Bug #35323 debug_backtrace() crash when assigned to global in error handler (works in 5.1)
Submitted: 2005-11-22 08:33 UTC Modified: 2008-07-11 21:13 UTC
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:3 (75.0%)
From: tcarter at noggin dot com dot au Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.4.2RC1 OS: Linux 2.4.31
Private report: No CVE-ID: None
 [2005-11-22 08:33 UTC] tcarter at noggin dot com dot au
Description:
------------
Calls to debug_backtrace() cause PHP to crash when the result is assigned to a static or uninitialized global variable inside a custom error handler when an error is triggered from inside a (different) function.

Crash occurs with:
PHP 4.4.1
PHP 4.4.2RC2 (Snapshot 200511220601)

Does not occur with:
PHP 4.3.10
PHP 5.0.3

Reproduce code:
---------------
<?php
// Custom error handler: stores the full backtrace in a global that was
// never initialised in the global scope.
function err_h() {
        global $backtrace;
        $backtrace = debug_backtrace();
}

set_error_handler("err_h");

// Raise an E_USER_NOTICE from inside a function, so the handler runs with
// a non-empty call stack and its own frame carries the handler arguments.
function crash_me() { trigger_error('Crash!'); }

crash_me();


Expected result:
----------------
PHP shouldn't crash 

Actual result:
--------------
[trav@dev php4-STABLE-200511220601]$ ./configure --disable-all --enable-debug
... 
[trav@dev php4-STABLE-200511220601]$ gdb sapi/cli/php 
... 
This GDB was configured as "i386-redhat-linux-gnu"... 
(gdb) set args -c ./php.ini-dist -f ~/crashme.php 
(gdb) run 
Starting program: /home/users/trav/build/php4-STABLE-200511220601/sapi/cli/php -c ./php.ini-dist -f ~/crashme.php
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(152) : 
Block 0x0816F7E8 status: 
Beginning:      Overrun (magic=0x08170A78, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816A028 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816A060, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08169FE8 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816A020, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08170A40 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x0816FB68, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x08170938 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x08170A38, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(169) : 
Block 0x0816F820 status: 
Beginning:      Overrun (magic=0x401D662C, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(171) : 
Block 0x0816F7B0 status: 
Beginning:      Overrun (magic=0x0816F7E0, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(152) : 
Block 0x08170A80 status: 
Beginning:      Overrun (magic=0x0816FC20, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816FC28 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x081701D0, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
[Tue Nov 22 18:23:15 2005]  Script:  
'/home/users/trav/crashme.php' 
--------------------------------------- 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c(159) : 
Block 0x0816FBB0 status: 
/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_variables.c(44) : 
Actual location (location was relayed) 
Beginning:      Overrun (magic=0x08164618, 
expected=0x7312F8DC) 
      End:      Unknown 
--------------------------------------- 
 
Program received signal SIGSEGV, Segmentation fault. 
0x080e1dbc in _efree (ptr=0x8170adc, 
__zend_filename=0x81307c0 
"/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c", 
__zend_lineno=169, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_alloc.c:260 
260             REMOVE_POINTER_FROM_LIST(p); 
(gdb) bt 
#0  0x080e1dbc in _efree (ptr=0x8170adc, 
__zend_filename=0x81307c0 
"/home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c", 
__zend_lineno=169, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_alloc.c:260 
#1  0x080ebabc in destroy_op_array (op_array=0x816fc60) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c:169 
#2  0x080eb8c0 in destroy_zend_function 
(function=0x816fc60) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_opcode.c:100 
#3  0x080f7e25 in zend_hash_destroy (ht=0x8143220) 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend_hash.c:556 
#4  0x080f2396 in zend_shutdown () 
at /home/users/trav/build/php4-STABLE-200511220601/Zend/zend.c:573 
#5  0x080c0b7f in php_module_shutdown () 
at /home/users/trav/build/php4-STABLE-200511220601/main/main.c:1286 
#6  0x0810aef7 in main (argc=5, argv=0xbffff924) 
at /home/users/trav/build/php4-STABLE-200511220601/sapi/cli/php_cli.c:887 
#7  0x400b5a67 in __libc_start_main () 
from /lib/i686/libc.so.6 
 

History

 [2005-11-22 09:13 UTC] sniper@php.net
Does not happen with PHP 5.1 CVS.

 [2005-11-23 04:25 UTC] tcarter at noggin dot com dot au
PHP 4.3.11 does not crash
PHP 4.4.0 crashes

(Both versions tested on both Solaris SPARC & Linux x86)
 [2006-08-15 00:42 UTC] tcarter at noggin dot com dot au
This crash seems to be related to the way that the 
$errcontext (symbol table) argument passed to the error 
handler is treated by debug_backtrace.

If you unset the $errcontext argument in the backtrace 
(arg 5 of the final call) then the crash does not occur.

It appears to be specific to debug_backtrace() because 
setting the global variable directly to $errcontext as a 
named argument, or from func_get_args() does not trigger a 
crash.
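The workaround the submitter describes, written out as an added example (this is not code from the bug report or from PHP itself): an error handler that still records a backtrace into a global, but strips the $errcontext symbol table (argument 5 of the handler call) from the handler's own frame before storing it. The function name sanitized_backtrace and the $last_error global are this example's own names, and it is written in PHP 4.3+/5.x syntax to match the affected versions.

```php
<?php
// Added example, not part of the bug report. Based on the submitter's
// observation that the crash does not occur once the $errcontext argument
// (arg 5 of the handler call, a copy of the caller's symbol table) is
// removed from the backtrace before it is assigned to a global.

function sanitized_backtrace($handler_name)
{
    $trace = debug_backtrace();
    foreach (array_keys($trace) as $i) {
        $frame =& $trace[$i];
        // The handler's own frame carries the five arguments PHP passed to
        // it; drop the fifth ($errcontext) so the stored trace no longer
        // references every variable that was in scope at the error site.
        if (isset($frame['function']) && $frame['function'] === $handler_name
            && isset($frame['args']) && count($frame['args']) >= 5) {
            unset($frame['args'][4]);
        }
        // Only file, line and function are used later; drop live objects too.
        unset($frame['object']);
    }
    unset($frame);  // break the reference left behind by the loop
    return $trace;
}

// $errcontext defaults to null so the handler also works on PHP versions
// that no longer pass it (see note below); the strip is then a no-op.
function err_h($errno, $errstr, $errfile, $errline, $errcontext = null)
{
    global $backtrace, $last_error;
    $last_error = array('errno' => $errno, 'errstr' => $errstr,
                        'file'  => $errfile, 'line' => $errline);
    $backtrace = sanitized_backtrace('err_h');
    return true;  // error has been handled
}

set_error_handler('err_h');

function crash_me() { trigger_error('Crash!'); }

crash_me();

// Report what was captured, without ever dumping a symbol table.
printf("%s at %s:%d\n", $last_error['errstr'], $last_error['file'],
       $last_error['line']);
foreach ($backtrace as $frame) {
    printf("  %s:%d %s()\n",
           isset($frame['file']) ? $frame['file'] : '[internal]',
           isset($frame['line']) ? $frame['line'] : 0,
           isset($frame['function']) ? $frame['function'] : '');
}
```

On PHP 5.3.6 and later, debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) omits the args of every frame and is the simpler way to get the same effect. The $errcontext parameter itself was deprecated in PHP 7.2 and removed in PHP 8.0, so on those versions the handler receives only four arguments and the frame filter above does nothing.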
 [2008-07-11 21:13 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 15:01:28 2024 UTC