From: skissane at ics dot mq dot edu dot au
Operating system: Linux (RedHat 9.0)
PHP version: 4.3.2
PHP Bug Type: Reproducible crash
Bug description: Reproducible crash in error handling
Description:
------------
I am sometimes getting segfaults when my custom error handler executes. It
happens when an array is passed to preg_match instead of a string, and
this raises an error.
Below is the error handler, and the backtrace PHP gives, and my PHP
configuration.
PHP/Apache Version
PHP Version 4.3.2
System Linux itsa.iips.mq.edu.au 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002
i686
Build Date Jul 23 2003 09:42:28
Configure Command './configure'
'--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mssql=/usr/local'
'--without-mysql' '--with-curl=/usr' '--enable-debug'
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/lib/php.ini
PHP API 20020918
PHP Extension 20020429
Zend Extension 20021010
Debug Build yes
Thread Safety disabled
Registered PHP Streams php, http, ftp
apache2handler
Apache Version Apache/2.0.45 (Unix)
Apache API Version 20020903
Server Administrator [EMAIL PROTECTED]
Hostname:Port itsa.iips.mq.edu.au:0
User/Group apache(48)/48
Max Requests Per Child: 1000 - Keep Alive: off - Max Per Connection: 100
Timeouts Connection: 300 - Keep-Alive: 15
Virtual Server No
Server Root /etc/httpd
Loaded Modules core mod_access mod_auth mod_include mod_log_config
mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex
mod_asis mod_cgi mod_negotiation mod_dir mod_imap mod_actions mod_userdir
mod_alias mod_so sapi_apache2
Directive Local Value Master Value
engine 1 1
last_modified 0 0
xbithack 0 0
Reproduce code:
---------------
<?php
/*
** File: error.inc
** Description: Error handling code
** right form when user presses 'Cancel'
** Version: 1.0
** Created: 20/03/2003
** Author: Simon Kissane <[EMAIL PROTECTED]>
** Group: Internet Information Projects & Services
**
** Copyright (C) 2003 Macquarie University
*/

// Turn on output buffering
ob_start();

/*
** Function: _error_backtrace()
** Input: None
** Output: None
** Description: Print stack backtrace
*/
function _error_backtrace ()
{
    $trace = debug_backtrace();
    echo "<ul>\n";
    foreach ($trace as $fn => $frame) {
        // Skip the frames for _error_backtrace() and _error_handler() themselves
        if ($fn < 2) { continue; }
        echo "<li>#" . ($fn-2) . " - <b>";
        if (array_key_exists("class",$frame)) {
            echo $frame["class"] . $frame["type"];
        }
        echo $frame["function"];
        echo "</b>";
        if (array_key_exists("line",$frame)) {
            echo " (at line " . $frame["line"] . " of file " . $frame["file"] . ")";
        }
        echo "</li>\n";
        if (array_key_exists("args",$frame)) {
            echo "<ul>\n";
            foreach ($frame["args"] as $key => $arg) {
                echo "<li># " . $key . " - [";
                print_r($arg);
                echo "]</li>\n";
            }
            echo "</ul>\n";
        }
    }
    echo "</ul>\n";
}

/*
** Function: _error_handler()
** Input: INTEGER $errno, STRING $errstr, STRING $errfile, INTEGER $errline
** Output: None
** Description: Custom error handler.
** Some code taken from http://www.php.net/manual/en/function.set-error-handler.php
*/
function _error_handler($errno, $errstr, $errfile, $errline) {
    ob_clean();
    // Special friendly handling for database errors.
    if (strpos($errstr,"Unable to connect to server") !== FALSE) {
        include_once("databaseproblem.inc");
        exit;
    }
    else if (strpos($errstr,"String or binary data would be truncated") !== FALSE) {
        include_once("truncationerror.inc");
        exit;
    }
    echo "<b>ERROR:</b> [$errno] $errstr<br>\n";
    echo " Fatal error in line " . $errline . " of file " . $errfile;
    echo ", PHP ". PHP_VERSION . " (" . PHP_OS . ")<br>\n";
    echo "<b>Stack backtrace:</b><br>\n";
    _error_backtrace();
    echo "<b>Request:</b>\n";
    echo "<ul>\n";
    foreach ($_REQUEST as $k => $v) {
        echo "<li>" . $k . "=" . $v . "</li>\n";
    }
    echo "</ul>\n";
    echo "<b>Session Data:</b>\n";
    echo "<ul>\n";
    foreach ($_SESSION as $k => $v) {
        echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    }
    echo "</ul>\n";
    // echo "<b>Globals:</b>\n";
    // echo "<ul>\n";
    // foreach ($GLOBALS as $k => $v) {
    // echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    // }
    // echo "</ul>\n";
    echo "Aborting...<br>\n";
    exit(1);
}

/*
** Function: logdebug()
** Input: STRING $msg
** Output: None
** Description: Log a debugging message to the debugging log
*/
function logdebug($msg) {
    // $_logdebug_file = fopen("/hosts/iips/logs/dev/handbook-debug.log","a+");
    // fwrite($_logdebug_file, date('Y-m-d H:i:s') . " " . $msg ."\n");
    // fclose($_logdebug_file);
    // echo "<tt>" . $msg . "</tt><br/>";
}

// Initialise custom error handling
set_error_handler("_error_handler");
?>
Expected result:
----------------
No segfault!
Actual result:
--------------
Backtrace
Program received signal SIGSEGV, Segmentation fault.
0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
783 if (p->nKeyLength) {
(gdb) bt
#0 0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
#1 0x403fe08d in _zval_copy_ctor (zvalue=0x8586eb4,
__zend_filename=0x40448440
"/home/skissane/adm/php-4.3.2/Zend/zend_execute.c",
__zend_lineno=481) at
/home/skissane/adm/php-4.3.2/Zend/zend_variables.c:124
#2 0x40415902 in zend_assign_to_variable (result=0x83916e8,
op1=0x83916f8,
op2=0x8391708, value=0x857a164, type=4, Ts=0xbfff5180)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:481
#3 0x40410076 in execute (op_array=0x83a6280)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1349
#4 0x404110d9 in execute (op_array=0x82f6ee0)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#5 0x403f5e28 in call_user_function_ex (function_table=0x813bcf0,
object_pp=0x0,
function_name=0x8352b6c, retval_ptr_ptr=0xbfff6264, param_count=5,
params=0x857ca0c, no_separation=1, symbol_table=0x0)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#6 0x403ff8f6 in zend_error (type=8,
format=0x404467e2 "Array to string conversion")
at /home/skissane/adm/php-4.3.2/Zend/zend.c:797
#7 0x403f8dd8 in _convert_to_string (op=0x857a164,
__zend_filename=0x40447d40
"/home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c",
__zend_lineno=263) at
/home/skissane/adm/php-4.3.2/Zend/zend_operators.c:466
#8 0x40408185 in zend_if_strlen (ht=1, return_value=0x857a1a4,
this_ptr=0x0,
return_value_used=1)
at /home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c:263
#9 0x40410ea6 in execute (op_array=0x84f6818)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#10 0x403f5e28 in call_user_function_ex (function_table=0x813bcf0,
object_pp=0x0,
function_name=0x85795b4, retval_ptr_ptr=0xbfff7a58, param_count=2,
params=0x8580980, no_separation=0, symbol_table=0x0)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#11 0x4034c1ef in zif_call_user_func (ht=3, return_value=0x857770c,
this_ptr=0x0,
return_value_used=1)
at /home/skissane/adm/php-4.3.2/ext/standard/basic_functions.c:1825
#12 0x40410ea6 in execute (op_array=0x8381608)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#13 0x404110d9 in execute (op_array=0x849fb2c)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#14 0x404110d9 in execute (op_array=0x8569a5c)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#15 0x404110d9 in execute (op_array=0x82ec01c)
at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#16 0x403ffb48 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/skissane/adm/php-4.3.2/Zend/zend.c:869
#17 0x403ca119 in php_execute_script (primary_file=0xbffff750)
#18 0x40416ba6 in php_handler (r=0x83ff948)
at
/home/skissane/adm/php-4.3.2/sapi/apache2handler/sapi_apache2.c:525
#19 0x0807b47e in ap_run_handler (r=0x83ff948) at config.c:195
#20 0x0807b996 in ap_invoke_handler (r=0x83ff948) at config.c:401
#21 0x0806b8ff in ap_process_request (r=0x83ff948) at http_request.c:288
#22 0x08067b4d in ap_process_http_connection (c=0x828f118) at
http_core.c:293
#23 0x08084096 in ap_run_process_connection (c=0x828f118) at
connection.c:85
#24 0x0807a034 in child_main (child_num_arg=1930623196) at prefork.c:696
#25 0x0807a1de in make_child (s=0x80b4f00, slot=0) at prefork.c:736
#26 0x0807a237 in startup_children (number_to_start=8) at prefork.c:808
#27 0x0807a929 in ap_mpm_run (_pconf=0x8079910, plog=0x80ea8d8,
s=0x80b4f00)
at prefork.c:1024
#28 0x0807f642 in main (argc=2, argv=0xbffffa24) at main.c:660
#29 0x401e0967 in __libc_start_main () from /lib/libc.so.6
--
Edit bug report at http://bugs.php.net/?id=24762&edit=1
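A hardened variant of the error handler in this report, added here as an example and not part of the original report or of PHP itself. The reported handler writes $_REQUEST and $_SESSION values into the response unescaped, and its `$k . "=" . $v` concatenation performs an array-to-string conversion of its own whenever a request value is an array. The sketch below assumes PHP 7 or later (not the 4.3.2 build in the report); the safe_* names and SAFE_DEBUG are hypothetical.

```php
<?php
// Added example, not the reporter's code. safe_* names and SAFE_DEBUG are hypothetical.
const SAFE_DEBUG = false; // assumption: set to true only on a developer workstation

// Turn any value into HTML-safe text with no implicit array-to-string conversion.
function safe_render($value): string
{
    $text = (is_scalar($value) || $value === null)
        ? (string) $value
        : print_r($value, true);
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!(error_reporting() & $errno)) {
        return false; // honour error_reporting and the @ operator
    }
    // Full detail goes to the server log under a random reference id.
    // json_encode() escapes control characters, so request-derived text
    // cannot forge extra log lines. Session data is deliberately not logged.
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] errno=%d msg=%s at %s:%d request_keys=%s',
        $ref, $errno, json_encode($errstr), $errfile, $errline,
        json_encode(array_keys($_REQUEST))));

    // Discard partial page output, as the original does with ob_clean().
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    if (!headers_sent()) {
        http_response_code(500);
    }
    // The client sees only the reference id, which is hex and needs no escaping.
    echo '<b>ERROR:</b> reference ' . $ref . "<br>\n";
    if (SAFE_DEBUG) {
        echo "<b>Request:</b>\n<ul>\n";
        foreach ($_REQUEST as $k => $v) {
            echo '<li>' . safe_render($k) . '=' . safe_render($v) . "</li>\n";
        }
        echo "</ul>\n";
    }
    exit(1);
}

set_error_handler('safe_error_handler');
```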