[PHP-DEV] Bug #12776 Updated: 4.0.7RC1: array_walk crash

rasmus Thu, 16 Aug 2001 14:04:12 -0700
ID: 12776
Updated by: rasmus
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproducible crash
Operating System: Linux
PHP Version: 4.0.6
New Comment:

On my machine, this will crash it: 

function test($val,$key) {
     global $globalArray;
     $globalArray[]=$key;
}

$arr=array('k'=>'v');
array_walk($arr,'test');
echo "testing".$globalArray[0];

Changing the last line to:

echo "test".$globalArray[0];

makes it work.  Uh?

bt:

#0  0x4013913e in memcpy () from /lib/i686/libc.so.6
#1  0xbfffe3b0 in ?? ()
#2  0x080f2550 in execute (op_array=0x816c334) at ./zend_execute.c:1105
#3  0x080da832 in zend_execute_scripts (type=8, file_count=3) at zend.c:806
#4  0x0805faab in php_execute_script (primary_file=0xbffff8d0) at main.c:1310


Previous Comments:
------------------------------------------------------------------------

[2001-08-16 17:22:29] [EMAIL PROTECTED]

Oops, never mind, it is not fixed in CVS.  It just morphed slightly.

------------------------------------------------------------------------

[2001-08-16 17:18:35] [EMAIL PROTECTED]

Looks like it is fixed in CVS

------------------------------------------------------------------------

[2001-08-15 19:07:20] [EMAIL PROTECTED]

In both PHP 4.0.2, 4.0.6 and 4.0.7RC1:

The following code crashes PHP:
<?php

function test($val,$key)
{
        global $globalArray;
        $globalArray[]=$key; // this will end up crashing
//      $globalArray[]=(string)$key; // this will end up OK
        print "val: $val; key: $key\n"; flush();
}

$arr=array('k'=>'v');
array_walk($arr,'test');

// This will crash:
print "First value: ".$globalArray[0];

// This will not crash, but give the wrong
// result, and the final "done" will never be
// printed:
// print "First value: "; print $globalArray[0];

print "\nDone\n";

?>
It doesn't matter if the code is run from PHP as an Apache module or command-line PHP.

Operating systems tested: RH Linux 6.1, RH Linux Rawhide (i.e. cutting-edge Red Hat 
developer-version).

A GDB back-trace on the latter, using command-line PHP:
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `/home/troels/local-php/bin/php simple.php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpam.so.0...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x400de721 in __kill () from /lib/i686/libc.so.6
(gdb) bt
#0  0x400de721 in __kill () from /lib/i686/libc.so.6
#1  0x080a4976 in _emalloc (size=1515870824, __zend_filename=0x80f349d 
"zend_operators.c", 
    __zend_lineno=1043, __zend_orig_filename=0x0, __zend_orig_lineno=0) at 
zend_alloc.c:173
#2  0x080b039e in concat_function (result=0xbfffe324, op1=0x813853c, op2=0xbfffe210)
    at zend_operators.c:1043
#3  0x080cd63b in execute (op_array=0x81340e4) at ./zend_execute.c:1105
#4  0x080b37fe in zend_execute_scripts (type=8, file_count=3) at zend.c:806
#5  0x0805b0c4 in php_execute_script (primary_file=0xbffff760) at main.c:1308
#6  0x0805911e in main (argc=2, argv=0xbffff804) at cgi_main.c:737
#7  0x400cc6b7 in __libc_start_main (main=0x80588d0 <main>, argc=2, ubp_av=0xbffff804, 

    init=0x80576a4 <_init>, fini=0x80d52f0 <_fini>, rtld_fini=0x4000db64 <_dl_fini>, 
    stack_end=0xbffff7fc) at ../sysdeps/generic/libc-start.c:129(gdb)

The above back-trace was created from a core-file generated by PHP 4.0.7RC1. The 
"config.nice" from the build:
#! /bin/sh
#
# Created by configure

'./configure' \
'--prefix=/home/troels/local-php' \
'--without-mysql' \
'--disable-xml' \
'--disable-session' \
'--enable-debug' \
'--without-pcre-regex' \
"$@"



------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=12776&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP-DEV] Bug #12776 Updated: 4.0.7RC1: array_walk crash

Reply via email to
