Bug #13698 CGI version segfaults at shutdown
Submitted: 2001-10-16 19:23 UTC Modified: 2001-11-10 21:08 UTC
From: yasuo_ohgaki at yahoo dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2001-10-29 OS: Linux 2.4.14-pre3/glibc 2.2.2
Private report: No CVE-ID: None
 [2001-10-16 19:23 UTC] yasuo_ohgaki at yahoo dot com
CGI version segfaults at the end of the test script (i.e. at the end of "./php -q run-tests.php").
It happens on both HEAD (4.2.0-dev) and RC (4.1.0RC). It seems --enable-mbstr-enc-trans is the cause.

==CONFIGURE(4.1.0RC)==
I cannot reproduce the segfault with 4.2.0-dev using this simple configure line. I attached a more complex configure line for 4.2.0-dev that causes the segfault.

./configure --enable-mbstring --enable-mbstr-enc-trans --enable-debug
Without --enable-mbstr-enc-trans, php doesn't segfault.

==BACKTRACE(4.1.0RC)==
[yohgaki@dev RC]$ gdb -c core
GNU gdb 20010318
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-redhat-linux".
Core was generated by `/home/yohgaki/cvs/php/RC/php -C -q /home/yohgaki/cvs/php/RC/run-tests.php /home'.
Program terminated with signal 11, Segmentation fault.
#0  0x0811a453 in ?? ()
(gdb) file php
Reading symbols from php...done.
(gdb) bt
#0  0x0811a453 in _zval_dtor (zvalue=0x81e9c6c, 
    __zend_filename=0x817d27c "zend_execute_API.c", __zend_lineno=268)
    at zend_variables.c:43
#1  0x08111c82 in _zval_ptr_dtor (zval_ptr=0x81edd60, 
    __zend_filename=0x817db13 "zend_variables.c", __zend_lineno=192)
    at zend_execute_API.c:268
#2  0x0811a8ab in _zval_ptr_dtor_wrapper (zval_ptr=0x81edd60) at zend_variables.c:192
#3  0x081211b9 in zend_hash_destroy (ht=0x81e5404) at zend_hash.c:541
#4  0x0811a4d1 in _zval_dtor (zvalue=0x81e53c4, 
    __zend_filename=0x817d27c "zend_execute_API.c", __zend_lineno=268)
    at zend_variables.c:51
#5  0x08111c82 in _zval_ptr_dtor (zval_ptr=0x81eddf8, 
    __zend_filename=0x817db13 "zend_variables.c", __zend_lineno=192)
    at zend_execute_API.c:268
#6  0x0811a8ab in _zval_ptr_dtor_wrapper (zval_ptr=0x81eddf8) at zend_variables.c:192
#7  0x081211b9 in zend_hash_destroy (ht=0x81befc8) at zend_hash.c:541
#8  0x08111992 in shutdown_executor () at zend_execute_API.c:172
#9  0x0811b782 in zend_deactivate () at zend.c:600
#10 0x0806243c in php_request_shutdown (dummy=0x0) at main.c:736
#11 0x08060d83 in main (argc=5, argv=0xbffff89c) at cgi_main.c:775
#12 0x400b91be in ?? ()
(gdb) 

==CONFIGURE(4.2.0-dev)==
Without --enable-mbstr-enc-trans, php doesn't segfault.

'./configure' \
'--disable-short-tags' \
'--without-mysql' \
'--with-bz2' \
'--with-curl' \
'--with-ftp' \
'--with-iconv' \
'--with-mhash' \
'--with-mcrypt' \
'--with-openssl' \
'--with-pgsql' \
'--with-regex=system' \
'--with-zlib' \
'--with-gd=/usr' \
'--enable-gd-native-ttf' \
'--with-freetype-dir=/usr/local' \
'--with-jpeg-dir=/usr' \
'--with-png-dir=/usr' \
'--with-xpm-dir=/usr/X11R6' \
'--enable-bcmath' \
'--enable-ftp' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-sockets' \
'--enable-mbstring' \
'--enable-mbstr-enc-trans' \
'--enable-memory-limit' \
'--enable-wddx' \
'--enable-debug' \


==BACKTRACE(4.2.0-dev)==
[yohgaki@dev HEAD]$ gdb -c core
GNU gdb 20010318
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-redhat-linux".
Core was generated by `/home/yohgaki/cvs/php/HEAD/php -C -q /home/yohgaki/cvs/php/HEAD/run-tests.php /'.
Program terminated with signal 11, Segmentation fault.
#0  0x0814e4c3 in ?? ()
(gdb) file php
Reading symbols from php...done.
(gdb) bt
#0  0x0814e4c3 in _zval_dtor (zvalue=0x82349e4, 
    __zend_filename=0x81add5c "zend_execute_API.c", __zend_lineno=268)
    at zend_variables.c:43
#1  0x08145c02 in _zval_ptr_dtor (zval_ptr=0x8238ae0, 
    __zend_filename=0x81ae5f3 "zend_variables.c", __zend_lineno=189)
    at zend_execute_API.c:268
#2  0x0814e8db in _zval_ptr_dtor_wrapper (zval_ptr=0x8238ae0) at zend_variables.c:189
#3  0x081551e9 in zend_hash_destroy (ht=0x82301ac) at zend_hash.c:541
#4  0x0814e541 in _zval_dtor (zvalue=0x823016c, 
    __zend_filename=0x81add5c "zend_execute_API.c", __zend_lineno=268)
    at zend_variables.c:51
#5  0x08145c02 in _zval_ptr_dtor (zval_ptr=0x8238b78, 
    __zend_filename=0x81ae5f3 "zend_variables.c", __zend_lineno=189)
    at zend_execute_API.c:268
#6  0x0814e8db in _zval_ptr_dtor_wrapper (zval_ptr=0x8238b78) at zend_variables.c:189
#7  0x081551e9 in zend_hash_destroy (ht=0x81ef288) at zend_hash.c:541
#8  0x08145912 in shutdown_executor () at zend_execute_API.c:172
#9  0x0814f7b2 in zend_deactivate () at zend.c:600
#10 0x08069b7c in php_request_shutdown (dummy=0x0) at main.c:736
#11 0x08068473 in main (argc=5, argv=0xbffff88c) at cgi_main.c:775
#12 0x403f81be in ?? ()
(gdb) 



--
Yasuo Ohgaki

 [2001-10-19 23:17 UTC] yasuo_ohgaki at yahoo dot com
I'm using 4.1.0RC1 for this comment.

I built the CGI version with the following configure:
'./configure' \
'--enable-mbstring' \
'--enable-mbstr-enc-trans' \
'--enable-debug' \
but I didn't get a segfault this time. Therefore, it may not be related to --enable-mbstr-enc-trans after all :)

I still get a segfault with the longer config, and the backtrace is the same. Anyway, since no one seems to be interested in this bug, I've taken a look at what is really wrong. The segfault occurs in this macro definition (zend_API.h):

#define CHECK_ZVAL_STRING_REL(z) \
	if ((z)->value.str.val[ (z)->value.str.len ] != '\0') zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", (z)->value.str.val ZEND_FILE_LINE_RELAY_CC);

(gdb) print zvalue->value.str.val[ zvalue->value.str.len ]
Cannot access memory at address 0x0
(gdb) print zvalue->value.str.val
$1 = 0x0
(gdb) print zvalue->value.str.len
$2 = 0
(gdb) 



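The gdb output above shows the failure mode exactly: the macro indexes value.str.val[value.str.len] without first checking that value.str.val is non-NULL, so a string zval whose buffer pointer is still 0x0 turns the debug check itself into a NULL dereference. The following is an added example (not code from the bug report or from the PHP source) that models that check on a minimal stand-in struct; the names zstr_t, check_unguarded and check_guarded are assumptions chosen to mirror the macro, not the Zend engine's real definitions.

```c
/* Added example: a minimal model of the zval string-termination check from the
 * report. The struct and function names are assumptions, not Zend engine code. */
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the string part of a zval (value.str in the report). */
typedef struct {
    const char *val;   /* string buffer; NULL when the zval was never given one */
    size_t      len;   /* length excluding the terminating '\0' */
} zstr_t;

/* Outcome of the termination check. */
typedef enum {
    ZSTR_OK = 0,          /* buffer present and val[len] == '\0' */
    ZSTR_NULL_VAL,        /* val == NULL: the state gdb printed as 0x0 */
    ZSTR_NOT_TERMINATED   /* buffer present but val[len] != '\0' */
} zstr_check_t;

/* Unguarded check, equivalent to CHECK_ZVAL_STRING_REL in the report: it reads
 * val[len] without testing val for NULL. With val == NULL this is the access to
 * address 0x0 from the core dump, so it must only be called on a non-NULL val. */
static zstr_check_t check_unguarded(const zstr_t *z)
{
    return z->val[z->len] == '\0' ? ZSTR_OK : ZSTR_NOT_TERMINATED;
}

/* Guarded variant: test the pointer before indexing through it and report the
 * NULL case as its own result, so the caller can warn instead of crashing. */
static zstr_check_t check_guarded(const zstr_t *z)
{
    if (z->val == NULL) {
        return ZSTR_NULL_VAL;
    }
    return z->val[z->len] == '\0' ? ZSTR_OK : ZSTR_NOT_TERMINATED;
}

int main(void)
{
    /* Constructed inputs covering all three cases. */
    char good[] = "hello";                             /* good[5] == '\0' */
    char bad[]  = {'h', 'e', 'l', 'l', 'o', 'X'};      /* bad[5]  == 'X'  */
    zstr_t s_good = { good, 5 };
    zstr_t s_bad  = { bad, 5 };
    zstr_t s_null = { NULL, 0 };   /* val = 0x0, len = 0: what gdb showed */

    printf("good: %d (expect %d)\n", check_guarded(&s_good), ZSTR_OK);
    printf("bad:  %d (expect %d)\n", check_guarded(&s_bad), ZSTR_NOT_TERMINATED);
    printf("null: %d (expect %d)\n", check_guarded(&s_null), ZSTR_NULL_VAL);
    /* check_unguarded(&s_null) would segfault here, just as in the report. */
    printf("unguarded good: %d\n", check_unguarded(&s_good));
    return 0;
}
```

The guarded form is the shape of check a debug build wants: a NULL buffer is itself a bug worth reporting, but the check that reports it must not trust the pointer it is inspecting.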
 [2001-10-29 04:16 UTC] yasuo_ohgaki at yahoo dot com
It crashes today's CVS source with newer kernel.
 [2001-11-10 11:58 UTC] zeev@php.net
Is this with zlib.output_compression turned off?
 [2001-11-10 19:25 UTC] yasuo_ohgaki at yahoo dot com
zlib.output_compression is off.

--enable-debug is required, since strings without '\0' will not be tested without --enable-debug. You probably know about it, just in case :)

I'll test this problem again, please wait a moment.

 [2001-11-10 21:08 UTC] yasuo_ohgaki at yahoo dot com
It seems the problem is fixed now for both 4.1.0RC and 4.2.0 :)
Closed.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Feb 18 01:01:26 2020 UTC