Bug #24659 Crash due to some internal memory corruption (?)
Submitted: 2003-07-15 04:15 UTC Modified: 2003-07-28 05:02 UTC
From: fujimura at wakhok dot ac dot jp Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2003-07-27 (dev) OS: Linux kernel-2.4.21
Private report: No CVE-ID: None

 [2003-07-15 04:15 UTC] fujimura at wakhok dot ac dot jp
Description:
------------
The following code crashes (segmentation fault, and empty output) at a whim.
But it does not reproduce when PHP is invoked as CLI.


Reproduce code:
---------------
<?php

class MyHandler {
    public function test($parser, $data) {
        print $data;
    }
}

$parser = xml_parser_create();
$parser AND die;

$handler = new MyHandler();

xml_set_default_handler($parser, array($handler, "test"));

xml_parser_free($parser);

?>

Expected result:
----------------
Nothing.

Actual result:
--------------
SIGSEGV logged to error_log.


 [2003-07-15 04:16 UTC] fujimura at wakhok dot ac dot jp
-$parser AND die;
+$parser OR die;
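Review bot: on the `+$parser OR die;` line, a bare `die` exits with no output, and the report lists empty output as one of the crash symptoms, so a failed xml_parser_create() would look the same as the segfault from the client side. Suggest giving `die` a message, e.g. `$parser OR die("xml_parser_create failed");`, so the two cases can be told apart in the reproduce script.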

;-)
 [2003-07-16 03:54 UTC] sniper@php.net
Backtrace is useless as long as you don't have
--enable-debug in your configure line. 
So add it, and put new backtrace here.

Also include the full configure line you used.

 [2003-07-16 20:56 UTC] fujimura at wakhok dot ac dot jp
> Backtrace is useless as long as you don't have
> --enable-debug in your configure line. 
Okay, I rebuilt PHP with --enable-debug, but this bug did not reproduce.
Next, I built it again without --enable-debug, and this bug reproduced.
I have discovered that set_exception_handler() causes this one too.
<?php
    set_exception_handler("test_func");
    function test_func($exception) {
        var_dump($exception);
        exit;
    }
    throw new Exception();
    print "A";
?>

I cannot understand. Does the debug code of Zend have something to do with this?
What can I do?

> Also include the full configure line you used.
./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-short-tags \
--enable-versioning \
--enable-mbstring \
--enable-mbregex \
--enable-dom \
--with-iconv \
--with-xsl \
--with-openssl \
--with-zlib \
--with-bz2
...and --enable-debug
 [2003-07-18 00:34 UTC] sniper@php.net
The first script (that xml thing) does this after some reloads:

Warning: xml_set_default_handler(): supplied resource is not a valid XML Parser resource in /www/apache-1.3.27/htdocs/exep.php on line 13

Warning: xml_parser_free(): supplied resource is not a valid XML Parser resource in /www/apache-1.3.27/htdocs/exep.php on line 15

Warning: Unknown list entry type in request shutdown (135138372) in Unknown on line 0

Given enough requests, (ab -n 1000 http://localhost/bug24658_a.php), it crashes:


[Switching to Thread 1024 (runnable)]
0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1) at /usr/src/web/php/php5/Zend/zend_objects.c:36
36              zend_function *destructor = object->ce->destructor;
(gdb) bt
#0  0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1)
    at /usr/src/web/php/php5/Zend/zend_objects.c:36
#1  0x40430855 in zend_objects_store_del_ref (zobject=0x80e0f9c) at /usr/src/web/php/php5/Zend/zend_objects_API.c:142
#2  0x4041fccc in _zval_dtor (zvalue=0x80e0f9c) at /usr/src/web/php/php5/Zend/zend_variables.c:61
#3  0x40417389 in _zval_ptr_dtor (zval_ptr=0x80ecff0) at /usr/src/web/php/php5/Zend/zend_execute_API.c:344
#4  0x40426be8 in zend_hash_destroy (ht=0x404a6990) at /usr/src/web/php/php5/Zend/zend_hash.c:509
#5  0x40416f55 in shutdown_executor () at /usr/src/web/php/php5/Zend/zend_execute_API.c:211
#6  0x40421257 in zend_deactivate () at /usr/src/web/php/php5/Zend/zend.c:795
#7  0x403ee8e6 in php_request_shutdown (dummy=0x0) at /usr/src/web/php/php5/main/main.c:1174
#8  0x4045c0d5 in apache_php_module_main (r=0x81bf684, display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:60
#9  0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0, filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#10 0x4045cd6a in send_parsed_php (r=0x81bf684) at /usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#11 0x8054f09 in ap_invoke_handler ()
#12 0x806b0cf in process_request_internal ()
#13 0x806b13a in ap_process_request ()
#14 0x8061916 in child_main ()
#15 0x8061af5 in make_child ()
#16 0x8061c76 in startup_children ()
#17 0x806230d in standalone_main ()
#18 0x8062b9c in main ()
#19 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3, argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92


 [2003-07-18 00:36 UTC] sniper@php.net
The second script crashes much earlier:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x40425fde in zend_hash_add_or_update (ht=0x80ded04, arKey=0x80ded24 "\\sA@", nKeyLength=7, pData=0x0, nDataSize=4, 
    pDest=0xbfffcd54, flag=1) at /usr/src/web/php/php5/Zend/zend_hash.c:238
238             INIT_DATA(ht, p, pData, nDataSize);
(gdb) bt
#0  0x40425fde in zend_hash_add_or_update (ht=0x80ded04, arKey=0x80ded24 "\\sA@", nKeyLength=7, pData=0x0, 
    nDataSize=4, pDest=0xbfffcd54, flag=1) at /usr/src/web/php/php5/Zend/zend_hash.c:238
#1  0x404271f4 in zend_hash_copy (target=0x80ded04, source=0x80de7e4, pCopyConstructor=0x4041fce4 <zval_add_ref>, 
    tmp=0xbfffcda4, size=4) at /usr/src/web/php/php5/Zend/zend_hash.c:750
#2  0x4041fde6 in _zval_copy_ctor (zvalue=0x80f160c) at /usr/src/web/php/php5/Zend/zend_variables.c:124
#3  0x4042b068 in zif_set_exception_handler (ht=1, return_value=0x80f160c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/Zend/zend_builtin_functions.c:1017
#4  0x40451d4f in zend_do_fcall_common_helper (execute_data=0xbfffcf5c, op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2634
#5  0x404523f4 in zend_do_fcall_handler (execute_data=0xbfffcf5c, op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2763
#6  0x4043a7ee in execute (op_array=0x80ea62c) at /usr/src/web/php/php5/Zend/zend_execute.c:1194
#7  0x4042190f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1017
#8  0x403ef2c5 in php_execute_script (primary_file=0xbffff288) at /usr/src/web/php/php5/main/main.c:1695
#9  0x4045c07e in apache_php_module_main (r=0x81bf684, display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:54
#10 0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0, filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#11 0x4045cd6a in send_parsed_php (r=0x81bf684) at /usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#12 0x8054f09 in ap_invoke_handler ()
#13 0x806b0cf in process_request_internal ()
#14 0x806b13a in ap_process_request ()
#15 0x8061916 in child_main ()
#16 0x8061af5 in make_child ()
#17 0x8061c76 in startup_children ()
#18 0x806230d in standalone_main ()
#19 0x8062b9c in main ()
#20 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3, argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92

 [2003-07-27 08:54 UTC] stas@php.net
Could not make the second one (set_exception_handler) crash. Please check it still happens in current CVS.
 [2003-07-28 02:30 UTC] fujimura at wakhok dot ac dot jp
> Could not make the second one (set_exception_handler) crash. Please
> check it still happens in current CVS.
Yes, I tried it ... it does not crash.
 [2003-07-28 05:02 UTC] sniper@php.net
Fixed -> closed.

 
Last updated: Thu Sep 12 02:01:26 2024 UTC