PHP :: Bug #27611 :: segfault in xbuf_format

Bug #27611

segfault in xbuf_format_converter

Submitted:

2004-03-15 17:07 UTC

Modified:

2004-04-03 02:02 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

jan at horde dot org

Assigned:

Status:

Not a bug

Package:

Scripting Engine problem

PHP Version:

5CVS-2004-03-15 (dev)

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2004-03-15 17:07 UTC] jan at horde dot org

Description:
------------
I'm still looking where and when exactly this happens, but here's already the backtrace.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 20180)]
0x406b31c7 in xbuf_format_converter (xbuf=0xbfe01190,
    fmt=0x408b59e0 "is_a(): Deprecated. Please use the instanceof operator",
ap=0xbfe01298 "ø\022à¿]Bp@\020") at /home/jan/cvs/php5/main/spprintf.c:179
179     {

#0  0x406b31c7 in xbuf_format_converter (xbuf=0xbfe01190,
    fmt=0x408b59e0 "is_a(): Deprecated. Please use the instanceof operator",
    ap=0xbfe01298 "ø\022à¿]Bp@\020") at /home/jan/cvs/php5/main/spprintf.c:179
#1  0x406b45c9 in vspprintf (pbuf=0xbfe011fc, max_len=1024,
    format=0x408b59e0 "is_a(): Deprecated. Please use the instanceof operator", ap=0xbfe01298 "ø\022à¿]Bp@\020") at /home/jan/cvs/php5/main/spprintf.c:725
#2  0x406afc3d in php_error_cb (type=2048,
    error_filename=0x4187cbbc "/home/jan/headhorde/kronolith/lib/Kronolith.php", error_lineno=87,
    format=0x408b59e0 "is_a(): Deprecated. Please use the instanceof operator", args=0xbfe01298 "ø\022à¿]Bp@\020") at /home/jan/cvs/php5/main/main.c:656
#3  0x406f80f1 in zend_error (type=2048,
    format=0x408b59e0 "is_a(): Deprecated. Please use the instanceof operator")
    at /home/jan/cvs/php5/Zend/zend.c:907
#4  0x40704278 in zif_is_a (ht=2, return_value=0x41d6da2c, this_ptr=0x0,
    return_value_used=1)
    at /home/jan/cvs/php5/Zend/zend_builtin_functions.c:652
#5  0x4071eb2d in zend_do_fcall_common_helper (execute_data=0xbfe01420,
    opline=0x41704310, op_array=0x4188663c)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2648
#6  0x4071f27d in zend_do_fcall_handler (execute_data=0xbfe01420,
    opline=0x41704310, op_array=0x4188663c)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2777
#7  0x4071af4a in execute (op_array=0x4188663c)
    at /home/jan/cvs/php5/Zend/zend_execute.c:1339
#8  0x4071ecc6 in zend_do_fcall_common_helper (execute_data=0xbfe04490,
    opline=0x41b59244, op_array=0x41b40264)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2677
#9  0x4071f16f in zend_do_fcall_by_name_handler (execute_data=0xbfe04490,
    opline=0x41b59244, op_array=0x41b40264)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2759
#10 0x4071af4a in execute (op_array=0x41b40264)
    at /home/jan/cvs/php5/Zend/zend_execute.c:1339
#11 0x4071ecc6 in zend_do_fcall_common_helper (execute_data=0xbfe07500,

and so on...

#518 0x40720da5 in zend_include_or_eval_handler (execute_data=0xbfffca50,
    opline=0x80d9580, op_array=0x80d33c4)
    at /home/jan/cvs/php5/Zend/zend_execute.c:3492
#519 0x4071af4a in execute (op_array=0x80d33c4)
    at /home/jan/cvs/php5/Zend/zend_execute.c:1339

#520 0x406f871e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/jan/cvs/php5/Zend/zend.c:1044
#521 0x406b219e in php_execute_script (primary_file=0xbfffedc0)
    at /home/jan/cvs/php5/main/main.c:1655
#522 0x40726a44 in apache_php_module_main (r=0x81d27e0, display_source_mode=0)
    at /home/jan/cvs/php5/sapi/apache/sapi_apache.c:54
#523 0x407279e5 in send_php (r=0x81d27e0, display_source_mode=0,
    filename=0x81d2ed8 "/home/jan/headhorde//kronolith/index.php")
    at /home/jan/cvs/php5/sapi/apache/mod_php5.c:621
#524 0x40727a5e in send_parsed_php (r=0x81d27e0)
    at /home/jan/cvs/php5/sapi/apache/mod_php5.c:636

#525 0x080557d7 in ap_invoke_handler ()
#526 0x0806aab0 in process_request_internal ()
---Type <return> to continue, or q <return> to quit---
#527 0x4042edb6 in handle_dir () from /usr/lib/apache/mod_dir.so
#528 0x080557d7 in ap_invoke_handler ()
#529 0x0806aab0 in process_request_internal ()
#530 0x0806ad41 in ap_process_request ()
#531 0x080626f1 in child_main ()
#532 0x0806289a in make_child ()
#533 0x080629d6 in startup_children ()
#534 0x0806347b in standalone_main ()
#535 0x08063c36 in main ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-03-15 17:09 UTC] jan at horde dot org

The line that appeared in the backtrace looks like:

if (is_a($date, 'Kronolith_Date')) {

If I comment it out, it still segfaults, but with a different bt:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 20318)]
0x406b31c7 in xbuf_format_converter (xbuf=0xbfe010b0,
    fmt=0x40892d27 "%sobject(%s)#%d (%d) {\n",
---Type <return> to continue, or q <return> to quit---
    ap=0xbfe01104 "É,\211@È\030ÓA\214\003")
    at /home/jan/cvs/php5/main/spprintf.c:179
179     {
(gdb) bt
#0  0x406b31c7 in xbuf_format_converter (xbuf=0xbfe010b0,
    fmt=0x40892d27 "%sobject(%s)#%d (%d) {\n",
    ap=0xbfe01104 "É,\211@È\030ÓA\214\003")
    at /home/jan/cvs/php5/main/spprintf.c:179
#1  0x406b45c9 in vspprintf (pbuf=0xbfe010e8, max_len=0,
    format=0x40892d27 "%sobject(%s)#%d (%d) {\n",
    ap=0xbfe01104 "É,\211@È\030ÓA\214\003")
    at /home/jan/cvs/php5/main/spprintf.c:725
#2  0x406af365 in php_printf (format=0x40892d27 "%sobject(%s)#%d (%d) {\n")
    at /home/jan/cvs/php5/main/main.c:397
#3  0x4067ccc0 in php_var_dump (struc=0x41cde8bc, level=1)
    at /home/jan/cvs/php5/ext/standard/var.c:111
#4  0x4067cea6 in zif_var_dump (ht=1, return_value=0x41d32a28, this_ptr=0x0,
    return_value_used=0) at /home/jan/cvs/php5/ext/standard/var.c:156
#5  0x4071eb2d in zend_do_fcall_common_helper (execute_data=0xbfe01270,
    opline=0x80d6db8, op_array=0x81daba0)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2648
#6  0x4071f27d in zend_do_fcall_handler (execute_data=0xbfe01270,
    opline=0x80d6db8, op_array=0x81daba0)
    at /home/jan/cvs/php5/Zend/zend_execute.c:2777
#7  0x4071af4a in execute (op_array=0x81daba0)
    at /home/jan/cvs/php5/Zend/zend_execute.c:1339

[2004-03-15 18:08 UTC] iliaa@php.net

Please provide a short script that can be used to replicate 
the problem.

[2004-03-15 18:24 UTC] jan at horde dot org

No, because the instructions how to find out where the crash happens don't work anymore with php 5.

[2004-03-15 23:04 UTC] sniper@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try avoid embedding huge scripts into the report.

[2004-03-29 03:18 UTC] jan at horde dot org

Looks like this was rather a userland error. End endless loop due to an object not being cloned in PHP 5 anymore (as it was in PHP 4) seems to have causes the segfault.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat May 03 16:01:29 2025 UTC