Bug #24659 Crash due to some internal memory corruption (?)
Submitted: 2003-07-15 04:15 UTC Modified: 2003-07-28 05:02 UTC
From: fujimura at wakhok dot ac dot jp Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2003-07-27 (dev) OS: Linux kernel-2.4.21
Private report: No CVE-ID: None
 [2003-07-15 04:15 UTC] fujimura at wakhok dot ac dot jp
Description:
------------
The following code crashes (segmentation fault, and empty output) at a whim.
But it does not reproduce when PHP is invoked as CLI.


Reproduce code:
---------------
<?php

class MyHandler {
    public function test($parser, $data) {
        print $data;
    }
}

$parser = xml_parser_create();
$parser AND die;

$handler = new MyHandler();

xml_set_default_handler($parser, array($handler, "test"));

xml_parser_free($parser);

?>

Expected result:
----------------
Nothing.

Actual result:
--------------
SIGSEGV logged to error_log.


 [2003-07-15 04:16 UTC] fujimura at wakhok dot ac dot jp
-$parser AND die;
+$parser OR die;

;-)
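The reproduce script with the reporter's correction applied, as an added example that is not part of the bug report or of PHP's own code: every call that can fail is checked, the handler is actually driven over a small XML document (constructed for this example), and the freed parser is not touched again. The `is_resource()` / `instanceof XMLParser` check is what catches the "supplied resource is not a valid XML Parser resource" condition; PHP 5 and 7 return a resource from xml_parser_create(), PHP 8 returns an XMLParser object, and `instanceof` against a class that does not exist is simply false, so the same check works on both.

```php
<?php
// Added example, not part of the bug report: the reproduce script as the
// reporter corrected it ($parser OR die), with every call checked and the
// handler actually driven. The XML string below is constructed for this example.

class MyHandler {
    public $seen = '';

    // expat's default handler receives everything no other handler claimed;
    // with no element or character-data handlers set, that is the whole document.
    public function test($parser, $data) {
        $this->seen .= $data;
    }
}

$parser = xml_parser_create();
// PHP 5/7: resource; PHP 8: XMLParser object. instanceof on an undefined
// class is false rather than an error, so this check is valid on both.
if (!is_resource($parser) && !($parser instanceof XMLParser)) {
    die("xml_parser_create() failed\n");
}

$handler = new MyHandler();
// From here until the parser is freed, the parser holds its own reference to
// $handler, the only object this script creates.
if (!xml_set_default_handler($parser, array($handler, 'test'))) {
    die("xml_set_default_handler() refused the callback\n");
}

$xml = '<?xml version="1.0"?><doc>hello <b>world</b></doc>';
if (!xml_parse($parser, $xml, true)) {
    die(sprintf("xml_parse() failed: %s at line %d\n",
        xml_error_string(xml_get_error_code($parser)),
        xml_get_current_line_number($parser)));
}

xml_parser_free($parser);
unset($parser);           // the freed resource must not be used again

// $handler outlives the parser; its accumulated text is all that is touched now.
print $handler->seen . "\n";
```

Run it a few hundred times through the SAPI under test (the report's crash never showed under the CLI); a clean run prints the document text as the default handler saw it, and any failure dies with a message naming the call that failed instead of leaving an empty response.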
 [2003-07-16 03:54 UTC] sniper@php.net
Backtrace is useless as long as you don't have
--enable-debug in your configure line. 
So add it, and put new backtrace here.

Also include the full configure line you used.

 [2003-07-16 20:56 UTC] fujimura at wakhok dot ac dot jp
> Backtrace is useless as long as you don't have
> --enable-debug in your configure line. 
Okay, I rebuilt PHP with --enable-debug, but this bug did not reproduce.
Next, I built again without --enable-debug, and this bug reproduced.
I have discovered that set_exception_handler() causes this one too.
<?php
    // The handler is registered before its function is declared; that is
    // fine, since top-level functions are bound when the file is compiled.
    set_exception_handler("test_func");
    function test_func($exception) {
        var_dump($exception);
        exit;
    }
    throw new Exception();
    print "A";   // never reached: the uncaught exception ends the script
?>

I cannot understand it. Does the debug code of Zend cause this?
What can I do?

> Also include the full configure line you used.
./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-short-tags \
--enable-versioning \
--enable-mbstring \
--enable-mbregex \
--enable-dom \
--with-iconv \
--with-xsl \
--with-openssl \
--with-zlib \
--with-bz2
...and --enable-debug
 [2003-07-18 00:34 UTC] sniper@php.net
The first script (that xml thing) does this after some reloads:

Warning: xml_set_default_handler(): supplied resource is not a valid XML Parser resource in /www/apache-1.3.27/htdocs/exep.php on line 13

Warning: xml_parser_free(): supplied resource is not a valid XML Parser resource in /www/apache-1.3.27/htdocs/exep.php on line 15

Warning: Unknown list entry type in request shutdown (135138372) in Unknown on line 0

Given enough requests, (ab -n 1000 http://localhost/bug24658_a.php), it crashes:


[Switching to Thread 1024 (runnable)]
0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1) at /usr/src/web/php/php5/Zend/zend_objects.c:36
36              zend_function *destructor = object->ce->destructor;
(gdb) bt
#0  0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1)
    at /usr/src/web/php/php5/Zend/zend_objects.c:36
#1  0x40430855 in zend_objects_store_del_ref (zobject=0x80e0f9c) at /usr/src/web/php/php5/Zend/zend_objects_API.c:142
#2  0x4041fccc in _zval_dtor (zvalue=0x80e0f9c) at /usr/src/web/php/php5/Zend/zend_variables.c:61
#3  0x40417389 in _zval_ptr_dtor (zval_ptr=0x80ecff0) at /usr/src/web/php/php5/Zend/zend_execute_API.c:344
#4  0x40426be8 in zend_hash_destroy (ht=0x404a6990) at /usr/src/web/php/php5/Zend/zend_hash.c:509
#5  0x40416f55 in shutdown_executor () at /usr/src/web/php/php5/Zend/zend_execute_API.c:211
#6  0x40421257 in zend_deactivate () at /usr/src/web/php/php5/Zend/zend.c:795
#7  0x403ee8e6 in php_request_shutdown (dummy=0x0) at /usr/src/web/php/php5/main/main.c:1174
#8  0x4045c0d5 in apache_php_module_main (r=0x81bf684, display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:60
#9  0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0, filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#10 0x4045cd6a in send_parsed_php (r=0x81bf684) at /usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#11 0x8054f09 in ap_invoke_handler ()
#12 0x806b0cf in process_request_internal ()
#13 0x806b13a in ap_process_request ()
#14 0x8061916 in child_main ()
#15 0x8061af5 in make_child ()
#16 0x8061c76 in startup_children ()
#17 0x806230d in standalone_main ()
#18 0x8062b9c in main ()
#19 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3, argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92
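
The reproduction loop described in this comment, scripted as an added example that is not part of the bug report or of PHP's tooling: Apache 1.3 is started in single-process mode (`httpd -X`) under gdb in batch mode, so the child that crashes is the one gdb is holding, `ab` drives the request count the comment used, and the resulting gdb log is reduced to one "function file:line" per frame so repeated runs can be compared. The httpd path, URL, request count, log path and the two-second start-up wait are assumptions and can be overridden from the environment; the `sample_backtrace` function emits a constructed log in the shape of the backtrace above so the frame extraction can be tried without an httpd at hand.

```sh
#!/bin/sh
# Added example, not from the bug report: the crash-hunting loop for mod_php
# that sniper@php.net describes, scripted. Build PHP with --enable-debug first,
# or the frames will be the useless ones the report complains about.
HTTPD="${HTTPD:-/usr/local/apache/bin/httpd}"      # assumed path to the httpd binary
URL="${URL:-http://localhost/exep.php}"             # assumed URL of the reproduce script
REQUESTS="${REQUESTS:-1000}"                        # ab -n, as in the report
GDB_LOG="${GDB_LOG:-/tmp/httpd-gdb.log}"            # assumed location for gdb's batch output

# Start httpd -X under gdb in batch mode: on SIGSEGV gdb prints "bt" and quits.
# Leaves gdb's pid in HTTPD_GDB_PID so the caller can wait for or kill it.
run_httpd_under_gdb() {
    gdb -batch -ex run -ex bt -ex quit --args "$HTTPD" -X >"$GDB_LOG" 2>&1 &
    HTTPD_GDB_PID=$!
}

# Drive the request load; the crash in the report needs many requests.
hammer() {
    ab -n "$REQUESTS" -c 1 "$URL" >/dev/null 2>&1
}

# Reduce a gdb backtrace on stdin to its first N frames as "function file:line"
# ("?" when gdb has no source location, e.g. a stripped httpd frame).
# Frames gdb wraps onto an indented continuation line are re-joined first.
top_frames() {
    awk -v n="${1:-3}" '
        function flush(    fn, loc) {
            if (cur == "") return
            fn = cur
            sub(/^#[0-9]+ +(0x[0-9a-fA-F]+ in )?/, "", fn)   # drop "#N  0xADDR in "
            sub(/ .*/, "", fn)                                # keep the function name
            loc = "?"
            if (match(cur, / at [^ ]+:[0-9]+/))
                loc = substr(cur, RSTART + 4, RLENGTH - 4)    # file:line after " at "
            printf "%s %s\n", fn, loc
            cur = ""; count++
        }
        /^#[0-9]+ /            { flush(); if (count >= n) exit; cur = $0; next }
        cur != "" && /^[ \t]/  { cur = cur " " $0; next }     # wrapped frame
                               { flush() }
        END                    { flush() }
    '
}

# Constructed sample in the shape of the backtrace in this report, so the
# reduction above can be exercised without an httpd at hand.
sample_backtrace() {
    cat <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1) at /usr/src/web/php/php5/Zend/zend_objects.c:36
36              zend_function *destructor = object->ce->destructor;
(gdb) bt
#0  0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1)
    at /usr/src/web/php/php5/Zend/zend_objects.c:36
#1  0x40430855 in zend_objects_store_del_ref (zobject=0x80e0f9c) at /usr/src/web/php/php5/Zend/zend_objects_API.c:142
#2  0x8054f09 in ap_invoke_handler ()
EOF
}

case "${1:-}" in
    run)  run_httpd_under_gdb
          sleep 2                      # assumed: enough for httpd -X to start listening
          hammer
          kill "$HTTPD_GDB_PID" 2>/dev/null; wait "$HTTPD_GDB_PID" 2>/dev/null || true
          top_frames 5 <"$GDB_LOG" ;;
    demo) sample_backtrace | top_frames 3 ;;
esac
```

`sh repro.sh demo` prints the three reduced frames of the constructed sample; `sh repro.sh run` does the real loop and prints the top five frames of whatever gdb caught. Because gdb's batch output is rewritten as "function file:line", two runs that land in different frames (the first script's shutdown crash versus the second's crash inside zend_hash_copy) can be told apart by a plain `diff` of the reduced logs.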


 [2003-07-18 00:36 UTC] sniper@php.net
The second script crashes much earlier:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x40425fde in zend_hash_add_or_update (ht=0x80ded04, arKey=0x80ded24 "\\sA@", nKeyLength=7, pData=0x0, nDataSize=4, 
    pDest=0xbfffcd54, flag=1) at /usr/src/web/php/php5/Zend/zend_hash.c:238
238             INIT_DATA(ht, p, pData, nDataSize);
(gdb) bt
#0  0x40425fde in zend_hash_add_or_update (ht=0x80ded04, arKey=0x80ded24 "\\sA@", nKeyLength=7, pData=0x0, 
    nDataSize=4, pDest=0xbfffcd54, flag=1) at /usr/src/web/php/php5/Zend/zend_hash.c:238
#1  0x404271f4 in zend_hash_copy (target=0x80ded04, source=0x80de7e4, pCopyConstructor=0x4041fce4 <zval_add_ref>, 
    tmp=0xbfffcda4, size=4) at /usr/src/web/php/php5/Zend/zend_hash.c:750
#2  0x4041fde6 in _zval_copy_ctor (zvalue=0x80f160c) at /usr/src/web/php/php5/Zend/zend_variables.c:124
#3  0x4042b068 in zif_set_exception_handler (ht=1, return_value=0x80f160c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/Zend/zend_builtin_functions.c:1017
#4  0x40451d4f in zend_do_fcall_common_helper (execute_data=0xbfffcf5c, op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2634
#5  0x404523f4 in zend_do_fcall_handler (execute_data=0xbfffcf5c, op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2763
#6  0x4043a7ee in execute (op_array=0x80ea62c) at /usr/src/web/php/php5/Zend/zend_execute.c:1194
#7  0x4042190f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1017
#8  0x403ef2c5 in php_execute_script (primary_file=0xbffff288) at /usr/src/web/php/php5/main/main.c:1695
#9  0x4045c07e in apache_php_module_main (r=0x81bf684, display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:54
#10 0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0, filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#11 0x4045cd6a in send_parsed_php (r=0x81bf684) at /usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#12 0x8054f09 in ap_invoke_handler ()
#13 0x806b0cf in process_request_internal ()
#14 0x806b13a in ap_process_request ()
#15 0x8061916 in child_main ()
#16 0x8061af5 in make_child ()
#17 0x8061c76 in startup_children ()
#18 0x806230d in standalone_main ()
#19 0x8062b9c in main ()
#20 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3, argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92

 [2003-07-27 08:54 UTC] stas@php.net
Could not make the second one (set_exception_handler) crash. Please check it still happens in current CVS.
 [2003-07-28 02:30 UTC] fujimura at wakhok dot ac dot jp
> Could not make the second one (set_exception_handler) crash. Please
> check it still happens in current CVS.
Yes, I tried it ... it does not crash.
 [2003-07-28 05:02 UTC] sniper@php.net
Fixed -> closed.
