Bug #46873 Bus error: 10 (core dumped) in zend_hash.c
Submitted: 2008-12-15 19:41 UTC Modified: 2008-12-27 03:09 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:2 (50.0%)
From: christian at enovo dot dk Assigned: lbarnaud
Status: Closed Package: Reproducible crash
PHP Version: 5.*-CVS (2008-12-16) OS: *
Private report: No CVE-ID:
 [2008-12-15 19:41 UTC] christian at enovo dot dk
Description:
------------
Failing server:
        FreeBSD fox.enovo.dk 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Sat Nov  1 17:48:22 UTC 2008     jippignu@fox.enovo.dk:/usr/obj/usr/src/sys/Fox  amd64
        PHP 5.2.8 (cli) (built: Dec 15 2008 16:38:16) (DEBUG)

Working server:
        FreeBSD cox.enovo.dk 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Sat Nov  1 16:45:54 UTC 2008     jippignu@cox.enovo.dk:/usr/obj/usr/src/sys/Cox  amd64
        PHP 5.2.6 with Suhosin-Patch 0.9.6.2 (cli) (built: Oct  8 2008 21:37:20)

Trace:
GNU gdb 6.1.1 [FreeBSD]
Core was generated by `php'.
Program terminated with signal 10, Bus error.
#0  0x000000000082f88c in zend_hash_get_current_data_ex (ht=0xe24ed8, pData=0x7fffffffbdd8, pos=0x7fffffffbd98) at /usr/home/php/php-5.2.8/Zend/zend_hash.c:1163
1163                    *pData = p->pData;
(gdb) bt
#0  0x000000000082f88c in zend_hash_get_current_data_ex (ht=0xe24ed8, pData=0x7fffffffbdd8, pos=0x7fffffffbd98) at /usr/home/php/php-5.2.8/Zend/zend_hash.c:1163
#1  0x00000000006f3da3 in zif_extract (ht=2, return_value=0xe21048, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/home/php/php-5.2.8/ext/standard/array.c:1396
#2  0x000000000084b13b in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffc420) at zend_vm_execute.h:200
#3  0x0000000000851d80 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffffffc420) at zend_vm_execute.h:1729
#4  0x000000000084ab70 in execute (op_array=0xe24228) at zend_vm_execute.h:92
#5  0x000000000084b31c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffc9e0) at zend_vm_execute.h:234
#6  0x000000000084c035 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffc9e0) at zend_vm_execute.h:322
#7  0x000000000084ab70 in execute (op_array=0xe24228) at zend_vm_execute.h:92
#8  0x000000000084b31c in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffcd00) at zend_vm_execute.h:234
#9  0x000000000084c035 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffcd00) at zend_vm_execute.h:322
#10 0x000000000084ab70 in execute (op_array=0xe1f428) at zend_vm_execute.h:92
#11 0x0000000000820150 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/home/php/php-5.2.8/Zend/zend.c:1134
#12 0x00000000007c031c in php_execute_script (primary_file=0x7fffffffe640) at /usr/home/php/php-5.2.8/main/main.c:2023
#13 0x00000000008acd0d in main (argc=2, argv=0x7fffffffe7d0) at /usr/home/php/php-5.2.8/sapi/cli/php_cli.c:1133

Reproduce code:
---------------
<?php
    $data = array(
        'level0' => array(
            'level1'
        )
    );

    // If you uncomment the following a blank screen is outputted.
    $flattened = Set::flatten($data);
    var_dump($flattened);

    class Set {
        // Called statically above, so declared static.
        static function flatten($data, $separator = '.') {
            $result = array();
            $path = null;

            // Options arrive as an array in $separator; extract() copies its
            // keys into local variables and, with the 'separator' key, replaces
            // the very array it is still iterating.
            if (is_array($separator)) {
                extract($separator, EXTR_OVERWRITE);
            }

            if (!is_null($path)) {
                $path .= $separator;
            }

            foreach ($data as $key => $val) {
                if (is_array($val)) {
                    $result += (array)Set::flatten($val, array(
                        'separator' => $separator,
                        'path' => $path . $key
                    ));
                } else {
                    $result[$path . $key] = $val;
                }
            }
            return $result;
        }
    }

Expected result:
----------------
array(1) {
          ["level0.0"]=>
          string(6) "level1"
        }

Actual result:
--------------
Bus error: 10 (core dumped)

 [2008-12-15 19:43 UTC] christian at enovo dot dk
The issue does not exist with php 5.2.6 - but in 5.2.7/8 only.

Both with and without the Suhosin patch
 [2008-12-15 23:05 UTC] crrodriguez at opensuse dot org
VERIFIED in 5_3

(gdb) bt
#0  0x00000000007f59b7 in zend_hash_get_current_data_ex (ht=0xfd6bf0, pData=0x7fff96781c68, pos=0x7fff96781c48)
    at /home/cristian/php5/Zend/zend_hash.c:1163
#1  0x00000000006c313b in zif_extract (ht=2, return_value=0xfd5590, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/cristian/php5/ext/standard/array.c:1287
#2  0x0000000000814959 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f598e5fa6e0) at /home/cristian/php5/Zend/zend_vm_execute.h:313
#3  0x000000000081a050 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7f598e5fa6e0) at /home/cristian/php5/Zend/zend_vm_execute.h:1564
#4  0x0000000000813a47 in execute (op_array=0xfd9298) at /home/cristian/php5/Zend/zend_vm_execute.h:104
#5  0x00000000007e4089 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1197
#6  0x0000000000766aa1 in php_execute_script (primary_file=0x7fff96784440) at /home/cristian/php5/main/main.c:2080
#7  0x000000000088336b in main (argc=2, argv=0x7fff96784698) at /home/cristian/php5/sapi/cli/php_cli.c:1126
 [2008-12-16 03:08 UTC] crrodriguez at opensuse dot org
reduced test case

<?php
$data = array(
    'level0' => array(
        'level1'
    )
);

$flattened = flatten($data);

function flatten($data, $separator = array()) {
    // $separator is both the array being extracted and a key inside it.
    extract($separator, EXTR_OVERWRITE);
    foreach ($data as $key => $val) {
        flatten($val, array('separator' => $separator));
    }
}

?>
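Both the original reproducer and the reduced case above share one trigger: extract($separator, EXTR_OVERWRITE) is run on an array that itself carries a 'separator' key, so the variable being iterated is replaced mid-walk, and any other key in a caller-supplied options array silently clobbers a local as well. The usual way to avoid both problems is to read the options you expect by name instead of calling extract(); the following is an added example, not code from the report or from PHP, and the function name flatten_safe is made up for illustration.

```php
<?php
// Added example (not from the bug report): the flatten() logic from the
// report with the options read explicitly, so no extract() call and no
// possibility of an options key overwriting a local variable.
function flatten_safe(array $data, array $options = array()) {
    // Only the two keys we know about are honoured; any other key is ignored
    // rather than becoming a variable in this scope.
    $separator = isset($options['separator']) ? (string)$options['separator'] : '.';
    $path      = isset($options['path'])      ? (string)$options['path'] . $separator : '';

    $result = array();
    foreach ($data as $key => $val) {
        if (is_array($val)) {
            // Recurse with a freshly built options array; $options itself is
            // never modified while it is in use.
            $result += flatten_safe($val, array(
                'separator' => $separator,
                'path'      => $path . $key,
            ));
        } else {
            $result[$path . $key] = $val;
        }
    }
    return $result;
}

// Same constructed input as the report's reproducer.
$data = array('level0' => array('level1'));
var_dump(flatten_safe($data));
```

Because $options is only ever read, the hash table extract() was walking in the crashing builds is never touched here, and the function produces the "level0.0" key the report lists as its expected result.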
 [2008-12-16 18:03 UTC] jani@php.net
Output with reduced test script:

# src/build/php_5_2/sapi/cli/php t.php
Segmentation fault
# src/build/php_5_3/sapi/cli/php t.php
Segmentation fault
# src/build/php_6/sapi/cli/php t.php

Warning: Invalid argument supplied for foreach() in /home/jani/t.php on line 12

So it seems the bug is only in PHP_5* branches.
 [2008-12-17 11:14 UTC] bjori@php.net
I can't reproduce this using 5.3 from today:
bjori@jessica:/usr/src/php/5.3$ sapi/cli/php t.php 
PHP Warning:  Invalid argument supplied for foreach() in /usr/src/php/5.3/t.php on line 12

 [2008-12-26 11:53 UTC] felipe@php.net
Hi Arnald, that patch broke this.
 [2008-12-26 11:58 UTC] felipe@php.net
*Arnaud
I suppose http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.58&r2=1.308.2.21.2.59 (Fixed bugs #44181 & #44182 (extract() and references))
 [2008-12-27 03:09 UTC] lbarnaud@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 06:02:13 2014 UTC