Bug #55288 usort segfaults
Submitted: 2011-07-26 19:19 UTC Modified: 2011-07-29 15:58 UTC
Votes:5
Avg. Score:4.0 ± 0.6
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:5 (100.0%)
From: jstephens at qualtrics dot com Assigned: laruence (profile)
Status: Closed Package: Arrays related
PHP Version: 5.3.6 OS: Linux
Private report: No CVE-ID: None
 [2011-07-26 19:19 UTC] jstephens at qualtrics dot com
Description:
------------
usort and uksort (and possibly other related functions) will segfault with the given script. I believe it is related to Zend's internal array "copy-on-write".

Test script:
---------------
<?php
class X {
	function __construct($v) { $this->v = $v; }
}

// $list is taken by reference, and the comparator closure captures the
// same $list by value, so two handles to the array exist while usort()
// reorders it in place.
function sortIt(&$list) {
	usort($list, function($a, $b) use ($list) {
		return $a->v - $b->v;
	});
}

$list = array();
for($i = 0; $i < 10; ++$i) $list[mt_rand()] = new X(mt_rand());

echo "Sort...";
sortIt($list);
gc_collect_cycles(); // segfault
echo "pass.\n";


Expected result:
----------------
"Sort...pass."

Actual result:
--------------
"Sort...Segmentation fault"

[dev@box dev]$ php --version
PHP 5.3.6 (cli) (built: Mar 17 2011 19:14:03) 
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with Xdebug v2.1.1, Copyright (c) 2002-2011, by Derick Rethans
[dev@box dev]$ gdb php
<snip>
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) run usortCrash.php
Starting program: /usr/bin/php usortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000005db586 in ?? ()
(gdb) bt
#0  0x00000000005db586 in ?? ()
#1  0x00000000005db610 in ?? ()
#2  0x00000000005dbef5 in gc_collect_cycles ()
#3  0x00000000005cee1d in ?? ()
#4  0x00002aaaae139d0a in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#5  0x00000000005e669d in ?? ()
#6  0x00000000005e5dcb in execute ()
#7  0x00002aaaae13998e in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#8  0x00000000005bf395 in zend_execute_scripts ()
#9  0x000000000056f628 in php_execute_script ()
#10 0x0000000000648ce0 in ?? ()
#11 0x00000033ad41d994 in __libc_start_main () from /lib64/libc.so.6
#12 0x0000000000422009 in _start ()


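The crash above is a fault inside the engine's cycle collector reachable from ordinary script, which matters on any host that runs code from several authors. The following is an added example, not code from the bug report or from PHP itself: it performs the same sort without the pattern the report exercises (a by-reference array that the comparator closure also captures with `use ($list)`), and adds a check that the result is actually ordered. Function names (sortItSafe, sortItDescending, isSortedByV) are this example's own; that the plain-value capture in sortItDescending is safe on the affected build is an assumption, since the report only tested the `use ($list)` form, so verify it with the same gdb run before relying on it.

```php
<?php
// Added example (not from the bug report): the same sort written so that
// the comparator never holds a second handle on the array that usort()
// is rearranging in place.

class X {
    public $v;
    function __construct($v) { $this->v = $v; }
}

function sortItSafe(array &$list) {
    // No `use ($list)`: the closure needs nothing but its two arguments.
    usort($list, function ($a, $b) {
        // Explicit three-way compare rather than `$a->v - $b->v`, which
        // overflows the integer range for large values.
        if ($a->v == $b->v) {
            return 0;
        }
        return ($a->v < $b->v) ? -1 : 1;
    });
}

// When the callback genuinely needs outside state, capture a plain value
// that is not the array being sorted (assumption: this form does not hit
// the crash; the report only exercised `use ($list)`).
function sortItDescending(array &$list, $descending) {
    usort($list, function ($a, $b) use ($descending) {
        if ($a->v == $b->v) {
            return 0;
        }
        $cmp = ($a->v < $b->v) ? -1 : 1;
        return $descending ? -$cmp : $cmp;
    });
}

// usort() reindexes the array, so a simple positional scan verifies order.
function isSortedByV(array $list) {
    for ($i = 1; $i < count($list); ++$i) {
        if ($list[$i - 1]->v > $list[$i]->v) {
            return false;
        }
    }
    return true;
}

// Same driver as the report, with a fixed seed so runs are comparable
// (constructed input, not data from the report).
mt_srand(42);
$list = array();
for ($i = 0; $i < 10; ++$i) {
    $list[mt_rand()] = new X(mt_rand());
}

echo "Sort...";
sortItSafe($list);
gc_collect_cycles();            // the call that faulted in the report
echo isSortedByV($list) ? "pass.\n" : "FAIL: not sorted.\n";

sortItDescending($list, true);
gc_collect_cycles();
echo isSortedByV(array_reverse($list)) ? "pass (desc).\n" : "FAIL: not sorted (desc).\n";
```

Run it under the same debug build and gdb session as the report; if only the original script faults, the `use ($list)` capture is the trigger to remove from affected code.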
 [2011-07-27 06:27 UTC] laruence@php.net
I cannot reproduce the segfault with your test script in my environment, and I noticed that you have Xdebug installed; please remove all other PHP extensions, then check whether this bug still exists. Thanks.
 [2011-07-27 14:13 UTC] jstephens at qualtrics dot com
I disabled all my extensions but, unfortunately, no dice.
I might add, we haven't been able to reproduce it with PHP versions before 5.3.6.

(gdb) run usortCrash.php
Starting program: /usr/bin/php usortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000005db586 in ?? ()
(gdb) bt
#0  0x00000000005db586 in ?? ()
#1  0x00000000005db610 in ?? ()
#2  0x00000000005dbef5 in gc_collect_cycles ()
#3  0x00000000005cee1d in ?? ()
#4  0x00000000005e6869 in ?? ()
#5  0x00000000005e5dcb in execute ()
#6  0x00000000005bf395 in zend_execute_scripts ()
#7  0x000000000056f628 in php_execute_script ()
#8  0x0000000000648ce0 in ?? ()
#9  0x00000033ad41d994 in __libc_start_main () from /lib64/libc.so.6
#10 0x0000000000422009 in _start ()
 [2011-07-27 14:35 UTC] jstephens at qualtrics dot com
I just downloaded and compiled 5.3.6 from the website using "./configure --enable-debug=yes" on a different machine (Ubuntu 11.04 x64) and was still able to reproduce it.

Here's a better backtrace:

(gdb) run uSortCrash.php
Starting program: /home/jstephens/bin/php-5.3.6/sapi/cli/php uSortCrash.php
[Thread debugging using libthread_db enabled]
Sort...
Program received signal SIGSEGV, Segmentation fault.
0x00000000007f8f2f in zval_mark_grey (pz=0xfd1ab8) at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:372
372				pz = *(zval**)p->pData;
(gdb) bt
#0  0x00000000007f8f2f in zval_mark_grey (pz=0xfd1ab8) at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:372
#1  0x00000000007f91d9 in gc_mark_roots () at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:435
#2  0x00000000007f9a8c in gc_collect_cycles () at /home/jstephens/bin/php-5.3.6/Zend/zend_gc.c:664
#3  0x00000000007e751d in zif_gc_collect_cycles (ht=0, return_value=0xfd93e0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/jstephens/bin/php-5.3.6/Zend/zend_builtin_functions.c:337
#4  0x000000000080751c in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7ebe090) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:316
#5  0x000000000080ba8b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7ebe090) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:1606
#6  0x0000000000806a1a in execute (op_array=0xff1800) at /home/jstephens/bin/php-5.3.6/Zend/zend_vm_execute.h:107
#7  0x00000000007d4053 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jstephens/bin/php-5.3.6/Zend/zend.c:1194
#8  0x000000000075e583 in php_execute_script (primary_file=0x7fffffffdf70) at /home/jstephens/bin/php-5.3.6/main/main.c:2268
#9  0x00000000008b47dd in main (argc=2, argv=0x7fffffffe1d8) at /home/jstephens/bin/php-5.3.6/sapi/cli/php_cli.c:1193
 [2011-07-29 08:35 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2011-07-29 08:35 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

Please try using this snapshot:

 http://snaps.php.net/php5.3-201107290830.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/
 [2011-07-29 14:25 UTC] jstephens at qualtrics dot com
-Status: Feedback +Status: Open
 [2011-07-29 14:25 UTC] jstephens at qualtrics dot com
I tried php5.3-201107291230 and php5.3-201107290830 and they both worked.
 [2011-07-29 15:34 UTC] laruence@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: laruence
 [2011-07-29 15:34 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-07-29 15:58 UTC] laruence@php.net
-Status: Assigned +Status: Closed