php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26483 Segfault in zend_hash.c
Submitted: 2003-12-01 05:54 UTC Modified: 2003-12-07 12:00 UTC
From: jan at horde dot org Assigned:
Status: No Feedback Package: mbstring related
PHP Version: 4CVS-2003-12-01 (stable) OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jan at horde dot org
New email:
PHP Version: OS:

 

 [2003-12-01 05:54 UTC] jan at horde dot org
Description:
------------
Again, no script to reproduce, this happens while parsing a compley mime message in IMP.

Backtrace:

0x4066edd2 in zend_hash_find (ht=0x859369c, arKey=0x407fe161 "this",
    nKeyLength=5, pData=0xbffee2ac)
    at /home/jan/software/php43/Zend/zend_hash.c:892
892     /home/jan/software/php43/Zend/zend_hash.c: No such file or directory.
---Type <return> to continue, or q <return> to quit---
        in /home/jan/software/php43/Zend/zend_hash.c
(gdb) bt
#0  0x4066edd2 in zend_hash_find (ht=0x859369c, arKey=0x407fe161 "this",
    nKeyLength=5, pData=0xbffee2ac)
    at /home/jan/software/php43/Zend/zend_hash.c:892
#1  0x40679973 in execute (op_array=0x84da0bc)
    at /home/jan/software/php43/Zend/zend_execute.c:1527
#2  0x4067a0f3 in execute (op_array=0x848e08c)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#3  0x4067a0f3 in execute (op_array=0x8185a1c)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#4  0x4067a0f3 in execute (op_array=0x851004c)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#5  0x4067a0f3 in execute (op_array=0x850fe74)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#6  0x4067a0f3 in execute (op_array=0x850fe74)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#7  0x4067a0f3 in execute (op_array=0x8658354)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#8  0x4067a0f3 in execute (op_array=0x850fc9c)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#9  0x4067a0f3 in execute (op_array=0x8484bf4)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#10 0x4067a0f3 in execute (op_array=0x846d5ac)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
---Type <return> to continue, or q <return> to quit---
#11 0x4067a0f3 in execute (op_array=0x850fe74)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#12 0x4067a0f3 in execute (op_array=0x850fd84)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#13 0x4067a0f3 in execute (op_array=0x81826ec)
    at /home/jan/software/php43/Zend/zend_execute.c:1660
#14 0x4066888a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/jan/software/php43/Zend/zend.c:884
#15 0x406316e1 in php_execute_script (primary_file=0xbffff1e0)
    at /home/jan/software/php43/main/main.c:1729
#16 0x4067ef94 in apache_php_module_main (r=0x80ceee0, display_source_mode=0)
    at /home/jan/software/php43/sapi/apache/sapi_apache.c:54
#17 0x4067ff49 in send_php (r=0x80ceee0, display_source_mode=0,
    filename=0x80d0d10 "/home/jan/headhorde//imp/message.php")
    at /home/jan/software/php43/sapi/apache/mod_php4.c:620
#18 0x4067ffc2 in send_parsed_php (r=0x80ceee0)
    at /home/jan/software/php43/sapi/apache/mod_php4.c:635
#19 0x080557a7 in ap_invoke_handler ()
#20 0x0806aaf0 in process_request_internal ()
#21 0x0806ad81 in ap_process_request ()
#22 0x08062762 in child_main ()
#23 0x0806290a in make_child ()
#24 0x08062a46 in startup_children ()
---Type <return> to continue, or q <return> to quit---
#25 0x080634eb in standalone_main ()
#26 0x08063ca6 in main ()

(gdb) frame 1
#1  0x40679973 in execute (op_array=0x84da0bc)
    at /home/jan/software/php43/Zend/zend_execute.c:1527
1527    in /home/jan/software/php43/Zend/zend_execute.c
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
Address of symbol "executor_globals" is unknown.


This is what I found in my logs:

[Mon Dec  1 11:50:10 2003]  Script:  '/home/jan/headhorde//imp/message.php'
---------------------------------------
/home/jan/software/php43/ext/mbstring/mbstring.c(329) : Block 0x087A2EA8 status:
Beginning:      OK (allocated on /home/jan/software/php43/ext/mbstring/mbstring.
c:314, 17 bytes)
      End:      Overflown (magic=0x29736D61 instead of 0x2A8FCC84)
                At least 4 bytes overflown



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-01 06:00 UTC] sniper@php.net
You really should provide short example script..debugging using something like IMP is PITA..

Anyway, does this happen if you disable mbstring?

 [2003-12-01 06:12 UTC] derick@php.net
Perhaps you can also check with valgrind, and running apache in single process mode (-X).
 [2003-12-01 06:15 UTC] jan at horde dot org
I know this is hard to debug, but the complexity of the involved classes simply can't be boiled down to a single script, unless I exactly know where the crash happens.

I tested disabling mbstring right after submitting the report and indeed the segfaults don't happen anymore.
 [2003-12-01 06:31 UTC] jan at horde dot org
Alright, I got valgrind installed. Never used it before, how about one or two cli lines to get some useful results?
 [2003-12-01 06:43 UTC] derick@php.net
valgrind /path/to/non-stripped/httpd -X

then request the page that borks.

valgrind will spit out messages to stderr then.
 [2003-12-07 12:00 UTC] sniper@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Sep 17 00:01:27 2019 UTC