83
#15 0x010d57e9 in zend_hash_sort (ht=0xb75f58ac,
     sort_func=0x10daf70 <zend_qsort>,
     compar=0x1031a9c <array_user_key_compare>, renumber=0)
     at /php-5.2.0/Zend/zend_hash.c:1218
#16 0x01031d12 in zif_uksort (ht=2, return_value=0xb75ef2ec,
     return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
     at /php-5.2.0/ext/standard/array.c: 774


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-06 16:43 UTC] iliaa@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-01-07 22:01 UTC] aren at corp dot oodle dot com
A contrived example does not exhibit the crash.  Even a different code path through the code that is crashing does not crash.  It is only this particular case that crashes every time.  From the debugging I've done, it looks like memory is being accidentally overwritten.
 [2007-01-07 22:07 UTC] iliaa@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Without a reproduce script it would be impossible for us to 
replicate and resolve the problem.
 [2007-01-15 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC