PHP :: Bug #14365 :: require_once() causes segfault

Bug #14365

require_once() causes segfault

Submitted:

2001-12-06 14:46 UTC

Modified:

2003-01-20 03:58 UTC

Votes:	8
Avg. Score:	4.9 ± 0.3
Reproduced:	6 of 6 (100.0%)
Same Version:	0 (0.0%)
Same OS:	2 (33.3%)

From:

sean dot redmond at brooklynmuseum dot org

Assigned:

Status:

No Feedback

Package:

iPlanet related

PHP Version:

4.3.0-dev

OS:

RedHat Linux 7.3

Private report:

CVE-ID:

None

View Developer Edit

[2001-12-06 14:46 UTC] sean dot redmond at brooklynmuseum dot org

I have an old server running RedHat 6.2, Aolserver 3.0, PHP 4.0.6 (compiled as a module) and SquirrelMail (a webmail application written in PHP) 1.0.6 just fine.

I'm trying to setup a new server with RedHat 7.2, Aolserver 3.4.2, PHP 4.0.6, and SquirrelMail 1.2.0-rc3 but I run into a consistent segfault. I haven't been able to write a script that abstracts the problem but it always happens at the same point in SquirrelMail: after you login, in the function squimap_mailbox_list (in functions/imap_mailbox.php). The offending line is functions/imap_mailbox.php:217:

    require_once('../src/load_prefs.php');

This file exists and is fine, and is require_once'd several times before this invocation (and I've stepped through other invocations of virtual_file_ex to see that it works)
but this line always segfaults:

backtrace:
#0  0x400aedd3 in canonicalize (
    name=0x82f9c38 "/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/../src/load_prefs.php", resolved=0x40522edc "")
    at canonicalize.c:88
#1  0x402bde61 in virtual_file_ex (state=0x40523f0c, 
    path=0x82c00dc "../src/load_prefs.php", verify_path=0)
    at tsrm_virtual_cwd.c:299
#2  0x402be427 in virtual_fopen (path=0x82c00dc "../src/load_prefs.php", 
    mode=0x402d1e07 "rb") at tsrm_virtual_cwd.c:497
#3  0x40240a84 in php_fopen_and_set_opened_path (
    path=0x82c00dc "../src/load_prefs.php", mode=0x402d1e07 "rb", 
    opened_path=0x40528880) at fopen_wrappers.c:235
#4  0x402410b9 in php_fopen_with_path (
    filename=0x82c00dc "../src/load_prefs.php", mode=0x402d1e07 "rb", 
    path=0x402d35fb ".:/usr/local/lib/php", opened_path=0x40528880)
    at fopen_wrappers.c:391
#5  0x402412e8 in php_fopen_url_wrapper (
    path=0x82c00dc "../src/load_prefs.php", mode=0x402d1e07 "rb", options=1, 
    issock=0x40525050, socketd=0x40525054, opened_path=0x40528880)
    at fopen_wrappers.c:470
#6  0x4023ece1 in php_fopen_wrapper_for_zend (
    filename=0x82c00dc "../src/load_prefs.php", opened_path=0x40528880)
    at main.c:477
#7  0x40222f06 in execute (op_array=0x84668d0, executor_globals=0x82282f8)
    at ./zend_execute.c:1999
#8  0x40220e03 in execute (op_array=0x821b2d0, executor_globals=0x82282f8)
    at ./zend_execute.c:1544
#9  0x40220e03 in execute (op_array=0x83cf358, executor_globals=0x82282f8)
    at ./zend_execute.c:1544
#10 0x40220e03 in execute (op_array=0x834c908, executor_globals=0x82282f8)
    at ./zend_execute.c:1544
#11 0x40220e03 in execute (op_array=0x83df304, executor_globals=0x82282f8)
    at ./zend_execute.c:1544
#12 0x4022f1cd in zend_execute_scripts (type=8, compiler_globals=0x839f938, 
    executor_globals=0x82282f8, file_count=3) at zend.c:752
#13 0x402401c7 in php_execute_script (primary_file=0x405316cc, 
    compiler_globals=0x839f938, executor_globals=0x82282f8, 
    core_globals=0x839b6f0) at main.c:1206
#14 0x4023df92 in php_ns_module_main (ns_context=0x81ed510, 
    sapi_globals=0x8276c50) at aolserver.c:434
#15 0x4023e1df in php_ns_request_handler (context=0x8184658, conn=0x819a8d0)
    at aolserver.c:519
#16 0x08077bb7 in Ns_ConnRunRequest (conn=0x819a8d0) at op.c:196
#17 0x0807e2c2 in ConnRun (connPtr=0x819a8d0) at serv.c:882
#18 0x0807dc10 in NsConnThread (arg=0x81f5178) at serv.c:671
#19 0x0811833b in NsThreadMain (arg=0x81f6590) at thread.c:228
#20 0x4002dc6f in pthread_start_thread (arg=0x40531be0) at manager.c:284
#21 0x4002dd5f in pthread_start_thread_event (arg=0x40531be0) at manager.c:308

and some extra gdb output:

[right before the segfault]
Breakpoint 9, canonicalize (
    name=0x82f9c38 "/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/../src/load_prefs.php", resolved=0x40522edc "")
    at canonicalize.c:88
88	      rpath[0] = '/';
(gdb) print rpath[0]
$94 = 0 '\000'
(gdb) step

Program received signal SIGSEGV, Segmentation fault.
0x400aedd3 in canonicalize (
    name=0x82f9c38 "/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/../src/load_prefs.php", resolved=0x40522edc "")
    at canonicalize.c:88
88	      rpath[0] = '/';

(gdb) info local
name = 0x82f9c38 "/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/../src/load_prefs.php"
rpath = 0x40521dec ""
dest = 0x0
extra_buf = 0x0
start = 0x0
end = 0x0
rpath_limit = 0x40522deb "@"
num_links = 0
rpath = 0x40521dec ""
dest = 0x0
extra_buf = 0x0
end = 0x0
rpath_limit = 0x40522deb "@"
num_links = 0

php config:

./configure --with-aolserver=/usr/local/aolserver --without-mysql --with-openssl --with-gettext

I've tried this on whatever other platforms I have handy. The same segfault occurs with any combination of RedHat 7.0/7.2, Aolserver 3.0/3.4.2, SquirrelMail 1.0.6/1.2.0-rc2/1.2.0-rc3.

Thanks

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-12-06 19:10 UTC] sniper@php.net

Does this happen with PHP 4.1.0RC5:

http://download.php.net/~zeev/php-4.1.0RC5.tar.gz

[2001-12-10 11:25 UTC] sean dot redmond at brooklynmuseum dot org

It does happen with 4.1.0RC5:

#0  0x40247210 in php_fopen_with_path (
    filename=0x83e3aa4 "../src/load_prefs.php", mode=0x402e0094 "rb", 
    path=0x402e13b2 ".:/usr/local/lib/php", opened_path=0x404ab7d8, 
    tsrm_ls=0x8384fe8) at fopen_wrappers.c:374
#1  0x402477bb in php_fopen_url_wrapper (
    path=0x83e3aa4 "../src/load_prefs.php", mode=0x402e0094 "rb", options=1, 
    issock=0x404a7fd0, socketd=0x404a7fd4, opened_path=0x404ab7d8, 
    tsrm_ls=0x8384fe8) at fopen_wrappers.c:556
#2  0x4024408a in php_fopen_wrapper_for_zend (
    filename=0x83e3aa4 "../src/load_prefs.php", opened_path=0x404ab7d8)
    at main.c:524
#3  0x4022a64d in execute (op_array=0x84d3210, tsrm_ls=0x8384fe8)
    at ./zend_execute.c:2082
#4  0x40227f5b in execute (op_array=0x8271208, tsrm_ls=0x8384fe8)
    at ./zend_execute.c:1630
#5  0x40227f5b in execute (op_array=0x8259708, tsrm_ls=0x8384fe8)
    at ./zend_execute.c:1630
#6  0x40227f5b in execute (op_array=0x832d460, tsrm_ls=0x8384fe8)
    at ./zend_execute.c:1630
#7  0x40227f5b in execute (op_array=0x829abdc, tsrm_ls=0x8384fe8)
    at ./zend_execute.c:1630
#8  0x40237eba in zend_execute_scripts (type=8, tsrm_ls=0x8384fe8, retval=0x0, 
    file_count=3) at zend.c:814
#9  0x40246112 in php_execute_script (primary_file=0x404b46dc, 
    tsrm_ls=0x8384fe8) at main.c:1309
#10 0x40243197 in php_ns_module_main (tsrm_ls=0x8384fe8) at aolserver.c:418
#11 0x402434cc in php_ns_request_handler (context=0x817d980, conn=0x819bb88)
    at aolserver.c:502
#12 0x08077bb7 in Ns_ConnRunRequest (conn=0x819bb88) at op.c:196
#13 0x0807e2c2 in ConnRun (connPtr=0x819bb88) at serv.c:882
#14 0x0807dc10 in NsConnThread (arg=0x81d7488) at serv.c:671
#15 0x0811833b in NsThreadMain (arg=0x82ba0d8) at thread.c:228
#16 0x4002dc6f in pthread_start_thread (arg=0x404b4be0) at manager.c:284
#17 0x4002dd5f in pthread_start_thread_event (arg=0x404b4be0) at manager.c:308

[2001-12-11 16:34 UTC] mfischer@php.net

Can you try newly release 4.1.0?

And please try to provide small, self-containing reproduceable script.

What does a full backtrace give ? (bt full).

Feedback.

[2001-12-11 17:28 UTC] sean dot redmond at brooklynmuseum dot org

Also in 4.1.0. I haven't been able to write a simple script to reproduce the crash. I've stepped through the code (at least through the 4.0.6 code) and require_once() works over 300 times (a few times requiring ../src/load_prefs.php) before consistently crashing at the same point. Aolserver is multithreaded -- could it a thread issue?

4.1.0 backtrace:

#0  0x40247244 in php_fopen_with_path (
    filename=0x8553084 "../src/load_prefs.php", mode=0x402e0114 "rb", 
    path=0x402e1432 ".:/usr/local/lib/php", opened_path=0x404bc7d8, 
    tsrm_ls=0x85787e0) at fopen_wrappers.c:374
	pathbuf = 0x0
	ptr = 0x8553084 "../src/load_prefs.php"
	end = 0x0
	exec_fname = 0x0
	trypath = '\000' <repeats 124 times>, ">?\023@4U\031@D\200K@\224\220K@|?\n@\003\000\000\000?\177K@\034\220K@\000\000\000\000/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/plugins/filters/filters.php", '\000' <repeats 745 times>, ">?\023@4U\031@?\203K@\004\224K@|?\n@\003\000\000\000\\\203K@\214\223K@\000\000\000\000/usr/loca"...
	trydir = '\000' <repeats 4094 times>
	safe_mode_include_dir = '\000' <repeats 4094 times>
	sb = {st_dev = 0, __pad1 = 0, st_ino = 0, st_mode = 0, st_nlink = 0, 
  st_uid = 0, st_gid = 0, st_rdev = 0, __pad2 = 0, st_size = 0, 
  st_blksize = 0, st_blocks = 0, st_atime = 0, __unused1 = 0, st_mtime = 0, 
  __unused2 = 0, st_ctime = 0, __unused3 = 0, __unused4 = 0, __unused5 = 0}
	fp = (FILE *) 0x8553084
	path_length = 0
	safe_mode_include_dir_length = 0
	exec_fname_length = 0
#1  0x402477ef in php_fopen_url_wrapper (
    path=0x8553084 "../src/load_prefs.php", mode=0x402e0114 "rb", options=1, 
    issock=0x404b8fd0, socketd=0x404b8fd4, opened_path=0x404bc7d8, 
    tsrm_ls=0x85787e0) at fopen_wrappers.c:556
	path = 0x8553084 "../src/load_prefs.php"
	fp = (FILE *) 0x9
	p = 0x85787e0 "?K0\b\024"
	protocol = 0x0
	n = 0
#2  0x402440be in php_fopen_wrapper_for_zend (
    filename=0x8553084 "../src/load_prefs.php", opened_path=0x404bc7d8)
    at main.c:524
	issock = 0
	socketd = 0
	old_chunk_size = 8192
	retval = (FILE *) 0x85787e0
	tsrm_ls = (void ***) 0x85787e0
#3  0x4022a64d in execute (op_array=0x82e8ec0, tsrm_ls=0x85787e0)
    at ./zend_execute.c:2082
	opened_path = 0x0
	dummy = 1
	file_handle = {type = 0 '\000', filename = 0x85232fc "s!z?\016", 
  opened_path = 0x0, handle = {fd = 1076156521, fp = 0x4024d869}, 
  free_filename = 216 '?'}
	new_op_array = (zend_op_array *) 0x0
	original_return_value = (zval **) 0x404bd0ec
	return_value_used = 0
	inc_filename = (zval *) 0x8612050
	tmp_inc_filename = {value = {lval = 1073933696, 
    dval = 6.306641578844733, str = {
      val = 0x4002ed80 "U\211?S\203?\004?????\201?L?", len = 1075395072}, 
    ht = 0x4002ed80, obj = {ce = 0x4002ed80, properties = 0x40193a00}}, 
  type = 164 '?', is_ref = 199 '?', refcount = 16459}
	failure_retval = 0 '\000'
	opline = (zend_op *) 0x8612038
	function_state = {function_symbol_table = 0x83700c8, 
  function = 0x82e8ec0, reserved = {0x404bc844, 0x0, 0x404bd094, 0x856f000}}
	fbc = (zend_function *) 0x0
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x404b8ffc
	original_in_execution = 1 '\001'
#4  0x40227f5b in execute (op_array=0x85cdb20, tsrm_ls=0x85787e0)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x83b161c
	original_return_value = (zval **) 0x404be9ec
	return_value_used = 1
	opline = (zend_op *) 0x86823c8
	function_state = {function_symbol_table = 0x83b16ac, 
  function = 0x82e8ec0, reserved = {0x38, 0x3, 0x402f641c, 0x84c0e30}}
	fbc = (zend_function *) 0x0
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x404bc87c
	original_in_execution = 1 '\001'
#5  0x40227f5b in execute (op_array=0x85cb9d0, tsrm_ls=0x85787e0)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x838c8fc
	original_return_value = (zval **) 0x404c32e8
	return_value_used = 0
	opline = (zend_op *) 0x867a614
	function_state = {function_symbol_table = 0x83b161c, 
  function = 0x85cdb20, reserved = {0x404bfbe4, 0x3, 0x827b5c4, 0x838abb8}}
	fbc = (zend_function *) 0x85cdb20
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x404bdf4c
	original_in_execution = 1 '\001'
#6  0x40227f5b in execute (op_array=0x83ed340, tsrm_ls=0x85787e0)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x838bec4
	original_return_value = (zval **) 0x404c4240
	return_value_used = 0
	opline = (zend_op *) 0x8677db0
	function_state = {function_symbol_table = 0x838c8fc, 
  function = 0x85cb9d0, reserved = {0x404c3494, 0x3, 0x402f641c, 0x8400b58}}
	fbc = (zend_function *) 0x85cb9d0
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x404bfbfc
	original_in_execution = 1 '\001'
#7  0x40227f5b in execute (op_array=0x84718d4, tsrm_ls=0x85787e0)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x8370190
	original_return_value = (zval **) 0x404c4594
	return_value_used = 0
	opline = (zend_op *) 0x83fb244
	function_state = {function_symbol_table = 0x838bec4, 
  function = 0x83ed340, reserved = {0x402cbad8, 0x4022fe9e, 0x0, 0x0}}
	fbc = (zend_function *) 0x83ed340
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x404c34ac
	original_in_execution = 0 '\000'
#8  0x40237eba in zend_execute_scripts (type=8, tsrm_ls=0x85787e0, retval=0x0, 
    file_count=3) at zend.c:814
	tsrm_ls = (void ***) 0x85787e0
	files = 0x404c45c4
	i = 1
	file_handle = (zend_file_handle *) 0x404c56dc
	orig_op_array = (zend_op_array *) 0x837cce0
	local_retval = (zval *) 0x0
#9  0x40246146 in php_execute_script (primary_file=0x404c56dc, 
    tsrm_ls=0x85787e0) at main.c:1309
	orig_bailout = {{__jmpbuf = {138098040, 1075395192, 8, 1112493127, 24, 
      32}, __mask_was_saved = 137826256, __saved_mask = {__val = {137822744, 
        10, 1601662834, 1853189987, 1935999092, 56, 32, 137826256, 137827744, 
        6, 1869377379, 6488178, 1852795252, 88, 32, 137822664, 137822808, 13, 
        1634890337, 1818451833, 1702256997, 144, 24, 137874656, 137822832, 2, 
        97, 168, 24, 137874656, 137822856, 2}}}}
	orig_bailout_set = 204 '?'
	prepend_file_p = (zend_file_handle *) 0x85787e0
	append_file_p = (zend_file_handle *) 0x8283c88
	prepend_file = {type = 224 '?', 
  filename = 0x8370288 "?\216.\b(?+\b?!H\bx\0037\b\016", 
  opened_path = 0x2 <Address 0x2 out of bounds>, handle = {fd = 1076114600, 
    fp = 0x402434a8}, free_filename = 40 '('}
	append_file = {type = 144 '\220', 
  filename = 0x18 <Address 0x18 out of bounds>, opened_path = 0x837cce0 "", 
  handle = {fd = 137822832, fp = 0x8370270}, free_filename = 2 '\002'}
	old_cwd = 0x404c45cc "/usr/local/aolserver-3.4.2"
#10 0x402431cb in php_ns_module_main (tsrm_ls=0x85787e0) at aolserver.c:418
	tsrm_ls = (void ***) 0x85787e0
	file_handle = {type = 2 '\002', 
  filename = 0x846da28 "/usr/local/aolserver/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/right_main.php", opened_path = 0x8471c74 "es.php", handle = {
    fd = 138877432, fp = 0x84719f8}, free_filename = 0 '\000'}
#11 0x40243500 in php_ns_request_handler (context=0x817d980, conn=0x819bb88)
    at aolserver.c:502
	conn = (Ns_Conn *) 0x819bb88
	status = 135904136
	tsrm_ls = (void ***) 0x85787e0
#12 0x08077bb7 in Ns_ConnRunRequest (conn=0x819bb88) at op.c:196
	reqPtr = (Req *) 0x8184ff8
	status = 0
	server = 0x8155628 "webmail"
#13 0x0807e2c2 in ConnRun (connPtr=0x819bb88) at serv.c:882
	conn = (Ns_Conn *) 0x819bb88
	ds = {
  string = 0x404c5798 "GET /squirrelmail-1.2.0-rc3/src/right_main.php HTTP/1.1", length = 55, spaceAvl = 512, 
  staticSpace = "GET /squirrelmail-1.2.0-rc3/src/right_main.php HTTP/1.1\000\000?,\b'\177-\b\234L\020\bPa+\bH?\023\b\004XL@\027J\020\b>@\022\bh9W\b\004\000\000\000Pa+\b>@\022\bH?\023\b\024XL@\a?\r\b?@\022\bH?\023\b$XL@V?\016\bh9W\bH?\023\bTXL@??\016\b\030H$\b8?\023\b?XL@??\016\b\231Y\017\b\000\000\000\000(I$\b\034?\016\bh9W\bH?\023\btXL@\203?\016\b\030H$\b"..., addr = 0x0}
	n = 550
	status = 0
#14 0x0807dc10 in NsConnThread (arg=0x82c0e90) at serv.c:671
	connPtr = (Conn *) 0x819bb88
	connPtrPtr = (Conn **) 0x82c0e90
	wait = {sec = 1008108885, usec = 915534}
	ewait = {sec = 1078745684, usec = 0}
	eopen = {sec = 1078746080, usec = 1}
	eclosed = {sec = 1078745668, usec = 135376647}
	now = {sec = 135522280, usec = 135511880}
	timePtr = (Ns_Time *) 0x404c5a3c
	next = 5
	id = 4
	thrname = "-conn4-\000\024ZL@??\002@??\023\b\004\000\000\000\000\000\000\000\214?\002@"
	new = 1073985496
	status = 0
	p = 0x813e800 ""
	headers = (Ns_Set *) 0x8243ee8
	outputheaders = (Ns_Set *) 0x8244448
	joinThread = 0x8244368
	statsPtr = (Stats *) 0x0
	entry = (Ns_Entry *) 0x0
#15 0x0811833b in NsThreadMain (arg=0x8243fd8) at thread.c:228
	thrPtr = (Thread *) 0x8243fd8
	name = "-thread8201-", '\000' <repeats 16 times>, "4U\031@"
#16 0x4002dc6f in pthread_start_thread (arg=0x404c5be0) at manager.c:284
	self = 0x404c5be0
	request = {req_thread = 0x0, req_kind = REQ_CREATE, req_args = {
    create = {attr = 0x0, fn = 0, arg = 0x0, mask = {__val = {
          0 <repeats 18 times>, 1073985496, 1073958736, 0, 1078746020, 
          1073945068, 1078746080, 0, 0, 1073945214, 0, 0, 0, 0, 0}}}, free = {
      thread_id = 0}, exit = {code = 0}, post = 0x0}}
	outcome = (void *) 0x8283c88
#17 0x4002dd5f in pthread_start_thread_event (arg=0x404c5be0) at manager.c:308
	arg = (void *) 0x404c5be0
	ldt_entry = {entry_number = 9, base_addr = 1078746080, limit = 1056, 
  seg_32bit = 1, contents = 0, read_exec_only = 0, limit_in_pages = 0, 
  seg_not_present = 0, useable = 1, empty = 0}

[2001-12-11 17:33 UTC] sean dot redmond at brooklynmuseum dot org

FYI: I did write a script with require_once() inside a for loop to see if just repetitively requiring a file would crash it. SquirrelMail uses frames so I also tried that script running in two frames at once. Both ran without crashing so it's at least more complicated than that.

[2001-12-31 13:54 UTC] sean dot redmond at brooklynmuseum dot org

Still segfaults with 4.1.1:

#0  0x4024b14c in php_fopen_with_path (
    filename=0x833e124 "../src/load_prefs.php", mode=0x402f2d94 "rb", 
    path=0x402f40ba ".:/usr/local/lib/php", opened_path=0x403c37d8, 
    tsrm_ls=0x83877a8) at fopen_wrappers.c:374
	pathbuf = 0x0
	ptr = 0x833e124 "../src/load_prefs.php"
	end = 0x0
	exec_fname = 0x0
	trypath = '\000' <repeats 124 times>, "??\023@?V\031@D?;@\224\000<@|?\n@\003\000\000\000??;@\034\000<@\000\000\000\000/usr/local/aolserver-3.4.2/servers/webmail/pages/squirrelmail-1.2.0-rc3/plugins/filters/filters.php", '\000' <repeats 745 times>, "??\023@?V\031@??;@\004\004<@|?\n@\003\000\000\000\\?;@\214\003<@\000\000\000\000/usr/loca"...
	trydir = '\000' <repeats 4094 times>
	safe_mode_include_dir = '\000' <repeats 4094 times>
	sb = {st_dev = 0, __pad1 = 0, st_ino = 0, st_mode = 0, st_nlink = 0, 
  st_uid = 0, st_gid = 0, st_rdev = 0, __pad2 = 0, st_size = 0, 
  st_blksize = 0, st_blocks = 0, st_atime = 0, __unused1 = 0, st_mtime = 0, 
  __unused2 = 0, st_ctime = 0, __unused3 = 0, __unused4 = 0, __unused5 = 0}
	fp = (FILE *) 0x833e124
	path_length = 0
	safe_mode_include_dir_length = 0
	exec_fname_length = 0
#1  0x4024b6f7 in php_fopen_url_wrapper (
    path=0x833e124 "../src/load_prefs.php", mode=0x402f2d94 "rb", options=1, 
    issock=0x403bffd0, socketd=0x403bffd4, opened_path=0x403c37d8, 
    tsrm_ls=0x83877a8) at fopen_wrappers.c:556
	path = 0x833e124 "../src/load_prefs.php"
	fp = (FILE *) 0x9
	p = 0x83877a8 "\230\016!\b\025"
	protocol = 0x0
	n = 0
#2  0x40247fce in php_fopen_wrapper_for_zend (
    filename=0x833e124 "../src/load_prefs.php", opened_path=0x403c37d8)
    at main.c:524
	issock = 0
	socketd = 0
	old_chunk_size = 8192
	retval = (FILE *) 0x83877a8
	tsrm_ls = (void ***) 0x83877a8
#3  0x4022e55d in execute (op_array=0x8519370, tsrm_ls=0x83877a8)
    at ./zend_execute.c:2082
	opened_path = 0x0
	dummy = 1
	file_handle = {type = 0 '\000', filename = 0x8386f0c "c?&\006\r", 
  opened_path = 0x0, handle = {fd = 1076172697, fp = 0x40251799}, 
  free_filename = 232 '?'}
	new_op_array = (zend_op_array *) 0x0
	original_return_value = (zval **) 0x403c40ec
	return_value_used = 0
	inc_filename = (zval *) 0x850a258
	tmp_inc_filename = {value = {lval = 1073933696, 
    dval = 6.308106422594733, str = {
      val = 0x4002ed80 "U\211?S\203?\004?????\201?L?", len = 1075395456}, 
    ht = 0x4002ed80, obj = {ce = 0x4002ed80, properties = 0x40193b80}}, 
  type = 164 '?', is_ref = 55 '7', refcount = 16444}
	failure_retval = 0 '\000'
	opline = (zend_op *) 0x850a240
	function_state = {function_symbol_table = 0x8211930, 
  function = 0x8519370, reserved = {0x403c3844, 0x0, 0x403c4094, 0x8265818}}
	fbc = (zend_function *) 0x0
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x403bfffc
	original_in_execution = 1 '\001'
#4  0x4022be6b in execute (op_array=0x83cb080, tsrm_ls=0x83877a8)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x828dbc4
	original_return_value = (zval **) 0x403c59ec
	return_value_used = 1
	opline = (zend_op *) 0x863ebb0
	function_state = {function_symbol_table = 0x828dc34, 
  function = 0x8519370, reserved = {0x38, 0x3, 0x4030e85c, 0x8263000}}
	fbc = (zend_function *) 0x0
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x403c387c
	original_in_execution = 1 '\001'
#5  0x4022be6b in execute (op_array=0x85d9e80, tsrm_ls=0x83877a8)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x83b2afc
	original_return_value = (zval **) 0x403ca2e8
	return_value_used = 0
	opline = (zend_op *) 0x85cc7f4
	function_state = {function_symbol_table = 0x828dbc4, 
  function = 0x83cb080, reserved = {0x403c6be4, 0x3, 0x84842dc, 0x82629b0}}
	fbc = (zend_function *) 0x83cb080
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x403c4f4c
	original_in_execution = 1 '\001'
#6  0x4022be6b in execute (op_array=0x85c7fa8, tsrm_ls=0x83877a8)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x839747c
	original_return_value = (zval **) 0x403cb240
	return_value_used = 0
	opline = (zend_op *) 0x85c1610
	function_state = {function_symbol_table = 0x83b2afc, 
  function = 0x85d9e80, reserved = {0x403ca494, 0x3, 0x4030e85c, 0x8263250}}
	fbc = (zend_function *) 0x85d9e80
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x403c6bfc
	original_in_execution = 1 '\001'
#7  0x4022be6b in execute (op_array=0x828f354, tsrm_ls=0x83877a8)
    at ./zend_execute.c:1630
	calling_symbol_table = (HashTable *) 0x82119f8
	original_return_value = (zval **) 0x403cb594
	return_value_used = 0
	opline = (zend_op *) 0x838e2ac
	function_state = {function_symbol_table = 0x839747c, 
  function = 0x85c7fa8, reserved = {0x402de534, 0x40233dae, 0x0, 0x0}}
	fbc = (zend_function *) 0x85c7fa8
	object = {ptr = 0x0}
	Ts = (temp_variable (*)[0]) 0x403ca4ac
	original_in_execution = 0 '\000'
#8  0x4023bdca in zend_execute_scripts (type=8, tsrm_ls=0x83877a8, retval=0x0,     file_count=3) at zend.c:814
	tsrm_ls = (void ***) 0x83877a8
	files = 0x403cb5c4
	i = 1
	file_handle = (zend_file_handle *) 0x403cc6dc
	orig_op_array = (zend_op_array *) 0x0
	local_retval = (zval *) 0x0
#9  0x4024a04e in php_execute_script (primary_file=0x403cc6dc, 
    tsrm_ls=0x83877a8) at main.c:1307
	orig_bailout = {{__jmpbuf = {0, 0, 1, 0, 1, 131329}, 
    __mask_was_saved = 0, __saved_mask = {__val = {325, 80, 4, 18, 0, 0, 1, 
        138307612, 1, 131331, 8, 1, 0, 0, 0, 325, 80, 4, 19, 0, 0, 1, 
        138307684, 8, 131331, 8, 1, 0, 0, 0, 325, 66}}}}
	orig_bailout_set = 0 '\000'
	prepend_file_p = (zend_file_handle *) 0x83877a8
	append_file_p = (zend_file_handle *) 0x82434b8
	prepend_file = {type = 0 '\000', 
  filename = 0x145 <Address 0x145 out of bounds>, 
  opened_path = 0x42 <Address 0x42 out of bounds>, handle = {fd = 1076130744, 
    fp = 0x402473b8}, free_filename = 40 '('}
	append_file = {type = 1 '\001', filename = 0x83e6864 "?b\"@????9", 
  opened_path = 0x8 <Address 0x8 out of bounds>, handle = {fd = 131331, 
    fp = 0x20103}, free_filename = 8 '\b'}
	old_cwd = 0x403cb5cc "/usr/local/aolserver-3.4.2"
#10 0x402470db in php_ns_module_main (tsrm_ls=0x83877a8) at aolserver.c:418
	tsrm_ls = (void ***) 0x83877a8
	file_handle = {type = 2 '\002', 
  filename = 0x81fc7d8 "/usr/local/aolserver/servers/webmail/pages/squirrelmail-1.2.0-rc3/src/right_main.php", opened_path = 0x83862e4 "filters", handle = {
    fd = 137913240, fp = 0x8386398}, free_filename = 0 '\000'}
#11 0x40247410 in php_ns_request_handler (context=0x8174728, conn=0x81960a8)
    at aolserver.c:502
	conn = (Ns_Conn *) 0x81960a8
	status = 135880872
	tsrm_ls = (void ***) 0x83877a8
#12 0x08077bb7 in Ns_ConnRunRequest (conn=0x81960a8) at op.c:196
	reqPtr = (Req *) 0x817d9e0
	status = 0
	server = 0x8155628 "webmail"
#13 0x0807e2c2 in ConnRun (connPtr=0x81960a8) at serv.c:882
	conn = (Ns_Conn *) 0x81960a8
	ds = {
  string = 0x403cc798 "GET /squirrelmail-1.2.0-rc3/src/right_main.php HTTP/1.1", length = 55, spaceAvl = 512, 
  staticSpace = "GET /squirrelmail-1.2.0-rc3/src/right_main.php HTTP/1.1\000\000\005=\bn?=\b\234L\020\bX)C\bH?\023\b\004?<@\027J\020\b>@\022\b`t!\b\004\000\000\000X)C\b>@\022\bH?\023\b\024?<@\a?\r\b?@\022\bH?\023\b$?<@V?\016\b`t!\bH?\023\bT?<@??\016\b\030d&\b8?\023\b??<@??\016\b\231Y\017\b\000\000\000\000(e&\b\034?\016\b`t!\bH?\023\bt?<@\203?\016\b\030d&\b"..., addr = 0x0}
	n = 590
	status = 0
#14 0x0807dc10 in NsConnThread (arg=0x81f4118) at serv.c:671
	connPtr = (Conn *) 0x81960a8
	connPtrPtr = (Conn **) 0x81f4118
	wait = {sec = 1009824362, usec = 210887}
	ewait = {sec = 1077725780, usec = 0}
	eopen = {sec = 1077726176, usec = 1}
	eclosed = {sec = 1077725764, usec = 135376647}
	now = {sec = 135522280, usec = 135511880}
	timePtr = (Ns_Time *) 0x403cca3c
	next = 3
	id = 2
	thrname = "-conn2-\000\024?<@??\002@??\023\b\004\000\000\000\000\000\000\000\214?\002@"
	new = 1073985496
	status = 0
	p = 0x813e800 ""
	headers = (Ns_Set *) 0x81950b8
	outputheaders = (Ns_Set *) 0x81b08e0
	joinThread = 0x82b72d8
	statsPtr = (Stats *) 0x0
	entry = (Ns_Entry *) 0x0
#15 0x0811833b in NsThreadMain (arg=0x835cac0) at thread.c:228
	thrPtr = (Thread *) 0x835cac0
	name = "-thread6151-", '\000' <repeats 16 times>, "?V\031@"
#16 0x4002dc6f in pthread_start_thread (arg=0x403ccbe0) at manager.c:284
	self = 0x403ccbe0
	request = {req_thread = 0x0, req_kind = REQ_CREATE, req_args = {
    create = {attr = 0x0, fn = 0, arg = 0x0, mask = {__val = {
          0 <repeats 18 times>, 1073985496, 1073958704, 0, 1077726116, 
          1073945068, 1077726176, 0, 0, 1073945214, 0, 0, 0, 0, 0}}}, free = {
      thread_id = 0}, exit = {code = 0}, post = 0x0}}
	outcome = (void *) 0x82434b8
#17 0x4002dd5f in pthread_start_thread_event (arg=0x403ccbe0) at manager.c:308
	arg = (void *) 0x403ccbe0
	ldt_entry = {entry_number = 7, base_addr = 1077726176, limit = 1056, 
  seg_32bit = 1, contents = 0, read_exec_only = 0, limit_in_pages = 0, 
  seg_not_present = 0, useable = 1, empty = 0}

[2002-06-24 03:44 UTC] sniper@php.net

Please try this snapshot:

http://snaps.php.net/php4-latest.tar.gz

[2002-07-15 17:16 UTC] sean dot redmond at brooklynmuseum dot org

Still Happens:

#0  0x40182cac in php_sock_stream_read_internal (stream=0x8265e3c,
    sock=0x844245c, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/main/network.c:714
#1  0x40183191 in php_sockop_gets (stream=0x8265e3c, buf=0x835abfc "",
    maxlen=9096, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/main/network.c:966
#2  0x4018075e in _php_stream_gets (stream=0x8265e3c, buf=0x835abfc "",
    maxlen=9096, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/main/streams.c:248
#3  0x40121ae8 in zif_fgets (ht=2, return_value=0x83be35c, this_ptr=0x0,
    return_value_used=1, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/ext/standard/file.c:1142
#4  0x401b3b94 in execute (op_array=0x8329378, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1587
#5  0x401b3d69 in execute (op_array=0x8392360, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
#6  0x401b3d69 in execute (op_array=0x83297c0, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
#7  0x401b3d69 in execute (op_array=0x8309698, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
#8  0x401b3d69 in execute (op_array=0x842b230, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
#9  0x401b3d69 in execute (op_array=0x820747c, tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
#10 0x401a0822 in zend_execute_scripts (type=8, tsrm_ls=0x82fc6d8, retval=0x0,
    file_count=3) at /usr/local/src/php4-200207151200/Zend/zend.c:810
#11 0x401789ea in php_execute_script (primary_file=0x402d16dc,
    tsrm_ls=0x82fc6d8) at /usr/local/src/php4-200207151200/main/main.c:1390
#12 0x401bc50b in php_ns_module_main (tsrm_ls=0x82fc6d8)
    at /usr/local/src/php4-200207151200/sapi/aolserver/aolserver.c:420
#13 0x401bc840 in php_ns_request_handler (context=0x8186988, conn=0x819ebc8)
    at /usr/local/src/php4-200207151200/sapi/aolserver/aolserver.c:504
#14 0x08077a67 in Ns_ConnRunRequest (conn=0x819ebc8) at op.c:196
#15 0x0807e172 in ConnRun (connPtr=0x819ebc8) at serv.c:882
#16 0x0807dac0 in NsConnThread (arg=0x8343920) at serv.c:671
#17 0x081181eb in NsThreadMain (arg=0x8413538) at thread.c:228
#18 0x40020fef in pthread_start_thread () from /lib/i686/libpthread.so.0
#19 0x400210df in pthread_start_thread_event () from /lib/i686/libpthread.so.0

[2002-07-15 17:17 UTC] sean dot redmond at brookltnmuseum dot org

BTW, this is now on RedHat 7.3, with SquirrelMail 1.2.7

[2002-07-15 20:52 UTC] sniper@php.net

Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

[2002-07-15 22:33 UTC] sean dot redmond at brooklynmuseum dot org

I guess I also forgot to mention that the last backtrace was alos using the latest snapshot

[2002-07-16 09:00 UTC] sniper@php.net

reclassified. Did you try this snapshot:

http://snaps.php.net/php4-latest.tar.gz

And NOT the one with 'STABLE' text in it?

[2002-07-16 10:44 UTC] sean dot redmond at brooklynmuseum dot org

Yes. Here is the backtrace on php4-200207151200:

#0  0x40182cac in php_sock_stream_read_internal (stream=0x82235ac,
    sock=0x845770c, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/main/network.c:714
        sock = (php_netstream_data_t *) 0x8355944
        buf = '\0' <repeats 3024 times>, "?\e @|7,@?6,@\206,\030@\n\0\0\0|6,@", '\0' <repeats 20 times>, "?+\030@\0\0\0\0\0\0\0\0????\0\0\0\0\0\002", '\0' <repeats 127 times>, "\002", '\0' <repeats 90 times>, "|?\001@\t\0\0\0\030?\002@\2247,@d]\002@", '\0' <repeats 28 times>, "?\e @\fwE\b\e\0\0\0?W,@?-\030@\234?-\b?7,@\e\0\0\0\0 ", '\0' <repeats 14 times>, "\e\0\0\0A005 OK EXPUNGE completed\r\n", '\0' <repeats 2897 times>...
        nr_bytes = 138770188
        nr_read = 0
#1  0x40183191 in php_sockop_gets (stream=0x82235ac, buf=0x8355944 "",
    maxlen=9096, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/main/network.c:966
        sock = (php_netstream_data_t *) 0x845770c
        p = 0x0
        pe = 0x1b <Address 0x1b out of bounds>
        ret = 0x0
        amount = 27
#2  0x4018075e in _php_stream_gets (stream=0x82235ac, buf=0x8355944 "",
    maxlen=9096, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/main/streams.c:248
        buf = 0x8355944 ""
        maxlen = 9096
        c = 0x40201bc8 "Ⱥ\024"
#3  0x40121ae8 in zif_fgets (ht=2, return_value=0x82a5484, this_ptr=0x0,
    return_value_used=1, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/ext/standard/file.c:1142
        ht = 9097
        arg1 = (zval **) 0x8307580
        arg2 = (zval **) 0x8307584
        len = 9096
        type = 3
        buf = 0x8355944 ""
        what = (void *) 0x82235ac
#4  0x401b3b94 in execute (op_array=0x83371e8, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1587
        original_return_value = (zval **) 0x0
        execute_data = {opline = 0x84d8294, function_state = {
    function_symbol_table = 0x8447a50, function = 0x8269db0, reserved = {0x0,
      0x2e312d6c, 0x2f372e32, 0x61636f6c}}, fbc = 0x0, object = {ptr = 0x0},
  Ts = 0x402c4b4c, original_in_execution = 1 '\001'}
#5  0x401b3d69 in execute (op_array=0x8337430, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
        calling_symbol_table = (HashTable *) 0x845757c
        original_return_value = (zval **) 0x402c7ba8
        execute_data = {opline = 0x84324bc, function_state = {
    function_symbol_table = 0x82e13ac, function = 0x83371e8, reserved = {0x0,
      0x402c81ec, 0x402c81ec, 0x402c7924}}, fbc = 0x0, object = {ptr = 0x0},
  Ts = 0x402c6fbc, original_in_execution = 1 '\001'}
#6  0x401b3d69 in execute (op_array=0x8337b78, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
        calling_symbol_table = (HashTable *) 0x82f8ad4
        original_return_value = (zval **) 0x402c8560
        execute_data = {opline = 0x8337038, function_state = {
    function_symbol_table = 0x845757c, function = 0x8337430, reserved = {
      0x401901c2, 0x0, 0x0, 0x5}}, fbc = 0x8337430, object = {ptr = 0x0},
  Ts = 0x402c793c, original_in_execution = 1 '\001'}
#7  0x401b3d69 in execute (op_array=0x8381c10, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
        calling_symbol_table = (HashTable *) 0x83884f4
        original_return_value = (zval **) 0x402ca900
        execute_data = {opline = 0x837e1d8, function_state = {
    function_symbol_table = 0x82f8ad4, function = 0x8337b78, reserved = {0x0,
      0x82a55f4, 0x2c08, 0x82ab448}}, fbc = 0x8337b78, object = {ptr = 0x0},
  Ts = 0x402c839c, original_in_execution = 1 '\001'}
#8  0x401b3d69 in execute (op_array=0x8235c98, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
        calling_symbol_table = (HashTable *) 0x826f9ec
        original_return_value = (zval **) 0x402cfad0
        execute_data = {opline = 0x84f9ecc, function_state = {
    function_symbol_table = 0x83884f4, function = 0x8381c10, reserved = {0x0,
      0x402d03bc, 0x402d03bc, 0x402ce464}}, fbc = 0x0, object = {ptr = 0x0},
  Ts = 0x402c99ac, original_in_execution = 1 '\001'}
#9  0x401b3d69 in execute (op_array=0x83bcef4, tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/Zend/zend_execute.c:1627
        calling_symbol_table = (HashTable *) 0x824f30c
        original_return_value = (zval **) 0x402d0584
        execute_data = {opline = 0x82b2278, function_state = {
    function_symbol_table = 0x826f9ec, function = 0x8235c98, reserved = {
      0x40198dca, 0x0, 0x0, 0x0}}, fbc = 0x8235c98, object = {ptr = 0x0},
  Ts = 0x402ce47c, original_in_execution = 0 '\0'}
#10 0x401a0822 in zend_execute_scripts (type=8, tsrm_ls=0x82ab448, retval=0x0,
    file_count=3) at /usr/local/src/php4-200207151200/Zend/zend.c:810
        tsrm_ls = (void ***) 0x82ab448
        files = 0x402d05b4
        i = 1
        file_handle = (zend_file_handle *) 0x402d26dc
        orig_op_array = (zend_op_array *) 0x7373656d
        local_retval = (zval *) 0x0
#11 0x401789ea in php_execute_script (primary_file=0x402d26dc,
    tsrm_ls=0x82ab448) at /usr/local/src/php4-200207151200/main/main.c:1390
        orig_bailout = {{__jmpbuf = {65, 137538688, 1108533216, 15,
      1936942445, 1936025441}, __mask_was_saved = 1920098655, __saved_mask = {
      __val = {32, 32, 136639304, 136639392, 15, 1936942445, 1936025441,
        1920098655, 192, 24, 137138040, 136639480, 1, 136105472, 72, 65,
        137538688, 1108533216, 13, 1414680403, 1297436255, 1128878661, 32, 32,
        136639392, 136639480, 9, 1936159597, 1920234335, 0, 280, 32}}}}
        orig_bailout_set = 245 '?'
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x1b
        prepend_file = {type = 248 '?',
  filename = 0x9 <Address 0x9 out of bounds>,
  opened_path = 0x7367736d <Address 0x7367736d out of bounds>, handle = {
    fd = 1920234335, fp = 0x7274735f}, free_filename = 0 '\0'}
        append_file = {type = 224 '?',
  filename = 0xd <Address 0xd out of bounds>,
  opened_path = 0x54524f53 <Address 0x54524f53 out of bounds>, handle = {
    fd = 1297436255, fp = 0x4d554e5f}, free_filename = 69 'E'}
        old_cwd = 0x402d05bc "/usr/local/aolserver"
        retval = 0
#12 0x401bc50b in php_ns_module_main (tsrm_ls=0x82ab448)
    at /usr/local/src/php4-200207151200/sapi/aolserver/aolserver.c:420
        tsrm_ls = (void ***) 0x82ab448
        file_handle = {type = 2 '\002',
  filename = 0x826e4f8 "/usr/local/aolserver/servers/webmail/pages/src/right_main.php",
  opened_path = 0x841c33c "/usr/local/aolserver/servers/webmail/squirrelmail-1.2.7/functions/auth.php", handle = {fd = 137142520, fp = 0x82ca0f8},
  free_filename = 0 '\0'}
#13 0x401bc840 in php_ns_request_handler (context=0x8186a48, conn=0x819ecf0)
    at /usr/local/src/php4-200207151200/sapi/aolserver/aolserver.c:504
        conn = (Ns_Conn *) 0x819ecf0
        status = 135916784
        tsrm_ls = (void ***) 0x82ab448
#14 0x08077a67 in Ns_ConnRunRequest (conn=0x819ecf0) at op.c:196
        reqPtr = (Req *) 0x8186a78
        status = 0
        server = 0x8154470 "webmail"
#15 0x0807e172 in ConnRun (connPtr=0x819ecf0) at serv.c:882
        conn = (Ns_Conn *) 0x819ecf0
        ds = {string = 0x402d2798 "GET /src/right_main.php HTTP/1.1",
  length = 32, spaceAvl = 512,
  staticSpace = "GET /src/right_main.php HTTP/1.1\0\0\021\b\004\0\0\0H?\023\b?'-@?K\020\b??\023\b?oI\bD\tJ\bLK\020\bXE\"\bH?\023\b\004(-@?H\020\b?>\022\b?:I\b\004\0\0\0XE\"\b?>\022\bH?\023\b\024(-@??\r\b?>\022\bH?\023\b$(-@\006?\016\b?:I\bH?\023\bT(-@\207?\016\bX?(\bX?\023\b?(-@l?\016\bIX\017\b\0\0\0\0h?(\b??\016\b?:I\bH?\023\bt(-@3?\016\bX?(\b"..., addr = 0x0}
        n = 571
        status = 0
#16 0x0807dac0 in NsConnThread (arg=0x81fb470) at serv.c:671
        connPtr = (Conn *) 0x819ecf0
        connPtrPtr = (Conn **) 0x81fb470
        wait = {sec = 1026829970, usec = 104701}
        ewait = {sec = 1076701780, usec = 0}
        eopen = {sec = 1076702176, usec = 1}
        eclosed = {sec = 1076701764, usec = 135376311}
        now = {sec = 135518728, usec = 135508552}
        timePtr = (Ns_Time *) 0x402d2a3c
        next = 2
        id = 1
        thrname = "-conn1-\0\024*-@?!\002@\030?\023\b\004\0\0\0\0\0\0\0\214!\002@"
        new = 1073933080
        status = 0
        p = 0x813da20 ""
        headers = (Ns_Set *) 0x840ce90
        outputheaders = (Ns_Set *) 0x8231330
        joinThread = 0x0
        statsPtr = (Stats *) 0x0
        entry = (Ns_Entry *) 0x0
#17 0x081181eb in NsThreadMain (arg=0x83ff6d0) at thread.c:228
        thrPtr = (Thread *) 0x83ff6d0
        name = "-thread5126-", '\0' <repeats 16 times>, "\f\003\023B"
#18 0x40020fef in pthread_start_thread () from /lib/i686/libpthread.so.0
No symbol table info available.
#19 0x400210df in pthread_start_thread_event () from /lib/i686/libpthread.so.0
No symbol table info available.

[2002-07-16 14:29 UTC] sniper@php.net

Now, what is the script like which causes this? 
And please don't paste some huge script here, try
come up with the shortest possible script which causes this.

[2002-07-16 15:40 UTC] sean dot redmond at brooklynmuseum dot org

Unfortunately I haven't been able to come up with a simple script that reproduces the crash (see comments of 11 Dec 2001 5:28pm, and 11 Dec 2001 5:33pm). It seems to me that it's a thread problem. It also seems that different versions of Aolserver, SquirrelMail and PHP crash for different reasons (so maybe it's PHP's genreal thread instability).

[2002-07-16 17:27 UTC] philip@php.net

I vaguely remember being able to create a segfault with:

  $ret = require('file.foo');
  print $ret;  // iirc printing $ret strangly caused segfault.

It was odd.  This was long ago and it was fixed, I remember no specifics on the matter :/

[2002-09-26 10:11 UTC] wez@php.net

Could you try the latest non-stable snapshot; there have
been some more changes in this area recently.
http://snaps.php.net/php4-latest.tar.gz

[2002-10-14 19:26 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2002-10-16 22:25 UTC] ariven at ariven dot com

Try modifying your ns/threads section to include a larger stacksize...the default one is 128*1024    I ran into a stacksize problem on the recent redhat update (related to glibc) that was segfaulting on a dns lookup.  I didn't associate it with the segfault I was getting for PHP (Including squirrelmail), but the segfault for SM is gone now for me after this fix and SM works perfectly.

Try this sample:

ns_section "ns/threads"
        ns_param   stacksize [expr 256*1024]

[2003-01-01 14:51 UTC] bartvb at phpbb dot com

Grr. These damn segfaults are really driving me nuts. I've been having segfaults with other versions of PHP (up to 4.2.3). I'm using PHP 4.3.0 at the moment and the number of segfaults has only increased.

Sometimes there are almost no segfaults (one every 5 minutes?) but sometimes I get stuff like this in the errorlog:
[Wed Jan  1 21:34:02 2003] [notice] child pid 13840 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:03 2003] [notice] child pid 13833 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:11 2003] [notice] child pid 13831 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:11 2003] [notice] child pid 13816 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:11 2003] [notice] child pid 13810 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:20 2003] [notice] child pid 13837 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:45 2003] [notice] child pid 13883 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:50 2003] [notice] child pid 13878 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:51 2003] [notice] child pid 13887 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:51 2003] [notice] child pid 13859 exit signal Segmentation fault (11)
[Wed Jan  1 21:34:52 2003] [notice] child pid 13882 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:24 2003] [notice] child pid 13904 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:31 2003] [notice] child pid 13898 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:31 2003] [notice] child pid 13892 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:36 2003] [notice] child pid 13909 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:39 2003] [notice] child pid 14006 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:40 2003] [notice] child pid 13908 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:44 2003] [notice] child pid 14009 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:46 2003] [notice] child pid 13903 exit signal Segmentation fault (11)
[Wed Jan  1 21:35:52 2003] [notice] child pid 14017 exit signal Segmentation fault (11)
[Wed Jan  1 21:36:11 2003] [notice] child pid 14015 exit signal Segmentation fault (11)
[Wed Jan  1 21:36:17 2003] [notice] child pid 14023 exit signal Segmentation fault (11)
[Wed Jan  1 21:36:33 2003] [notice] child pid 14016 exit signal Segmentation fault (11)
[Wed Jan  1 21:36:42 2003] [notice] child pid 14019 exit signal Segmentation fault (11)
[Wed Jan  1 21:36:45 2003] [notice] child pid 14043 exit signal Segmentation fault (11)


This is making me and my users _very_ unhappy :\

With 4.2.3 I got:

(gdb) bt
#0  0x42082a0c in memcpy () from /lib/i686/libc.so.6
#1  0x08134f7d in _estrndup ()
#2  0x0810deb0 in php_var_unserialize ()
#3  0x0810e796 in php_var_unserialize ()
#4  0x0810dd7a in php_var_unserialize ()
#5  0x08106dbc in zif_unserialize ()
#6  0x08169483 in execute ()
#7  0x08145b8e in zend_execute_scripts ()
#8  0x0808a06a in php_execute_script ()
#9  0x081511ca in apache_php_module_main ()
#10 0x0808638c in php_restore_umask ()
#11 0x080863e5 in php_restore_umask ()
#12 0x08173363 in ap_invoke_handler ()
#13 0x08187e9b in ap_some_auth_required ()
#14 0x08187efc in ap_process_request ()
#15 0x0817ef05 in ap_child_terminate ()
#16 0x0817f173 in ap_child_terminate ()
#17 0x0817f4f0 in ap_child_terminate ()
#18 0x0817fac5 in ap_child_terminate ()
#19 0x081800ff in main ()
#20 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6


But with 4.3.0 I get:
(gdb) bt
#0  0x4204a646 in canonicalize () from /lib/i686/libc.so.6
#1  0x08182ced in virtual_file_ex ()
#2  0x08093ba0 in expand_filepath ()
#3  0x08092d30 in php_check_specific_open_basedir ()
#4  0x08092f12 in php_check_open_basedir ()
#5  0x0809c303 in _php_stream_fopen_with_path ()
#6  0x0809d243 in php_unregister_url_stream_wrapper ()
#7  0x0809d94d in _php_stream_open_wrapper_ex ()
#8  0x0809dc3b in _php_stream_open_wrapper_as_file ()
#9  0x0809010e in zif_set_time_limit ()
#10 0x080a2573 in open_file_for_scanning ()
#11 0x080a26f7 in compile_file ()
#12 0x080a2898 in compile_filename ()
#13 0x080cc601 in execute ()
#14 0x080ca99a in execute ()
#15 0x080cc76f in execute ()
#16 0x080ca99a in execute ()
#17 0x080cc76f in execute ()
#18 0x080ca99a in execute ()
(execute continues)
#1319 0x080cc76f in execute ()
#1320 0x080ca99a in execute ()
#1321 0x080cc76f in execute ()
#1322 0x080bac4e in zend_execute_scripts ()
#1323 0x08091b71 in php_execute_script ()
#1324 0x080cf14a in apache_php_module_main ()
#1325 0x08088a44 in ap_get_server_built ()
#1326 0x08088a9d in ap_get_server_built ()
#1327 0x081a1453 in ap_invoke_handler ()
#1328 0x081b5f8b in ap_some_auth_required ()
#1329 0x081b5fec in ap_process_request ()
#1330 0x081acff5 in ap_child_terminate ()
#1331 0x081ad263 in ap_child_terminate ()
#1332 0x081ad5e0 in ap_child_terminate ()
#1333 0x081adbb5 in ap_child_terminate ()
#1334 0x081ae1ef in main ()
#1335 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6

I've made the last backtrace by attaching to a running httpd and then waiting until it segfaults (which doesn't take that long on average :\).

The weird thing is that some users seem to be affected a lot more than others. I almost never get the messages, another user also rarely sees them but is getting them almost continuously when she's at her parents.

The site is almost only running phpBB 2.0.3 with on average 100 people online with peaks to 170 users.

I've reduced the MaxRequestsPerChild setting to a low number, this seems to reduce the amount of segfaults. Furthermore the segfaults increase quite a bit when I disable debug in PHP (remove the --enable-debug flag), at least that was the behaviour with PHP 4.2.3, haven't dared to try with PHP 4.3.0

BTW as far as I could see we're not using require_once() anywhere in the code.

Please tell me what to do, or tell me what information you need to get rid of these errors :\ I can also arrange for an account on my server. The annoying thing is that I have no means to consistently reproduce this error, I don't even know where it occurs, it's not on one specific page or for a specific user or OS/Browser combo. And I've only seen it on the production server when it's under load, not on my test server.

Any ideas, info, hints or tips are very welcome!

[2003-01-01 14:55 UTC] bartvb at phpbb dot com

Oh, sorry. Forgot to mention what the site is running on.

We're using Apache 1.3.26 with PHP as a module. Info page is over here:
http://www.bokt.nl/klad/info.php

It's a Redhat 7.3 box with:
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-112)

It's an Athlon 1800 XP with 1GB ram and phpBB is using MySQL (MyISAM tables) extensively. Some stats can be seen on:

http://www.bokt.nl/stats/

[2003-01-02 11:54 UTC] wez@php.net

Can you try increasing your stack size as was suggested in one of the earlier responses?

The latest backtrace looks *very* deep - are you using a lot of nested eval() calls ?

[2003-01-05 09:07 UTC] bartvb at phpbb dot com

I would love to but I don't have a clue how I should do that :D I'm using Apache 1.3.26 and PHP 4.3.0 (but that one segfaults too often) and PHP 4.2.3 (segfaults too but less often, especially when we use a debug build and limit the MaxRequestsPerChild to 10.

Nested evals()? Hmm, we shouldn't, I'll go and see if that can be the case.

BTW how did Sean create that backtrace? It even shows in what PHP file and on what line Apache/PHP went down...

[2003-01-05 09:33 UTC] wez@php.net

See http://bugs.php.net/bugs-generating-backtrace.php for details on making backtraces.

The stack size appears to be a setting in the iPlanet configuration:Try modifying your ns/threads section to include a larger
stacksize...the default one is 128*1024    I ran into a stacksize
problem on the recent redhat update (related to glibc) that was
segfaulting on a dns lookup.  I didn't associate it with the segfault I
was getting for PHP (Including squirrelmail), but the segfault for SM is
gone now for me after this fix and SM works perfectly.

Try this sample:

ns_section "ns/threads"
        ns_param   stacksize [expr 256*1024]

"
(quoted from this bug report).

I don't have and have never used iPlanet, so it's up to you to find out how to configure it.


"

[2003-01-06 01:58 UTC] bartvb at phpbb dot com

I've read the backtrace page but the bt there doesn't show php filenames and linenumber.. But Sean mailed me that I should try 'bt full', I'll try that the next time.

Anyway, as I said I'm using Apache and not iPlanet... The canonicalize problem only seems to occur on 4.3.0, PHP 4.2.3 seems to segfault on memcopy()

[2003-01-06 06:17 UTC] bartvb at phpbb dot com

We are using evals but the worst I could find was 65 evals on one page (the template system uses evals for nested blocks). The index page has a complex template and needs 55 evals, normal pages only need 4 or 5 evals.

[2003-01-07 12:38 UTC] bartvb at phpbb dot com

Wow!
I managed to create a page that creates a segfault every time... Before PHP only crashed once in a while (once in 40 requests?) but now I finally have something reproducable.

The only thing I did was adding an extra INSERT query to the end of a search.php script. Haven't tried to create a minimal testcase yet, just to glad tat I can finally do some more testing.

BTW IMO it's a good idea to change this bug. It's not about require_once() but about canonicalize() crashing PHP 4.3.0 (and something on 4.2.3 that I haven't been able to pinpoint yet). And it's not limited to iPlanet servers.

Are there any more ways to get more information out of PHP? Memory usage? Most used functions? That kind of information?

I'm going to play a bit with standalone httpd's so I don't have to attach to a running server.
Oh and is it possible to subscribe to a bug at bugs.php.net?

[2003-01-20 03:58 UTC] sniper@php.net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Dec 30 14:01:28 2024 UTC