Bug #71815 Segfault after 65536 empty array references
Submitted: 2016-03-13 18:38 UTC Modified: 2016-03-13 18:57 UTC
From: mihor dot cz at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.0.4 OS: CentOS 7.2.1511
Private report: No CVE-ID: None


 [2016-03-13 18:38 UTC] mihor dot cz at gmail dot com
Hello PHP team,
I managed to pinpoint one problem with PHP 7.0.4 (but I think that this problem dates from at least 7.0.0).

I don't think that there is more to explain than the simple code below.

Originally I found this problem in our large PHP code and it disappeared every time I turned off Opcache, but after pinpointing and extracting the problem into the code below, Opcache is no longer needed to segfault (so I guess that Opcache is maybe a little more sensitive to this kind of bad PHP code abuse).

My system spec:
PHP version: 7.0.4
OS: CentOS 7.2.1511
RAM: 128 GB
CPU: 2 x Intel(R) Xeon(R) CPU E5-2667 v3 @ 3.20GHz

PHP config:
Memory limit: 16 GB

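Test script:
<?php
// 65535 iterations: creates keys 65535..0 (65536 elements), completes normally
$desc = array();
for ($i = 65535; $i > 0; $i--)
	$desc[$i] = &$desc[$i - 1];
echo "still ok\n";
// One more iteration (65537 elements): segfaults on the reporter's PHP 7.0.4
$desc = array();
for ($i = 65536; $i > 0; $i--)
	$desc[$i] = &$desc[$i - 1];
echo "not ok";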

Expected result:
still ok
not ok

Actual result:
still ok
Segmentation fault


 [2016-03-13 18:57 UTC]
-Status: Open +Status: Duplicate
 [2016-03-13 18:57 UTC]
This has the same root cause as, namely the RHS of a ref assignment reallocating the array, while the LHS still holds a reference into it. We haven't found a good way to fix it yet.
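
The failure mode named in the comment above, as a simplified C model added here for illustration; it is not PHP engine code, and `toy_array`, `toy_append`, `assign_with_raw_pointer` and `assign_with_index` are hypothetical names. It generalizes the report to any growable buffer: a pointer taken for the left-hand side goes stale when evaluating the right-hand side grows the storage, while an index resolved afterwards stays valid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable storage standing in for an array's slot buffer (hypothetical model). */
typedef struct { long *slots; size_t used, cap; unsigned long moves; } toy_array;

/* Append a value and return its index. Growth copies into a new buffer and
   frees the old one, so raw pointers into the old buffer dangle afterwards. */
static size_t toy_append(toy_array *a, long v) {
    if (a->used == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 8;
        long *n = malloc(ncap * sizeof *n);
        if (!n) abort();
        if (a->slots) memcpy(n, a->slots, a->used * sizeof *n);
        free(a->slots);
        a->slots = n; a->cap = ncap; a->moves++;
    }
    a->slots[a->used] = v;
    return a->used++;
}

/* Order described in the comment: take a pointer to the LHS slot, then
   evaluate the RHS, which may grow the storage. Returns 1 when the pointer
   went stale (the write is skipped, not done on freed memory), else 0. */
static int assign_with_raw_pointer(toy_array *a) {
    size_t li = toy_append(a, 0);
    long *lhs = &a->slots[li];           /* pointer into current storage */
    unsigned long seen = a->moves;
    size_t ri = toy_append(a, 42);       /* RHS fetch; may reallocate */
    if (a->moves != seen) return 1;      /* lhs dangles now */
    *lhs = a->slots[ri];
    return 0;
}

/* Safe order: keep the LHS as an index and resolve it after the RHS. */
static long assign_with_index(toy_array *a) {
    size_t li = toy_append(a, 0);
    size_t ri = toy_append(a, 42);
    a->slots[li] = a->slots[ri];
    return a->slots[li];
}

int main(void) {
    toy_array a = {0}, b = {0};
    for (int i = 0; i < 7; i++) { toy_append(&a, i); toy_append(&b, i); }
    printf("raw pointer stale: %d\n", assign_with_raw_pointer(&a));
    printf("index-based result: %ld\n", assign_with_index(&b));
    free(a.slots); free(b.slots);
}
```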
Last updated: Wed Mar 22 04:03:45 2023 UTC