From: jeff dot orrok at reedbusiness dot com
Operating system: windows xp sp2
PHP version: 5.2.4
PHP Bug Type: Reproducible crash
Bug description: stack overflow in php5ts.dll
Description:
------------
Invoking a non-existent method on a SOAP service crashes apache. Although
PEAR's SOAP module is involved in the problem, I thought y'all should know
about it in case there was something you could do to make your code more
robust.
C:\wamp\logs\apache_error.log:
[Tue Oct 30 11:58:42 2007] [notice] Parent: child process exited with
status 3221225477 -- Restarting.
Analysis Summary from Debug Diagnostic Tool:
In
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
the assembly instruction at php5ts!xbuf_format_converter+5b in
C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack
overflow exception (0xC00000FD) when trying to write to memory location
0x01b82ffc on thread 15
Reproduce code:
---------------
This is merely to demonstrate what I'm doing. I was hoping it might be
reproducible with any kind of "hello world" service. I am behind on my
deadline and need to get caught up before I can spend a lot of time on
this. I will try to pare down the amount of code to the smallest necessary
to reproduce, if it turns out to be a very specific circumstance.
<?php
require_once('SOAP/Client.php'); // PEAR SOAP-0.11.0

define('RBI_COMMON_AUTH_WS_URL', 'http://localhost/WebServices/AuthenticationWS/service.php?wsdl');
define('RBICA_APP', 'BLOG');
define('RBICA_APP_TOKEN_ID', 'PERM_BLOG');

// Build a client proxy from the service's WSDL.
$wsdl_ca = new SOAP_WSDL(RBI_COMMON_AUTH_WS_URL, array('timeout' => 30));
$client_ca = $wsdl_ca->getProxy();

// $login is defined by the surrounding code (not shown).
$wpUserId = $login->ID;

// GetMasterID happens to not exist in the current version of the service.
$result = $client_ca->GetMasterID(RBICA_APP_TOKEN_ID, RBICA_APP, (integer)$wpUserId);
Expected result:
----------------
(be automatically logged in to WordPress via our in-house common
authentication service)
Actual result:
--------------
Report for
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
Type of Analysis Performed Crash Analysis
Machine Name HRAORROCKJ1D
Operating System Windows XP Service Pack 2
Number Of Processors 2
Process ID 5256
Process Image C:\wamp\Apache2\bin\httpd.exe
System Up-Time 10 day(s) 08:39:57
Process Up-Time 00:03:23
Thread 15 - System ID 784
Entry point msvcrt!_endthreadex+3a
Create time 10/29/2007 7:02:35 PM
Time spent in user mode 0 Days 0:0:0.500
Time spent in kernel mode 0 Days 0:0:0.62
Function                                       Arg 1     Arg 2     Arg 3     Source
php5ts!xbuf_format_converter+5b                01b83280  00a359ac  01b8332c
php5ts!vspprintf+29                            01b832b8  00000400  00a359ac
php5ts!php_error_cb+3a                         00000800  07da1180  0000015f
php5ts!zend_error+43e                          00000800  00a359ac  0079ca49
php5ts!zif_is_a+f                              00000002  08f9a0f0  00000000
php5ts!zend_do_fcall_common_helper_SPEC+7d9    01b833b8  05cab000  07dd7fd8
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5     00000000  05cab000  08f96944
php5ts!execute+1c5                             07d95490  05cab000  05cab000
php5ts!zend_do_fcall_common_helper_SPEC+8f8    01b83460  05cab000  0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15   01b83460  05cab000  08f94b84
php5ts!execute+1c5                             07dcf3e8  05cab000  05cab000
... followed by hundreds of lines similar to the following:
php5ts!zend_do_fcall_common_helper_SPEC+8f8    01b835b0  05cab000  0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15   01b835b0  05cab000  08f8ea8c
php5ts!execute+1c5                             07dcf3e8  05cab000  05cab000
... followed by:
php5ts!zend_do_fcall_common_helper_SPEC+8f8    01bbfbb0  05cab000  0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15   01bbfbb0  05cab000  05cab000
php5ts!execute+1c5                             07d7e2e0  05cab000  00000000
php5ts!zend_execute_scripts+107                00000008  05cab000  00000000
php5ts!php_execute_script+20d                  01bbfea0  05cab000  00000005
php5apache2_2!php_handler+5cd                  05d40e70  0074c4c0  05d40e70
libhttpd!ap_run_handler+21                     05d40e70  05d40e70  05d40e70
libhttpd!ap_invoke_handler+ae                  00000000  05d3e128  01bbff38
libhttpd!ap_die+24e                            05d40e70  00000000  0068e510
libhttpd!ap_get_request_note+1c6c              05d3e128  05d3e128  05d3e128
libhttpd!ap_run_process_connection+21          05d3e128  00716300  01bbff80
libhttpd!ap_process_connection+33              05d3e128  05cb9050  00000000
libhttpd!ap_regkey_value_remove+c0c            05d3e120  00000000  00e10050
msvcrt!_endthreadex+a9                         01018b08  00000000  00e10050
kernel32!BaseThreadStart+37                    77c3a341  01018b08  00000000
PHP5TS!XBUF_FORMAT_CONVERTER+5B
In
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
the assembly instruction at php5ts!xbuf_format_converter+5b in
C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack
overflow exception (0xC00000FD) when trying to write to memory location
0x01b82ffc on thread 15
Module Information
Image Name: C:\wamp\Apache2\bin\php5ts.dll
Base address: 0x00780000
Checksum: 0x00000000
COM DLL: False
ISAPIExtension: False
ISAPIFilter: False
Managed DLL: False
VB DLL: False
Loaded Image Name: php5ts.dll
Mapped Image Name: C:\wamp\Apache2\bin\php5ts.dll
Module name: php5ts
Single Threaded: False
Module Size: 4.86 MBytes
Symbol File Name: C:\xampp\php\debug\php5ts.pdb
Symbol Type: PDB
Time Stamp: Thu Aug 30 05:06:12 2007
Comments:
Company Name: The PHP Group
File Description: PHP Script Interpreter
File Version: 5.2.4.4
Internal Name: php5ts.dll
Legal Copyright: Copyright © 1997-2007 The PHP Group
Legal Trademarks: PHP
Original filename: php5ts.dll
Private Build:
Product Name: PHP Script Interpreter
Product Version: 5.2.4
Special Build:
--
Edit bug report at http://bugs.php.net/?id=43150&edit=1
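
Added triage example (not part of the original report and not PHP project code): it decodes the Apache child exit status into its NTSTATUS name and finds the frame group that repeats back to back in a Debug Diagnostic style stack trace, which is the signature of unbounded recursion behind a 0xC00000FD stack overflow. The function names and the abridged sample trace are constructed for illustration.

```python
import re

# Well-known Windows NTSTATUS values that appear in this report.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC00000FD: "STATUS_STACK_OVERFLOW"}
EXIT_RE = re.compile(r"child process exited with status (\d+)")
FRAME_RE = re.compile(r"^(\w+!\w+)\+[0-9a-f]+", re.M)  # module!function+offset

def decode_exit_status(log_text):
    """Map the decimal status in an Apache 'child process exited' line to NTSTATUS."""
    m = EXIT_RE.search(log_text)
    if m is None:
        return None
    code = int(m.group(1)) & 0xFFFFFFFF
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown")

def find_recursion_cycle(trace, min_repeats=3):
    """Return (cycle, repeats): the frame run repeated back to back that covers
    the most of the trace; the shortest period wins ties."""
    frames = FRAME_RE.findall(trace)
    best, best_n = [], 0
    for period in range(1, len(frames) // min_repeats + 1):
        for start in range(len(frames) - period * min_repeats + 1):
            cycle, n = frames[start:start + period], 1
            while frames[start + n * period:start + (n + 1) * period] == cycle:
                n += 1
            if n >= min_repeats and n * period > best_n * len(best):
                best, best_n = cycle, n
    return best, best_n

# Constructed sample: frames abridged from the report above; the elided
# "hundreds of lines" are stood in for by four copies of the repeating group.
LOG_LINE = "[notice] Parent: child process exited with status 3221225477 -- Restarting."
CYCLE = ("php5ts!zend_do_fcall_common_helper_SPEC+8f8 01b83460 05cab000 0079c1e5\n"
         "php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15 01b83460 05cab000 08f94b84\n"
         "php5ts!execute+1c5 07dcf3e8 05cab000 05cab000\n")
TRACE = ("php5ts!xbuf_format_converter+5b 01b83280 00a359ac 01b8332c\n"
         "php5ts!zend_error+43e 00000800 00a359ac 0079ca49\n"
         "php5ts!zif_is_a+f 00000002 08f9a0f0 00000000\n"
         "php5ts!execute+1c5 07d95490 05cab000 05cab000\n"
         + CYCLE * 4 +
         "php5ts!zend_execute_scripts+107 00000008 05cab000 00000000\n")

if __name__ == "__main__":
    print(decode_exit_status(LOG_LINE))
    cycle, repeats = find_recursion_cycle(TRACE)
    print(repeats, "x", ", ".join(cycle))
```

The reported cycle may start at any frame of the repeating group, since the scan keeps the first position at which the longest repetition begins.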