php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50481 Storing many SPLFixedArray in an array crashes
Submitted: 2009-12-15 14:23 UTC Modified: 2010-08-09 01:56 UTC
Votes:6
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:3 (60.0%)
From: simon dot nuttall at gmail dot com Assigned: felipe
Status: Closed Package: SPL related
PHP Version: 5.3.1 OS: Debian Linux www 2.6.26.2
Private report: No CVE-ID:
 [2009-12-15 14:23 UTC] simon dot nuttall at gmail dot com
Description:
------------
The script generates a segmentation fault when $count > 9992.

I have tried it on three machines, and on one the problem only occurs when $count > 9995.


Reproduce code:
---------------
$count = 9993;

$cache = array();

for($i = 0; $i < $count ; $i++) {

  $cache[$i] = new SplFixedArray(1);

}

echo 'Cache count: ' . count($cache);


Expected result:
----------------
Cache count: 9993

Actual result:
--------------
[Tue Dec 15 13:42:57 2009] [notice] child pid 10685 exit signal Segmentation fault (11)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-12-15 14:58 UTC] felipe@php.net
Program received signal SIGSEGV, Segmentation fault.
0x08543bad in gc_remove_from_buffer (zv=0x892722e, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.h:189
189		root->next->prev = root->prev;
(gdb) bt
#0  0x08543bad in gc_remove_from_buffer (zv=0x892722e, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.h:189
#1  gc_remove_zval_from_buffer (zv=0x892722e, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:265
#2  0x0850c5f4 in _zval_ptr_dtor (zval_ptr=0x8ac8d2c, __zend_filename=0x88f20d4 "/home/felipe/dev/php5/Zend/zend_variables.c", __zend_lineno=175)
    at /home/felipe/dev/php5/Zend/zend_execute_API.c:434
#3  0x0851bfbb in _zval_ptr_dtor_wrapper (zval_ptr=0x8ac8d2c) at /home/felipe/dev/php5/Zend/zend_variables.c:175
#4  0x0852da55 in _zend_hash_index_update_or_next_insert (ht=0x8ac9d08, h=0, pData=0x892723c, nDataSize=4, pDest=0x0, flag=1, 
    __zend_filename=0x889aa4c "/home/felipe/dev/php5/ext/spl/spl_fixedarray.c", __zend_lineno=161) at /home/felipe/dev/php5/Zend/zend_hash.c:374
#5  0x083487b9 in spl_fixedarray_object_get_properties (obj=0x8ac9b90, tsrm_ls=0x8925078) at /home/felipe/dev/php5/ext/spl/spl_fixedarray.c:161
#6  0x08543d21 in zval_scan_black (pz=0x8ac9b90, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:285
#7  0x08543de4 in zval_scan_black (pz=0x8ac9b90, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:302
#8  0x08544453 in zval_scan (pz=0x8ac85ac, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:435
#9  0x085447c8 in gc_scan_roots (tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:511
#10 0x08544d87 in gc_collect_cycles (tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:629
#11 0x085436d3 in gc_zval_possible_root (zv=0x8ac5618, tsrm_ls=0x8925078) at /home/felipe/dev/php5/Zend/zend_gc.c:166
#12 0x0850c6ad in gc_zval_check_possible_root (zval_ptr=0x892adb0, __zend_filename=0x88dd638 "/home/felipe/dev/php5/main/main.c", __zend_lineno=1590)
    at /home/felipe/dev/php5/Zend/zend_gc.h:183
#13 _zval_ptr_dtor (zval_ptr=0x892adb0, __zend_filename=0x88dd638 "/home/felipe/dev/php5/main/main.c", __zend_lineno=1590)
    at /home/felipe/dev/php5/Zend/zend_execute_API.c:445
#14 0x08498f88 in php_request_shutdown (dummy=0x0) at /home/felipe/dev/php5/main/main.c:1590
#15 0x085fecc5 in main (argc=2, argv=0xbffff6a4) at /home/felipe/dev/php5/sapi/cli/php_cli.c:1373

 [2010-04-25 06:32 UTC] colder@php.net
-Status: Verified +Status: Feedback
 [2010-04-25 06:32 UTC] colder@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2010-06-11 00:32 UTC] jan-phpbug at kantert dot net
I can verify this on php 5.3.2 (Stock Ubuntu 10.04) and in php 5.3 latest (10.06.2010) on amd64. 2.6.32-22-server.
 [2010-08-09 01:56 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=302011
Log: - Fixed bug #50481 (Storing many SPLFixedArray in an array crashes)
 [2010-08-09 01:56 UTC] felipe@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-08-09 01:56 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 19:01:53 2014 UTC