php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61730 Segfault from array_walk modifying an array passed by reference
Submitted: 2012-04-13 20:25 UTC Modified: 2012-05-06 12:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: joe dot lencioni at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 5.3.10 OS: 2.6.32-131.0.15.el6.x86_64
Private report: No CVE-ID:
 [2012-04-13 20:25 UTC] joe dot lencioni at gmail dot com
Description:
------------
The following code produces a segmentation fault.

Interestingly, if I remove either the unset or the modifying of the array values, it 
seems to work fine. Also, this only segfaults when the size of the array is larger. At 
1000 or lower, it worked fine.

We are using Xdebug 2.2.0rc1

gdb backtrace:

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
[New Thread 8825]
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/libedit.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libedit.so.0
Reading symbols from /lib64/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libncurses.so.5
Reading symbols from /usr/lib64/libgmp.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgmp.so.3
Reading symbols from /lib64/libbz2.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libbz2.so.1
Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /lib64/libpcre.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib64/libpcre.so.0
Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/librt.so.1
Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /usr/lib64/libxml2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libxml2.so.2
Reading symbols from /lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgssapi_krb5.so.2
Reading symbols from /lib64/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkrb5.so.3
Reading symbols from /lib64/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib64/libk5crypto.so.3
Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libssl.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libssl.so.10
Reading symbols from /usr/lib64/libcrypto.so.10...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libcrypto.so.10
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libfreebl3.so...(no debugging symbols found)...done.
Loaded symbols for /lib64/libfreebl3.so
Reading symbols from /lib64/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib64/libtinfo.so.5
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /usr/lib64/php/modules/xdebug.so...done.
Loaded symbols for /usr/lib64/php/modules/xdebug.so
Reading symbols from /usr/lib64/php/modules/apc.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/apc.so
Reading symbols from /usr/lib64/php/modules/curl.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/curl.so
Reading symbols from /usr/lib64/libcurl.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libcurl.so.4
Reading symbols from /lib64/libidn.so.11...(no debugging symbols found)...done.
Loaded symbols for /lib64/libidn.so.11
Reading symbols from /lib64/libldap-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libldap-2.4.so.2
Reading symbols from /usr/lib64/libssl3.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libssl3.so
Reading symbols from /usr/lib64/libsmime3.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsmime3.so
Reading symbols from /usr/lib64/libnss3.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libnss3.so
Reading symbols from /usr/lib64/libnssutil3.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libnssutil3.so
Reading symbols from /lib64/libplds4.so...(no debugging symbols found)...done.
Loaded symbols for /lib64/libplds4.so
Reading symbols from /lib64/libplc4.so...(no debugging symbols found)...done.
Loaded symbols for /lib64/libplc4.so
Reading symbols from /lib64/libnspr4.so...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnspr4.so
Reading symbols from /usr/lib64/libssh2.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libssh2.so.1
Reading symbols from /lib64/liblber-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/liblber-2.4.so.2
Reading symbols from /usr/lib64/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsasl2.so.2
Reading symbols from /usr/lib64/php/modules/dom.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/dom.so
Reading symbols from /usr/lib64/php/modules/fileinfo.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/fileinfo.so
Reading symbols from /usr/lib64/php/modules/gd.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/php/modules/gd.so
Reading symbols from /usr/lib64/libt1.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libt1.so.5
Reading symbols from /usr/lib64/libfreetype.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libfreetype.so.6
Reading symbols from /usr/lib64/libX11.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libX11.so.6
Reading symbols from /usr/lib64/libXpm.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libXpm.so.4
Reading symbols from /usr/lib64/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libpng12.so.0
Reading symbols from /usr/lib64/libjpeg.so.62...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libjpeg.so.62
Reading symbols from /usr/lib64/libxcb.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libxcb.so.1
Reading symbols from /usr/lib64/libXau.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libXau.so.6
Reading symbols from /usr/lib64/php/modules/json.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/json.so
Reading symbols from /usr/lib64/php/modules/ldap.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/ldap.so
Reading symbols from /usr/lib64/php/modules/mbstring.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/mbstring.so
Reading symbols from /usr/lib64/php/modules/mcrypt.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/mcrypt.so
Reading symbols from /usr/lib64/libmcrypt.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libmcrypt.so.4
Reading symbols from /usr/lib64/libltdl.so.7...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libltdl.so.7
Reading symbols from /usr/lib64/php/modules/mssql.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/mssql.so
Reading symbols from /usr/lib64/libsybdb.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsybdb.so.5
Reading symbols from /usr/lib64/libgnutls.so.26...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgnutls.so.26
Reading symbols from /lib64/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgcrypt.so.11
Reading symbols from /usr/lib64/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libtasn1.so.3
Reading symbols from /lib64/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgpg-error.so.0
Reading symbols from /usr/lib64/php/modules/mysql.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/mysql.so
Reading symbols from /usr/lib64/mysql/libmysqlclient.so.18...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/mysql/libmysqlclient.so.18
Reading symbols from /usr/lib64/libstdc++.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libstdc++.so.6
Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libgcc_s.so.1
Reading symbols from /usr/lib64/php/modules/mysqli.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/mysqli.so
Reading symbols from /usr/lib64/php/modules/odbc.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/odbc.so
Reading symbols from /usr/lib64/libodbc.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libodbc.so.2
Reading symbols from /usr/lib64/php/modules/pdo.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pdo.so
Reading symbols from /usr/lib64/php/modules/pdo_dblib.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pdo_dblib.so
Reading symbols from /usr/lib64/php/modules/pdo_mysql.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pdo_mysql.so
Reading symbols from /usr/lib64/php/modules/pdo_odbc.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pdo_odbc.so
Reading symbols from /usr/lib64/php/modules/pdo_sqlite.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pdo_sqlite.so
Reading symbols from /usr/lib64/libsqlite3.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libsqlite3.so.0
Reading symbols from /usr/lib64/php/modules/phar.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/phar.so
Reading symbols from /usr/lib64/php/modules/pspell.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/pspell.so
Reading symbols from /usr/lib64/libaspell.so.15...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libaspell.so.15
Reading symbols from /usr/lib64/libpspell.so.15...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libpspell.so.15
Reading symbols from /usr/lib64/php/modules/soap.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/soap.so
Reading symbols from /usr/lib64/php/modules/sqlite3.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/sqlite3.so
Reading symbols from /usr/lib64/php/modules/stats.so...done.
Loaded symbols for /usr/lib64/php/modules/stats.so
Reading symbols from /usr/lib64/php/modules/wddx.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/wddx.so
Reading symbols from /usr/lib64/php/modules/xmlreader.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/xmlreader.so
Reading symbols from /usr/lib64/php/modules/xmlwriter.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/xmlwriter.so
Reading symbols from /usr/lib64/php/modules/xsl.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/xsl.so
Reading symbols from /usr/lib64/libexslt.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libexslt.so.0
Reading symbols from /usr/lib64/libxslt.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libxslt.so.1
Reading symbols from /usr/lib64/php/modules/zip.so...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib64/php/modules/zip.so
Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_files.so.2
Core was generated by `php segfault.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005bb5e2 in zend_hash_get_current_data_ex ()
Missing separate debuginfos, use: debuginfo-install php-cli-5.3.10-2.el6.remi.x86_64
(gdb) bt
#0  0x00000000005bb5e2 in zend_hash_get_current_data_ex ()
#1  0x00000000004f0d98 in ?? ()
#2  0x00000000004f1538 in ?? ()
#3  0x00007fdc92cbc367 in xdebug_execute_internal (current_execute_data=0x7fdc4a547050,
    return_value_used=0) at /var/tmp/xdebug/xdebug.c:1468
#4  0x00000000005fda96 in ?? ()
#5  0x00000000005d5310 in execute ()
#6  0x00007fdc92cbcac9 in xdebug_execute (op_array=0x2276040) at 
/var/tmp/xdebug/xdebug.c:1376
#7  0x00000000005aee5d in zend_execute_scripts ()
#8  0x000000000055c0f8 in php_execute_script ()
#9  0x0000000000639b57 in ?? ()
#10 0x0000003c7601ecdd in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000422319 in _start ()

Test script:
---------------
$myArray = array_fill(0, 10000, md5('test'));

array_walk(
    $myArray,
    function($value, $key, $myArray)
    {
      if (rand(0, 1)) {
        unset($myArray[$key]);
      } else if (rand(0, 1)) {
        $myArray[$key] = md5(rand(0, 10000));
      }
    },
    &$myArray
);

Expected result:
----------------
No segmentation fault

Actual result:
--------------
Segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-04-14 02:55 UTC] aharvey@php.net
Does the crash only occur if xdebug is installed?

Also, can you please generate the backtrace again with the relevant debuginfo 
package installed?
 [2012-04-14 02:55 UTC] aharvey@php.net
-Status: Open +Status: Feedback -Package: Arrays related +Package: Reproducible crash
 [2012-04-16 18:02 UTC] joe dot lencioni at gmail dot com
-Status: Feedback +Status: Open
 [2012-04-16 18:02 UTC] joe dot lencioni at gmail dot com
> Does the crash only occur if xdebug is installed?

No, it occurs even if xdebug is not installed. FWIW, it triggers a deprecated 
message: 
"Deprecated: Call-time pass-by-reference has been deprecated"

> Also, can you please generate the backtrace again with the relevant debuginfo 
package installed?

What debuginfo package are you referring to? I may not have the access to do 
that, but 
I'm not entirely sure I understand what you are requesting.
 [2012-05-06 11:29 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2012-05-06 11:29 UTC] laruence@php.net
you are alter the array while iterating the array self. segfault is reasonable.
 [2012-05-06 11:44 UTC] laruence@php.net
a more proper test script without trigger the warning:

$myArray = array_fill(0, 10, 1);

array_walk(
    $myArray,
    function($value, $key) use (&$myArray)
    {
        unset($myArray[$key]);
    }
);
 [2012-05-06 12:03 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7ccd5943924fd4ad9adcad1fbc547adc79114bff
Log: Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)
 [2012-05-06 12:30 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7ccd5943924fd4ad9adcad1fbc547adc79114bff
Log: Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)
 [2012-05-06 12:31 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7ccd5943924fd4ad9adcad1fbc547adc79114bff
Log: Fixed bug #61730 (Segfault from array_walk modifying an array passed by reference)
 [2012-05-06 12:42 UTC] laruence@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2012-05-06 12:42 UTC] laruence@php.net
-Status: Wont fix +Status: Closed -Assigned To: +Assigned To: laruence
 [2012-05-06 12:42 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 14:02:33 2014 UTC