Bug #62616 ArrayIterator::count() from IteratorIterator instance gives Segmentation fault
Submitted: 2012-07-20 08:07 UTC Modified: 2012-07-21 14:44 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: zoeslam at gmail dot com Assigned: laruence
Status: Closed Package: SPL related
PHP Version: 5.4.5 OS: Ubuntu 12.04
Private report: No CVE-ID:
 [2012-07-20 08:07 UTC] zoeslam at gmail dot com
Description:
------------
The code explains all, no idea why it happens.

Verified on Ubuntu and Slackware, both on PHP 5.4.3, PHP 5.4.4, PHP 5.4.5.

Test script:
---------------
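<?php
// Calling count() directly on the ArrayIterator works.
$ai = new ArrayIterator(array(0,1));

var_dump($ai->count());

// IteratorIterator has no count() of its own; the call is resolved on the inner iterator's class.
$ii = new IteratorIterator($ai);

var_dump($ii->count());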


Expected result:
----------------
int(2)
int(2)

Actual result:
--------------
int(2)
int(2)
Segmentation fault

 [2012-07-20 08:13 UTC] vanidlesky dot jr at gmail dot com
VanZCool
 [2012-07-20 11:54 UTC] fa@php.net
Reproducible on Debian wheezy with 5.4.0 and 5.4.5.
 [2012-07-20 12:54 UTC] fa@php.net
BT

#0  0x00007fdfaf4221d8 in ?? ()
#1  0x0000000000594a41 in spl_dual_it_free (intern=0x7fdfaf53fa20) at /opt/src/php-5.4.5/ext/spl/spl_iterators.c:1585
#2  spl_dual_it_dtor (_object=0x7fdfaf53fa20, handle=<optimized out>) at /opt/src/php-5.4.5/ext/spl/spl_iterators.c:2237
#3  0x00000000006a7b20 in zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=<optimized out>) at /opt/src/php-5.4.5/Zend/zend_objects_API.c:206
#4  0x00000000006a7b63 in zend_objects_store_del_ref (zobject=0x7fdfaf53f990) at /opt/src/php-5.4.5/Zend/zend_objects_API.c:172
#5  0x0000000000674082 in _zval_dtor (zvalue=<optimized out>) at /opt/src/php-5.4.5/Zend/zend_variables.h:35
#6  _zval_ptr_dtor (zval_ptr=0x7fdfaf53fb30) at /opt/src/php-5.4.5/Zend/zend_execute_API.c:438
#7  _zval_ptr_dtor (zval_ptr=0x7fdfaf53fb30) at /opt/src/php-5.4.5/Zend/zend_execute_API.c:427
#8  0x000000000068e28b in zend_hash_apply_deleter (ht=ht@entry=0xd34508, p=p@entry=0x7fdfaf53fb18) at /opt/src/php-5.4.5/Zend/zend_hash.c:650
#9  0x000000000068fdd1 in zend_hash_reverse_apply (ht=0xd34508, apply_func=apply_func@entry=0x673f10 <zval_call_destructor>) at /opt/src/php-5.4.5/Zend/zend_hash.c:804
#10 0x000000000067438b in shutdown_destructors () at /opt/src/php-5.4.5/Zend/zend_execute_API.c:217
#11 0x00000000006826c0 in zend_call_destructors () at /opt/src/php-5.4.5/Zend/zend.c:925
#12 0x0000000000624805 in php_request_shutdown (dummy=dummy@entry=0x0) at /opt/src/php-5.4.5/main/main.c:1723
#13 0x0000000000726004 in do_cli (argc=2, argv=0x7fff5ea442f8) at /opt/src/php-5.4.5/sapi/cli/php_cli.c:1174
#14 0x0000000000428455 in main (argc=2, argv=0x7fff5ea442f8) at /opt/src/php-5.4.5/sapi/cli/php_cli.c:1364
 [2012-07-20 13:17 UTC] fa@php.net
-Status: Open +Status: Verified
 [2012-07-20 13:57 UTC] jpauli@php.net
I can reproduce on 5.3.14

I can only reproduce calling the method directly.
Calling count($ii) instead of $ii->count() won't segfault
 [2012-07-20 17:27 UTC] laruence@php.net
I've found the reason, but it seems not easy to fix.

$ii->count will finally call arrayObject->count (due to the implementation of spl_dual_it_get_method).

But arrayObject->count will take the object as a spl_array_object, which is a totally different struct from spl_dual_it_object; then in spl_array_object_count_elements_helper it will mess up the object struct (via update pos).
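
The layout mismatch described in the comment above, as a simplified C model added here (not php-src code and not the committed fix). All struct and function names are hypothetical; the two layouts sit in a union so the mis-typed access stays well-defined, and the checked path shows a receiver class check before the layout is trusted.

```c
#include <stdio.h>

/* Simplified model, not php-src: two object layouts behind one class tag. */
enum cls { CLS_ARRAY, CLS_WRAPPER };
struct array_obj   { enum cls ce; int nelems; int pos; };        /* ~ spl_array_object */
struct wrapper_obj { enum cls ce; int inner;  int dtor_state; }; /* ~ spl_dual_it_object */
union obj { enum cls ce; struct array_obj a; struct wrapper_obj w; };

static union obj heap[2];              /* object store indexed by handle */

static void reset_heap(void) {
    heap[0].a = (struct array_obj){ CLS_ARRAY, 2, 1 };        /* two elements */
    heap[1].w = (struct wrapper_obj){ CLS_WRAPPER, 0, 0x5A }; /* wraps handle 0 */
}

/* Method body written for CLS_ARRAY receivers only. */
static int array_count(union obj *self) {
    self->a.pos = 0;                   /* cursor update: a write through the assumed layout */
    return self->a.nelems;
}

/* Flawed dispatch: method found on the inner class, receiver stays the wrapper. */
int call_count_confused(int handle) {
    reset_heap();
    return array_count(&heap[handle]);
}

/* Checked dispatch: rebind to the inner object, then verify its class. */
int call_count_checked(int handle, int *count) {
    reset_heap();
    union obj *self = &heap[handle];
    if (self->ce == CLS_WRAPPER)
        self = &heap[self->w.inner];
    if (self->ce != CLS_ARRAY)
        return -1;                     /* refuse a receiver of the wrong class */
    *count = array_count(self);
    return 0;
}

int wrapper_state(void) { return heap[1].w.dtor_state; }

int main(void) {
    int n = -1;
    int bad = call_count_confused(1);
    printf("confused: count=%d wrapper state=0x%X\n", bad, (unsigned)wrapper_state());
    int rc = call_count_checked(1, &n);
    printf("checked:  rc=%d count=%d wrapper state=0x%X\n", rc, n, (unsigned)wrapper_state());
    return 0;
}
```

In the confused call the wrapper's own field is overwritten and the returned count is wrong; in the model nothing fails until that field is next used, which matches the report's crash appearing only at destructor time.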
 [2012-07-20 17:33 UTC] laruence@php.net
-Assigned To: +Assigned To: colder
 [2012-07-21 08:31 UTC] zoeslam at gmail dot com
I've discovered a similar misbehaviour:

https://bugs.php.net/bug.php?id=62629
 [2012-07-21 14:43 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0c996613c0173708381f4bfcd28d2441360bc701
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
 [2012-07-21 14:44 UTC] laruence@php.net
-Status: Verified +Status: Closed -Assigned To: colder +Assigned To: laruence
 [2012-07-21 14:44 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-07-21 15:25 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc30524c89fa2255944dc3c70f8d41a6c23faa2a
Log: Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault)
 
Last updated: Wed Apr 16 10:02:09 2014 UTC