From:             nikic
Operating system: 
PHP version:      5.4SVN-2012-03-04 (SVN)
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  call_user_func_array with more than 16333 arguments leaks / crashes

Description:
------------
The following code:

call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));

Produces this output:

Warning: Parameter 1 to {closure}() expected to be a reference, value given in Command line code on line 1
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) : Freeing 0xB72FC03C (36 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location was relayed)
Last leak repeated 16333 times
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) : Freeing 0xB744103C (65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location (location was relayed)
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) : Freeing 0xB74C0D50 (44 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location (location was relayed)
Last leak repeated 1 time
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) : Freeing 0xB78560A8 (20 bytes), script=-
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) : Freeing 0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location (location was relayed)
[Sun Mar 4 16:17:15 2012] Script: '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) : Freeing 0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===

If you do some more stuff after the call PHP will eventually segfault.

This only happens if the *first* argument of the callback is by-ref and only happens after a certain number of arguments (for me it starts with 16334).

That's why I guess that this has something to do with http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 (as it is only for large argument numbers).

-- 
Edit bug report at https://bugs.php.net/bug.php?id=61273&edit=1