ID: 29090
Comment by: marcus at lucidix dot com
Reported By: derek at battams dot ca
Status: Feedback
Bug Type: Reproducible crash
Operating System: Linux 2.4
PHP Version: 5.0.0RC3
New Comment:
Description:
------------
We are experiencing a similar seg fault, also in zend_hash_find.
Two servers running Linux 2.4, Apache 1.3, MySQL 4.0, PHP 5.0 (also
tested with CVS php5-200407242230.tar.bz2) segfault.
However, our application runs without issues on Windows XP, Apache 2.0,
MySQL 4.0, PHP 5.0.0.
The class this error occurs in is also part of a much larger system. We
have not yet been able to isolate the exact line of code causing this.
Additionally, the behavior is not consistent. Seg faults occur 95% of
the time, but occasionally it will run.
A few differences to the original bug report: We are not using
destructors, and no calls to md5 are made. The only common code between
our two code snippets is file_exists().
Please note: The following code snippet will not work by itself.
Reproduce code:
---------------
function _findstoredproc($storedproc)
{
// load the list of modules installed
$modmgr = lxModules::singleton();
$modules = $modmgr->modulelist();
// prepend the "core" module
$core = array(
'name' => 'core',
'type' => 'global',
'path' => GLOBALDIR . '/src/'
);
array_unshift($modules, $core);
// scan each module
foreach($modules as $module)
{
// assemble the file name, using module directory, drv/, proc
name
and driver extension
$filename = $module['path'] . 'drv/' . $storedproc . '.' .
$this->db_driver;
// check if the "stored proc" exists
if (file_exists($filename))
{
return $filename;
}
}
return false;
}
Expected Result:
----------------
Function returns a filename or false.
Actual Result:
"The page cannot be displayed" as the Apache child process seg faults.
Apache Error Log:
-----------------
/usr/local/src/php5-200407242230/main/streams/streams.c(1551) : Block
0x0838E678 status:
Beginning: Overrun (magic=0x4020F0E4, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Sun Jul 25 13:25:31 2004] Script:
'/home/marcus/public_html/webapp/trunk/index.lx'
---------------------------------------
/usr/local/src/php5-200407242230/Zend/zend_constants.c(33) : Block
0x404D9CA3 status:
/usr/local/src/php5-200407242230/Zend/zend_variables.c(39) : Actual
location (location was relayed)
Beginning: Overrun (magic=0x75622E6E, expected=0x7312F8DC)
[Sun Jul 25 13:25:32 2004] [notice] child pid 18603 exit signal
Segmentation fault (11)
GDB Backtrace:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 14684)]
0x4076c9e0 in zend_hash_find (ht=0x8235e6c, arKey=0x823c3dc "filename",
nKeyLength=9,
pData=0xbfffeaf4) at /usr/local/src/php-5.0.0/Zend/zend_hash.c:854
854 if ((p->h == h) && (p->nKeyLength ==
nKeyLength)) {
(gdb) bt
#0 0x4076c9e0 in zend_hash_find (ht=0x8235e6c, arKey=0x823c3dc
"filename", nKeyLength=9,
pData=0xbfffeaf4) at /usr/local/src/php-5.0.0/Zend/zend_hash.c:854
#1 0x4078920f in zend_fetch_var_address (opline=0x823bc38,
Ts=0x833ea5c, type=0)
at /usr/local/src/php-5.0.0/Zend/zend_execute.c:762
#2 0x4078c5ef in zend_fetch_r_handler (execute_data=0xbfffeb60,
opline=0x823bc38,
op_array=0x82b6fc4) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:1996
#3 0x4078acc4 in execute (op_array=0x82b6fc4) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:1391
#4 0x4078edd5 in zend_do_fcall_common_helper (execute_data=0xbfffec50,
opline=0x823e9c4,
op_array=0x823c064) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:2728
#5 0x4078f2ef in zend_do_fcall_by_name_handler
(execute_data=0xbfffec50, opline=0x823e9c4,
op_array=0x823c064) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:2810
#6 0x4078acc4 in execute (op_array=0x823c064) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:1391
#7 0x4078edd5 in zend_do_fcall_common_helper (execute_data=0xbfffed40,
opline=0x82655fc,
op_array=0x8266174) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:2728
#8 0x4078f2ef in zend_do_fcall_by_name_handler
(execute_data=0xbfffed40, opline=0x82655fc,
op_array=0x8266174) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:2810
#9 0x4078acc4 in execute (op_array=0x8266174) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:1391
#10 0x40756674 in zend_call_function (fci=0xbfffeeb0, fci_cache=0x0)
at /usr/local/src/php-5.0.0/Zend/zend_execute_API.c:835
#11 0x407555ac in call_user_function_ex (function_table=0x8150288,
object_pp=0x0,
function_name=0x824163c, retval_ptr_ptr=0xbfffef14, param_count=2,
params=0x82305cc,
no_separation=1, symbol_table=0x0) at
/usr/local/src/php-5.0.0/Zend/zend_execute_API.c:550
#12 0x40755463 in call_user_function (function_table=0x8150288,
object_pp=0x0,
function_name=0x824163c, retval_ptr=0x833cdec, param_count=2,
params=0xbfffef98)
at /usr/local/src/php-5.0.0/Zend/zend_execute_API.c:525
#13 0x4061a59b in ps_call_handler (func=0x824163c, argc=2,
argv=0xbfffef98)
at /usr/local/src/php-5.0.0/ext/session/mod_user.c:60
#14 0x4061abcb in ps_write_user (mod_data=0x4082feb0,
key=0x8241b2c "9541b01fe73fd7dcc43389ececda7949",
val=0x833f3ec "theme|s:7:\"default\";navmenu|s:4770:\"var myMenu =
[[' ', 'My Office', '/index.lx?_mod=transact&_file=index',
'_self', 'Go to My Work"..., vallen=5243) at
/usr/local/src/php-5.0.0/ext/session/mod_user.c:148
#15 0x40614d51 in php_session_save_current_state ()
at /usr/local/src/php-5.0.0/ext/session/session.c:802
#16 0x40619049 in php_session_flush () at
/usr/local/src/php-5.0.0/ext/session/session.c:1708
#17 0x40619074 in zm_deactivate_session (type=1, module_number=7)
at /usr/local/src/php-5.0.0/ext/session/session.c:1722
#18 0x40767fa0 in module_registry_cleanup (module=0x80e3b88)
at /usr/local/src/php-5.0.0/Zend/zend_API.c:1469
#19 0x4076c22e in zend_hash_apply (ht=0x40834380, apply_func=0x40767f5d
<module_registry_cleanup>)
at /usr/local/src/php-5.0.0/Zend/zend_hash.c:664
#20 0x40762ae5 in zend_deactivate_modules () at
/usr/local/src/php-5.0.0/Zend/zend.c:804
#21 0x40715391 in php_request_shutdown (dummy=0x0) at
/usr/local/src/php-5.0.0/main/main.c:1198
#22 0x40797c92 in apache_php_module_main (r=0x815c834,
display_source_mode=0)
at /usr/local/src/php-5.0.0/sapi/apache/sapi_apache.c:60
#23 0x40798c85 in send_php (r=0x815c834, display_source_mode=0,
filename=0x815e364
"/home/marcus/public_html/webapp/trunk/index.lx")
at /usr/local/src/php-5.0.0/sapi/apache/mod_php5.c:622
#24 0x40798d0a in send_parsed_php (r=0x815c834)
at /usr/local/src/php-5.0.0/sapi/apache/mod_php5.c:637
#25 0x08053ab4 in ap_invoke_handler ()
#26 0x0806342c in ap_some_auth_required ()
#27 0x08063488 in ap_process_request ()
#28 0x0805cc6b in ap_child_terminate ()
#29 0x0805cdfc in ap_child_terminate ()
#30 0x0805cf19 in ap_child_terminate ()
#31 0x0805d3f5 in ap_child_terminate ()
#32 0x0805dafd in main ()
#33 0x400f4da6 in __libc_start_main () from /lib/libc.so.6
(gdb) frame 3
#3 0x4078acc4 in execute (op_array=0x82b6fc4) at
/usr/local/src/php-5.0.0/Zend/zend_execute.c:1391
1391 if (EX(opline)->handler(&execute_data,
EX(opline), op_array TSRMLS_CC)) {
(gdb) print (char
*)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x82b6edc "_findstoredproc"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x82b6edc "_findstoredproc"
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x82028d4
"/data/home/marcus/public_html/webapp/trunk/gbl/src/class.backend2.lx"
Previous Comments:
------------------------------------------------------------------------
[2004-07-25 21:12:35] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip
------------------------------------------------------------------------
[2004-07-17 19:28:57] derek at battams dot ca
This problem has carried over into the 5.0.0 final release.
------------------------------------------------------------------------
[2004-07-11 05:47:01] derek at battams dot ca
Description:
------------
PHP segfaults when trying to use the result of md5 or sha1 (tried md5
initally, then tried sha1 when code kept segfaulting) as a file name in
my destructor. Unfortunately, I can't reproduce the crash with a small
script (the class in question is part of a much larger system), but I
know how to elimite the segfault within the project's codebase. If I
remove the call to md5 in the sample code then there's no segfault (no
matter how hard I try). Once I put the md5 (or sha1) call back into
the destructor then the segfault returns immediately.
Reproduce code:
---------------
public function __destruct()
{
$cacheFile1 = BP_CACHE . "/" . md5($this->getDN());
$cacheFile2 = BP_CACHE . "/" .
md5($this->findAttribute("mail"));
if(!file_exists($cacheFile1) || !file_exists($cacheFile2) ||
!(is_link($cacheFile1) xor is_link($cacheFile2)))
if(file_exists($cacheFile1) && !is_link($cacheFile1))
{
if(file_exists($cacheFile2))
@unlink($cacheFile2);
@symlink(basename($cacheFile1), $cacheFile2);
}
else if(file_exists($cacheFile2) && !is_link($cacheFile2))
{
if(file_exists($cacheFile1))
@unlink($cacheFile1);
@symlink(basename($cacheFile2), $cacheFile1);
}
else
{
if(file_exists($cacheFile1))
@unlink($cacheFile1);
if(file_exists($cacheFile2))
@unlink($cacheFile2);
}
return;
}
Expected result:
----------------
Destructor returns with no segfault.
Actual result:
--------------
(gdb) bt
#0 0x081a3c99 in zend_hash_find (ht=0x4042cc5c,
arKey=0x4042c734 "cacheFile1", nKeyLength=11, pData=0x33303934)
at /tmp/php-5.0.0RC3/Zend/zend_hash.c:846
#1 0x081b74b6 in zend_fetch_var_address (opline=0x404323b8,
Ts=0xbfffe030,
type=0) at /tmp/php-5.0.0RC3/Zend/zend_execute.c:762
#2 0x081b9c5f in zend_fetch_r_handler (execute_data=0xbfffe6d0,
opline=0x404323b8, op_array=0x4042c25c)
at /tmp/php-5.0.0RC3/Zend/zend_execute.c:1994
#3 0x081b8a77 in execute (op_array=0x4042c25c)
at /tmp/php-5.0.0RC3/Zend/zend_execute.c:1389
#4 0x08194fa6 in zend_call_function (fci=0xbfffe850,
fci_cache=0xbfffe830)
at /tmp/php-5.0.0RC3/Zend/zend_execute_API.c:835
#5 0x081aa0c2 in zend_call_method (object_pp=0xbfffe8dc,
obj_ce=0x4042b824,
fn_proxy=0x0, function_name=0x81f9c04 "__destruct",
function_name_len=10,
retval_ptr_ptr=0x0, param_count=1078141880, arg1=0x0, arg2=0x0)
at /tmp/php-5.0.0RC3/Zend/zend_interfaces.c:79
#6 0x081ac3e1 in zend_objects_destroy_object (object=0x4043bf54,
handle=1078141880) at /tmp/php-5.0.0RC3/Zend/zend_objects.c:78
#7 0x081ae106 in zend_objects_store_call_destructors
(objects=0x82521d4)
at /tmp/php-5.0.0RC3/Zend/zend_objects_API.c:54
#8 0x0819428c in shutdown_executor ()
at /tmp/php-5.0.0RC3/Zend/zend_execute_API.c:209
#9 0x0819db09 in zend_deactivate () at
/tmp/php-5.0.0RC3/Zend/zend.c:819
#10 0x0816cdb5 in php_request_shutdown (dummy=0x0)
at /tmp/php-5.0.0RC3/main/main.c:1212
#11 0x081c3e8e in main (argc=2, argv=0xbffff6a4)
at /tmp/php-5.0.0RC3/sapi/cli/php_cli.c:1046
#12 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
Also, this from the debug enabled PHP binary:
[EMAIL PROTECTED] public_html]$ $R/php test.person.php
Warning: String is not zero-terminated
(ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ̏*̏*D) (source:
/tmp/php-5.0.0RC3/Zend/zend_execute_API.c:391) in Unknown on line 0
[Sat Jul 10 23:41:43 2004] Script: 'test.person.php'
---------------------------------------
/tmp/php-5.0.0RC3/Zend/zend_execute_API.c(391) : Block 0x4140E9D4
status:
/tmp/php-5.0.0RC3/Zend/zend_variables.c(45) : Actual location (location
was relayed)
Beginning: Cached (allocated on
/tmp/php-5.0.0RC3/main/streams/streams.c:1529, 69 bytes)
End: OK
---------------------------------------
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=29090&edit=1
