Bug #54609 Certain implementation(s) of SplFixedArray cause hard crash
Submitted: 2011-04-26 21:22 UTC Modified: 2011-06-07 03:26 UTC
Votes:3
Avg. Score:4.3 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: aleksey dot v dot korzun at gmail dot com Assigned: felipe
Status: Closed Package: SPL related
PHP Version: 5.3.6 OS: *nix
Private report: No CVE-ID:
 [2011-04-26 21:22 UTC] aleksey dot v dot korzun at gmail dot com
Description:
------------
The problem can be reproduced on both Linux and Unix environments; it does not seem to be OS specific.

Backtrace and other tests point specifically at SplFixedArray.

PHP/OS:

PHP 5.3.6
8.2-RELEASE FreeBSD

Extensions:

extension=ctype.so
extension=curl.so
extension=dom.so
extension=filter.so
extension=gd.so
extension=hash.so
extension=json.so
extension=mbstring.so
extension=mcrypt.so
extension=session.so
extension=simplexml.so
extension=ftp.so
extension=mysqli.so
extension=igbinary.so
extension=apc.so
extension=memcached.so
Test script:
---------------
<?php
/**
 * Proof of concept
 * @author Aleksey Korzun
 */
ini_set('memory_limit', '1024M');
ini_set('display_errors', 'On');
error_reporting(E_ALL);

// Hard limit for our test loop
$limit = 10000;

/**
 * Placeholder model
 */
class Model
{
    public function foo() {}
}

/**
 * Placeholder collection, using SplFixedArray
 */
class Collection extends \SplFixedArray
{
    // Population method
    public function bar() {
        $models = array();
        foreach($this as $id => $model) {
            $model->foo();
            $models[$id] = $model;
        }
    }
}

// Initialize and run the test
$collection = new Collection;
$collection->setSize($limit);
while ($limit > 0) {
    --$limit;
    $collection[$limit] = new Model;
}
$collection->bar();


Expected result:
----------------
Script should not crash

Actual result:
--------------
(gdb) bt full
#0  0x00000008026f5567 in _zend_is_inconsistent (ht=0xffffffff, file=0x80285a5b8 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c", line=520) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:53
No locals.
#1  0x00000008026f7381 in zend_hash_destroy (ht=0xffffffff) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_hash.c:520
        p = (Bucket *) 0x802858ff0
        q = (Bucket *) 0x480
#2  0x0000000802710a66 in zend_object_std_dtor (object=0x808581920) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:41
No locals.
#3  0x0000000802710f15 in zend_objects_free_object_storage (object=0x808581920) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects.c:126
No locals.
#4  0x0000000802716abf in zend_objects_store_del_ref_by_handle_ex (handle=3697, handlers=0x8029f0c20) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:220
        __orig_bailout = (sigjmp_buf *) 0x7fffffffe1b0
        __bailout = {{_sjb = {34400725674, 34376863547, 140737488347016, 140737488347184, 140737488350136, 140737488350104, 0, 0, 34499527295, 34498252960, 34499605672, 34359738368}}}
        obj = (struct _store_object *) 0x8094bdca8
        failure = 0
#5  0x00000008027167ae in zend_objects_store_del_ref (zobject=0x8085a8130) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:172
        handle = 3697
#6  0x00000008026e35b3 in _zval_dtor_func (zvalue=0x8085a8130, __zend_filename=0x802857e68 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c", __zend_lineno=443)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_variables.c:52
No locals.
#7  0x00000008026d223f in _zval_dtor (zvalue=0x8085a8130, __zend_filename=0x802857e68 "/usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c", __zend_lineno=443) at zend_variables.h:35
No locals.
#8  0x00000008026d2628 in _zval_ptr_dtor (zval_ptr=0x80821ad58, __zend_filename=0x80282b9d8 "/usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c", __zend_lineno=182)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:443
No locals.
#9  0x000000080256f408 in spl_fixedarray_object_free_storage (object=0x808214990) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_fixedarray.c:182
        intern = (spl_fixedarray_object *) 0x808214990
        i = 897
#10 0x00000008027164bd in zend_objects_store_free_object_storage (objects=0x8029f75b8) at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_objects_API.c:92
        obj = (struct _store_object *) 0x809484668
        i = 24
#11 0x00000008026d1f7a in shutdown_executor () at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend_execute_API.c:302
        __orig_bailout = (sigjmp_buf *) 0x0
        __bailout = {{_sjb = {34400444143, 34376863547, 140737488347560, 140737488347712, 140737488350136, 140737488350104, 0, 0, 34402009727, 34384020168, 140737488347696, 34359738368}}}
#12 0x00000008026e56de in zend_deactivate () at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:890
No locals.
#13 0x00000008026656a1 in php_request_shutdown (dummy=0x0) at /usr/ports/lang/php5/work/php-5.3.6/main/main.c:1635
        report_memleaks = 1 '\001'
#14 0x00000008027d98b6 in php_apache_request_dtor (r=0x8035778a8) at /usr/ports/lang/php5/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:509
No locals.
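The backtrace above ends inside spl_fixedarray_object_free_storage during request shutdown, so the failure never surfaces as a PHP error: the process is simply killed by a signal. When verifying a fix for a report like this (for example against the snapshot suggested below), a harness has to tell "killed by SIGSEGV" apart from "PHP fatal error" and "clean exit". The following is an added example, not code from the reporter or from php-src: it embeds the reporter's proof of concept with the loop bound made a parameter, runs it under a php CLI binary (assumed to be on PATH or named by a hypothetical PHP_BIN environment variable), and classifies the outcome. The function names classify and run_reproducer are this example's own.

```python
"""Run the SplFixedArray reproducer under the php CLI and classify the result.

Triage rule demonstrated here: a child process that dies from a signal
(subprocess reports this as a negative return code) is a memory-safety
crash and must be reported separately from a PHP-level fatal error, which
php exits from with a normal non-zero status. Assumes a `php` binary; if
none is found, run_reproducer() returns "skipped" rather than failing.
"""
import os
import shutil
import signal
import subprocess
import tempfile

# Reporter's proof of concept from the bug, with the loop bound parameterised
# so smaller sizes can be tried when bisecting (the report uses 10000). The
# trailing echo marks a run that reached the end of the script.
REPRO_TEMPLATE = r'''<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL);
$limit = %d;
class Model { public function foo() {} }
class Collection extends \SplFixedArray
{
    public function bar() {
        $models = array();
        foreach ($this as $id => $model) {
            $model->foo();
            $models[$id] = $model;
        }
    }
}
$collection = new Collection;
$collection->setSize($limit);
while ($limit > 0) {
    --$limit;
    $collection[$limit] = new Model;
}
$collection->bar();
echo "done\n";
'''


def classify(returncode, stdout, stderr):
    """Map a finished php process to a triage label.

    returncode < 0  : killed by signal -returncode (e.g. -11 -> SIGSEGV)
    non-zero / fatal: PHP-level error (the CLI prints fatals to stdout when
                      display_errors is on, so both streams are checked)
    0 with "done"   : script ran to completion
    """
    if returncode < 0:
        signum = -returncode
        try:
            name = signal.Signals(signum).name
        except ValueError:
            name = "SIG%d" % signum
        return "crash:" + name
    if returncode != 0 or b"Fatal error" in stdout or b"Fatal error" in stderr:
        return "php-error"
    if b"done" in stdout:
        return "ok"
    # Exit 0 without the marker: output was lost or the script was cut short.
    return "unexpected-exit"


def run_reproducer(limit=10000, php_bin=None, timeout=60):
    """Write the PoC to a temp file, run it, and return (label, returncode)."""
    # PHP_BIN is an assumed convenience variable for this example only.
    php_bin = php_bin or os.environ.get("PHP_BIN") or shutil.which("php")
    if not php_bin:
        return ("skipped", None)
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(REPRO_TEMPLATE % limit)
        path = fh.name
    try:
        proc = subprocess.run(
            [php_bin, "-d", "memory_limit=1024M", path],
            capture_output=True,
            timeout=timeout,
        )
    finally:
        os.unlink(path)
    return (classify(proc.returncode, proc.stdout, proc.stderr), proc.returncode)


if __name__ == "__main__":
    label, rc = run_reproducer()
    print("result: %s (returncode=%s)" % (label, rc))
```

A "crash:SIGSEGV" result on the affected build and "ok" on the snapshot is the evidence a fix confirmation like the one later in this thread rests on; keeping the label separate from php-error also stops a memory_limit fatal from being mistaken for the fixed crash.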

History

 [2011-05-04 19:02 UTC] aleksey dot v dot korzun at gmail dot com
Possibly x64 related
 [2011-06-05 03:38 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=311817
Log: - Possible fix for bug #54609 (Certain implementation(s) of SplFixedArray cause hard crash)
 [2011-06-05 03:38 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-06-05 03:38 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
For Windows:

  http://windows.php.net/snapshots/
 [2011-06-07 03:24 UTC] aleksey dot v dot korzun at gmail dot com
-Status: Feedback +Status: Open
 [2011-06-07 03:24 UTC] aleksey dot v dot korzun at gmail dot com
Fix is confirmed on my end.

Thank you!
 [2011-06-07 03:26 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-06-07 03:26 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.

Thank you! :)
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 00:02:04 2014 UTC