php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #49896 unsetting array member inside uksort function causes 1.5GB memory exhaustion
Submitted: 2009-10-16 08:24 UTC Modified: 2009-12-08 11:55 UTC
From: jmy at morgontech dot com Assigned:
Status: Closed Package: Arrays related
PHP Version: 5.*, 6 (2009-10-19) OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2009-10-16 08:24 UTC] jmy at morgontech dot com 
Description:
------------
In an attempt to cull some unneeded array elements from within a user-defined function for uksort(), I came across a very odd memory exhaustion issue where array.c collapses under a sudden 1.5GB memory allocation attempt.

I realize this may not be the best way to accomplish my goal, but am pretty sure the memory exhaustion shouldn't be happening, regardless.

Reproduce code:
---------------
<?php
$sortOrder = Array(281, 830, 580, 541, 838, 839, 702, 625, 102, 234, 532, 317, 859, 738, 17, 350);
$myArray = Array(
    830 => 'eightthirty',
    317 => 'threeseventeen',
    102 => 'oneohtwo',
    281 => 'twoeightyone',
    14  => 'fourteen',
    580 => 'fiveeighty',
    541 => 'fivefourtyone',
    350 => 'threefifty',
    838 => 'eightthirtyeight',
    839 => 'eightthirtynine',
    702 => 'sevenohtwo',
    625 => 'sixtwentyfive',
    234 => 'twothreefour',
    532 => 'fivethirtytwo',
    859 => 'eightfiftynine',
    738 => 'seventhirtyeight',
    17  => 'seventeen'
);  

    function sortByOrder($a, $b) {
        global $sortOrder;
        global $myArray;

        if (!in_array($a, $sortOrder)) {
            unset($myArray[$a]);
            return 1;
        }
        if (!in_array($b, $sortOrder)) {
            return -1;
        }

        return array_search($a, $sortOrder) - array_search($b, $sortOrder);
    }

uksort($myArray, 'sortByOrder');
print_r($myArray);
?>

Expected result:
----------------
Expected result is an array sorted to match $sortOrder

Actual result:
--------------
Fatal error: Allowed memory size of 16777216 bytes exhausted at /root/source/php-5.3.0/ext/standard/array.c:694 (tried to allocate 1515870810 bytes) in /path/to/uksort_memory.php on line 38

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-19 10:43 UTC] jani@php.net 
It also crashes:

(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0x10) at /home/jani/src/php-5.3/Zend/zend_execute_API.c:429
#1  0x00000000005e86e8 in zend_hash_destroy (ht=0x1de2e0c0) at /home/jani/src/php-5.3/Zend/zend_hash.c:526
#2  0x00000000005dc876 in _zval_dtor_func (zvalue=0x1de304b8) at /home/jani/src/php-5.3/Zend/zend_variables.c:43
#3  0x00000000005d06e5 in _zval_ptr_dtor (zval_ptr=0x1de30b20) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#4  0x00000000005e83db in zend_hash_apply_deleter (ht=0xb5eec8, p=0x1de30b08) at /home/jani/src/php-5.3/Zend/zend_hash.c:611
#5  0x00000000005e8648 in zend_hash_graceful_reverse_destroy (ht=0xb5eec8) at /home/jani/src/php-5.3/Zend/zend_hash.c:646
#6  0x00000000005d0a9e in shutdown_executor () at /home/jani/src/php-5.3/Zend/zend_execute_API.c:252
#7  0x00000000005dcd63 in zend_deactivate () at /home/jani/src/php-5.3/Zend/zend.c:890
#8  0x000000000058deb8 in php_request_shutdown (dummy=<value optimized out>) at /home/jani/src/php-5.3/main/main.c:1601
#9  0x0000000000660108 in main (argc=2, argv=0x7fff8879e2a8) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1371
 [2009-12-08 11:55 UTC] felipe@php.net 
This issue was fixed with an improved fix for the bug #50006.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Dec 19 22:00:01 2025 UTC