Bug #68059 array_shift segfaults
Submitted: 2014-09-19 21:42 UTC Modified: 2017-10-24 08:25 UTC
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:0 (0.0%)
From: rrh at newrelic dot com Assigned:
Status: Suspended Package: xhprof (PECL)
PHP Version: 5.6.0 OS: ubuntu 14.04
Private report: No CVE-ID: None


 [2014-09-19 21:42 UTC] rrh at newrelic dot com
If xhprof is enabled and PHP 5.6 executes the PHP function array_shift, then the guts of _phpi_pop indirect through 0 for the return_value_ptr, resulting in a segfault.

The xhprof call through ->handler passes a 3rd argument which is the result of evaluating the C code:
  (EX(function_state).function->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ? &retvar->var.ptr : NULL
and for the case of the array_shift function, this passes NULL as the value of return_value_ptr in the environment of array_shift.

For PHP 5.6, and apparently PHP 5.6 only, the implementation of array_shift calls _phpi_pop, which invokes the macro RETVAL_ZVAL_FAST, which has a code path that stores through return_value_ptr without doing any checking for null pointers.

There are a handful of uses of RETVAL_ZVAL_FAST in PHP 5.6, all(?) related to array manipulation or iteration.
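
Added example, not part of the original report and not xhprof or PHP source: a simplified C model of the call pattern described above, showing a hook that passes NULL for return_value_ptr next to one that always passes a valid slot. All `model_*` and `hook_*` names are hypothetical, and where the report says the real macro stores through a null pointer, the model returns a sentinel so the program can run.

```c
#include <stddef.h>

/* Simplified stand-ins, not PHP's real definitions. */
typedef struct { int refcount; int is_ref; long value; } model_zval;
#define MODEL_ACC_RETURN_REFERENCE 0x1 /* plays the role of ZEND_ACC_RETURN_REFERENCE */
#define MODEL_NULL_STORE (-1)          /* marks the point where the real code faults */

/* Models the fast-return path: a non-reference value is returned by
 * swapping the caller's slot pointer rather than copying the value. */
static int model_fast_return(model_zval *return_value,
                             model_zval **return_value_ptr,
                             model_zval *elem)
{
    if (elem->is_ref) {               /* other path (simplified): copy the value */
        return_value->value = elem->value;
        return 0;
    }
    if (return_value_ptr == NULL)     /* the check the report says is missing */
        return MODEL_NULL_STORE;
    elem->refcount++;
    *return_value_ptr = elem;         /* store through the slot pointer */
    return 0;
}

/* Hook as described in the report: slot pointer only for by-reference returns. */
static int hook_conditional(unsigned fn_flags, model_zval *elem, long *out)
{
    model_zval tmp = {1, 0, 0}, *slot = &tmp;
    int rc = model_fast_return(slot,
        (fn_flags & MODEL_ACC_RETURN_REFERENCE) ? &slot : NULL, elem);
    if (rc == 0) *out = slot->value;
    return rc;
}

/* Defensive variant (an assumption, not a fix from the report):
 * always hand the callee a valid slot pointer. */
static int hook_always_slot(model_zval *elem, long *out)
{
    model_zval tmp = {1, 0, 0}, *slot = &tmp;
    int rc = model_fast_return(slot, &slot, elem);
    if (rc == 0) *out = slot->value;
    return rc;
}

/* Constructed input: a plain (non-reference) array element holding 42. */
static model_zval sample_elem(void) { model_zval z = {1, 0, 42}; return z; }
```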


 [2017-10-24 08:25 UTC]
-Status: Open +Status: Suspended
 [2017-10-24 08:25 UTC]
This package has not had a release for over 4 years, and the last bit of git activity was over 2 years ago, so I think it's safe to say this extension is no longer in active development. If development picks back up, then please re-open this report.