ID: 24581
Updated by: sniperphp.net
Reported By: daniel dot goss at t-systems dot com
-Status: Open
+Status: Verified
Bug Type: Reproducible crash
Operating System: RedHat 8.0, 7.3
-PHP Version: 4.3.2
+PHP Version: 4.3.3RC2-dev, 5.0.0b2-dev
New Comment:

Verified with PHP 4.3.3RC2-dev and PHP 5.0.0b2-dev.
Backtrace for 4.3.3RC2-dev:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x82c1020 in call_user_function_ex (function_table=0x85ad230, object_pp=0x0, function_name=0x5a5a5a5a, retval_ptr_ptr=0xbfffd1c4, param_count=2, params=0xbfffd1c8, no_separation=0, symbol_table=0x0)
    at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:444
444 if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) bt
#0 0x82c1020 in call_user_function_ex (function_table=0x85ad230, object_pp=0x0, function_name=0x5a5a5a5a, retval_ptr_ptr=0xbfffd1c4, param_count=2, params=0xbfffd1c8, no_separation=0, symbol_table=0x0)
    at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:444
#1 0x81f1bd5 in array_user_compare (a=0x874c388, b=0x874c1fc)
    at /usr/src/web/php/php4_3/ext/standard/array.c:532
#2 0x82db4da in zend_qsort (base=0x874c1fc, nmemb=100, siz=4, compare=0x81f1b70 <array_user_compare>)
    at /usr/src/web/php/php4_3/Zend/zend_qsort.c:86
#3 0x82d46f4 in zend_hash_sort (ht=0x874d21c, sort_func=0x82db384 <zend_qsort>, compar=0x81f1b70 <array_user_compare>, renumber=1)
    at /usr/src/web/php/php4_3/Zend/zend_hash.c:1133
#4 0x81f1dd1 in zif_usort (ht=2, return_value=0x874d2d4, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php4_3/ext/standard/array.c:564
#5 0x82e03a2 in execute (op_array=0x874898c)
    at /usr/src/web/php/php4_3/Zend/zend_execute.c:1616
#6 0x82cce34 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web/php/php4_3/Zend/zend.c:886
#7 0x828fefe in php_execute_script (primary_file=0xbffff8bc)
    at /usr/src/web/php/php4_3/main/main.c:1685
#8 0x82f4367 in main (argc=2, argv=0xbffff924)
    at /usr/src/web/php/php4_3/sapi/cli/php_cli.c:818
#9 0x406689cb in __libc_start_main (main=0x82f37e4 <main>, argc=2, argv=0xbffff924, init=0x80ab2c0 <_init>, fini=0x84525b4 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff91c)
    at ../sysdeps/generic/libc-start.c:92
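
A triage aid for backtraces like the one above, added here as an example and not part of the bug report or of PHP: it re-joins hard-wrapped gdb frames and flags pointer arguments whose bytes are all identical, as `function_name=0x5a5a5a5a` is in frame #0. Reading such a value as an allocator fill pattern (memory that was filled on free or never initialised) is an assumption made here, not something the report states; the function names are hypothetical.

```python
import re

# Frames #0-#2 of the backtrace in this report, hard-wrapped as it was mailed.
BACKTRACE = """\
#0 0x82c1020 in call_user_function_ex (function_table=0x85ad230,
object_pp=0x0, function_name=0x5a5a5a5a,
retval_ptr_ptr=0xbfffd1c4, param_count=2, params=0xbfffd1c8,
no_separation=0, symbol_table=0x0)
at /usr/src/web/php/php4_3/Zend/zend_execute_API.c:444
#1 0x81f1bd5 in array_user_compare (a=0x874c388, b=0x874c1fc) at
/usr/src/web/php/php4_3/ext/standard/array.c:532
#2 0x82db4da in zend_qsort (base=0x874c1fc, nmemb=100, siz=4,
compare=0x81f1b70 <array_user_compare>)
at /usr/src/web/php/php4_3/Zend/zend_qsort.c:86
"""

FRAME_RE = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\)\s+at\s+(\S+:\d+)")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")

def split_frames(text):
    """Re-join wrapped lines so that each '#N ...' frame is one string."""
    frames = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"#\d+\s", line) or not frames:
            frames.append(line)
        else:
            frames[-1] += " " + line
    return frames

def is_fill_pattern(hexval):
    """True for a 32- or 64-bit value whose bytes are all identical and non-zero."""
    digits = hexval[2:].lower()
    pairs = {digits[i:i + 2] for i in range(0, len(digits), 2)}
    return len(digits) in (8, 16) and len(pairs) == 1 and pairs != {"00"}

def suspicious_args(text):
    """Return (frame, function, argument, value, location) for fill-like args."""
    hits = []
    for frame in split_frames(text):
        m = FRAME_RE.match(frame)
        if not m:
            continue  # not a frame line with source information
        no, func, args, loc = m.groups()
        for name, val in ARG_RE.findall(args):
            if is_fill_pattern(val):
                hits.append((int(no), func, name, val, loc))
    return hits
```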



Previous Comments:
------------------------------------------------------------------------

[2003-07-10 04:31:10] daniel dot goss at t-systems dot com

There is a little flaw in the example script. The line

usort($Test, MySort);

should read

usort($Test, "MySort");

but the behaviour is the same.

------------------------------------------------------------------------

[2003-07-10 04:26:04] daniel dot goss at t-systems dot com

Description:
------------
The php-engine crashes with a segmentation fault if the function that
is called by usort calls another recursive function. The recursion
depth is less than 10, so there could not be a global stack overflow.
(Tested recursion depth outside usort min. 8000.)


Reproduce code:
---------------
<?
function MyTest($A, $B, $C, $D, $E, $F, $G)
{
    echo "|".$A++."|<BR>";
    flush();

    if ($A>10)
        return 0;

    MyTest($A, $B, $C, "", "", "", "");

    return 0;
}

function MySort($A, $B)
{
    return MyTest(0,$A,$B,"","","","");
}

for ($k=0; $k<100; $k++)
{
    $Test[$k]=rand(1,100);
}

echo "BEGIN<BR>";
usort($Test, MySort);
echo "END<BR>";
?>


Expected result:
----------------
The recursion depth inside the usort function should be min. 100.
Due to the recursive nature of modern sorting algorithms, I understand
that the full recursion depth, like outside of usort, is not
available. But it should be much more than 10 (on my system)!

Actual result:
--------------
[notice] child pid 8651 exit signal Segmentation fault (11)


------------------------------------------------------------------------

