From: gw at gnc dot at
Operating system: suse sles9 kernel 2.6.5
PHP version: 5.1.2
PHP Bug Type: Reproducible crash
Bug description: zend/php crashes with server side includes in 5.0.4
Description:
------------
PHP 5.0.4, httpd 2.0.55 on a SUSE SLES 9.
httpd crashes when using server side includes.
No idea if this belongs to PHP only... I'm not using any 3rd party
products. Just a plain php504 installation.
No changes to php.ini.
Upgrade is not possible due to external customer scripts.
php config:
'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql'
'--enable-ftp' '--enable-trans-sid' '--enable-track-vars' '--enable-imap'
'--with-gettext' '--with-oci8=/opt/oracle/ora9i' '--without-sqlite'
Reproduce code:
---------------
<!--#config timefmt="%d. %m., %H:%M" -->
Actual result:
--------------
zaphod:/usr/local/apache/bin # gdb ./httpd
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i586-suse-linux"...Using host libthread_db
library "/lib/tls/libthread_db.so.1".
(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X
[Thread debugging using libthread_db enabled]
[New Thread 1076812448 (LWP 29354)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076812448 (LWP 29354)]
zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at
/root/software/php-5.0.4/Zend/zend_hash.c:955
955 if ((p->h == h) && (p->nKeyLength == 0)) {
(gdb) bt
#0 zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at
/root/software/php-5.0.4/Zend/zend_hash.c:955
#1 0x4045b038 in _zend_list_delete (id=2) at
/root/software/php-5.0.4/Zend/zend_list.c:55
#2 0x404305fc in _php_stream_free (stream=0x82f988c, close_options=3) at
/root/software/php-5.0.4/main/streams/streams.c:310
#3 0x40420461 in stream_closer_for_zend (handle=0x82f988c) at
/root/software/php-5.0.4/main/main.c:843
#4 0x4043f913 in zend_file_handle_dtor (fh=0x82f99ac) at
zend_language_scanner.l:246
#5 0x4044cb29 in zend_llist_del_element (l=0x404cf2d4,
element=0xbfffef40, compare=0x4043b770 <zend_compare_file_handles>) at
/root/software/php-5.0.4/Zend/zend_llist.c:104
#6 0x4043f769 in zend_destroy_file_handle (file_handle=0xbfffef40) at
zend_language_scanner.l:284
#7 0x40452909 in zend_execute_scripts (type=2, retval=0x0, file_count=1)
at /root/software/php-5.0.4/Zend/zend.c:1066
#8 0x40482466 in php_handler (r=0x82f76e0) at
/root/software/php-5.0.4/sapi/apache2handler/sapi_apache2.c:557
#9 0x0808612b in ap_run_handler (r=0x82f76e0) at config.c:152
#10 0x08088aa5 in ap_invoke_handler (r=0x82f76e0) at config.c:364
#11 0x0809b278 in ap_run_sub_req (r=0x82f76e0) at request.c:1855
#12 0x080658cc in handle_include (ctx=0x82d7878, bb=0xbffff1bc,
r=0x82e3298, f=0x82dd438, head_ptr=0x82db850, inserted_head=0xbffff1c0) at
mod_include.c:742
#13 0x080638f9 in includes_filter (f=0x82dd438, b=0x82dd578) at
mod_include.c:3309
#14 0x0809200b in ap_pass_brigade (next=0x82dd438, bb=0x82dd578) at
util_filter.c:512
#15 0x08099aad in default_handler (r=0x82e3298) at core.c:3640
#16 0x0808612b in ap_run_handler (r=0x82e3298) at config.c:152
#17 0x08088aa5 in ap_invoke_handler (r=0x82e3298) at config.c:364
#18 0x0806e7af in ap_process_request (r=0x82e3298) at http_request.c:249
#19 0x08069e1c in ap_process_http_connection (c=0x82d7340) at
http_core.c:251
#20 0x0809007b in ap_run_process_connection (c=0x82d7340) at
connection.c:43
#21 0x08085238 in child_main (child_num_arg=<value optimized out>) at
prefork.c:610
#22 0x0808538e in make_child (s=0x80c6c88, slot=0) at prefork.c:650
#23 0x08085451 in startup_children (number_to_start=5) at prefork.c:722
#24 0x08085b1d in ap_mpm_run (_pconf=0x80c20a8, plog=0x80fc190,
s=0x80c6c88) at prefork.c:941
#25 0x0808ac7c in main (argc=2, argv=0xbffff614) at main.c:618
#0 zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at
/root/software/php-5.0.4/Zend/zend_hash.c:955
nIndex = 2
p = (Bucket *) 0x90a3e69
#1 0x4045b038 in _zend_list_delete (id=2) at
/root/software/php-5.0.4/Zend/zend_list.c:55
le = <value optimized out>
#2 0x404305fc in _php_stream_free (stream=0x82f988c, close_options=3) at
/root/software/php-5.0.4/main/streams/streams.c:310
ret = 1
remove_rsrc = <value optimized out>
release_cast = 1
#3 0x40420461 in stream_closer_for_zend (handle=0x82f988c) at
/root/software/php-5.0.4/main/main.c:843
No locals.
#4 0x4043f913 in zend_file_handle_dtor (fh=0x82f99ac) at
zend_language_scanner.l:246
No locals.
#5 0x4044cb29 in zend_llist_del_element (l=0x404cf2d4,
element=0xbfffef40, compare=0x4043b770 <zend_compare_file_handles>) at
/root/software/php-5.0.4/Zend/zend_llist.c:104
current = (zend_llist_element *) 0x82f99a4
next = (zend_llist_element *) 0x0
#6 0x4043f769 in zend_destroy_file_handle (file_handle=0xbfffef40) at
zend_language_scanner.l:284
No locals.
#7 0x40452909 in zend_execute_scripts (type=2, retval=0x0, file_count=1)
at /root/software/php-5.0.4/Zend/zend.c:1066
params = <value optimized out>
retval2 = (zval *) 0x1
old_exception = (zval *) 0x82f950c
ex_class_name =
"`\223/[EMAIL PROTECTED]"\000\000F([EMAIL PROTECTED]/[EMAIL PROTECTED]/\000\"",
'\0' <repeats 11 times>,
"\023\000\000\000H\220/\bô\217/\bÀ\201/\bÚ\002\v\b\bz/\b
v/\b3¨\n\b\bz/\bhîÿ¿%ó\b\b\bz/\bÚ\002\v\bÀ\201/\b\020\225/\b"
files = <value optimized out>
i = 0
file_handle = (zend_file_handle *) 0xbfffef40
orig_op_array = (zend_op_array *) 0x0
local_retval = (zval *) 0x0
#8 0x40482466 in php_handler (r=0x82f76e0) at
/root/software/php-5.0.4/sapi/apache2handler/sapi_apache2.c:557
zfd = {type = 5 '\005', filename = 0x82f84d0
"/home/webspace/www.waa.at/htdocs/feat_modules/mod_sem_wise.html",
opened_path = 0x82f97ac
"/data1/webspace/www.waa.at/htdocs/feat_modules/mod_sem_wise.html", handle
= {fd = 137336972, fp = 0x82f988c, stream = {handle = 0x82f988c,
reader = 0x4042f9e0 <_php_stream_read>, closer = 0x40420450
<stream_closer_for_zend>, interactive = 0}}, free_filename = 0 '\0'}
orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved =
0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
ctx = (php_struct *) 0x82f7518
brigade = (apr_bucket_brigade *) 0x82f7590
bucket = <value optimized out>
rv = <value optimized out>
parent_req = (request_rec *) 0x82f56d8
content_type = <value optimized out>
content_length = <value optimized out>
auth = <value optimized out>
#9 0x0808612b in ap_run_handler (r=0x82f76e0) at config.c:152
pHook = (ap_LINK_handler_t *) 0x81e5a7c
n = 7
rv = 151666281
#10 0x08088aa5 in ap_invoke_handler (r=0x82f76e0) at config.c:364
new_handler = <value optimized out>
p2 = <value optimized out>
handler = 0x816b9d8 "application/x-httpd-php"
result = <value optimized out>
old_handler = 0x0
#11 0x0809b278 in ap_run_sub_req (r=0x82f76e0) at request.c:1855
retval = 0
#12 0x080658cc in handle_include (ctx=0x82d7878, bb=0xbffff1bc,
r=0x82e3298, f=0x82dd438, head_ptr=0x82db850, inserted_head=0xbffff1c0) at
mod_include.c:742
tag_plus = <value optimized out>
tag = <value optimized out>
tag_val = 0x82e5348 "/feat_modules/mod_sem_wise.html"
tmp_buck = <value optimized out>
parsed_string = <value optimized out>
#13 0x080638f9 in includes_filter (f=0x82dd438, b=0x82dd578) at
mod_include.c:3309
dummy = (apr_bucket *) 0x0
tag = <value optimized out>
tag_len = <value optimized out>
carg = <value optimized out>
handle_func = (include_handler_fn_t *) 0x8065610 <handle_include>
r = <value optimized out>
ctx = <value optimized out>
conf = (include_dir_config *) 0x81016a8
sconf = (include_server_config *) 0x81001a0
#14 0x0809200b in ap_pass_brigade (next=0x82dd438, bb=0x82dd578) at
util_filter.c:512
e = <value optimized out>
#15 0x08099aad in default_handler (r=0x82e3298) at core.c:3640
req_cfg = <value optimized out>
c = (conn_rec *) 0x82d7340
bb = (apr_bucket_brigade *) 0x82dd578
e = (apr_bucket *) 0x82db3f0
d = (core_dir_config *) 0x82e5170
errstatus = 137221500
fd = (apr_file_t *) 0x82dd488
status = <value optimized out>
bld_content_md5 = 137212912
#16 0x0808612b in ap_run_handler (r=0x82e3298) at config.c:152
pHook = (ap_LINK_handler_t *) 0x81e5aa4
n = 9
rv = 151666281
#17 0x08088aa5 in ap_invoke_handler (r=0x82e3298) at config.c:364
new_handler = <value optimized out>
p2 = <value optimized out>
handler = 0x1 <Address 0x1 out of bounds>
result = <value optimized out>
old_handler = 0x80a4afe "default-handler"
#18 0x0806e7af in ap_process_request (r=0x82e3298) at http_request.c:249
access_status = <value optimized out>
#19 0x08069e1c in ap_process_http_connection (c=0x82d7340) at
http_core.c:251
r = (request_rec *) 0x82e3298
csd_set = 1
csd = (apr_socket_t *) 0x82d7268
#20 0x0809007b in ap_run_process_connection (c=0x82d7340) at
connection.c:43
pHook = (ap_LINK_process_connection_t *) 0x81e5e88
n = 0
rv = 151666281
#21 0x08085238 in child_main (child_num_arg=<value optimized out>) at
prefork.c:610
ptrans = (apr_pool_t *) 0x82d7230
allocator = (apr_allocator_t *) 0x82d51a0
current_conn = (conn_rec *) 0x82d7340
status = <value optimized out>
i = <value optimized out>
lr = <value optimized out>
curr_pollfd = <value optimized out>
last_pollfd = 0
pollset = (apr_pollfd_t *) 0x82d52c0
offset = <value optimized out>
csd = (void *) 0x82d7268
sbh = (ap_sb_handle_t *) 0x82d52a0
rv = <value optimized out>
bucket_alloc = (apr_bucket_alloc_t *) 0x82db240
#22 0x0808538e in make_child (s=0x80c6c88, slot=0) at prefork.c:650
pid = <value optimized out>
#23 0x08085451 in startup_children (number_to_start=5) at prefork.c:722
i = 0
#24 0x08085b1d in ap_mpm_run (_pconf=0x80c20a8, plog=0x80fc190,
s=0x80c6c88) at prefork.c:941
pidfile = <value optimized out>
index = <value optimized out>
remaining_children_to_start = 5
rv = <value optimized out>
#25 0x0808ac7c in main (argc=2, argv=0xbffff614) at main.c:618
exit_status = <value optimized out>
c = <value optimized out>
configtestonly = 0
confname = 0x80ae586 "conf/httpd.conf"
def_server_root = 0x80af104 "/usr/local/apache2"
temp_error_log = 0x0
process = <value optimized out>
server_conf = (server_rec *) 0x80c6c88
pglobal = (apr_pool_t *) 0x80c00a0
pconf = (apr_pool_t *) 0x80c20a8
plog = (apr_pool_t *) 0x80fc190
ptemp = (apr_pool_t *) 0x81051b0
pcommands = (apr_pool_t *) 0x80c40b0
opt = <value optimized out>
rv = <value optimized out>
mod = <value optimized out>
optarg = 0x0
signal_server = <value optimized out>
--
Edit bug report at http://bugs.php.net/?id=36293&edit=1