PHP :: Bug #46338 :: Segfault on multiple error handler

Bug #46338

Segfault on multiple error handler

Submitted:

2008-10-18 21:27 UTC

Modified:

2008-10-21 16:22 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

spam at pamignot dot org

Assigned:

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

5.3.0alpha3-dev

OS:

Irrelevant

Private report:

CVE-ID:

None

View Developer Edit

[2008-10-18 21:27 UTC] spam at pamignot dot org

Description:
------------
I just passed from 5.1.6 to 5.3.

I cannot give a quick code to reproduce the bug, but the script actually does those actions :
- getting GET POST COOKIE information, giving them to HTMLPurifier and set an array of the result
- define custom error handler
- execute action given by user
- display HTML result page

The script goes to the end, echo'ing wanted html page but it results in a segfault.

If I comment out the next line, or if I comment out the static method 'exception_error_handler' from my class MyException, the script just works fine :

set_error_handler(array('MyException', 'exception_error_handler'));

But if I let declared the method 'exception_error_handler', even with no code inside, returning true or false, or throwing an exception, the script ends up with a segfault.


Reproduce code:
---------------
/* some code using some PEAR packages, 
custom error handler, echo'ing a HTML page */
exit();

Expected result:
----------------
Expected result is displaying HTML page to user.

Actual result:
--------------
The actual result is the output of my desired HTML page, ending with a segfault :

# gdb php
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r index.php
Starting program: /usr/local/bin/php index.php
[Thread debugging using libthread_db enabled]
[New Thread -1223292352 (LWP 21507)]

/* here comes my HTML page */

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223292352 (LWP 21507)]
zend_hash_destroy (ht=0x8ce9ac4) at /home/myhome/php-5.3.0alpha2/Zend/zend_hash.c:524
524                     p = p->pListNext;
(gdb) bt
#0  zend_hash_destroy (ht=0x8ce9ac4) at /home/myhome/php-5.3.0alpha2/Zend/zend_hash.c:524
#1  0x083d34e7 in _zval_dtor_func (zvalue=0x8ce9a78) at /home/myhome/php-5.3.0alpha2/Zend/zend_variables.c:43
#2  0x083d2c55 in zend_ptr_stack_apply (stack=0x88ba628, func=0x83d3440 <_zval_dtor_func>) at /home/myhome/php-5.3.0alpha2/Zend/zend_ptr_stack.c:90
#3  0x083d2c9f in zend_ptr_stack_clean (stack=0x88ba628, func=0x83d3440 <_zval_dtor_func>, free_elements=1 '\001')
    at /home/myhome/php-5.3.0alpha2/Zend/zend_ptr_stack.c:97
#4  0x083c67f9 in shutdown_executor (tsrm_ls=0x88b82a0) at /home/myhome/php-5.3.0alpha2/Zend/zend_execute_API.c:271
#5  0x083d3ab9 in zend_deactivate (tsrm_ls=0x88b82a0) at /home/myhome/php-5.3.0alpha2/Zend/zend.c:899
#6  0x0837995a in php_request_shutdown (dummy=0x0) at /home/myhome/php-5.3.0alpha2/main/main.c:1516
#7  0x0846a6da in main (argc=2, argv=0xbfc9d7a4) at /home/myhome/php-5.3.0alpha2/sapi/cli/php_cli.c:1311
(gdb) 


When I try from my browser and gdb "run -X" option, the backtrace looks like this :

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1216632640 (LWP 21116)]
zend_hash_destroy (ht=0x85e50e8) at /home/myhome/php-5.3.0alpha2/Zend/zend_hash.c:524
524                     p = p->pListNext;
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) bt
#0  zend_hash_destroy (ht=0x85e50e8) at /home/myhome/php-5.3.0alpha2/Zend/zend_hash.c:524
#1  0xb72b9a57 in _zval_dtor_func (zvalue=0x85e509c) at /home/myhome/php-5.3.0alpha2/Zend/zend_variables.c:43
#2  0xb72b91c5 in zend_ptr_stack_apply (stack=0x81e5980, func=0xb72b99b0 <_zval_dtor_func>) at /home/myhome/php-5.3.0alpha2/Zend/zend_ptr_stack.c:90
#3  0xb72b920f in zend_ptr_stack_clean (stack=0x81e5980, func=0xb72b99b0 <_zval_dtor_func>, free_elements=1 '\001')
    at /home/myhome/php-5.3.0alpha2/Zend/zend_ptr_stack.c:97
#4  0xb72acd69 in shutdown_executor (tsrm_ls=0x8132108) at /home/myhome/php-5.3.0alpha2/Zend/zend_execute_API.c:271
#5  0xb72ba029 in zend_deactivate (tsrm_ls=0x8132108) at /home/myhome/php-5.3.0alpha2/Zend/zend.c:899
#6  0xb725feca in php_request_shutdown (dummy=0x0) at /home/myhome/php-5.3.0alpha2/main/main.c:1516
#7  0xb734fc1e in php_handler (r=0x8452b80) at /home/myhome/php-5.3.0alpha2/sapi/apache2handler/sapi_apache2.c:470
#8  0x08079259 in ap_run_handler ()
#9  0x0807c5b7 in ap_invoke_handler ()
#10 0x08089998 in ap_process_request ()
#11 0x08086c9b in ?? ()
#12 0x08452b80 in ?? ()
#13 0x00000004 in ?? ()
#14 0x08452b80 in ?? ()
#15 0x00000000 in ?? ()
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-10-18 21:52 UTC] spam at pamignot dot org

Surely not related to Apache2, but maybe GC (?), deplaced in Unknown/Other.

[2008-10-20 15:51 UTC] lbarnaud@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2008-10-20 18:02 UTC] spam at pamignot dot org

Here's the code. 
I notified HTMLPurifier developpers, since I think the problem comes from the library.

<?php

class myException extends Exception 
{ 
    public static function exception_error_handler($errno, $errstr, $errfile, $errline){}
}

require 'tools/htmlpurifier/library/HTMLPurifier.auto.php';
$filterObj = new HTMLPurifier;
$someVar = $filterObj->purify('something');
set_error_handler(array('myException', 'exception_error_handler'));

?>

[2008-10-20 18:54 UTC] ezyang@php.net

I believe this is a problem with the error handler stack. I get "zend_mm_heap corrupted" when I set the error handler twice.

<?php

function mute() {}
set_error_handler('mute');
set_error_handler('mute');

[2008-10-20 19:00 UTC] ezyang@php.net

Oh, also, I tested it on the latest alpha3-dev build.

php --version
PHP 5.3.0alpha3-dev (cli) (built: Oct 20 2008 20:49:57)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2008 Zend Technologies

[2008-10-21 06:35 UTC] clemens dot kalb at netlogix dot de

Setting the error handler twice does indeed seem to be the problem. I can reproduce this with 5.3 alpha3-dev Build Date Oct 19 2008 04:42:11. See #46241 for a possible duplicate of this entry.

[2008-10-21 15:36 UTC] ezyang@php.net

Yeah, these are most definitely duplicates. (Doesn't know how to close a bug as a dupe).

[2008-10-21 16:22 UTC] spam at pamignot dot org

Ok, sorry for the noise.

Duplicate bug closed, just see :
http://bugs.php.net/46241

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Aug 15 04:00:03 2025 UTC