php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32742 segmentation fault when the stream with a wrapper is not closed (Linux RH only)
Submitted: 2005-04-18 14:44 UTC Modified: 2005-05-16 16:47 UTC
Votes:2
Avg. Score:2.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: public at grik dot net Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.4 OS: Linux (RH7,RH9,Gentoo)
Private report: No CVE-ID: None
 [2005-04-18 14:44 UTC] public at grik dot net
Description:
------------
There is a problem with stream_wrapper_register() that appears on Linux and not on the FreeBSD.
I open a stream with the registered wrapper and assing a handler to the resource variable.
If a variable stays alive when the execution of the script reaches the end, PHP gives the segmentation fault.
Attempt to close the resource from an object destructor does not help.

Platforms tested: 5 servers with Red Hat 7, 9 and gentoo 5.03 (kernels 2.4, 2.6, 2.6 hardened), PHP 5.03, 5.04, 4.3.7

In FreeBSD 5.3 there is no problem executing the script.

Reproduce code:
---------------
<?php
class Wrapper{
    function stream_open($path, $path, $options, &$opened_path){return true;}
//... other methods do not matter for this bug
}

stream_wrapper_register("wr", 'Wrapper')
or die("Failed to register protocol");

$fp = fopen ('wr://example', 'w');

//fclose ($fp);
echo microtime();
?> 

Expected result:
----------------
time with microseconds

Actual result:
--------------
When run from the command line - time with microseconds and words "Segmentation fault",
when called from browser - no output.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-04-18 16:35 UTC] tony2001@php.net
Here is the backtrace (pay attention to the last line):
(gdb) bt
#0  0x00000018 in ?? ()
#1  0x0817f8a6 in _php_stream_free (stream=0x82b8cb4, close_options=11) at /usr/src/dev/clean/php-src_5_0/main/streams/streams.c:351
#2  0x081814d8 in stream_resource_regular_dtor (rsrc=0x82b8d40) at /usr/src/dev/clean/php-src_5_0/main/streams/streams.c:1361
#3  0x081b6e2f in list_entry_destructor (ptr=0x82b8d40) at /usr/src/dev/clean/php-src_5_0/Zend/zend_list.c:178
#4  0x081b517a in zend_hash_del_key_or_index (ht=0x82372fc, arKey=0x0, nKeyLength=0, h=6, flag=1) at /usr/src/dev/clean/php-src_5_0/Zend/zend_hash.c:490
#5  0x081b6b8d in _zend_list_delete (id=6) at /usr/src/dev/clean/php-src_5_0/Zend/zend_list.c:58
#6  0x081acff6 in _zval_dtor (zvalue=0x82b8998, __zend_filename=0x8216844 "/usr/src/dev/clean/php-src_5_0/Zend/zend_execute_API.c", __zend_lineno=392)
    at /usr/src/dev/clean/php-src_5_0/Zend/zend_variables.c:69
#7  0x081a2d23 in _zval_ptr_dtor (zval_ptr=0x82b8bfc, __zend_filename=0x8217570 "/usr/src/dev/clean/php-src_5_0/Zend/zend_variables.c", __zend_lineno=193)
    at /usr/src/dev/clean/php-src_5_0/Zend/zend_execute_API.c:392
#8  0x081ad275 in _zval_ptr_dtor_wrapper (zval_ptr=0x82b8bfc) at /usr/src/dev/clean/php-src_5_0/Zend/zend_variables.c:193
#9  0x081b53b5 in zend_hash_apply_deleter (ht=0x82371d0, p=0x82b8bf0) at /usr/src/dev/clean/php-src_5_0/Zend/zend_hash.c:574
#10 0x081b555f in zend_hash_graceful_reverse_destroy (ht=0x82371d0) at /usr/src/dev/clean/php-src_5_0/Zend/zend_hash.c:640
#11 0x081a26ab in shutdown_executor () at /usr/src/dev/clean/php-src_5_0/Zend/zend_execute_API.c:208
#12 0x081ae443 in zend_deactivate () at /usr/src/dev/clean/php-src_5_0/Zend/zend.c:817
#13 0x081700a7 in php_request_shutdown (dummy=0x0) at /usr/src/dev/clean/php-src_5_0/main/main.c:1214
#14 0x081dc2f6 in main (argc=2, argv=0xbffff154) at /usr/src/dev/clean/php-src_5_0/sapi/cli/php_cli.c:1049
(gdb) f 1
#1  0x0817f8a6 in _php_stream_free (stream=0x82b8cb4, close_options=11) at /usr/src/dev/clean/php-src_5_0/main/streams/streams.c:351
351                             stream->wrapper->wops->stream_closer(stream->wrapper, stream TSRMLS_CC);
(gdb) p *stream.wrapper.wops
$1 = {stream_opener = 0x4480, stream_closer = 0x18, stream_stat = 0x82a67b0, url_stat = 0, dir_opener = 0x1, label = 0x0, unlink = 0, rename = 0x31,
  stream_mkdir = 0x82a67c8, stream_rmdir = 0x2}
 [2005-04-18 16:39 UTC] tony2001@php.net
Sara, you seem to be patching streams hard these days, please take a look at it.
Looks like there is some memory corruption (but valgrind complains only about invalid reads and tells nothing about invalid writes). 
 [2005-05-11 16:42 UTC] tony2001@php.net
Reassigned to myself, patch pending..
 [2005-05-16 15:49 UTC] public at grik dot net
The segmentation fault is gone.

Tony, I owe you :-)
 [2005-05-16 16:47 UTC] johannes@php.net
Segfault gone -> closed  
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC