PHP 4.4.x heap corruption

From Wikitech
Revision as of 07:28, 19 August 2008 by Tim (Talk | contribs)


Warning: This page is old. It is kept as an archive. Do not expect anything on it to be relevant to the current day.

Segfault on exit in PHP 4.4.x. Object version:

<?php
class C { var $m1, $m2, $m3, $m4, $m5, $m6; }
ini_set( 'memory_limit', -1 );
$a = array();
for ( $i=0; $i<100000; $i++) $a[] = new C;
?>

Array version:

<?php
$t = array( 'm1' => null, 'm2' => null, 'm3' => null, 'm5' => null, 'm6' => null );
ini_set( 'memory_limit', -1 );
$a = array();
for ( $i=0; $i<100000; $i++) $a[] = $t;
debug_zval_dump($t);
?>

Returns:

array(5) refcount(34466){
  ["m1"]=>
  NULL refcount(1)
  ["m2"]=>
  NULL refcount(1)
  ["m3"]=>
  NULL refcount(1)
  ["m5"]=>
  NULL refcount(1)
  ["m6"]=>
  NULL refcount(1)
}
Segmentation fault

With smaller array sizes, the reference count is correct and there is no segfault.

This is due to an unsigned short being used for the reference count in PHP 4: it can only count to 65535, so once more references than that exist the count wraps around, and when the copies are released on exit it reaches zero while references are still live and the value is freed from under them. The field was changed to an unsigned int in PHP 5.
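To make the wrap-around concrete, here is an added C model (not PHP's own code) of a 16-bit versus 32-bit reference counter walked through the page's 100000 copies: the 16-bit counter reports 34465 (the dump above shows one more, presumably the reference taken when $t is passed to debug_zval_dump) and reaches zero on release while 65536 holders are still live, which is the free-under-live-references that produces the segfault; the 32-bit counter releases cleanly. Names such as refs_model and premature_free_u16 are invented for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not PHP source: PHP 4 kept a zval's refcount in an
   unsigned short, PHP 5 in an unsigned int. The true number of live
   references is tracked alongside so that a release reaching zero while
   holders remain (where the engine would free the value) is visible. */
typedef struct {
    uint16_t rc16;        /* PHP 4 width: wraps silently after 65535 */
    uint32_t rc32;        /* PHP 5 width */
    unsigned long live;   /* ground truth the engine cannot see */
} refs_model;

/* One variable owns the value, then `copies` more references are taken,
   as the page's loop does with $a[] = $t. */
static refs_model take_refs(unsigned long copies) {
    refs_model m = { 1, 1, 1 };
    for (unsigned long i = 0; i < copies; i++) {
        m.rc16++;
        m.rc32++;
        m.live++;
    }
    return m;
}

/* Counter value the PHP 4 engine reports after `copies` copies. */
uint16_t refcount16_after(unsigned long copies) {
    return take_refs(copies).rc16;
}

/* Release every reference, as happens on script exit. Returns how many are
   still live when the chosen counter first hits zero, or 0 if none. */
static unsigned long release_all(refs_model m, int use16) {
    while (m.live > 0) {
        m.rc16--;
        m.rc32--;
        m.live--;
        if ((use16 ? m.rc16 : m.rc32) == 0)
            return m.live;   /* freed here; m.live holders now dangle */
    }
    return 0;
}
unsigned long premature_free_u16(unsigned long copies) { return release_all(take_refs(copies), 1); }
unsigned long premature_free_u32(unsigned long copies) { return release_all(take_refs(copies), 0); }
int main(void) {
    printf("16-bit: reports %u, %lu holders dangle at free\n",
           refcount16_after(100000), premature_free_u16(100000));
    printf("32-bit: %lu holders dangle at free\n", premature_free_u32(100000));
    return 0;
}
```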
