php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60082 100% CPU / when using references with ArrayObject(&$ref).
Submitted: 2011-10-17 22:30 UTC Modified: 2011-11-18 05:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tklingenberg at lastflood dot net Assigned: helly
Status: Closed Package: SPL related
PHP Version: 5.3.8 OS: GNU/Linux
Private report: No CVE-ID:
 [2011-10-17 22:30 UTC] tklingenberg at lastflood dot net
Description:
------------
100% CPU / when using references with ArrayObject(&$ref).

Passing a copy works.

Test script:
---------------
$test = array();
$test = new ArrayObject(&$test);
$test['a'] = $test['b'];

or:

$GLOBALS = new ArrayObject(&$GLOBALS);
$a = $GLOBALS['b'];

Expected result:
----------------
Set $test['a'] or $a to NULL with an undefined offset/index warning.

Actual result:
--------------
Endless Loop / CPU goes up 100% and stays.

Patches

recursion-detection (last revision 2011-10-20 05:44 UTC) by tony2001@php.net)
bug60082.phpt (last revision 2011-10-18 12:51 UTC) by laruence@php.net)
bug60082.patch (last revision 2011-10-18 12:46 UTC) by laruence@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-10-18 09:38 UTC] laruence@php.net
$test = new ArrayObject(&$test) will make the intern->array a object;

thus, there will be a infinite loop between spl_array_get_properties and 
spl_array_get_hash_table(call to HASH_OF which will call to 
spl_array_get_properties).  then PHP will segfault due to stack overflow...

I have tried to use SEPARATE_ARG_IF_REF to fix this segfault, but there is a 
test faild (ext/spl/tests/array_004.phpt)

thanks
 [2011-10-18 12:46 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60082.patch
Revision:   1318941980
URL:        https://bugs.php.net/patch-display.php?bug=60082&patch=bug60082.patch&revision=1318941980
 [2011-10-18 12:51 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60082.phpt
Revision:   1318942263
URL:        https://bugs.php.net/patch-display.php?bug=60082&patch=bug60082.phpt&revision=1318942263
 [2011-10-19 02:09 UTC] laruence@php.net
-Assigned To: +Assigned To: helly
 [2011-10-19 02:09 UTC] laruence@php.net
helly, plz look at this. thanks :)
 [2011-10-19 02:28 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=318204
Log: Test for #60082
 [2011-10-20 05:44 UTC] tony2001@php.net
The following patch has been added/updated:

Patch Name: recursion-detection
Revision:   1319089482
URL:        https://bugs.php.net/patch-display.php?bug=60082&patch=recursion-detection&revision=1319089482
 [2011-10-20 05:46 UTC] tony2001@php.net
I'd suggest to try to detect recursion in this case. Unfortunately, I don't see any way to do it except by adding another field to spl_array internal struct. But on the other hand, this struct is not used anywhere except spl_array.c itself, so it should be fine.
The patch is attached.
 [2011-10-20 12:22 UTC] laruence@php.net
hmm, your patch seems better, agree.
 [2011-11-01 10:10 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&revision=318635
Log: marking ext/spl/tests/bug60082.phpt as slow test
 [2011-11-18 05:22 UTC] tony2001@php.net
Automatic comment from SVN on behalf of tony2001
Revision: http://svn.php.net/viewvc/?view=revision&revision=319432
Log: fix bug #60082 (Crash in ArrayObject() when using recursive references)
--Tis line, and those below, will be ignored--

M    trunk/ext/spl/spl_array.c
M    branches/PHP_5_4/ext/spl/spl_array.c
M    branches/PHP_5_3/ext/spl/spl_array.c
M    branches/PHP_5_3/NEWS
 [2011-11-18 05:22 UTC] tony2001@php.net
-Status: Assigned +Status: Closed
 [2011-11-18 05:22 UTC] tony2001@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-10 12:06 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b2f2e1d6ccf5e4e282799c6639548833d766985a
Log: Fix bug #61659 Test ext\spl\tests\bug60082.phpt fails
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b40dabc8cfed3bba51251be2fcf4659eaaa2ce5
Log: fix bug #60082 (Crash in ArrayObject() when using recursive references) --Tis line, and those below, will be ignored--
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b40dabc8cfed3bba51251be2fcf4659eaaa2ce5
Log: fix bug #60082 (Crash in ArrayObject() when using recursive references) --Tis line, and those below, will be ignored--
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b40dabc8cfed3bba51251be2fcf4659eaaa2ce5
Log: fix bug #60082 (Crash in ArrayObject() when using recursive references) --Tis line, and those below, will be ignored--
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 06:02:27 2014 UTC