From:             skissane at ics dot mq dot edu dot au
Operating system: Linux (RedHat 9.0)
PHP version:      4.3.2
PHP Bug Type:     Reproducible crash
Bug description:  Reproducible crash in error handling

Description:
------------
I am sometimes getting segfaults when my custom error handler executes. It happens when an array is passed to preg_match instead of a string, and this raises an error. Below is the error handler, and the backtrace PHP gives, and my PHP configuration.

PHP/Apache Version

PHP Version 4.3.2

System                               Linux itsa.iips.mq.edu.au 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686
Build Date                           Jul 23 2003 09:42:28
Configure Command                    './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mssql=/usr/local' '--without-mysql' '--with-curl=/usr' '--enable-debug'
Server API                           Apache 2.0 Handler
Virtual Directory Support            disabled
Configuration File (php.ini) Path    /usr/local/lib/php.ini
PHP API                              20020918
PHP Extension                        20020429
Zend Extension                       20021010
Debug Build                          yes
Thread Safety                        disabled
Registered PHP Streams               php, http, ftp

apache2handler

Apache Version                       Apache/2.0.45 (Unix)
Apache API Version                   20020903
Server Administrator                 [EMAIL PROTECTED]
Hostname:Port                        itsa.iips.mq.edu.au:0
User/Group                           apache(48)/48
Max Requests                         Per Child: 1000 - Keep Alive: off - Max Per Connection: 100
Timeouts                             Connection: 300 - Keep-Alive: 15
Virtual Server                       No
Server Root                          /etc/httpd
Loaded Modules                       core mod_access mod_auth mod_include mod_log_config mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex mod_asis mod_cgi mod_negotiation mod_dir mod_imap mod_actions mod_userdir mod_alias mod_so sapi_apache2

Directive        Local Value    Master Value
engine           1              1
last_modified    0              0
xbithack         0              0

Reproduce code:
---------------
<?
/*
** File: error.inc
** Description: Error handling code
** right form when user presses 'Cancel'
** Version: 1.0
** Created: 20/03/2003
** Author: Simon Kissane <[EMAIL PROTECTED]>
** Group: Internet Information Projects & Services
**
** Copyright (C) 2003 Macquarie University
*/

// Turn on output buffering
ob_start();

/*
** Function: _error_backtrace()
** Input: None
** Output: None
** Description: Print stack backtrace
*/
function _error_backtrace () {
    $trace = debug_backtrace();
    echo "<ul>\n";
    foreach ($trace as $fn => $frame) {
        if ($fn < 2) { continue; }
        echo "<li>#" . ($fn-2) . " - <b>";
        if (array_key_exists("class",$frame)) {
            echo $frame["class"] . $frame["type"];
        }
        echo $frame["function"];
        echo "</b>";
        if (array_key_exists("line",$frame)) {
            echo " (at line " . $frame["line"] . " of file " . $frame["file"] . ")";
        }
        echo "</li>\n";
        if (array_key_exists("args",$frame)) {
            echo "<ul>\n";
            foreach ($frame["args"] as $key => $arg) {
                echo "<li># " . $key . " - [";
                print_r($arg);
                echo "]</li>\n";
            }
            echo "</ul>\n";
        }
    }
    echo "</ul>\n";
}

/*
** Function: _error_handler()
** Input: INTEGER $errno, STRING $errstr, STRING $errfile, INTEGER $errline
** Output: None
** Description: Custom error handler.
** Some code taken from http://www.php.net/manual/en/function.set-error-handler.php
*/
function _error_handler($errno, $errstr, $errfile, $errline) {
    ob_clean();
    // Special friendly handling for database errors.
    if (strpos($errstr,"Unable to connect to server") !== FALSE) {
        include_once("databaseproblem.inc");
        exit;
    } else if (strpos($errstr,"String or binary data would be truncated") !== FALSE) {
        include_once("truncationerror.inc");
        exit;
    }
    echo "<b>ERROR:</b> [$errno] $errstr<br>\n";
    echo " Fatal error in line " . $errline . " of file " . $errfile;
    echo ", PHP ". PHP_VERSION . " (" . PHP_OS . ")<br>\n";
    echo "<b>Stack backtrace:</b><br>\n";
    _error_backtrace();
    echo "<b>Request:</b>\n";
    echo "<ul>\n";
    foreach ($_REQUEST as $k => $v) {
        echo "<li>" . $k . "=" . $v . "</li>\n";
    }
    echo "</ul>\n";
    echo "<b>Session Data:</b>\n";
    echo "<ul>\n";
    foreach ($_SESSION as $k => $v) {
        echo "<li>" . $k . "=";
        print_r($v);
        echo "</li>\n";
    }
    echo "</ul>\n";
    // echo "<b>Globals:</b>\n";
    // echo "<ul>\n";
    // foreach ($GLOBALS as $k => $v) {
    //     echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    // }
    // echo "</ul>\n";
    echo "Aborting...<br>\n";
    exit(1);
}

/*
** Function: logdebug()
** Input: STRING $msg
** Output: None
** Description: Log a debugging message to the debugging log
*/
function logdebug($msg) {
    // $_logdebug_file = fopen("/hosts/iips/logs/dev/handbook-debug.log","a+");
    // fwrite($_logdebug_file, date('Y-m-d H:i:s') . " " . $msg ."\n");
    // fclose($_logdebug_file);
    // echo "<tt>" . $msg . "</tt><br/>";
}

// Initialise custom error handling
set_error_handler("_error_handler");
?>

Expected result:
----------------
No segfault!

Actual result:
--------------
Backtrace

Program received signal SIGSEGV, Segmentation fault.
0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c, pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4) at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
783             if (p->nKeyLength) {
(gdb) bt
#0  0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c, pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4) at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
#1  0x403fe08d in _zval_copy_ctor (zvalue=0x8586eb4, __zend_filename=0x40448440 "/home/skissane/adm/php-4.3.2/Zend/zend_execute.c", __zend_lineno=481) at /home/skissane/adm/php-4.3.2/Zend/zend_variables.c:124
#2  0x40415902 in zend_assign_to_variable (result=0x83916e8, op1=0x83916f8, op2=0x8391708, value=0x857a164, type=4, Ts=0xbfff5180) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:481
#3  0x40410076 in execute (op_array=0x83a6280) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1349
#4  0x404110d9 in execute (op_array=0x82f6ee0) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#5  0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0, function_name=0x8352b6c, retval_ptr_ptr=0xbfff6264, param_count=5, params=0x857ca0c, no_separation=1, symbol_table=0x0) at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#6  0x403ff8f6 in zend_error (type=8, format=0x404467e2 "Array to string conversion") at /home/skissane/adm/php-4.3.2/Zend/zend.c:797
#7  0x403f8dd8 in _convert_to_string (op=0x857a164, __zend_filename=0x40447d40 "/home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c", __zend_lineno=263) at /home/skissane/adm/php-4.3.2/Zend/zend_operators.c:466
#8  0x40408185 in zend_if_strlen (ht=1, return_value=0x857a1a4, this_ptr=0x0, return_value_used=1) at /home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c:263
#9  0x40410ea6 in execute (op_array=0x84f6818) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#10 0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0, function_name=0x85795b4, retval_ptr_ptr=0xbfff7a58, param_count=2, params=0x8580980, no_separation=0, symbol_table=0x0) at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#11 0x4034c1ef in zif_call_user_func (ht=3, return_value=0x857770c, this_ptr=0x0, return_value_used=1) at /home/skissane/adm/php-4.3.2/ext/standard/basic_functions.c:1825
#12 0x40410ea6 in execute (op_array=0x8381608) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#13 0x404110d9 in execute (op_array=0x849fb2c) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#14 0x404110d9 in execute (op_array=0x8569a5c) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#15 0x404110d9 in execute (op_array=0x82ec01c) at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#16 0x403ffb48 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/skissane/adm/php-4.3.2/Zend/zend.c:869
#17 0x403ca119 in php_execute_script (primary_file=0xbffff750)
#18 0x40416ba6 in php_handler (r=0x83ff948) at /home/skissane/adm/php-4.3.2/sapi/apache2handler/sapi_apache2.c:525
#19 0x0807b47e in ap_run_handler (r=0x83ff948) at config.c:195
#20 0x0807b996 in ap_invoke_handler (r=0x83ff948) at config.c:401
#21 0x0806b8ff in ap_process_request (r=0x83ff948) at http_request.c:288
#22 0x08067b4d in ap_process_http_connection (c=0x828f118) at http_core.c:293
#23 0x08084096 in ap_run_process_connection (c=0x828f118) at connection.c:85
#24 0x0807a034 in child_main (child_num_arg=1930623196) at prefork.c:696
#25 0x0807a1de in make_child (s=0x80b4f00, slot=0) at prefork.c:736
#26 0x0807a237 in startup_children (number_to_start=8) at prefork.c:808
#27 0x0807a929 in ap_mpm_run (_pconf=0x8079910, plog=0x80ea8d8, s=0x80b4f00) at prefork.c:1024
#28 0x0807f642 in main (argc=2, argv=0xbffffa24) at main.c:660
#29 0x401e0967 in __libc_start_main () from /lib/libc.so.6

-- 
Edit bug report at http://bugs.php.net/?id=24762&edit=1