ID:               42666
 Comment by:       morten-bugs dot php dot net at afdelingp dot dk
 Reported By:      per dot jessen at enidan dot com
 Status:           Open
 Bug Type:         Apache2 related
 Operating System: Linux
 PHP Version:      5.2.4
 New Comment:

I have the same problem with php-4.4.8 and apache-2.0.52 on Red Hat
EL4.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208830272 (LWP 6283)]
0x0106eff3 in zend_get_executed_lineno () at
/usr/src/debug/php4-4.4.8/Zend/zend_execute_API.c:269
269                     return active_opline->lineno;
(gdb) bt
#0  0x0106eff3 in zend_get_executed_lineno () at
/usr/src/debug/php4-4.4.8/Zend/zend_execute_API.c:269
#1  0x01077ce6 in zend_error (type=512, format=0x1094fd6 "%s") at
/usr/src/debug/php4-4.4.8/Zend/zend.c:760
#2  0x0107f94e in zif_trigger_error (ht=2, return_value=0x94c71e4,
this_ptr=0x0, return_value_used=0)
    at /usr/src/debug/php4-4.4.8/Zend/zend_builtin_functions.c:861
#3  0x0108a0ac in execute (op_array=0x9509654) at
/usr/src/debug/php4-4.4.8/Zend/zend_execute.c:1681
#4  0x01077e0c in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /usr/src/debug/php4-4.4.8/Zend/zend.c:939
#5  0x0104cf0e in php_execute_script (primary_file=0xbfe34b80) at
/usr/src/debug/php4-4.4.8/main/main.c:1758
#6  0x01091d6a in php_handler (r=0x94e3bd0) at
/usr/src/debug/php4-4.4.8/sapi/apache2handler/sapi_apache2.c:581
#7  0x007569d7 in ap_run_handler () from /usr/sbin/httpd
#8  0x00756e43 in ap_invoke_handler () from /usr/sbin/httpd
#9  0x007538c5 in ap_process_request () from /usr/sbin/httpd
#10 0x0074e63f in _start () from /usr/sbin/httpd
#11 0x094e3bd0 in ?? ()
#12 0x00000004 in ?? ()
#13 0x094e3bd0 in ?? ()
#14 0x094dbc88 in ?? ()
#15 0x094dbc9c in ?? ()
#16 0x00000000 in ?? ()
(gdb) 


It appears that virtual() - if the requested URL executes the PHP
interpreter - corrupts the current scope. Specifically active_opline
(which is *EG(opline_ptr)) is NULL after the call.


I have a minimal example to reproduce it.

dummy.php and dummy.txt are the files requested via virtual().

crash.php will segfault the interpreter when the error handler tries to
get the current line number.

corrupt.php will not segfault, but will still have a corrupted current
scope. This is quite strange, and possibly not reproducible.

nophp.php will show that this is only a problem if the PHP interpreter
is used in the sub-request.

workaround.php will call virtual() in a function, thereby giving it a
separate scope, and not crash.


==> dummy.php <==
php

==> dummy.txt <==
txt

==> crash.php <==
<?php
virtual('dummy.php');
trigger_error('crash', E_USER_WARNING);
?>

==> corrupt.php <==
<?php
virtual('dummy.txt');
virtual('dummy.php');
trigger_error('memory corrupted', E_USER_WARNING);
?>

==> nophp.php <==
<?php
virtual('dummy.txt');
trigger_error('ok', E_USER_WARNING);
?>

==> workaround.php <==
<?php
function call_virtual($url)
{
        virtual($url);
}
call_virtual('dummy.php');
trigger_error('ok', E_USER_WARNING);
?>


Best regards,
Morten K. Poulsen
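Added example (not part of the report, and not PHP's engine code): a small C model of the state the backtrace and the reproduction files above describe. It stands in a global pointer for `*EG(opline_ptr)`, a sub-request that enters the interpreter and leaves that global NULL, and a lookup that dereferences it as `zend_get_executed_lineno()` does. All names (`active_opline`, `php_subrequest`, `virtual_preserving_opline`, `model_*`) are hypothetical; the save/restore and NULL-check shown are generic guards for re-entrant interpreter state, not the fix the PHP developers applied.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model (not PHP's code) of the state involved in this report. */
typedef struct { int lineno; } opline_t;

/* Global "opline being executed", standing in for *EG(opline_ptr). */
static opline_t *active_opline = NULL;

/* Model of virtual() to a .php file: the nested interpreter run installs its
 * own opline and leaves the global NULL on return, the state the backtrace
 * shows. */
static void php_subrequest(void)
{
    opline_t sub = { 1 };
    active_opline = &sub;
    active_opline = NULL;
}

/* Model of virtual() to a non-PHP file: the interpreter is not entered. */
static void static_subrequest(void)
{
}

/* Unguarded lookup, as at frame #0 of the backtrace; faults when NULL. */
static int executed_lineno_unguarded(void)
{
    return active_opline->lineno;
}

/* Engine-side guard: report 0 instead of dereferencing NULL. */
static int executed_lineno_guarded(void)
{
    return active_opline ? active_opline->lineno : 0;
}

/* Caller-side guard: preserve the global across the re-entrant run. */
static void virtual_preserving_opline(void (*subrequest)(void))
{
    opline_t *saved = active_opline;
    subrequest();
    active_opline = saved;
}

/* crash.php model: returns 1 when the scope is corrupted after virtual(). */
int model_crash_php(void)
{
    opline_t top = { 3 };
    active_opline = &top;
    php_subrequest();
    int corrupted = (active_opline == NULL);
    active_opline = NULL;
    return corrupted;
}

/* Same sequence with the guarded lookup: 0 instead of a segfault. */
int model_crash_php_guarded(void)
{
    opline_t top = { 3 };
    active_opline = &top;
    php_subrequest();
    int lineno = executed_lineno_guarded();
    active_opline = NULL;
    return lineno;
}

/* nophp.php model: the static sub-request leaves the scope intact. */
int model_nophp_php(void)
{
    opline_t top = { 3 };
    active_opline = &top;
    static_subrequest();
    int lineno = executed_lineno_unguarded();
    active_opline = NULL;
    return lineno;
}

/* workaround.php model: save/restore around the PHP sub-request. */
int model_workaround_php(void)
{
    opline_t top = { 3 };
    active_opline = &top;
    virtual_preserving_opline(php_subrequest);
    int lineno = executed_lineno_unguarded();
    active_opline = NULL;
    return lineno;
}

int main(void)
{
    printf("crash.php model: scope corrupted = %d\n", model_crash_php());
    printf("crash.php with guarded lookup: lineno = %d\n", model_crash_php_guarded());
    printf("nophp.php model: lineno = %d\n", model_nophp_php());
    printf("workaround.php model: lineno = %d\n", model_workaround_php());
    return 0;
}
```

The point of the model is the contrast between the two guards: the caller-side save/restore keeps the outer request's line number intact (the analogue of the function-scope workaround), while the engine-side NULL check only turns the segfault into a reported line 0. Neither makes the nested interpreter run itself correct; the real fix has to restore the engine globals inside the sub-request path.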


Previous Comments:
------------------------------------------------------------------------

[2007-10-26 18:47:23] s dot clover at gmail dot com

Similar issue running PHP 5.2.4 as a module with Apache 2.2.6 on a Win
XP box. Three files:

---

test.php:
<?php
virtual ('/test.html');
echo $bad;?>

test.html:
<!--#include virtual="test2.php" -->

test2.php:
<?php

?>

---
This is running with display_errors=On. It also segfaults, but in
different ways, with display_errors=Off, or depending on the exact
amount of bytes/calls in various files will simply print out a notice
with a corrupted linenumber.

It looks like the issue is that the php-within-php virtual nesting
somehow corrupts php's ability to tell the difference between
uninitialized/unset variables and valid ones, leading to memory access
exceptions of various sorts.

------------------------------------------------------------------------

[2007-10-23 10:41:13] per dot jessen at enidan dot com

Sure. 

problem.phtml.en:

<?php
        virtual("problem-include.phtml.en");
        klop
?>

problem-include.phtml.en:

<?php
?>

------------------------------------------------------------------------

[2007-10-23 09:45:27] [EMAIL PROTECTED]

So you should be able to now provide the reproducing script here
instead of the tar package?

------------------------------------------------------------------------

[2007-10-23 06:19:35] per dot jessen at enidan dot com

Sorry, forgot to mention that - yes, I've removed the XSL calls, and
added a plain syntax error. The segfault still happens.

------------------------------------------------------------------------

[2007-10-22 19:24:10] [EMAIL PROTECTED]

And does the problem occur without XSL (by causing some other error) ?
(I can't check the tar package right now)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/42666
