PHP :: Bug #26223 :: Error message makes PHP crash (in some special cases)

Bug #26223

Error message makes PHP crash (in some special cases)

Submitted:

2003-11-12 11:35 UTC

Modified:

2005-01-09 11:48 UTC

Votes:	1
Avg. Score:	1.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

Xuefer at 21cn dot com

Assigned:

helly (profile)

Status:

Closed

Package:

*General Issues

PHP Version:

4CVS, 5CVS

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	Xuefer at 21cn dot com
New email:
PHP Version:		OS:

New Comment:

[2003-11-12 11:35 UTC] Xuefer at 21cn dot com

Description:
------------
using session_set_save_handler()
in write handler, if an error occur or using echo, something is output, php crash

this make script debugging very hard

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-11-14 00:09 UTC] Xuefer at 21cn dot com

sorry for my careless
it took me so much time to track down this problem
but i don't know if it'll still crash if php env(system+apache+php..) changed

<?php

touch('./127.0.0.1.3.4.5.6');
file_exists('./127.0.0.1.3.4.5.6');

function n()
{
	return true;
}


function write()
{
	file_exists('Unknown');
}

session_set_save_handler ("n", "n", "n", "write", "n", "n");
session_start();
?>

[2003-11-17 21:38 UTC] sniper@php.net

Here you can find some debug enabled builds:

   http://www.thebrainroom.net/php-snaps/

[2003-11-17 23:08 UTC] Xuefer at 21cn dot com

i'm not familiar with debugging
i'm stucked

with same script
still crash on http://www.thebrainroom.net/php-snaps/php4-win32-STABLE-foundstone-latest.zip (with similar gdb bt)

but not crash on:
http://www.thebrainroom.net/php-snaps/php4-win32-STABLE-debug-foundstone-latest.zip
output:

Warning: file_exists(): Stat failed for Unknown (errno=9 - Bad file descriptor) in c:\test.php on line 14
warning: ---------------------------------------

warning: f:\tbr\php\snapbuilder\php_4_3-foundstone\ext\standard\filestat.c(616) : Block 0x00BAE800 status:

warning: Beginning:     
warning: Cached (allocated on f:\tbr\php\snapbuilder\php_4_3-foundstone\main\main.c:485, 21 bytes)

warning:       End:     
warning: OK

warning: ---------------------------------------

[Tue Nov 18 11:23:53 2003]  Script:  'test.php'

Program exited normally.

[2004-02-13 10:02 UTC] sniper@php.net

The crash happens in the error outputting functions..php_docref..something. Marcus broke it so Marcus fixes it.

[2004-04-13 12:55 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2004-04-21 06:32 UTC] Xuefer at 21cn dot com

seems fixed

but when i do "glob/unlink/rmdir" in session write handler, and it crash randomly. still can't make a reproduciable script yet :(

marking this bug as closed

[2004-07-03 08:55 UTC] Xuefer at 21cn dot com

the following script in php4CVS crash

<?php
function b() {
}

function bb() {
}
function aa() {
    register_shutdown_function('bb');
}
session_set_save_handler('a', 'a', 'a', 'aa', 'a', 'a');
session_start();
?>

while doing the following is fine:
<?php

function bb() {
}
function aa() {
    register_shutdown_function('bb');
}

aa(); aa(); aa(); aa();
?>

[2004-09-15 17:51 UTC] Xuefer at 21cn dot com

core file will sent to sniper at **.net ok?

Starting program: /home/oursky/src/php4-www-debug/sapi/cli/php -c . a.php

Program received signal SIGSEGV, Segmentation fault.
0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc, h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
    at /home/oursky/src/php4/Zend/zend_hash.c:390
390             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x080e67ab in zend_hash_index_update_or_next_insert (ht=0x8154ddc, h=945959777, pData=0xbfffeea0, nDataSize=8, pDest=0x0, flag=4)
    at /home/oursky/src/php4/Zend/zend_hash.c:390
#1  0x08070bd0 in zif_register_shutdown_function (ht=1, return_value=0xbfffeea0, this_ptr=0x0, return_value_used=0)
    at /home/oursky/src/php4/ext/standard/basic_functions.c:2187
#2  0x080eee0f in execute (op_array=0x81549e0) at /home/oursky/src/php4/Zend/zend_execute.c:1635
#3  0x080db4c2 in call_user_function_ex (function_table=0x8128f30, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbffff178, param_count=2, 
    params=0x8154dc4, no_separation=1, symbol_table=0x0) at /home/oursky/src/php4/Zend/zend_execute_API.c:567
#4  0x080dafd3 in call_user_function (function_table=0x39306535, object_pp=0x39306535, function_name=0x39306535, retval_ptr=0x8154c44, 
    param_count=135613340, params=0xbffff1c0) at /home/oursky/src/php4/Zend/zend_execute_API.c:409
#5  0x0805fdd8 in ps_write_user (mod_data=0x39306535, key=0x815487c "77d6e387747ca3b89ae8236afa355e09", 
    val=0x39306535 <Address 0x39306535 out of bounds>, vallen=0) at /home/oursky/src/php4/ext/session/mod_user.c:60
#6  0x0805df86 in php_session_save_current_state () at /home/oursky/src/php4/ext/session/session.c:694
#7  0x0805d9da in zm_deactivate_session (type=1, module_number=2) at /home/oursky/src/php4/ext/session/session.c:1598
#8  0x080e4c79 in module_registry_cleanup (module=0x39306535) at /home/oursky/src/php4/Zend/zend_API.c:1167
#9  0x080e6f18 in zend_hash_apply (ht=0xbffff1c0, apply_func=0x815560c) at /home/oursky/src/php4/Zend/zend_hash.c:701
#10 0x080e1d64 in zend_deactivate_modules () at /home/oursky/src/php4/Zend/zend.c:652
#11 0x080b93a5 in php_request_shutdown (dummy=0x0) at /home/oursky/src/php4/main/main.c:991
#12 0x080f35f8 in main (argc=4, argv=0xbffffa44) at /home/oursky/src/php4/sapi/cli/php_cli.c:873
#13 0x400a0657 in __libc_start_main (main=0x80f3190 <main>, argc=4, ubp_av=0xbffffa44, init=0x8059c1c <_init>, fini=0x80f4700 <_fini>, 
    rtld_fini=0x4100dc54 <_dl_fini>, stack_end=0xbffffa3c) at ../sysdeps/generic/libc-start.c:129
(gdb)

[2004-09-15 18:23 UTC] Xuefer at 21cn dot com

ok, i won't send corefile
os updated, this coredump is generated under linux
script updated:
<?php
function b() {
    return true;
}

function bb() {
}
function aa() {
    register_shutdown_function('bb');
    return true;
}
session_set_save_handler('aa', 'b', 'b', 'aa', 'b', 'b');
session_start();
?>

the "open" handler should be callable or else:
Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp/) in /home/oursky/a.php on line 13

but when i change
session_set_save_handler('aa', 'b', 'b', 'aa', 'b', 'b');
to
session_set_save_handler('b',  'b', 'b', 'aa', 'b', 'b');
no coredump

very strange

[2004-10-18 14:36 UTC] mikael dot suvi at trigger dot ee

For the last sample crash script I did the following that fixed the crash for php-5.0.2. Problem was that session_write handler is called after the user defined shutdown functions. And php_call_shutdown_functions has already freed global user_shutdown_function_names the by the time session_write handler tries to register shutdown function again.

=========================
diff ext/standard/basic_functions.c.old ext/standard/basic_functions.c
2195a2196
>                       BG(user_shutdown_function_names) = NULL;
=========================

[2005-01-09 11:48 UTC] sniper@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 01 20:01:36 2025 UTC