#26223 [Opn]: Error message makes PHP crash (in some special cases)

2004-10-20 Thread Xuefer at 21cn dot com
 ID:   26223
 User updated by:  Xuefer at 21cn dot com
 Reported By:  Xuefer at 21cn dot com
 Status:   Open
 Bug Type: *General Issues
 Operating System: win32+rh7
 PHP Version:  4CVS, 5CVS
 Assigned To:  helly
 New Comment:

Sorry! Ignore my previous note.
When I pressed submit, I suddenly noticed this piece of code was added by
myself for debugging purposes, not in PHP :(


Previous Comments:


[2004-10-20 17:40:05] Xuefer at 21cn dot com

By trying ZEND_DEBUG, I found it accesses a hash in php_error_cb which is
destroyed.
Debug output:
[1804] e:\work\php4\zend\zend_hash.c(886) : ht=0x00df9614 is already destroyed

win32 stack backtrace shows frame 3 at:
if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &server_vars) == SUCCESS &&
    Z_TYPE_PP(server_vars) == IS_ARRAY &&
    zend_hash_find(Z_ARRVAL_PP(server_vars), "HTTP_HOST", sizeof("HTTP_HOST"), (void **) &host) == SUCCESS &&
    Z_TYPE_PP(host) == IS_STRING &&
    zend_hash_find(Z_ARRVAL_PP(server_vars), "REQUEST_URI", sizeof("REQUEST_URI"), (void **) &uri) == SUCCESS &&
    Z_TYPE_PP(uri) == IS_STRING &&
    zend_hash_find(Z_ARRVAL_PP(server_vars), "REQUEST_METHOD", sizeof("REQUEST_METHOD"), (void **) &method) == SUCCESS &&
    Z_TYPE_PP(method) == IS_STRING &&
    1
   ) {


note: log_errors is turned ON



[2004-10-18 14:36:30] mikael dot suvi at trigger dot ee

For the last sample crash script I did the following that fixed the
crash for php-5.0.2. The problem was that the session_write handler is
called after the user-defined shutdown functions, and
php_call_shutdown_functions has already freed the global
user_shutdown_function_names by the time the session_write handler
tries to register a shutdown function again.

=
diff ext/standard/basic_functions.c.old ext/standard/basic_functions.c
2195a2196
>   BG(user_shutdown_function_names) = NULL;
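Review bot: the reset added at new line 2196 comes with no surrounding context, so the hunk alone does not show that it sits directly after the free of user_shutdown_function_names and on every path that frees it; please resend as a unified diff (diff -u) so the placement can be checked. A one-line comment next to the assignment saying that a session write handler can still call register_shutdown_function after the user shutdown functions have run would keep the reset from being removed later as redundant.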
=
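Added example (not part of the bug report and not PHP source): a small C model of the ordering described in the comment above, where the table is freed at shutdown and a later handler registers again. The names fn_table, register_shutdown, free_shutdown_table and late_registration are hypothetical, and lazy allocation on a NULL pointer is an assumption about how registration behaves.

```c
#include <stdlib.h>

/* Constructed model, not PHP source. The struct lives in static storage so
 * the destroyed state can be detected instead of dereferenced. */
typedef struct { const char **buckets; size_t count, cap; } fn_table;
static fn_table  storage;
static fn_table *shutdown_names; /* stands in for BG(user_shutdown_function_names) */
enum { REG_OK = 0, REG_STALE = -1, REG_NOMEM = -2 };

/* Assumption: registration allocates the table lazily when the pointer is NULL. */
static int register_shutdown(const char *name)
{
    if (shutdown_names == NULL) {
        storage.cap = 4;
        storage.count = 0;
        storage.buckets = calloc(storage.cap, sizeof *storage.buckets);
        if (storage.buckets == NULL) return REG_NOMEM;
        shutdown_names = &storage;
    }
    if (shutdown_names->buckets == NULL)
        return REG_STALE; /* the real engine reads the freed bucket array here */
    if (shutdown_names->count == shutdown_names->cap) return REG_NOMEM;
    shutdown_names->buckets[shutdown_names->count++] = name;
    return REG_OK;
}

/* Free step at request shutdown; reset_pointer models the one-line patch. */
static void free_shutdown_table(int reset_pointer)
{
    if (shutdown_names == NULL) return;
    free(shutdown_names->buckets);
    shutdown_names->buckets = NULL;
    shutdown_names->count = shutdown_names->cap = 0;
    if (reset_pointer) shutdown_names = NULL;
}

/* Replays the reported order: table freed, then a late registration. */
static int late_registration(int reset_pointer)
{
    int rc;
    shutdown_names = NULL;
    if (register_shutdown("user_fn") != REG_OK) return REG_NOMEM;
    free_shutdown_table(reset_pointer);
    rc = register_shutdown("from_session_write");
    free_shutdown_table(1); /* release whatever the late call allocated */
    return rc;
}
int main(void)
{
    return (late_registration(0) == REG_STALE && late_registration(1) == REG_OK) ? 0 : 1;
}
```

Without the reset the late call finds a non-NULL pointer to a destroyed table (REG_STALE, the point where the backtrace in this report faults); with the reset it allocates a fresh table and succeeds.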



[2004-09-15 18:23:11] Xuefer at 21cn dot com

ok, i won't send corefile
os updated, this coredump is generated under linux
script updated:


the "open" handler should be callable or else:
Fatal error: session_start(): Failed to initialize storage module: user
(path: /tmp/) in /home/oursky/a.php on line 13

but when i change
session_set_save_handler('aa', 'b', 'b', 'aa', 'b', 'b');
to
session_set_save_handler('b',  'b', 'b', 'aa', 'b', 'b');
no coredump

very strange



[2004-09-15 18:13:08] [EMAIL PROTECTED]

thanks, but sending a core file is pointless without sending all
libraries and binaries over too. Btw, is the OS really "win32 only"?



[2004-09-15 17:51:48] Xuefer at 21cn dot com

core file will be sent to sniper at **.net ok?

Starting program: /home/oursky/src/php4-www-debug/sapi/cli/php -c .
a.php

Program received signal SIGSEGV, Segmentation fault.
0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc,
h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
at /home/oursky/src/php4/Zend/zend_hash.c:390
390 p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc,
h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
at /home/oursky/src/php4/Zend/zend_hash.c:390
#1  0x08070bd0 in zif_register_shutdown_function (ht=1,
return_value=0xbfffeea0, this_ptr=0x0, return_value_used=0)
at /home/oursky/src/php4/ext/standard/basic_functions.c:2187
#2  0x080eee0f in execute (op_array=0x81549e0) at
/home/oursky/src/php4/Zend/zend_execute.c:1635
#3  0x080db4c2 in call_user_function_ex (function_table=0x8128f30,
object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xb178,
param_count=2, 
params=0x8154dc4, no_separation=1, symbol_table=0x0) at
/home/oursky/src/php4/Zend/zend_execute_API.c:567
#4  0x080dafd3 in call_user_function (function_table=0x39306535,
object_pp=0x39306535, function_name=0x39306535, retval_ptr=0x8154c44, 
param_count=135613340, params=0xb1c0) at
/home/oursky/src/php4/Zend/zend_execute_API.c:409
#5  0x0805fdd8 in ps_write_user (mod_data=0x39306535, key=0x815487c
"77d6e387747ca3b89ae8236afa355e09", 
val=0x39306535 , vallen=0) at
/home/oursky/src/php4/ext/session/mod_user.c:60
#6  0x0805df86 in php_session_save_current_state () at
/home/oursky/src/php4/ext/session/session.c:694
#7  0x0805d9da in zm_deactivate_session (type=1, module_number=2) at
/home/oursky/src/php4/ext/session/session.c:1598
#8  0x080e4c79 in module_registry_cleanup (module=0x39306535) at
/home/oursky/src/php4/Zend/zend_API.c:1167
#9  0x080e6f18 in zend_hash_apply (ht=0xb1c0, apply_func=0x815560c)
at /home/oursky/src/php4/Zend/zend_hash.c:701
#10 0x080e1d64 in zend_deactivate_modules () at
/home/oursky/src/php4/Zend/zend.c:652
#11 0x080b93a5 in php_request_shutdown (dummy=0x0) at
/home/oursky/src/php4/main/main.c:991
#12 0x080f35f8 in main (argc=4, argv=0xba44) at
/home/oursky/src/php4/sapi/cli/php