PHP :: Bug #49896 :: unsetting array member inside uksort function causes 1.5GB memory exhaustion

Bug #49896	unsetting array member inside uksort function causes 1.5GB memory exhaustion
Submitted:	2009-10-16 08:24 UTC	Modified:	2009-12-08 11:55 UTC
From:	jmy at morgontech dot com	Assigned:
Status:	Closed	Package:	Arrays related
PHP Version:	5.*, 6 (2009-10-19)	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2009-10-16 08:24 UTC] jmy at morgontech dot com

Description:
------------
In an attempt to cull some unneeded array elements from within a user-defined function for uksort(), I came across a very odd memory exhaustion issue where array.c collapses under a sudden 1.5GB memory allocation attempt.

I realize this may not be the best way to accomplish my goal, but am pretty sure the memory exhaustion shouldn't be happening, regardless.

Reproduce code:
---------------
<?php
$sortOrder = Array(281, 830, 580, 541, 838, 839, 702, 625, 102, 234, 532, 317, 859, 738, 17, 350);
$myArray = Array(
    830 => 'eightthirty',
    317 => 'threeseventeen',
    102 => 'oneohtwo',
    281 => 'twoeightyone',
    14  => 'fourteen',
    580 => 'fiveeighty',
    541 => 'fivefourtyone',
    350 => 'threefifty',
    838 => 'eightthirtyeight',
    839 => 'eightthirtynine',
    702 => 'sevenohtwo',
    625 => 'sixtwentyfive',
    234 => 'twothreefour',
    532 => 'fivethirtytwo',
    859 => 'eightfiftynine',
    738 => 'seventhirtyeight',
    17  => 'seventeen'
);  

    function sortByOrder($a, $b) {
        global $sortOrder;
        global $myArray;

        if (!in_array($a, $sortOrder)) {
            unset($myArray[$a]);
            return 1;
        }
        if (!in_array($b, $sortOrder)) {
            return -1;
        }

        return array_search($a, $sortOrder) - array_search($b, $sortOrder);
    }

uksort($myArray, 'sortByOrder');
print_r($myArray);
?>

Expected result:
----------------
Expected result is an array sorted to match $sortOrder

Actual result:
--------------
Fatal error: Allowed memory size of 16777216 bytes exhausted at /root/source/php-5.3.0/ext/standard/array.c:694 (tried to allocate 1515870810 bytes) in /path/to/uksort_memory.php on line 38

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-10-19 10:43 UTC] jani@php.net

It also crashes:

(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0x10) at /home/jani/src/php-5.3/Zend/zend_execute_API.c:429
#1  0x00000000005e86e8 in zend_hash_destroy (ht=0x1de2e0c0) at /home/jani/src/php-5.3/Zend/zend_hash.c:526
#2  0x00000000005dc876 in _zval_dtor_func (zvalue=0x1de304b8) at /home/jani/src/php-5.3/Zend/zend_variables.c:43
#3  0x00000000005d06e5 in _zval_ptr_dtor (zval_ptr=0x1de30b20) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#4  0x00000000005e83db in zend_hash_apply_deleter (ht=0xb5eec8, p=0x1de30b08) at /home/jani/src/php-5.3/Zend/zend_hash.c:611
#5  0x00000000005e8648 in zend_hash_graceful_reverse_destroy (ht=0xb5eec8) at /home/jani/src/php-5.3/Zend/zend_hash.c:646
#6  0x00000000005d0a9e in shutdown_executor () at /home/jani/src/php-5.3/Zend/zend_execute_API.c:252
#7  0x00000000005dcd63 in zend_deactivate () at /home/jani/src/php-5.3/Zend/zend.c:890
#8  0x000000000058deb8 in php_request_shutdown (dummy=<value optimized out>) at /home/jani/src/php-5.3/main/main.c:1601
#9  0x0000000000660108 in main (argc=2, argv=0x7fff8879e2a8) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1371

[2009-12-08 11:55 UTC] felipe@php.net

This issue was fixed with an improved fix for the bug #50006.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun May 19 21:01:32 2024 UTC