Bug #32514 session_start() crashes when session exists
Submitted: 2005-03-31 11:06 UTC Modified: 2005-04-05 12:19 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: red at raven dot ch Assigned:
Status: Not a bug Package: Session related
PHP Version: 5CVS-2005-03-30 OS: Fedora Core 3
Private report: No CVE-ID: None
 [2005-03-31 11:06 UTC] red at raven dot ch
Description:
------------
When I create a session and write some objects to it, the server crashes with a segmentation fault on the next request.

When searching in the bug database I found http://bugs.php.net/bug.php?id=31734 which seems to have similar behaviour on my machine.

Reproduce code:
---------------
This is the content of the session file (the code itself is a bit too complex to post here):

VidaAuth|O:8:"VidaAuth":4:{s:14:"VidaAuthuser";N;s:18:"VidaAuthloggedIn";N;s:25:
"VidaAuthuserEntityClass";s:4:"User";s:25:"VidaAuthuserObjectCache";O:4:"User":5
:{s:13:"*entityCore";N;s:14:"*tableScheme";O:13:"DBTableScheme":9:{s:20:"DBTable
Schemetable";s:5:"users";s:21:"DBTableSchemefields";a:3:{i:0;s:8:"username";i:1;
s:8:"password";i:2;s:5:"email";}s:20:"DBTableSchemetypes";a:3:{s:8:"username";s:
6:"string";s:8:"password";s:6:"string";s:5:"email";s:6:"string";}s:18:"DBTableSc
hemekey";s:8:"username";s:19:"DBTableSchemenull";a:3:{s:8:"username";b:0;s:8:"pa
ssword";b:0;s:5:"email";b:0;}s:29:"DBTableSchemeeffectiveTypes";a:3:{s:8:"userna
me";s:7:"varchar";s:8:"password";s:7:"varchar";s:5:"email";s:7:"varchar";}s:21:"
DBTableSchemelength";a:3:{s:8:"username";s:3:"255";s:8:"password";s:3:"255";s:5:
"email";s:3:"255";}s:26:"DBTableSchemeforeignKeys";a:0:{}s:22:"DBTableSchemesetI
nfo";a:0:{}}s:12:"*newValues";a:0:{}s:13:"*nullValues";a:0:{}s:8:"*state";i:0;}}
FormManager|O:11:"FormManager":2:{s:7:"counter";i:2;s:5:"stock";a:2:{s:13:"VidaL
oginForm";a:1:{i:1;O:15:"FormDataStorage":7:{s:6:"values";a:0:{}s:25:"FormDataSt
orageinvalids";a:0:{}s:8:"messages";a:0:{}s:29:"FormDataStoragesystemValues";a:2
:{s:15:"controllerClass";s:11:"LoginAction";s:3:"url";O:7:"ThisURL":5:{s:11:"URL
scheme";s:0:"";s:9:"URLhost";s:0:"";s:9:"URLpath";s:6:"/vita/";s:9:"URLfile";s:1
0:"index.php5";s:16:"URLqueryValues";a:0:{}}}s:23:"FormDataStorageparent";N;s:27
:"FormDataStorageidentifier";i:1;s:24:"FormDataStoragereferer";O:7:"Referer":5:{
s:11:"URLscheme";s:0:"";s:9:"URLhost";s:0:"";s:9:"URLpath";s:6:"/vita/";s:9:"URL
file";s:10:"index.php5";s:16:"URLqueryValues";a:0:{}}}}s:13:"XmlModuleForm";a:1:
{i:2;O:15:"FormDataStorage":7:{s:6:"values";a:0:{}s:25:"FormDataStorageinvalids"
;a:0:{}s:8:"messages";a:0:{}s:29:"FormDataStoragesystemValues";a:2:{s:15:"contro
llerClass";s:15:"XmlModuleAction";s:3:"url";r:45;}s:23:"FormDataStorageparent";N
;s:27:"FormDataStorageidentifier";i:2;s:24:"FormDataStoragereferer";O:7:"Referer
":5:{s:11:"URLscheme";s:0:"";s:9:"URLhost";s:0:"";s:9:"URLpath";s:6:"/vita/";s:9

Expected result:
----------------
To load the session and create the Objects.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208899904 (LWP 28088)]
0x012d7aaf in zend_do_fcall_common_helper (execute_data=0xbfe83c20, 
    opline=0x99f46dc, op_array=0x99ef37c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2656
2656            if (EX(function_state).function->common.fn_flags & ZEND_ACC_ABSTRACT) {

 [2005-03-31 11:11 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.

Please try to reduce your reproduce script to reasonable size (~20 lines) or upload it somewhere and give us the link.
Also, please post _full_ backtrace instead of the last line.
 [2005-03-31 11:43 UTC] red at raven dot ch
Unfortunately I am not able to write a short script which reproduces this segfault.

(gdb) bt
#0  0x012b4aaf in zend_do_fcall_common_helper (execute_data=0xbfeed720, 
    opline=0x891d6dc, op_array=0x891837c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2656
#1  0x012b5583 in zend_do_fcall_by_name_handler (execute_data=0xbfeed720, 
    opline=0x891d6dc, op_array=0x891837c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2825
#2  0x012af3ed in execute (op_array=0x891837c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#3  0x012b4ece in zend_do_fcall_common_helper (execute_data=0xbfeed8c0, 
    opline=0x890cd7c, op_array=0x8949dc4)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2740
#4  0x012b5583 in zend_do_fcall_by_name_handler (execute_data=0xbfeed8c0, 
    opline=0x890cd7c, op_array=0x8949dc4)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2825
#5  0x012af3ed in execute (op_array=0x8949dc4)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#6  0x012b4ece in zend_do_fcall_common_helper (execute_data=0xbfeeda00, 
    opline=0x85ce3f4, op_array=0x89498fc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2740
#7  0x012b5583 in zend_do_fcall_by_name_handler (execute_data=0xbfeeda00, 
    opline=0x85ce3f4, op_array=0x89498fc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2825
#8  0x012af3ed in execute (op_array=0x89498fc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#9  0x012b7c40 in zend_include_or_eval_handler (execute_data=0xbfeedba0, 
    opline=0x8630e30, op_array=0x85d3dac)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:3565
#10 0x012af3ed in execute (op_array=0x85d3dac)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#11 0x012b4ece in zend_do_fcall_common_helper (execute_data=0xbfeedda0, 
    opline=0x871aec8, op_array=0x871b1d0)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2740
#12 0x012b5583 in zend_do_fcall_by_name_handler (execute_data=0xbfeedda0, 
    opline=0x871aec8, op_array=0x871b1d0)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2825
#13 0x012af3ed in execute (op_array=0x871b1d0)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#14 0x0127b952 in zend_call_function (fci=0xbfeedf00, fci_cache=0x0)
    at /usr/local/src/php-5.0.3/Zend/zend_execute_API.c:836
#15 0x0127a9a4 in call_user_function_ex (function_table=0x850de20, 
    object_pp=0x0, function_name=0xbfeedfc0, retval_ptr_ptr=0xbfeedfa8, 
    param_count=1, params=0xbfeedfdc, no_separation=0, symbol_table=0x0)
    at /usr/local/src/php-5.0.3/Zend/zend_execute_API.c:551
#16 0x0127be99 in zend_lookup_class (name=0x85e0224 "User", name_length=4, 
    ce=0xbfeee028) at /usr/local/src/php-5.0.3/Zend/zend_execute_API.c:928
#17 0x01225613 in php_var_unserialize (rval=0xbfeee08c, p=0xbfeee1bc,
    max=0x863d0e0 "\204�217*ZZZZZZZZI", var_hash=0xbfeee1a4)
    at /usr/local/src/php-5.0.3/ext/standard/var_unserializer.c:488
#18 0x0122669f in process_nested_data (rval=0xbfeee1b0, p=0xbfeee1bc, 
    max=0x863d0e0 "\204�217*ZZZZZZZZI", var_hash=0xbfeee1a4, ht=0x863d6c4, 
    elements=0) at /usr/local/src/php-5.0.3/ext/standard/var_unserializer.c:196
#19 0x01226964 in object_common2 (rval=0xbfeee1b0, p=0xbfeee1bc, 
    max=0x863d0e0 "\204�217*ZZZZZZZZI", var_hash=0xbfeee1a4, elements=4)
    at /usr/local/src/php-5.0.3/ext/standard/var_unserializer.c:259
#20 0x01225910 in php_var_unserialize (rval=0xbfeee1b0, p=0xbfeee1bc, 
    max=0x863d0e0 "\204�217*ZZZZZZZZI", var_hash=0xbfeee1a4)
    at /usr/local/src/php-5.0.3/ext/standard/var_unserializer.c:540
#21 0x01116ad1 in ps_srlzr_decode_php (
    val=0x863c82c "VidaAuth|O:8:\"VidaAuth\":4:{s:14:\"", vallen=2228)
    at /usr/local/src/php-5.0.3/ext/session/session.c:509
#22 0x01116f76 in php_session_decode (
    val=0x863c82c "VidaAuth|O:8:\"VidaAuth\":4:{s:14:\"", vallen=2228)
    at /usr/local/src/php-5.0.3/ext/session/session.c:567
#23 0x011175b2 in php_session_initialize ()
    at /usr/local/src/php-5.0.3/ext/session/session.c:748
#24 0x011195b4 in php_session_start ()
    at /usr/local/src/php-5.0.3/ext/session/session.c:1195
#25 0x0111b14f in zif_session_start (ht=0, return_value=0x87122dc, 
    this_ptr=0x0, return_value_used=0)
#26 0x012b4d35 in zend_do_fcall_common_helper (execute_data=0xbfeee680, 
    opline=0x8714b88, op_array=0x85dccfc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2711
#27 0x012b5691 in zend_do_fcall_handler (execute_data=0xbfeee680, 
    opline=0x8714b88, op_array=0x85dccfc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:2843
#28 0x012af3ed in execute (op_array=0x85dccfc)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#29 0x012b7c40 in zend_include_or_eval_handler (execute_data=0xbfeeea00, 
    opline=0x871a6dc, op_array=0x85d368c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:3565
#30 0x012af3ed in execute (op_array=0x85d368c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#31 0x012b7c40 in zend_include_or_eval_handler (execute_data=0xbfeeec10, 
    opline=0x85dc22c, op_array=0x875a66c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:3565
#32 0x012af3ed in execute (op_array=0x875a66c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
#33 0x01287ba4 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php-5.0.3/Zend/zend.c:1069
#34 0x01241020 in php_execute_script (primary_file=0xbfef0f70)
    at /usr/local/src/php-5.0.3/main/main.c:1628
#35 0x012bb6c4 in php_handler (r=0x85c82e0)
    at /usr/local/src/php-5.0.3/sapi/apache2handler/sapi_apache2.c:537
#36 0x005e49f7 in ap_run_handler () from /usr/sbin/httpd
#37 0x083faa70 in ?? ()
#38 0x005e49ce in ap_run_handler () from /usr/sbin/httpd
#39 0x085c82e0 in ?? ()
#40 0x085c82e0 in ?? ()
#41 0xbfef10e8 in ?? ()
#42 0x005e4e63 in ap_invoke_handler () from /usr/sbin/httpd
Previous frame inner to this frame (corrupt stack?)
(gdb) frame 30
#30 0x012af3ed in execute (op_array=0x85d368c)
    at /usr/local/src/php-5.0.3/Zend/zend_execute.c:1400
1400                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
 [2005-03-31 20:39 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-04-01 00:02 UTC] red at raven dot ch
Tried the latest snapshot (200503312030). Still the same.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208932672 (LWP 3881)]
0x012dbcee in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe190b0)
    at zend_vm_execute.h:120
120             if (EX(function_state).function->common.fn_flags & ZEND_ACC_ABSTRACT) {
(gdb) bt
#0  0x012dbcee in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe190b0)
    at zend_vm_execute.h:120
#1  0x012dc705 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfe190b0)
    at zend_vm_execute.h:288
#2  0x012dbc3b in execute (op_array=0x8a24f6c) at zend_vm_execute.h:78
#3  0x012dc073 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe19220)
    at zend_vm_execute.h:204
#4  0x012dc705 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfe19220)
    at zend_vm_execute.h:288
#5  0x012dbc3b in execute (op_array=0x875be54) at zend_vm_execute.h:78
#6  0x012dc073 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe19360)
    at zend_vm_execute.h:204
#7  0x012dc705 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfe19360)
    at zend_vm_execute.h:288
#8  0x012dbc3b in execute (op_array=0x875ae9c) at zend_vm_execute.h:78
#9  0x0130d185 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (
    execute_data=0xbfe194d0) at zend_vm_execute.h:18130
#10 0x012dbc3b in execute (op_array=0x88f01c4) at zend_vm_execute.h:78
#11 0x012dc073 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe19670)
    at zend_vm_execute.h:204
#12 0x012dc705 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbfe19670)
    at zend_vm_execute.h:288
#13 0x012dbc3b in execute (op_array=0x870ad08) at zend_vm_execute.h:78
#14 0x012ac2f3 in zend_call_function (fci=0xbfe19810, fci_cache=0xbfe19800)
    at /usr/local/src/php5-200503312030/Zend/zend_execute_API.c:851
#15 0x012ac842 in zend_lookup_class (name=0x876b32c "User", name_length=4, 
    ce=0xbfe198e4)
    at /usr/local/src/php5-200503312030/Zend/zend_execute_API.c:956
#16 0x0125c5fa in php_var_unserialize (rval=0xbfe19950, p=0xbfe19a90, 
    max=0x87e05e8 "\204�217*ZZZZZZZZA", var_hash=0xbfe19a70)
    at /usr/local/src/php5-200503312030/ext/standard/var_unserializer.c:565
#17 0x0125d704 in process_nested_data (rval=0xbfe19a84, p=0xbfe19a90, 
    max=0x87e05e8 "\204�217*ZZZZZZZZA", var_hash=0xbfe19a70, ht=0x87e192c, 
    elements=0)
    at /usr/local/src/php5-200503312030/ext/standard/var_unserializer.c:232
#18 0x0125da92 in object_common2 (rval=0xbfe19a84, p=0xbfe19a90, 
    max=0x87e05e8 "\204�217*ZZZZZZZZA", var_hash=0xbfe19a70, elements=4)
    at /usr/local/src/php5-200503312030/ext/standard/var_unserializer.c:322
#19 0x0125c8fd in php_var_unserialize (rval=0xbfe19a84, p=0xbfe19a90, 
    max=0x87e05e8 "\204�217*ZZZZZZZZA", var_hash=0xbfe19a70)
    at /usr/local/src/php5-200503312030/ext/standard/var_unserializer.c:623
#20 0x01150b56 in ps_srlzr_decode_php (
    val=0x87dfd34 "VidaAuth|O:8:\"VidaAuth\":4:{s:14:\"", vallen=2228)
    at /usr/local/src/php5-200503312030/ext/session/session.c:509
#21 0x01151015 in php_session_decode (
    val=0x87dfd34 "VidaAuth|O:8:\"VidaAuth\":4:{s:14:\"", vallen=2228)
    at /usr/local/src/php5-200503312030/ext/session/session.c:571
#22 0x011515a8 in php_session_initialize ()
    at /usr/local/src/php5-200503312030/ext/session/session.c:752
#23 0x01153265 in php_session_start ()
    at /usr/local/src/php5-200503312030/ext/session/session.c:1203
#24 0x01154c98 in zif_session_start (ht=0, return_value=0x8762bc4, 
    this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php5-200503312030/ext/session/session.c:1665
#25 0x012dbf22 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe19e70)
    at zend_vm_execute.h:175
#26 0x012e0074 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe19e70)
    at zend_vm_execute.h:1535
#27 0x012dbc3b in execute (op_array=0x870e19c) at zend_vm_execute.h:78
#28 0x0130d185 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (
    execute_data=0xbfe1a150) at zend_vm_execute.h:18130
#29 0x012dbc3b in execute (op_array=0x8a01be4) at zend_vm_execute.h:78
#30 0x012e0b88 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
    execute_data=0xbfe1a350) at zend_vm_execute.h:1835
#31 0x012dbc3b in execute (op_array=0x876e204) at zend_vm_execute.h:78
#32 0x012b7752 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5-200503312030/Zend/zend.c:1059
#33 0x0127711a in php_execute_script (primary_file=0xbfe1c6c0)
    at /usr/local/src/php5-200503312030/main/main.c:1639
#34 0x01328681 in php_handler (r=0x86fb2a8)
    at /usr/local/src/php5-200503312030/sapi/apache2handler/sa
#35 0x0087a9f7 in ap_run_handler () from /usr/sbin/httpd
#36 0x08511a70 in ?? ()
#37 0x0087a9ce in ap_run_handler () from /usr/sbin/httpd
#38 0x086fb2a8 in ?? ()
#39 0x086fb2a8 in ?? ()
#40 0xbfe1c838 in ?? ()
#41 0x0087ae63 in ap_invoke_handler () from /usr/sbin/httpd
Previous frame inner to this frame (corrupt stack?)
 [2005-04-03 01:09 UTC] sniper@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.


 [2005-04-04 10:32 UTC] red at raven dot ch
Sorry, I can't reduce this to a few lines of code. It seems this segmentation fault only occurs in rather complex situations (and I can't put my finger on it). I'm working with the Vida-Framework (http://www.vidaframework.ch/, latest CVS version) and it seems the problem can be found in these lines:

<?php
class User extends VidaUser {
    public static function __classConstruct(){
        $class = __CLASS__;
        parent::__classConstruct($class);
        DBEntity::setTable($class,'users');
    }
    
    /*
    Other methods
     */
}
User::__classConstruct();
?>
 [2005-04-05 01:43 UTC] sniper@php.net
Have you ever thought that it might not be a good idea to put everything into a session?

 [2005-04-05 12:19 UTC] red at raven dot ch
But why is it possible if it's not a good idea?
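The backtraces in this report all follow the same path: session_start() decodes the session file (php_session_decode → ps_srlzr_decode_php → php_var_unserialize), the unserializer meets a class name, and zend_lookup_class() calls back into user-land autoload code before any object exists. The script below is an added example, not code from the bug report or from the Vida framework, that makes that path visible from PHP and shows the two ways to keep class loading out of the session. It assumes PHP 7.0 or later (for the allowed_classes option of unserialize()); the names VidaAuth and user are borrowed from the dump above, but the payload itself is constructed here.

```php
<?php
// Added example (not from the bug report or the Vida framework): shows that
// unserialize() resolves class names before any object is constructed, so a
// serialized session pulls user-land autoload code into the session_start()
// path, and shows two ways to keep that out of the session entirely.

declare(strict_types=1);

$autoloadRequests = [];

// Record every class name the unserializer asks for. In the backtraces above
// this is the zend_lookup_class() -> zend_call_function() step that segfaults.
spl_autoload_register(function (string $class) use (&$autoloadRequests): void {
    $autoloadRequests[] = $class;
    // Deliberately define nothing: the class stays unknown.
});

// Constructed payload in the same shape as the session dump in the report.
// Private property names are serialized as "\0Class\0prop" and protected ones
// as "\0*\0prop"; the NUL bytes are why the dump shows s:14:"VidaAuthuser"
// for a 12-character visible name.
$userProp = "\0VidaAuth\0user";                   // 14 bytes
$payload  = 'O:8:"VidaAuth":1:{s:' . strlen($userProp) . ':"' . $userProp . '";s:4:"User";}';

// 1. Default unserialize(): the autoloader is consulted for VidaAuth, and since
//    the class stays unknown PHP hands back a __PHP_Incomplete_Class instead.
$obj = unserialize($payload);
printf("autoload asked for: %s\n", implode(', ', $autoloadRequests));   // VidaAuth
printf("result class: %s\n", get_class($obj));                           // __PHP_Incomplete_Class

// 2. PHP >= 7.0: allowed_classes => false skips class lookup altogether, so the
//    autoloader is never called and no user class is instantiated from stale or
//    untrusted session data.
$autoloadRequests = [];
$safe = unserialize($payload, ['allowed_classes' => false]);
printf("autoload asked for: [%s]\n", implode(', ', $autoloadRequests));  // []
printf("result class: %s\n", get_class($safe));                          // __PHP_Incomplete_Class

// 3. The pattern the maintainer hints at: keep only identifiers in the session
//    and rebuild objects from them on each request.
function sessionPayloadFor(string $username): string
{
    // Scalars only; no class name is ever stored, so there is nothing to autoload.
    return serialize(['username' => $username, 'logged_in' => true]);
}

$state = unserialize(sessionPayloadFor('alice'), ['allowed_classes' => false]);
printf("rehydrate user %s from the database on demand\n", $state['username']);
```

Run it from the command line with any PHP 7.x or 8.x binary. The first unserialize() call shows the autoloader being invoked for a class the session data names, which is exactly the point at which this report's crash occurs; the second shows that refusing object deserialization removes that call, and the third shows that a session holding only a username and a flag never reaches class-loading code at all.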
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 17 13:01:32 2024 UTC