Bug #27183 userland stream wrapper segfaults on stream_write
Submitted: 2004-02-08 13:10 UTC Modified: 2004-02-11 12:02 UTC
From: chregu@php.net Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 4CVS-2004-02-08 (stable) OS: Mac OS X 10.3
Private report: No CVE-ID: None
 [2004-02-08 13:10 UTC] chregu@php.net
Description:
------------
Stream Wrapper defined in PHP Userland segfaults on fwrite (see code).

Couldn't reproduce it on Linux, only on OS X :(



Reproduce code:
---------------
<?php
// Minimal userland stream wrapper: accepts any open, reports every
// write as fully written and discards the data.
class StreamOne {
    function stream_open($path, $mode, $options, &$opened_path) {
        return true;
    }
    function stream_write($data) {
        return strlen($data);
    }
    function stream_close() {
        return true;
    }
}

stream_wrapper_register("one", "StreamOne");
$fd = fopen("one://tmp/bla", "w");
$bla = fwrite($fd, "test");   // crashes here on OS X (see backtrace)
fclose($fd);

Expected result:
----------------
nothing

Actual result:
--------------
segfault.

Backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x000cc36c in _efree (ptr=0xbfffea40) at /opt/cvs/php4/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x000cc36c in _efree (ptr=0xbfffea40) at /opt/cvs/php4/Zend/zend_alloc.c:259
#1  0x000d4408 in call_user_function_ex (function_table=0x0, object_pp=0x115d6e0, function_name=0xbfffea30, retval_ptr_ptr=0xbfffea54, param_count=1411044, params=0x0, no_separation=0, symbol_table=0x0) at /opt/cvs/php4/Zend/zend_execute.h:96
#2  0x000d4408 in call_user_function_ex (function_table=0x0, object_pp=0x115d6e0, function_name=0xbfffea30, retval_ptr_ptr=0xbfffea54, param_count=1411044, params=0x0, no_separation=0, symbol_table=0x0) at /opt/cvs/php4/Zend/zend_execute.h:96
#3  0x000c2c58 in php_userstreamop_write (stream=0xbfffea40, buf=0x115e790 "\001\025?p\001\025?", count=18188432) at /opt/cvs/php4/main/user_streams.c:396
#4  0x000bbb2c in _php_stream_write (stream=0x115e6f0, buf=0x115db90 "test", count=4) at /opt/cvs/php4/main/streams.c:913
#5  0x0006b918 in zif_fwrite (ht=1075232, return_value=0x0, this_ptr=0x158bbc, return_value_used=-1073748124) at /opt/cvs/php4/ext/standard/file.c:1602
#6  0x000eaca8 in execute (op_array=0x115d6e0) at /opt/cvs/php4/Zend/zend_execute.c:1621
#7  0x000dcbc0 in zend_execute_scripts (type=-1073747392, retval=0x0, file_count=3) at /opt/cvs/php4/Zend/zend.c:884
#8  0x000b275c in php_execute_script (primary_file=0xbffff630) at /opt/cvs/php4/main/main.c:1727
#9  0x000efbc4 in main (argc=2, argv=0xbffffb4c) at /opt/cvs/php4/sapi/cli/php_cli.c:822

 [2004-02-08 14:47 UTC] chregu@php.net
Seems to work with 4.3.3 but not with 4.3.4.
 [2004-02-08 16:20 UTC] chregu@php.net
I could track the bug down to being introduced between 4.3.3 and 4.3.4 in

Zend/zend.*
and/or
Zend/zend_alloc.*

I'm absolutely no Zend-Engine expert, therefore I can't really help you any further here or even try to fix it myself... But if you need more information, just ask ;)
 [2004-02-08 21:30 UTC] moriyoshi@php.net
Hmm, I couldn't replicate this on Panther. Nothing seemed to go wrong. What extensions are enabled in the build? Here's mine.

phpinfo()
PHP Version => 4.3.5RC2-dev

System => Darwin hallmark 7.2.0 Darwin Kernel Version 7.2.0: Thu Dec 11 16:20:23 PST 2003; root:xnu/xnu-517.3.7.obj~1/RELEASE_PPC  Power Macintosh
Build Date => Jan 23 2004 18:48:26
Configure Command =>  './configure' '--prefix=/Users/moriyoshi/local' '--with-config-file-path=/Users/moriyoshi/Library/php-4' '--enable-gd' '--with-gd' '--with-freetype-dir=/Users/moriyoshi/local' '--with-png-dir=/Users/moriyoshi/local' '--with-jpeg-dir=/Users/moriyoshi/local' '--with-zlib-dir=/usr' '--with-iconv=/usr' '--enable-mbstring' '--enable-mbregex' '--enable-exif' '--enable-shmop' '--enable-calendar' '--enable-sockets' '--enable-wddx' '--enable-ftp' '--with-xsl=/Users/moriyoshi/local' '--with-libxml-dir=/Users/moriyoshi/local' '--with-mime-magic' '--with-apxs2=/Users/moriyoshi/local/apache-2-dev-prefork/bin/apxs' '--enable-debug'


 [2004-02-08 21:36 UTC] moriyoshi@php.net
"--with-libxml-dir=" really wasn't meant to be there 
indeed :)

 [2004-02-09 04:27 UTC] chregu@php.net
Here's my config line:

'./configure' '--with-config-file-path=/usr/local/bxphp/apache/conf' '--prefix=/usr/local/bxphp/' '--with-apxs=/usr/local/bxphp/apache/bin/apxs' '--with-dom=/sw/' '--with-tidy=/usr/local/' '--with-zlib' '--with-mysql=/sw/' '--with-png-dir=/sw/' '--with-expat-dir=/sw/' '--with-iconv=/sw/' '--with-iconv-dir=/sw/' '--with-xml=/sw/' '--with-gd' '--with-jpeg-dir=/sw/' '--enable-debug=no' '--with-mime-magic=/sw/share/file/magic.mime' '--with-dom-xslt=/sw/' '--with-dom-exslt=/sw/'

I'll try with a minimal set of extensions and see if the problem persists.
 [2004-02-09 05:25 UTC] chregu@php.net
It crashes even with the default config:

phpinfo()
PHP Version => 4.3.5RC2

System => Darwin chregu.local 7.2.0 Darwin Kernel Version 7.2.0: Thu Dec 11 16:20:23 PST 2003; root:xnu/xnu-517.3.7.obj~1/RELEASE_PPC  Power Macintosh
Build Date => Feb  9 2004 11:18:45
Configure Command =>  './configure' '--with-expat-dir=/sw/' '--with-zlib'
 [2004-02-09 05:44 UTC] sniper@php.net
I get the same crash with PHP 4.3.3.
# uname -a
Darwin foobar 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55 PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC  Power Macintosh powerpc

 [2004-02-09 13:33 UTC] moriyoshi@php.net
Finally I managed to reproduce the crash. It looks like --enable-debug suppresses the bus error. Really strange... Another endian issue?
 [2004-02-09 13:50 UTC] moriyoshi@php.net
Here's the patch:

http://www.voltex.jp/downloads/bug27183-preliminary.diff.txt

The error is obvious: one shouldn't store a transient pointer to a transient zval that resides in the stack frame :)
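The defect class moriyoshi names above, as an added example that is not the PHP source: a simplified stand-in for a string zval and for a debug-mode allocator (both assumptions, not Zend's real structures) shows a write path that hands a stack-resident zval to the release routine beside the heap-allocated form, with a checked free that refuses any address the allocator never handed out.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for a Zend zval holding a string (constructed for this example). */
typedef struct { char *str; size_t len; } zval_t;

/* Debug allocator: it records every live heap zval, so freeing anything else
 * (such as the address of a zval in a stack frame) is refused and reported
 * instead of silently corrupting the allocator's free list. */
static zval_t *live[64];
static int live_count = 0;

static zval_t *zval_alloc(const char *s) {
    zval_t *z = malloc(sizeof *z);
    z->len = strlen(s); z->str = malloc(z->len + 1);
    memcpy(z->str, s, z->len + 1);
    live[live_count++] = z;
    return z;
}

/* 1 if the allocator owns ptr, else 0; compares addresses only. */
static int zval_is_live(const zval_t *ptr) {
    for (int i = 0; i < live_count; i++) if (live[i] == ptr) return 1;
    return 0;
}

/* Checked free, standing in for the _efree() at the top of the backtrace:
 * 1 on success, 0 when z is not a live heap zval. */
static int zval_free(zval_t *z) {
    if (!zval_is_live(z)) return 0;
    for (int i = 0; i < live_count; i++)
        if (live[i] == z) { live[i] = live[--live_count]; break; }
    free(z->str); free(z);
    return 1;
}

/* Wrong pattern from the report: the zval handed to the release path lives in
 * this stack frame. The checked free refuses it (returns 0); an unchecked free
 * of that address is the crash the report shows. */
static int write_with_stack_zval(const char *buf) {
    zval_t local = { (char *)buf, strlen(buf) };
    return zval_free(&local);
}

/* Fixed pattern: a zval that must outlive this frame is heap-allocated, so
 * the later release is valid. Returns bytes written, -1 on failure. */
static int write_with_heap_zval(const char *buf) {
    zval_t *z = zval_alloc(buf);
    int n = (int)z->len;
    return zval_free(z) ? n : -1;
}
```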



 [2004-02-10 16:02 UTC] chregu@php.net
moriyoshi's patch works for me.
 [2004-02-11 12:02 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 