PHP :: Bug #35323 :: debug_backtrace() crash when assigned to global in error handler (works in 5.1)

Bug #35323

debug_backtrace() crash when assigned to global in error handler (works in 5.1)

Submitted:

2005-11-22 08:33 UTC

Modified:

2008-07-11 21:13 UTC

Votes:	4
Avg. Score:	4.5 ± 0.5
Reproduced:	4 of 4 (100.0%)
Same Version:	3 (75.0%)
Same OS:	3 (75.0%)

From:

tcarter at noggin dot com dot au

Assigned:

Status:

Wont fix

Package:

Scripting Engine problem

PHP Version:

4.4.2RC1

OS:

Linux 2.4.31

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	tcarter at noggin dot com dot au
New email:
PHP Version:		OS:

New Comment:

[2005-11-22 08:33 UTC] tcarter at noggin dot com dot au

Description:
------------
Calls to debug_backtrace() cause PHP to crash when    
the result is assigned to a static or uninitialized global    
variable inside a custom error handler when an error is    
triggered from inside a (different) function.    
    
Crash occurs with:   
PHP 4.4.1   
PHP 4.4.2RC2 (Snapshot 200511220601) 
   
Does not occur with:   
PHP 4.3.10   
PHP 5.0.3   
   

Reproduce code:
---------------
function err_h() {
        global $backtrace;
        $backtrace = debug_backtrace();
}

set_error_handler("err_h");

function crash_me() { trigger_error('Crash!'); }

crash_me();


Expected result:
----------------
PHP shouldn't crash 

Actual result:
--------------
[trav@dev php4-STABLE-200511220601]$ ./configure 
--disable-all --enable-debug 
... 
[trav@dev php4-STABLE-200511220601]$ gdb sapi/cli/php 
... 
This GDB was configured as "i386-redhat-linux-gnu"... 
(gdb) set args -c ./php.ini-dist -f ~/crashme.php 
(gdb) run 
Starting 
program: /home/users/trav/build/php4-STABLE-200511220601/sapi/cli/php 
-c ./php.ini-dist -f ~/crashme.php 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(152) : 
Block 0x0816F7E8 status: 
Beginning:      Overrun (magic=0x08170A78, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816A028 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816A060, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08169FE8 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816A020, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08170A40 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816FB68, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08170938 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x08170A38, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(169) : 
Block 0x0816F820 status: 
Beginning:      Overrun (magic=0x401D662C, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(171) : 
Block 0x0816F7B0 status: 
Beginning:      Overrun (magic=0x0816F7E0, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(152) : 
Block 0x08170A80 status: 
Beginning:      Overrun (magic=0x0816FC20, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816FC28 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x081701D0, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816FBB0 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x08164618, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
 
Program received signal SIGSEGV, Segmentation fault. 
0x080e1dbc in _efree (ptr=0x8170adc, 
__zend_filename=0x81307c0 
"/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c", 
__zend_lineno=169, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_alloc.c:260 
260             REMOVE_POINTER_FROM_LIST(p); 
(gdb) bt 
#0  0x080e1dbc in _efree (ptr=0x8170adc, 
__zend_filename=0x81307c0 
"/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c", 
__zend_lineno=169, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_alloc.c:260 
#1  0x080ebabc in destroy_op_array (op_array=0x816fc60) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c:169 
#2  0x080eb8c0 in destroy_zend_function 
(function=0x816fc60) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c:100 
#3  0x080f7e25 in zend_hash_destroy (ht=0x8143220) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_hash.c:556 
#4  0x080f2396 in zend_shutdown () 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend.c:573 
#5  0x080c0b7f in php_module_shutdown () 
at /home/users/trav/build/php4-STABLE-200511220601/main/main.c:1286 
#6  0x0810aef7 in main (argc=5, argv=0xbffff924) 
at /home/users/trav/build/php4-STABLE-200511220601/sapi/cli/php_cli.c:887 
#7  0x400b5a67 in __libc_start_main () 
from /lib/i686/libc.so.6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-11-22 09:13 UTC] sniper@php.net

Does not happen with PHP 5.1 CVS.

[2005-11-23 04:25 UTC] tcarter at noggin dot com dot au

PHP 4.3.11 does not crash  
PHP 4.4.0 crashes 
 
(Both versions tested on both Solars SPARC & Linux x86)

[2006-08-15 00:42 UTC] tcarter at noggin dot com dot au

This crash seems to be related to the way that the 
$errcontext (symbol table) argument passed to the error 
handler is treated by debug_backtrace.

If you unset the $errcontext argument in the backtrace 
(arg 5 of the final call) then the crash does not occur.

It appears to be specific to debug_backtrace() because 
setting the global variable directly to $errcontext as a 
named argument, or from func_get_args() does not trigger a 
crash.

[2008-07-11 21:13 UTC] jani@php.net

We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 01 20:01:36 2025 UTC