ID:               32171
 User updated by:  jr at terragate dot net
-Summary:          WebDAV stream wrapper crashes PHP
 Reported By:      jr at terragate dot net
-Status:           Feedback
+Status:           Open
 Bug Type:         SPL related
 Operating System: *
 PHP Version:      5.*
 Assigned To:      helly
 New Comment:

Finally I was able to create a smaller test case for the segfault (with
error_reporting = E_ALL):

<?php

class StreamWrapper
{
  public function dir_opendir($path, $options) {
    return TRUE;
  }

  public function dir_readdir()
  {
    return FALSE;
  }
}

stream_wrapper_register('test', 'StreamWrapper');
$it = new DirectoryIterator('test://path/');

echo "Done\n";

?>

Trace:

(gdb) r crash.php
Starting program: /usr/local/bin/php crash.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15212)]
Done

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15212)]
0x00000019 in ?? ()
Current language:  auto; currently asm
(gdb) bt
#0  0x00000019 in ?? ()
#1  0x081abc73 in _php_stream_free (stream=0x82fdce4, close_options=3)
    at /root/compile/php5-STABLE-200503091530/main/streams/streams.c:351
#2  0x080b3fb8 in spl_ce_dir_object_free_storage (object=0x82f76c4)
    at /root/compile/php5-STABLE-200503091530/ext/spl/spl_directory.c:66
#3  0x081fa906 in zend_objects_store_del_ref (zobject=0x82fd4e4)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_objects_API.c:159
#4  0x081deb76 in _zval_dtor (zvalue=0x82fd4e4,
    __zend_filename=0x82549e0 "/root/compile/php5-STABLE-200503091530/Zend/zend_execute_API.c", __zend_lineno=392)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_variables.c:61
#5  0x081d36f8 in _zval_ptr_dtor (zval_ptr=0x82fdda0,
    __zend_filename=0x8255940 "/root/compile/php5-STABLE-200503091530/Zend/zend_variables.c", __zend_lineno=193)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_execute_API.c:392
#6  0x081dee88 in _zval_ptr_dtor_wrapper (zval_ptr=0x82fdda0)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_variables.c:193
#7  0x081e8f13 in zend_hash_apply_deleter (ht=0x82761d0, p=0x82fdd94)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_hash.c:574
#8  0x081e9164 in zend_hash_graceful_reverse_destroy (ht=0x82761d0)
    at /root/compile/php5-STABLE-200503091530/Zend/zend_hash.c:640
#9  0x081d302f in shutdown_executor ()
    at /root/compile/php5-STABLE-200503091530/Zend/zend_execute_API.c:208
#10 0x081e0264 in zend_deactivate ()
    at /root/compile/php5-STABLE-200503091530/Zend/zend.c:817
#11 0x081996e1 in php_request_shutdown (dummy=0x0)
    at /root/compile/php5-STABLE-200503091530/main/main.c:1214
#12 0x082155d0 in main (argc=2, argv=0xbffff844)
    at /root/compile/php5-STABLE-200503091530/sapi/cli/php_cli.c:1046


The script will be fully executed but php segfaults on shutdown. The
behavior in the complex test case (with the WebDAV stream wrapper) was
the same: Using instanceof instead of is_a caused the script to be fully
executed but with a segfault on shutdown.

To answer your second question I modified the test case above:

<?php

class StreamWrapper
{
  public function dir_opendir($path, $options) {
    is_a(null, 'AKnownOrUnknownClass');
    return TRUE;
  }

  public function dir_readdir()
  {
    return FALSE;
  }
}

stream_wrapper_register('test', 'StreamWrapper');
$it = new DirectoryIterator('test://path/');

echo "Done\n";

?>

Running this script with error_reporting set to E_ALL (or even E_ALL &
~E_NOTICE & ~E_STRICT) will lead to the behaviour already mentioned
(deprecation warning thrown as exception).

Running the script with error_reporting = 0 will terminate the script
with exit code 0377 and without outputting 'Done'.

Using gdb I figured out that php_error_cb is still called with the
deprecation warning and zend_throw_exception will abort the script.

We have two issues here:

1. A wrong free causing a segfault on shutdown
2. PHP notices and warnings thrown as exception

I don't know what to do with the segfault (my knowledge about PHP's
internals is too limited to debug this yet).

IMHO the second problem could be solved in 2 ways:

1. Modifying php_error_cb's behavior (as my patch does)
2. Do not set error_mode to EH_THROW in spl_directory.c if a user space
stream wrapper is used.


Previous Comments:
------------------------------------------------------------------------

[2005-03-09 14:40:34] [EMAIL PROTECTED]

Did I get that correct that all works fine when you use instanceof? If
so all is fine. Also what happens if you stick with is_a but set error
mode to 0?

------------------------------------------------------------------------

[2005-03-07 11:25:40] jr at terragate dot net

I tested the instanceof segfault against the 5.1 branch and it
segfaults too. 

But I had to change an is_a in HTTP/Request.php to instanceof because
the 'notice exception' was thrown there this time.

I wasn't able to reproduce the segfault with a smaller test case by
using HTTP/Request.php myself (PEAR's WebDAV Wrapper) nor using
instanceof inside a small stream wrapper.

Initially I tested the bug with 5.0.3 but tried a snap a few hours
later. Sorry for not updating the version field.

------------------------------------------------------------------------

[2005-03-06 16:21:35] [EMAIL PROTECTED]

Please don't open more reports about same issue. (and when you report
bugs, put the LATEST version in the 'Version' field so we don't have
to waste time asking if you tested the latest version..)


------------------------------------------------------------------------

[2005-03-04 18:48:59] jr at terragate dot net

I already tested the bug against yesterday's snapshot of 
5.0.x.

Using the 5.1.0 snap does not resolve the exception 
issue. 

I will test the instanceof segfault on monday against 
the 5.1 branch.

Maybe I should create a separate bug for it.

 

voyager:~/Downloads/php5-200503041530/result/bin jr$ uname -a
Darwin voyager.starbase12.sfn 7.8.0 Darwin Kernel Version 7.8.0: Wed Dec 22 14:26:17 PST 2004; root:xnu/xnu-517.11.1.obj~1/RELEASE_PPC  Power Macintosh powerpc
voyager:~/Downloads/php5-200503041530/result/bin jr$ ./php -v
PHP 5.1.0-dev (cgi) (built: Mar  4 2005 18:33:26) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.1.0-dev, Copyright (c) 1998-2004 Zend Technologies
voyager:~/Downloads/php5-200503041530/result/bin jr$ ./php test.php
Content-type: text/html
X-Powered-By: PHP/5.1.0-dev

<br />
<b>Fatal error</b>:  Uncaught exception 'Exception' with message 'is_a(): Deprecated. Please use the instanceof operator' in /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php:6
Stack trace:
#0 /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php(12): StreamWrapper->dir_opendir(NULL, 'AKnownOrUnknown...')
#1 /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php(12): DirectoryIterator->__construct('test://path/', 4)
#2 {main}
  thrown in <b>/Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php</b> on line <b>6</b><br />
/Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php(6) : Fatal error - Uncaught exception 'Exception' with message 'is_a(): Deprecated. Please use the instanceof operator' in /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php:6
Stack trace:
#0 /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php(12): StreamWrapper->dir_opendir(NULL, 'AKnownOrUnknown...')
#1 /Volumes/Data/Users/jr/Downloads/php5-200503041530/result/bin/test.php(12): DirectoryIterator->__construct('test://path/', 4)
#2 {main}
  thrown

------------------------------------------------------------------------

[2005-03-04 16:34:34] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip



------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/32171

-- 
Edit this bug report at http://bugs.php.net/?id=32171&edit=1
