Bug #61273 [Com]: call_user_func_array with more than 16333 arguments leaks / crashes

Sun, 04 Mar 2012 07:33:36 -0800 

Edit report at https://bugs.php.net/bug.php?id=61273&edit=1

 ID:                 61273
 Comment by:         ni...@php.net
 Reported by:        ni...@php.net
 Summary:            call_user_func_array with more than 16333 arguments
                     leaks / crashes
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 PHP Version:        5.4SVN-2012-03-04 (SVN)
 Block user comment: N
 Private report:     N

 New Comment:

Just checked with gdb and it seems that this indeed only happens if the stack 
is resized.


Previous Comments:
------------------------------------------------------------------------
[2012-03-04 15:24:11] ni...@php.net

Description:
------------
The following code:

call_user_func_array(function(&$a) {}, $array = array_fill(0, 16334, "*"));

Produces this output:

Warning: Parameter 1 to {closure}() expected to be a reference, value given in 
Command line code on line 1
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(832) :  Freeing 0xB72FC03C (36 
bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(412) : Actual location (location 
was relayed)
Last leak repeated 16333 times
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_hash.c(376) :  Freeing 0xB744103C 
(65536 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_alloc.c(2529) : Actual location 
(location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_API.c(315) :  Freeing 0xB74C0D50 (44 
bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(134) : Actual location 
(location was relayed)
Last leak repeated 1 time
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(6788) :  Freeing 
0xB78560A8 (20 bytes), script=-
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2378) :  Freeing 
0xB7857380 (2 bytes), script=-
/home/nikic/dev/php-src/trunk/Zend/zend_variables.c(121) : Actual location 
(location was relayed)
[Sun Mar  4 16:17:15 2012]  Script:  '-'
/home/nikic/dev/php-src/trunk/Zend/zend_vm_execute.h(2375) :  Freeing 
0xB7858360 (20 bytes), script=-
=== Total 16340 memory leaks detected ===

If you do some more stuff after the call PHP will eventually segfault.

This only happens if the *first* argument of the callback is by-ref and only 
happens after a certain number of arguments (for me it starts with 16334). 
That's why I guess that this has something to do with 
http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#862 (i == 0 => branch 
not entered) and http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#851 
(as it is only for large argument numbers).



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61273&edit=1

Reply via email to