ID: 40039
User updated by: aren at corp dot oodle dot com
Reported By: aren at corp dot oodle dot com
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Linux 2.6.5
PHP Version: 5.2.0

New Comment:

A contrived example does not exhibit the crash. Even a different code path through the code that is crashing does not crash. It is only this particular case that crashes every time. From the debugging I've done, it looks like memory is being accidentally overwritten.

Previous Comments:
------------------------------------------------------------------------

[2007-01-06 16:43:06] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------

[2007-01-06 00:11:16] aren at corp dot oodle dot com

Description:
------------
I reliably get a seg fault during execution of uksort() in our web application. Unfortunately, the seg fault is not reproducible with any simpler test case, and other code paths over the same code work fine.

PHP line in question:

uksort($arr_values, array($this, '_compare_values'));

GDB output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208600896 (LWP 30559)]
0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:661
661         if (Z_TYPE_P(fci->function_name)==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) print fci.function_name
$3 = (zval *) 0x0

Actual result:
--------------
Segfault trace:

(gdb) bt
#0  0x01063602 in zend_call_function (fci=0xbfe7e950, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:661
#1  0x01064660 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0, symbol_table=0x0) at /php-5.2.0/Zend/zend_execute_API.c:602
#2  0x0106469c in call_user_function (function_table=0x95c12f0, object_pp=0x0, function_name=0x0, retval_ptr=0xbfe7ea00, param_count=2, params=0xbfe7e9f8) at /php-5.2.0/Zend/zend_execute_API.c:575
#3  0x00fd3b12 in array_user_key_compare (a=0xb765d404, b=0xb765d3fc) at /php-5.2.0/ext/standard/array.c:736
#4  0x0107cff8 in zend_qsort (base=0xb765d3fc, nmemb=3, siz=4, compare=0xfd3a9c <array_user_key_compare>) at /php-5.2.0/Zend/zend_qsort.c:86
#5  0x010777e9 in zend_hash_sort (ht=0xb75aff48, sort_func=0x107cf70 <zend_qsort>, compar=0xfd3a9c <array_user_key_compare>, renumber=0) at /php-5.2.0/Zend/zend_hash.c:1218
#6  0x00fd3d12 in zif_uksort (ht=2, return_value=0xb75dd098, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /php-5.2.0/ext/standard/array.c:774

A watchpoint on the user_compare_func_name shows it is set in zif_uksort's call to zend_get_parameters_ex (as expected):

(gdb) watch basic_globals.user_compare_func_name
Old value = (zval **) 0x0
New value = (zval **) 0xb7d2695c
0x010cd0f8 in zend_get_parameters_ex (param_count=0) at /php-5.2.0/Zend/zend_API.c:134
134         *param = (zval **) p-(arg_count--);
(gdb) bt
#0  0x010cd0f8 in zend_get_parameters_ex (param_count=0) at /php-5.2.0/Zend/zend_API.c:134
#1  0x01031c78 in zif_uksort (ht=2, return_value=0xb75ef2ec, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)

And overwritten here:

(gdb) continue
Continuing.
Hardware watchpoint 4: *basic_globals.user_compare_func_name
Old value = (zval *) 0xb75f0afc
New value = (zval *) 0x0
0x00b32527 in memset () from /lib/tls/libc.so.6
(gdb) bt
#0  0x00b32527 in memset () from /lib/tls/libc.so.6
#1  0x00000040 in ?? ()
#2  0x010b816c in _ecalloc (nmemb=64, size=256) at /php-5.2.0/Zend/zend_alloc.c:1738
#3  0x010d37f6 in _zend_hash_init (ht=0xb75eeb04, nSize=45, pHashFunction=0, pDestructor=0x10c0460 <_zval_ptr_dtor>, persistent=0 '\0') at /php-5.2.0/Zend/zend_hash.c:169
#4  0x010cb5c8 in _zval_copy_ctor_func (zvalue=0xb75efe9c) at /php-5.2.0/Zend/zend_variables.c:133
#5  0x010e41b1 in zend_fetch_dimension_address (result=0xbff05fac, container_ptr=0xb75f63ac, dim=0xb75f46cc, dim_is_tmp_var=0, type=1) at /php-5.2.0/Zend/zend_variables.h:45
#6  0x01141155 in ZEND_FETCH_DIM_W_SPEC_CV_CV_HANDLER (execute_data=0xbff06180) at /php-5.2.0/Zend/zend_execute.c:271
#7  0x010e457d in execute (op_array=0xb7ae9340) at /php-5.2.0/Zend/zend_vm_execute.h:92
#8  0x010e47c9 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff064e0) at /php-5.2.0/Zend/zend_vm_execute.h:234
#9  0x010e457d in execute (op_array=0xb7b40258) at /php-5.2.0/Zend/zend_vm_execute.h:92
#10 0x010c1d8a in zend_call_function (fci=0xbff06610, fci_cache=0x0) at /php-5.2.0/Zend/zend_execute_API.c:965
#11 0x010c2660 in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0, params=0x0, no_separation=0, symbol_table=0x0) at /php-5.2.0/Zend/zend_execute_API.c:602
#12 0x010c269c in call_user_function (function_table=0x8aad2f0, object_pp=0x0, function_name=0xb75f0afc, retval_ptr=0xbff066c0, param_count=2, params=0xbff066b8) at /php-5.2.0/Zend/zend_execute_API.c:575
#13 0x01031b12 in array_user_key_compare (a=0xb7671414, b=0xb7671418) at /php-5.2.0/ext/standard/array.c:736
#14 0x010db026 in zend_qsort (base=0xb7671414, nmemb=3, siz=4, compare=0x1031a9c <array_user_key_compare>) at /php-5.2.0/Zend/zend_qsort.c:83
#15 0x010d57e9 in zend_hash_sort (ht=0xb75f58ac, sort_func=0x10daf70 <zend_qsort>, compar=0x1031a9c <array_user_key_compare>, renumber=0) at /php-5.2.0/Zend/zend_hash.c:1218
#16 0x01031d12 in zif_uksort (ht=2, return_value=0xb75ef2ec, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /php-5.2.0/ext/standard/array.c:774

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=40039&edit=1
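The two-stage watchpoint the report walks through (first on the global pointer, then on the zval it points to, with a backtrace at each stop) can be scripted so the trace is captured on every run. This is an added gdb command file, not part of the bug report; it assumes a non-ZTS debug build of php-5.2.0 with symbols (so basic_globals and zif_uksort resolve) and uses crash.php as a placeholder name for the failing script.

```gdb
# Added example: automate the watchpoint walk from bug #40039.
# Usage (assumed): gdb -x watch_uksort.gdb --args php-cgi crash.php
set pagination off
set breakpoint pending on

# Stop at the first uksort() call so the watchpoints are armed only
# while the comparator global is actually in use.
break zif_uksort
run

# Stage 1: fire when the global pointer itself is assigned
# (expected inside zend_get_parameters_ex, called from zif_uksort).
watch basic_globals.user_compare_func_name
continue
bt 3

# Stage 2: the pointer is now valid, so watch the zval it points to.
# Any write into that zval (the report shows memset() reached via
# _ecalloc) stops here with a full backtrace of who did the write.
watch *basic_globals.user_compare_func_name
continue
bt 20

# Keep going to the SIGSEGV itself and show where it lands.
continue
bt 10
```

If a later uksort() call reuses the same global, the stage 1 watchpoint fires again on the save/restore writes; the backtraces tell the hits apart.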