From: aren at corp dot oodle dot com
Operating system: Linux 2.6.5
PHP version: 5.2.0
PHP Bug Type: Reproducible crash
Bug description: Seg fault during uksort

Description:
------------
I reliably get a seg fault during execution of uksort() in our web application. Unfortunately, the seg fault is not reproducible with any simpler test case, and other code paths over the same code work fine.

PHP line in question:

uksort($arr_values, array($this, '_compare_values'));

GDB output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208600896 (LWP 30559)]
0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:661
661         if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) print fci.function_name
$3 = (zval *) 0x0

Actual result:
--------------
Segfault trace:

(gdb) bt
#0  0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:661
#1  0x01064660 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0, symbol_table=0x0) at /php-5.2.0/Zend/zend_execute_API.c:602
#2  0x0106469c in call_user_function (function_table=0x95c12f0, object_pp=0x0, function_name=0x0, retval_ptr=0xbfe7ea00, param_count=2, params=0xbfe7e9f8) at /php-5.2.0/Zend/zend_execute_API.c:575
#3  0x00fd3b12 in array_user_key_compare (a=0xb765d404, b=0xb765d3fc) at /php-5.2.0/ext/standard/array.c:736
#4  0x0107cff8 in zend_qsort (base=0xb765d3fc, nmemb=3, siz=4, compare=0xfd3a9c <array_user_key_compare>) at /php-5.2.0/Zend/zend_qsort.c:86
#5  0x010777e9 in zend_hash_sort (ht=0xb75aff48, sort_func=0x107cf70 <zend_qsort>, compar=0xfd3a9c <array_user_key_compare>, renumber=0) at /php-5.2.0/Zend/zend_hash.c:1218
#6  0x00fd3d12 in zif_uksort (ht=2, return_value=0xb75dd098, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /php-5.2.0/ext/standard/array.c:774

A watchpoint on the user_compare_func_name shows it is set in zif_uksort's call to zend_get_parameters_ex (as expected):

(gdb) watch basic_globals.user_compare_func_name
Old value = (zval **) 0x0
New value = (zval **) 0xb7d2695c
0x010cd0f8 in zend_get_parameters_ex (param_count=0) at /php-5.2.0/Zend/zend_API.c:134
134         *param = (zval **) p-(arg_count--);
(gdb) bt
#0  0x010cd0f8 in zend_get_parameters_ex (param_count=0) at /php-5.2.0/Zend/zend_API.c:134
#1  0x01031c78 in zif_uksort (ht=2, return_value=0xb75ef2ec, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)

And overwritten here:

(gdb) continue
Continuing.
Hardware watchpoint 4: *basic_globals.user_compare_func_name
Old value = (zval *) 0xb75f0afc
New value = (zval *) 0x0
0x00b32527 in memset () from /lib/tls/libc.so.6
(gdb) bt
#0  0x00b32527 in memset () from /lib/tls/libc.so.6
#1  0x00000040 in ?? ()
#2  0x010b816c in _ecalloc (nmemb=64, size=256) at /php-5.2.0/Zend/zend_alloc.c:1738
#3  0x010d37f6 in _zend_hash_init (ht=0xb75eeb04, nSize=45, pHashFunction=0, pDestructor=0x10c0460 <_zval_ptr_dtor>, persistent=0 '\0') at /php-5.2.0/Zend/zend_hash.c:169
#4  0x010cb5c8 in _zval_copy_ctor_func (zvalue=0xb75efe9c) at /php-5.2.0/Zend/zend_variables.c:133
#5  0x010e41b1 in zend_fetch_dimension_address (result=0xbff05fac, container_ptr=0xb75f63ac, dim=0xb75f46cc, dim_is_tmp_var=0, type=1) at /php-5.2.0/Zend/zend_variables.h:45
#6  0x01141155 in ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER (execute_data=0xbff06180) at /php-5.2.0/Zend/zend_execute.c:271
#7  0x010e457d in execute (op_array=0xb7ae9340) at /php-5.2.0/Zend/zend_vm_execute.h:92
#8  0x010e47c9 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff064e0) at /php-5.2.0/Zend/zend_vm_execute.h:234
#9  0x010e457d in execute (op_array=0xb7b40258) at /php-5.2.0/Zend/zend_vm_execute.h:92
#10 0x010c1d8a in zend_call_function (fci=0xbff06610, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:965
#11 0x010c2660 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0, symbol_table=0x0) at /php-5.2.0/Zend/zend_execute_API.c:602
#12 0x010c269c in call_user_function (function_table=0x8aad2f0, object_pp=0x0, function_name=0xb75f0afc, retval_ptr=0xbff066c0, param_count=2, params=0xbff066b8) at /php-5.2.0/Zend/zend_execute_API.c:575
#13 0x01031b12 in array_user_key_compare (a=0xb7671414, b=0xb7671418) at /php-5.2.0/ext/standard/array.c:736
#14 0x010db026 in zend_qsort (base=0xb7671414, nmemb=3, siz=4, compare=0x1031a9c <array_user_key_compare>) at /php-5.2.0/Zend/zend_qsort.c:83
#15 0x010d57e9 in zend_hash_sort (ht=0xb75f58ac, sort_func=0x10daf70 <zend_qsort>, compar=0x1031a9c <array_user_key_compare>, renumber=0) at /php-5.2.0/Zend/zend_hash.c:1218
#16 0x01031d12 in zif_uksort (ht=2, return_value=0xb75ef2ec, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /php-5.2.0/ext/standard/array.c:774

--
Edit bug report at http://bugs.php.net/?id=40039&edit=1
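The two watchpoint hits above show a pattern worth recognising when triaging engine crashes: a global (`basic_globals.user_compare_func_name`, a `zval **`) is filled by `zend_get_parameters_ex` with the address of an argument-stack slot (`p-(arg_count--)`), and the memory that slot lives in is later zeroed by `memset` inside `_ecalloc` while the user comparator is still running. That sequence is what a stale pointer into a relocated, growable buffer looks like once the allocator reuses the old block. The following C program is an added teaching model, not code from the bug report or from PHP: it assumes (as a hypothesis consistent with the trace, not a fact stated by the reporter) that the argument stack is moved to a new block when a nested call pushes enough arguments, and it contrasts keeping a pointer to a stack slot across the callback with copying the pointed-to value out first. The stack, the `zval_t` record and all names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: a "zval" is just a named record, and the
 * argument stack is a heap array of zval pointers that is moved to a
 * fresh block whenever it fills. Any pointer INTO the old block is
 * dangling after such a move. */
typedef struct { const char *name; } zval_t;

typedef struct {
    zval_t **slots;
    size_t top, cap;
} arg_stack;

static void stack_init(arg_stack *s, size_t cap) {
    s->slots = calloc(cap, sizeof *s->slots);
    s->top = 0;
    s->cap = cap;
}

/* Grow by copying into a new block and freeing the old one, so growth
 * always changes the block address (deterministic for the demo). */
static void stack_push(arg_stack *s, zval_t *v) {
    if (s->top == s->cap) {
        zval_t **grown = calloc(s->cap * 2, sizeof *grown);
        memcpy(grown, s->slots, s->top * sizeof *grown);
        free(s->slots);               /* old block is now reusable memory */
        s->slots = grown;
        s->cap *= 2;
    }
    s->slots[s->top++] = v;
}

static void stack_pop_n(arg_stack *s, size_t n) { s->top -= n; }

/* Validity check that never dereferences: is p inside the CURRENT block? */
static int slot_is_live(const arg_stack *s, zval_t **p) {
    uintptr_t lo = (uintptr_t)s->slots;
    uintptr_t hi = lo + s->cap * sizeof *s->slots;
    uintptr_t q = (uintptr_t)p;
    return q >= lo && q < hi;
}

/* A comparator that performs a nested call pushing nargs arguments,
 * which is what can force the stack to grow in the middle of a sort. */
static void comparator_with_nested_call(arg_stack *s, size_t nargs) {
    static zval_t nested_arg = { "nested-arg" };
    for (size_t i = 0; i < nargs; i++) stack_push(s, &nested_arg);
    stack_pop_n(s, nargs);
}

/* Hazardous pattern: keep a zval** that points at a stack SLOT across the
 * callback (the shape of BG(user_compare_func_name) filled by
 * zend_get_parameters_ex in the trace). Returns 1 if that pointer still
 * lies inside the live stack block afterwards, 0 if it now dangles. */
int slot_pointer_survives_callback(size_t initial_cap, size_t nested_args) {
    arg_stack s;
    stack_init(&s, initial_cap);
    zval_t arr = { "arr_values" }, fn = { "_compare_values" };
    stack_push(&s, &arr);
    stack_push(&s, &fn);
    zval_t **func_name_slot = &s.slots[1];     /* address of a stack slot */
    comparator_with_nested_call(&s, nested_args);
    int live = slot_is_live(&s, func_name_slot);
    free(s.slots);
    return live;
}

/* Safe pattern: copy the zval pointer OUT of the slot before invoking the
 * user callback. The copy is unaffected by where the stack lives later. */
const char *copied_callback_name(size_t initial_cap, size_t nested_args) {
    arg_stack s;
    stack_init(&s, initial_cap);
    zval_t arr = { "arr_values" }, fn = { "_compare_values" };
    stack_push(&s, &arr);
    stack_push(&s, &fn);
    zval_t *func_name = s.slots[1];            /* value copied, not address */
    comparator_with_nested_call(&s, nested_args);
    const char *name = func_name->name;        /* fn is owned by this frame */
    free(s.slots);
    return name;
}

int main(void) {
    printf("slot pointer live, no growth:   %d\n", slot_pointer_survives_callback(4, 2));
    printf("slot pointer live, after growth: %d\n", slot_pointer_survives_callback(4, 3));
    printf("copied value after growth:       %s\n", copied_callback_name(4, 3));
    return 0;
}
```

The liveness check compares addresses rather than reading through the stale pointer, which is the same discipline a hardware watchpoint gives you in gdb: detect that the referent moved without touching freed memory. In a real engine the fix is the second pattern (or an index into the stack re-resolved after every call), and a watchpoint on `*global`, as the reporter used, is the quickest way to catch which allocation reused the block.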