Bug #27183 userland stream wrapper segfaults on stream_write
Submitted: 2004-02-08 13:10 UTC Modified: 2004-02-11 12:02 UTC
From: chregu@php.net Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 4CVS-2004-02-08 (stable) OS: Mac OS X 10.3
Private report: No CVE-ID: None
 [2004-02-08 13:10 UTC] chregu@php.net
Description:
------------
Stream Wrapper defined in PHP Userland segfaults on fwrite (see code).

Couldn't reproduce it on Linux, only on OS X :(



Reproduce code:
---------------
<?php
// Minimal userland stream wrapper: register it, then write through it.
stream_wrapper_register("one", "StreamOne");
$fd = fopen("one://tmp/bla", "w");
$bla = fwrite($fd, "test");   // crashes here (see backtrace below)
fclose($fd);

class StreamOne {
    function stream_open($path, $mode, $options, &$opened_path) {
        return true;
    }
    function stream_write($data) {
        return strlen($data);   // report everything as written
    }
    function stream_close() {
        return true;
    }
}

Expected result:
----------------
nothing

Actual result:
--------------
segfault.

Backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x000cc36c in _efree (ptr=0xbfffea40) at /opt/cvs/php4/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x000cc36c in _efree (ptr=0xbfffea40) at /opt/cvs/php4/Zend/zend_alloc.c:259
#1  0x000d4408 in call_user_function_ex (function_table=0x0, object_pp=0x115d6e0, function_name=0xbfffea30, retval_ptr_ptr=0xbfffea54, param_count=1411044, params=0x0, no_separation=0, symbol_table=0x0) at /opt/cvs/php4/Zend/zend_execute.h:96
#2  0x000d4408 in call_user_function_ex (function_table=0x0, object_pp=0x115d6e0, function_name=0xbfffea30, retval_ptr_ptr=0xbfffea54, param_count=1411044, params=0x0, no_separation=0, symbol_table=0x0) at /opt/cvs/php4/Zend/zend_execute.h:96
#3  0x000c2c58 in php_userstreamop_write (stream=0xbfffea40, buf=0x115e790 "\001\025?p\001\025?", count=18188432) at /opt/cvs/php4/main/user_streams.c:396
#4  0x000bbb2c in _php_stream_write (stream=0x115e6f0, buf=0x115db90 "test", count=4) at /opt/cvs/php4/main/streams.c:913
#5  0x0006b918 in zif_fwrite (ht=1075232, return_value=0x0, this_ptr=0x158bbc, return_value_used=-1073748124) at /opt/cvs/php4/ext/standard/file.c:1602
#6  0x000eaca8 in execute (op_array=0x115d6e0) at /opt/cvs/php4/Zend/zend_execute.c:1621
#7  0x000dcbc0 in zend_execute_scripts (type=-1073747392, retval=0x0, file_count=3) at /opt/cvs/php4/Zend/zend.c:884
#8  0x000b275c in php_execute_script (primary_file=0xbffff630) at /opt/cvs/php4/main/main.c:1727
#9  0x000efbc4 in main (argc=2, argv=0xbffffb4c) at /opt/cvs/php4/sapi/cli/php_cli.c:822

History

 [2004-02-08 14:47 UTC] chregu@php.net
seems to work with 4.3.3 but not with 4.3.4..
 [2004-02-08 16:20 UTC] chregu@php.net
I could track the bug down to be introduced between 4.3.3 and 4.3.4 in 

Zend/zend.* 
and/or
Zend/zend_alloc.* 

I'm absolutely no Zend-Engine expert, therefore I can't really help you any further here or even try to fix it myself... But if you need more information, just ask ;)
 [2004-02-08 21:30 UTC] moriyoshi@php.net
Hmm, I couldn't replicate this on Panther. Nothing seemed to go wrong. What extensions are enabled in the build? Here's mine.

phpinfo()
PHP Version => 4.3.5RC2-dev

System => Darwin hallmark 7.2.0 Darwin Kernel Version 7.2.0: Thu Dec 11 16:20:23 PST 2003; root:xnu/xnu-517.3.7.obj~1/RELEASE_PPC  Power Macintosh
Build Date => Jan 23 2004 18:48:26
Configure Command =>  './configure' '--prefix=/Users/moriyoshi/local' '--with-config-file-path=/Users/moriyoshi/Library/php-4' '--enable-gd' '--with-gd' '--with-freetype-dir=/Users/moriyoshi/local' '--with-png-dir=/Users/moriyoshi/local' '--with-jpeg-dir=/Users/moriyoshi/local' '--with-zlib-dir=/usr' '--with-iconv=/usr' '--enable-mbstring' '--enable-mbregex' '--enable-exif' '--enable-shmop' '--enable-calendar' '--enable-sockets' '--enable-wddx' '--enable-ftp' '--with-xsl=/Users/moriyoshi/local' '--with-libxml-dir=/Users/moriyoshi/local' '--with-mime-magic' '--with-apxs2=/Users/moriyoshi/local/apache-2-dev-prefork/bin/apxs' '--enable-debug'


 [2004-02-08 21:36 UTC] moriyoshi@php.net
"--with-libxml-dir=" really wasn't meant to be there indeed :)

 [2004-02-09 04:27 UTC] chregu@php.net
here's my config line

'./configure' '--with-config-file-path=/usr/local/bxphp/apache/conf' '--prefix=/usr/local/bxphp/' '--with-apxs=/usr/local/bxphp/apache/bin/apxs' '--with-dom=/sw/' '--with-tidy=/usr/local/' '--with-zlib' '--with-mysql=/sw/' '--with-png-dir=/sw/' '--with-expat-dir=/sw/' '--with-iconv=/sw/' '--with-iconv-dir=/sw/' '--with-xml=/sw/' '--with-gd' '--with-jpeg-dir=/sw/' '--enable-debug=no' '--with-mime-magic=/sw/share/file/magic.mime' '--with-dom-xslt=/sw/' '--with-dom-exslt=/sw/'

I'll try with a minimal set of extensions and see if the problem persists.
 [2004-02-09 05:25 UTC] chregu@php.net
it crashes even with the default config:

phpinfo()
PHP Version => 4.3.5RC2

System => Darwin chregu.local 7.2.0 Darwin Kernel Version 7.2.0: Thu Dec 11 16:20:23 PST 2003; root:xnu/xnu-517.3.7.obj~1/RELEASE_PPC  Power Macintosh
Build Date => Feb  9 2004 11:18:45
Configure Command =>  './configure' '--with-expat-dir=/sw/' '--with-zlib'
 [2004-02-09 05:44 UTC] sniper@php.net
I get the same crash with PHP 4.3.3..
# uname -a
Darwin foobar 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55 PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC  Power Macintosh powerpc

 [2004-02-09 13:33 UTC] moriyoshi@php.net
Finally I managed to reproduce the crash. It looks like --enable-debug suppresses the bus error. Really strange... Another endian issue?
 [2004-02-09 13:50 UTC] moriyoshi@php.net
Here's the patch:

http://www.voltex.jp/downloads/bug27183-preliminary.diff.txt

The error is obvious: one shouldn't store a transient pointer to a transient zval that resides in the stack frame :)



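As an added illustration in C (not PHP's code and not moriyoshi's patch), the bug class named in the comment above: a hypothetical wrapper object stores a pointer to a value that lives in a stack frame, next to the version that owns a heap copy and releases it exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not PHP's code: a value standing
 * in for a zval and a long-lived wrapper that keeps a pointer to it. */
typedef struct { char str[32]; size_t len; } value_t;
typedef struct { value_t *func_name; } wrapper_t;

/* Anti-pattern from the report: the pointer escapes the stack frame.
 * After return, w->func_name dangles; any later read or free (as
 * _efree did in the backtrace) is undefined behaviour. Never call it. */
static void cache_name_bad(wrapper_t *w) {
    value_t tmp;                      /* automatic: dies at return */
    strcpy(tmp.str, "stream_write");
    tmp.len = strlen(tmp.str);
    w->func_name = &tmp;              /* BUG: stack address stored */
}

/* Fix: give the value a lifetime matching the object that holds the
 * pointer, and free it exactly once from that object's release path. */
static int cache_name_good(wrapper_t *w) {
    value_t *v = malloc(sizeof *v);
    if (v == NULL) return -1;
    strcpy(v->str, "stream_write");
    v->len = strlen(v->str);
    w->func_name = v;
    return 0;
}

static void wrapper_release(wrapper_t *w) {
    free(w->func_name);
    w->func_name = NULL;              /* nothing left dangling */
}
/* Cached name length, or -1 if nothing is cached. */
static int cached_name_len(const wrapper_t *w) {
    return w->func_name ? (int)w->func_name->len : -1;
}

/* Whole good path: 12 (strlen("stream_write")) if cache, use and
 * release all behave, -1 otherwise. */
static int demo_good_path(void) {
    wrapper_t w = { NULL };
    if (cache_name_good(&w) != 0) return -1;
    int len = cached_name_len(&w);
    wrapper_release(&w);
    return cached_name_len(&w) == -1 ? len : -1;
}

int main(void) { (void)cache_name_bad; printf("good path: %d\n", demo_good_path()); return 0; }
```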
 [2004-02-10 16:02 UTC] chregu@php.net
moriyoshi's patch works for me.
 [2004-02-11 12:02 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Sep 23 00:01:24 2018 UTC