Bug #26223 Error message makes PHP crash (in some special cases)
Submitted: 2003-11-12 11:35 UTC Modified: 2005-01-09 11:48 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: Xuefer at 21cn dot com Assigned: helly (profile)
Status: Closed Package: *General Issues
PHP Version: 4CVS, 5CVS OS: *
Private report: No CVE-ID: None
 [2003-11-12 11:35 UTC] Xuefer at 21cn dot com
Description:
------------
Using session_set_save_handler():
in the write handler, if an error occurs or echo is used so that something is output, PHP crashes.

This makes script debugging very hard.


 [2003-11-14 00:09 UTC] Xuefer at 21cn dot com
Sorry for my carelessness.
It took me so much time to track down this problem,
but I don't know if it will still crash if the PHP environment (system + Apache + PHP...) changes.

<?php

touch('./127.0.0.1.3.4.5.6');
file_exists('./127.0.0.1.3.4.5.6');

function n()
{
	return true;
}


function write()
{
	file_exists('Unknown');
}

session_set_save_handler ("n", "n", "n", "write", "n", "n");
session_start();
?>
 [2003-11-17 21:38 UTC] sniper@php.net
Here you can find some debug enabled builds:

   http://www.thebrainroom.net/php-snaps/

 [2003-11-17 23:08 UTC] Xuefer at 21cn dot com
I'm not familiar with debugging.
I'm stuck.

With the same script,
it still crashes on http://www.thebrainroom.net/php-snaps/php4-win32-STABLE-foundstone-latest.zip (with a similar gdb bt)

but does not crash on:
http://www.thebrainroom.net/php-snaps/php4-win32-STABLE-debug-foundstone-latest.zip
Output:

Warning: file_exists(): Stat failed for Unknown (errno=9 - Bad file descriptor) in c:\test.php on line 14
warning: ---------------------------------------

warning: f:\tbr\php\snapbuilder\php_4_3-foundstone\ext\standard\filestat.c(616) : Block 0x00BAE800 status:

warning: Beginning:     
warning: Cached (allocated on f:\tbr\php\snapbuilder\php_4_3-foundstone\main\main.c:485, 21 bytes)

warning:       End:     
warning: OK

warning: ---------------------------------------

[Tue Nov 18 11:23:53 2003]  Script:  'test.php'

Program exited normally.
 [2004-02-13 10:02 UTC] sniper@php.net
The crash happens in the error outputting functions..php_docref..something. Marcus broke it so Marcus fixes it.

 [2004-04-21 06:32 UTC] Xuefer at 21cn dot com
Seems fixed.

But when I do "glob/unlink/rmdir" in the session write handler, it crashes randomly. I still can't make a reproducible script yet :(

Marking this bug as closed.
 [2004-07-03 08:55 UTC] Xuefer at 21cn dot com
The following script crashes in php4CVS:

<?php
function b() {
}

function bb() {
}
function aa() {
    register_shutdown_function('bb');
}
session_set_save_handler('a', 'a', 'a', 'aa', 'a', 'a');
session_start();
?>

while doing the following is fine:
<?php

function bb() {
}
function aa() {
    register_shutdown_function('bb');
}

aa(); aa(); aa(); aa();
?>
 [2004-09-15 17:51 UTC] Xuefer at 21cn dot com
The core file will be sent to sniper at **.net, OK?

Starting program: /home/oursky/src/php4-www-debug/sapi/cli/php -c . a.php

Program received signal SIGSEGV, Segmentation fault.
0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc, h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
    at /home/oursky/src/php4/Zend/zend_hash.c:390
390             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc, h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
    at /home/oursky/src/php4/Zend/zend_hash.c:390
#1  0x08070bd0 in zif_register_shutdown_function (ht=1, return_value=0xbfffeea0, this_ptr=0x0, return_value_used=0)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2187
#2  0x080eee0f in execute (op_array=0x81549e0) at /home/oursky/src/php4/Zend/zend_execute.c:1635
#3  0x080db4c2 in call_user_function_ex (function_table=0x8128f30, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbffff178, param_count=2, 
    params=0x8154dc4, no_separation=1, symbol_table=0x0) at /home/oursky/src/php4/Zend/zend_execute_API.c:567
#4  0x080dafd3 in call_user_function (function_table=0x39306535, object_pp=0x39306535, function_name=0x39306535, retval_ptr=0x8154c44, 
    param_count=135613340, params=0xbffff1c0) at /home/oursky/src/php4/Zend/zend_execute_API.c:409
#5  0x0805fdd8 in ps_write_user (mod_data=0x39306535, key=0x815487c "77d6e387747ca3b89ae8236afa355e09", 
    val=0x39306535 <Address 0x39306535 out of bounds>, vallen=0) at /home/oursky/src/php4/ext/session/mod_user.c:60
#6  0x0805df86 in php_session_save_current_state () at /home/oursky/src/php4/ext/session/session.c:694
#7  0x0805d9da in zm_deactivate_session (type=1, module_number=2) at /home/oursky/src/php4/ext/session/session.c:1598
#8  0x080e4c79 in module_registry_cleanup (module=0x39306535) at /home/oursky/src/php4/Zend/zend_API.c:1167
#9  0x080e6f18 in zend_hash_apply (ht=0xbffff1c0, apply_func=0x815560c) at /home/oursky/src/php4/Zend/zend_hash.c:701
#10 0x080e1d64 in zend_deactivate_modules () at /home/oursky/src/php4/Zend/zend.c:652
#11 0x080b93a5 in php_request_shutdown (dummy=0x0) at /home/oursky/src/php4/main/main.c:991
#12 0x080f35f8 in main (argc=4, argv=0xbffffa44) at /home/oursky/src/php4/sapi/cli/php_cli.c:873
#13 0x400a0657 in __libc_start_main (main=0x80f3190 <main>, argc=4, ubp_av=0xbffffa44, init=0x8059c1c <_init>, fini=0x80f4700 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffa3c) at ../sysdeps/generic/libc-start.c:129
(gdb)
 [2004-09-15 18:23 UTC] Xuefer at 21cn dot com
OK, I won't send the core file.
OS updated; this coredump is generated under Linux.
Script updated:
<?php
function b() {
    return true;
}

function bb() {
}
function aa() {
    register_shutdown_function('bb');
    return true;
}
session_set_save_handler('aa', 'b', 'b', 'aa', 'b', 'b');
session_start();
?>

The "open" handler should be callable, or else:
Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp/) in /home/oursky/a.php on line 13

But when I change
session_set_save_handler('aa', 'b', 'b', 'aa', 'b', 'b');
to
session_set_save_handler('b',  'b', 'b', 'aa', 'b', 'b');
there is no coredump.

Very strange.
 [2004-10-18 14:36 UTC] mikael dot suvi at trigger dot ee
For the last sample crash script I did the following, which fixed the crash for php-5.0.2. The problem was that the session_write handler is called after the user-defined shutdown functions, and php_call_shutdown_functions has already freed the global user_shutdown_function_names by the time the session_write handler tries to register a shutdown function again.

=========================
diff ext/standard/basic_functions.c.old ext/standard/basic_functions.c
2195a2196
>                       BG(user_shutdown_function_names) = NULL;
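Review bot: The single added line at 2196 arrives as a context-free normal diff, so it is not visible which function it lands in or that it directly follows the free of the table; please resend it as a unified diff (diff -u) against a named revision. Resetting BG(user_shutdown_function_names) to NULL also means that a registration made from the session write handler goes into a newly allocated table after the user shutdown functions have already run, so the patch should state whether that table is ever called or freed, or whether registration at that stage should be rejected with a warning instead.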
=========================
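
Added example (not part of the original report and not PHP's own code): a small C model of the pointer lifetime problem described in the comment above, with the one-line NULL reset as a switch. The names fn_table, register_shutdown, call_shutdown_functions, simulate_request and the table_live flag are hypothetical; table_live exists only so the model can report the dangling state instead of dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_FNS 8

/* Hypothetical stand-in for the table behind BG(user_shutdown_function_names). */
typedef struct { const char *names[MAX_FNS]; int count; } fn_table;

static fn_table *shutdown_names = NULL; /* lazily allocated global */
static int table_live = 0;              /* model only: is the allocation still valid? */

/* Returns 0 on success, -1 where real code would touch freed memory, -2 on other errors. */
int register_shutdown(const char *name)
{
    if (shutdown_names == NULL) {
        shutdown_names = calloc(1, sizeof(*shutdown_names));
        if (shutdown_names == NULL) return -2;
        table_live = 1;
    }
    if (!table_live) return -1;          /* pointer is non-NULL but already freed */
    if (shutdown_names->count >= MAX_FNS) return -2;
    shutdown_names->names[shutdown_names->count++] = name;
    return 0;
}

/* "Runs" the registered functions and frees the table; reset_ptr models the patch. */
int call_shutdown_functions(int reset_ptr)
{
    int ran = 0;
    if (shutdown_names != NULL && table_live) {
        ran = shutdown_names->count;
        free(shutdown_names);
        table_live = 0;
        if (reset_ptr) shutdown_names = NULL;
    }
    return ran;
}

/* Order from the report: user shutdown functions run first, session write handler after. */
int simulate_request(int open_registers, int reset_ptr)
{
    shutdown_names = NULL; table_live = 0;
    if (open_registers) register_shutdown("bb"); /* open handler 'aa' */
    call_shutdown_functions(reset_ptr);
    int rc = register_shutdown("bb");            /* write handler 'aa' */
    if (rc == 0) call_shutdown_functions(1);     /* release the late table */
    return rc;
}

int main(void)
{
    printf("unpatched=%d patched=%d no-open-registration=%d\n",
           simulate_request(1, 0), simulate_request(1, 1), simulate_request(0, 0));
    return 0;
}
```

In this model the third case, where nothing is registered before shutdown, leaves the pointer NULL and so never reaches the dangling state, which matches the report that replacing the open handler 'aa' with 'b' produced no coredump.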
 [2005-01-09 11:48 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 