Bug #61273 call_user_func_array with more than 16333 arguments leaks / crashes
Submitted: 2012-03-04 15:24 UTC Modified: 2012-03-11 15:29 UTC
From: nikic@php.net Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.4SVN-2012-03-04 (SVN) OS:
Private report: No CVE-ID:
 [2012-03-04 15:24 UTC] nikic@php.net
Description:
------------
The following code:

call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));

Produces this output:

Warning: Parameter 1 to {closure}() expected to be a reference, value given in Command line code on line 1
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) :  Freeing 0xB72FC03C (36 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location was relayed)
Last leak repeated 16333 times
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) :  Freeing 0xB744103C (65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) :  Freeing 0xB74C0D50 (44 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location (location was relayed)
Last leak repeated 1 time
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) :  Freeing 0xB78560A8 (20 bytes), script=-
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) :  Freeing 0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location (location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) :  Freeing 0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===

If you do some more stuff after the call, PHP will eventually segfault.

This only happens if the *first* argument of the callback is by-ref and only happens after a certain number of arguments (for me it starts with 16334). That's why I guess that this has something to do with http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 (as it is only for large argument numbers).
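The report above identifies the two trigger conditions (a by-ref first parameter and enough arguments to force the engine to grow its argument stack). The following regression check, added here and not part of the bug report or php-src, exercises exactly those conditions repeatedly and watches memory_get_usage() for per-call growth; the 16334 argument count is the one nikic reported, and the growth threshold is an assumption chosen to ignore allocator noise.

```php
<?php
// Added example: a leak regression check for call_user_func_array with a
// by-ref first parameter and an argument count large enough to resize the
// engine's argument stack. On an affected build every call leaks the
// copied arguments, so usage grows linearly with the number of rounds;
// on a fixed build usage settles after the warm-up call.
function check_many_byref_args_leak(int $count = 16334, int $rounds = 20): array
{
    // By-ref first parameter: the condition the report singles out.
    $callback = function (&$first) {
        // Body is irrelevant; the leak is in the call machinery.
    };
    $args = array_fill(0, $count, '*');

    // Warm-up call so one-off allocator growth is not counted as a leak.
    // The "expected to be a reference, value given" warning is expected
    // on affected builds and is suppressed to keep the output readable.
    @call_user_func_array($callback, $args);
    $before = memory_get_usage();

    for ($i = 0; $i < $rounds; $i++) {
        @call_user_func_array($callback, $args);
    }
    $after = memory_get_usage();

    $grown = $after - $before;
    return [
        'bytes_grown'     => $grown,
        'bytes_per_round' => intdiv($grown, $rounds),
        // Assumed threshold: sustained growth of more than 1 KiB per call
        // is treated as a leak; jitter from the allocator stays well below.
        'leaking'         => intdiv($grown, $rounds) > 1024,
    ];
}

$result = check_many_byref_args_leak();
printf(
    "Memory grown over %d calls: %d bytes (%d per call) -> %s\n",
    20,
    $result['bytes_grown'],
    $result['bytes_per_round'],
    $result['leaking'] ? 'LEAK DETECTED' : 'ok'
);
exit($result['leaking'] ? 1 : 0);
```

Run it with a debug build of PHP (report_memleaks=On) to also get the "Freeing ..." listing shown above at script end, which pins the leak to the call site.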


Patches

call_user_func_array.patch (last revision 2012-03-04 16:00 UTC by nikic@php.net)


Pull Requests


History

 [2012-03-04 15:33 UTC] nikic@php.net
Just checked with gdb and it seems that this indeed only happens if the stack is resized.
 [2012-03-04 15:53 UTC] nikic@php.net
The issue is indeed the if(i). Commenting it out fixes the problem.
 [2012-03-04 16:00 UTC] nikic@php.net
The following patch has been added/updated:

Patch Name: call_user_func_array.patch
Revision:   1330876827
URL:        https://bugs.php.net/patch-display.php?bug=61273&patch=call_user_func_array.patch&revision=1330876827
 [2012-03-04 17:44 UTC] pajoye@php.net
Can you take a look please?
 [2012-03-04 17:44 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2012-03-11 15:28 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=324108
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
 [2012-03-11 15:29 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-03-11 15:29 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
 [2012-07-24 23:36 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a38ffd57051954d2081f13f3db9e024465aa15b3
Log: Fixed bug #61273 (call_user_func_array with more than 16333 arguments leaks / crashes)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 16:02:22 2014 UTC