Bug #49893 Apache 2.2 Child crash while creating an instance of Zend_Mail_Storage_Pop3
Submitted: 2009-10-15 19:00 UTC
Modified: 2010-05-11 18:22 UTC
From: greubel at nkey dot de
Assigned: dmitry
Status: Closed
Package: Reproducible crash
PHP Version: 5.3.0
OS: *
Private report: No
CVE-ID:
 [2009-10-15 19:00 UTC] greubel at nkey dot de
Description:
------------
While creating an instance of Zend_Mail_Storage_Pop3 using a username and NO password, the Apache connection was ended. In the error log and the Windows event log a message appears saying that the child has exited.


Reproduce code:
---------------
$storage = new Zend_Mail_Storage_Pop3(array(
    'host' => $mailbox->incomingServer,
    'user' => $mailbox->loginName,
    'password' => $mailbox->loginPasswd == null ? '' : $mailbox->loginPasswd
));

Expected result:
----------------
An error or exception that the connection to remote host could not be established

Actual result:
--------------
Apache Child crash:

[Thu Oct 15 20:43:11 2009] [notice] Parent: child process exited with status 255 -- Restarting.
[Thu Oct 15 20:43:11 2009] [notice] Apache/2.2.14 (Win32) PHP/5.3.0 configured -- resuming normal operations
[Thu Oct 15 20:43:11 2009] [notice] Server built: Sep 28 2009 22:41:08

Windows event log XML output:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Application Error" /> 
  <EventID Qualifiers="0">1000</EventID> 
  <Level>2</Level> 
  <Task>100</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2009-10-15T18:43:08.000Z" /> 
  <EventRecordID>1685</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>Callipso</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>httpd.exe</Data> 
  <Data>2.2.14.0</Data> 
  <Data>4ac181d6</Data> 
  <Data>php5ts.dll</Data> 
  <Data>5.3.0.0</Data> 
  <Data>4a4922e7</Data> 
  <Data>c0000005</Data> 
  <Data>00083381</Data> 
  <Data>d44</Data> 
  <Data>01ca4dc6c4770430</Data> 
  </EventData>
  </Event>

 [2009-10-15 19:02 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2009-10-16 00:10 UTC] greubel at nkey dot de
<?php
require 'Zend/Mail/Storage/Pop3.php';

try {
	$acc = new Zend_Mail_Storage_Pop3(
		array(
			'host' => 'pop.gmx.de',
			'user' => 'someone@gmx.de',
			'password' => ''
		)
	);
}
catch(Exception $e)
{
	echo $e->getMessage();
	echo "<pre>";
	echo $e->getTraceAsString();
	echo "</pre>";
}
?>
 [2009-10-16 00:21 UTC] greubel at nkey dot de
I tried to find the source of the problem. If the Zend_Mail_Protocol_Pop3 is used as class to create a communication object, an exception is thrown instead of crash.

Used code:

<?php
require 'Zend/Mail/Protocol/Pop3.php';  
try {
	$acc = new Zend_Mail_Protocol_Pop3();
	$acc->connect('pop.gmx.de');
	$acc->login('someone@gmx.de', '');
}
catch(Exception $e)
{
	echo $e->getMessage();
	echo "<pre>";
	echo $e->getTraceAsString();
	echo "</pre>";
}
?>

The crashing method in Zend_Mail_Storage_Pop3 seems to be the Zend_Mail_Protocol_Pop3::login() method call in the constructor.
 [2009-10-19 10:45 UTC] jani@php.net
Please don't post bugs in 3rd party frameworks as bugs in PHP. As long as you're not able to provide a short reproducing code that does NOT require this is not a bug.
 [2009-10-19 21:07 UTC] greubel at nkey dot de

 [2009-10-19 21:37 UTC] greubel at nkey dot de
I was able to get a little bit deeper. The exception has occurred inside the GC_ZOBJ_CHECK_POSSIBLE_ROOT macro.

php5ts!gc_zval_possible_root+0x61:
01483381 8a540101        mov     dl,byte ptr [ecx+eax+1]    ds:0023:79d86981=??

Marked line in source view is 

GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
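
Added example, not part of the original report: it decodes the positional `<Data>` fields of the Event ID 1000 record posted above and checks that the debugger address `01483381` (`gc_zval_possible_root+0x61`) is the same fault as the event's offset `00083381`. The field order is the assumed layout of the Vista-era "Application Error" message, and the function and variable names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# <Data> values copied in order from the Event ID 1000 record in the report.
EVENT_DATA = ["httpd.exe", "2.2.14.0", "4ac181d6", "php5ts.dll", "5.3.0.0",
              "4a4922e7", "c0000005", "00083381", "d44", "01ca4dc6c4770430"]

# Assumed positional layout of a Vista-era "Application Error" 1000 event.
FIELDS = ["app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "exception_code", "fault_offset", "pid", "app_start"]

# Small subset of NTSTATUS codes commonly seen in crash records.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC00000FD: "STATUS_STACK_OVERFLOW",
            0xC0000374: "STATUS_HEAP_CORRUPTION"}

def decode_event(data):
    """Turn the raw hex strings into typed values an analyst can compare."""
    if len(data) != len(FIELDS):
        raise ValueError("unexpected number of <Data> fields")
    rec = dict(zip(FIELDS, data))
    for key in ("app_timestamp", "module_timestamp"):
        # PE link timestamps are seconds since the Unix epoch.
        rec[key] = datetime.fromtimestamp(int(rec[key], 16), tz=timezone.utc)
    rec["exception_code"] = int(rec["exception_code"], 16)
    rec["exception_name"] = NTSTATUS.get(rec["exception_code"], "unknown")
    rec["fault_offset"] = int(rec["fault_offset"], 16)
    rec["pid"] = int(rec["pid"], 16)
    # FILETIME: 100 ns ticks since 1601-01-01 UTC.
    ticks = int(rec["app_start"], 16)
    rec["app_start"] = (datetime(1601, 1, 1, tzinfo=timezone.utc)
                        + timedelta(microseconds=ticks // 10))
    return rec

def correlate(rec, debugger_address, symbol_offset):
    """Match an absolute address from a debugger to the module-relative offset."""
    base = debugger_address - rec["fault_offset"]
    if base < 0 or base & 0xFFFF:
        return None  # images are mapped on 64 KiB boundaries; not the same fault
    return {"module_base": base,
            "function_rva": rec["fault_offset"] - symbol_offset}

REC = decode_event(EVENT_DATA)
# Address and +0x61 displacement taken from the debugger line in the comment above.
MATCH = correlate(REC, 0x01483381, 0x61)
```
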
 [2009-10-19 22:37 UTC] pajoye@php.net
We need a reproduce script to be able to fix this problem.
 [2009-10-20 05:42 UTC] greubel at nkey dot de
I do not have more than in the opening post. I believe, because of the nature of the problem (garbage collector), it would be hard to find a piece of code, where the same problem occurs. Finally to say, it is possible, that it only happens on 32bit vista/xp/2000.

Why it is not possible to use the script I provided first?

Thank you and regards

Maik
 [2009-10-20 08:34 UTC] jani@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-10-20 18:54 UTC] greubel at nkey dot de
The access violation has now moved to another place:

php5ts!gc_zobj_possible_root+57     038ffbc0     0273b270     038fe608    
php5ts!gc_zval_possible_root+74     038ffbc0     0273b270     00000000    
php5ts!ZEND_ASSIGN_SPEC_CV_VAR_HANDLER+69     0094fbc0     0273b270     0094fe3c    
php5ts!execute+2fb     039310b0     0273b200     00000000    
php5ts!zend_execute_scripts+f6     00000008     0273b270     00000000    
php5ts!php_execute_script+233     0094fe3c     0273b270     00000004    
php5apache2_2!php_handler+5d0     0275ead8     00a24208     0275ead8    
libhttpd!ap_run_handler+21     0275ead8     0275ead8     0275ead8    
libhttpd!ap_invoke_handler+ae     00000000     02847fc0     0094ff00    
libhttpd!ap_die+29e     0275ead8     00000000     021b51c0    
libhttpd!ap_get_request_note+1ccc     02847fc0     02847fc0     02847fc0    
libhttpd!ap_run_process_connection+21     02847fc0     00974f20     0094ff48    
libhttpd!ap_process_connection+33     02847fc0     021c81a8     00000000    
libhttpd!ap_regkey_value_remove+c7c     02847fb8     a899cc42     00000000    
msvcrt!_endthreadex+44     0094ff94     76bdd0e9     02746848    
msvcrt!_endthreadex+ce     02746848     0094ffd4     775919bb    
kernel32!BaseThreadInitThunk+e     02746848     7383fe36     00000000    
ntdll!__RtlUserThreadStart+23     76b02670     02746848     00000000    
ntdll!_RtlUserThreadStart+1b     76b02670     02746848     00000000
 [2009-10-20 19:53 UTC] pajoye@php.net
We *still* need a way to reproduce your problem. That means a small script as described already in one of my comments.
 [2009-10-20 20:11 UTC] greubel at nkey dot de
Please close. I'm not able to reproduce the problem with a small script. I tried to strip down the code from ZF to provide the same functionality but provoke the bug. This seems not to be possible under these circumstances.

This code works well:

<?php
class foo
{
	private $sock;
	private $errno;
	private $error;
	
	public function __construct()
	{
		$this->sock = fsockopen('pop.gmx.net', 110, $this->errno, $this->error);
		$r = fgets($this->sock);
		echo "$r<br/>";

		fputs($this->sock, "USER mike.greubel@gmx.de\r\n");
		$r = fgets($this->sock);
		echo "$r<br/>";

		fputs($this->sock, "PASS \r\n");
		$r = fgets($this->sock);
		echo "$r<br/>";

		fputs($this->sock, "QUIT\r\n");
		$r = fgets($this->sock);
		echo "$r<br/>";
	}
	
	public function close()
	{
		fclose($this->sock);
		$this->sock = null;
	}
}

$bar = new foo();
$bar->close();
?>

So please close.
 [2009-10-20 20:13 UTC] greubel at nkey dot de
Not reproducible
 [2009-10-20 20:57 UTC] pajoye@php.net
not a bug > bogus.
 [2010-05-11 16:45 UTC] dmitry@php.net
-Status: Bogus
+Status: Assigned
-Operating System: Windows Vista
+Operating System: *
-Assigned To:
+Assigned To: dmitry
 [2010-05-11 16:45 UTC] dmitry@php.net
The bug occurs when an exception is caught in a destructor during the processing of another exception.

Reproduce code:
---------------
<?php
class A {
	function __destruct() {
		try {
			throw new Exception("2");
		} catch (Exception $e) {
			echo $e->getMessage() . "\n";
		}
	}
}
class B {
	function __construct() {
		$this->a = new A();
		throw new Exception("1");
	}
}
try {
	$b = new B();
} catch(Exception $e) {
	echo $e->getMessage() . "\n";
}
?>

Expected result:
----------------
2
1

Actual result:
--------------
2

valgrind
--------

==26823== Invalid read of size 4
==26823==    at 0x856480A: ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (zend.h:385)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==    by 0x84ACA44: zend_execute_scripts (zend.c:1194)
==26823==    by 0x844186E: php_execute_script (main.c:2260)
==26823==    by 0x8572CDE: main (php_cli.c:1192)
==26823==  Address 0x51f1428 is 8 bytes inside a block of size 20 free'd
==26823==    at 0x4B8C90A: free (vg_replace_malloc.c:323)
==26823==    by 0x848B079: _efree (zend_alloc.c:2348)
==26823==    by 0x849C3E3: _zval_ptr_dtor (zend_execute_API.c:444)
==26823==    by 0x84D8156: zend_leave_helper_SPEC (zend_vm_execute.h:226)
==26823==    by 0x84DA521: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:680)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==    by 0x84ACA44: zend_execute_scripts (zend.c:1194)
==26823==    by 0x844186E: php_execute_script (main.c:2260)
==26823==    by 0x8572CDE: main (php_cli.c:1192)
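
Added example, not part of the original comment: a small triage helper that splits the memcheck record above into its access stack and free stack, showing that the block was released while the engine was unwinding an exception and read again by a later opcode handler. The regexes, the `triage` name and the "EXCEPTION in frame name" heuristic are assumptions made for this illustration.

```python
import re

# Memcheck report copied from the comment above (outer frames trimmed).
REPORT = """\
==26823== Invalid read of size 4
==26823==    at 0x856480A: ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (zend.h:385)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
==26823==  Address 0x51f1428 is 8 bytes inside a block of size 20 free'd
==26823==    at 0x4B8C90A: free (vg_replace_malloc.c:323)
==26823==    by 0x848B079: _efree (zend_alloc.c:2348)
==26823==    by 0x849C3E3: _zval_ptr_dtor (zend_execute_API.c:444)
==26823==    by 0x84D8156: zend_leave_helper_SPEC (zend_vm_execute.h:226)
==26823==    by 0x84DA521: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:680)
==26823==    by 0x84D7B98: execute (zend_vm_execute.h:104)
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address 0x[0-9a-fA-F]+ is (\d+) bytes inside "
                  r"a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
ALLOCATOR = {"free", "_efree"}  # wrapper frames that say nothing about the owner

def triage(report):
    """Split a memcheck use-after-free record into access and free stacks."""
    out = {"access": [], "freed_by": []}
    stack = None
    for line in report.splitlines():
        body = re.sub(r"^==\d+==\s*", "", line)
        if m := HEAD.match(body):
            out["kind"], out["size"] = m.group(1), int(m.group(2))
            stack = out["access"]
        elif m := ADDR.match(body):
            out["offset"], out["block_size"] = int(m.group(1)), int(m.group(2))
            stack = out["freed_by"]
        elif (m := FRAME.match(body)) and stack is not None:
            stack.append(m.group(1))
    if "offset" not in out or "size" not in out:
        return None  # not an invalid access into a freed block
    # An in-bounds access means a stale pointer, not an overrun of a live block.
    out["in_bounds"] = out["offset"] + out["size"] <= out["block_size"]
    # First non-allocator frame in the free stack: the code that dropped the value.
    out["releaser"] = next((f for f in out["freed_by"] if f not in ALLOCATOR), None)
    # Heuristic: Zend VM handler names contain EXCEPTION while unwinding.
    out["during_exception"] = any("EXCEPTION" in f for f in out["freed_by"])
    return out
```
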
 [2010-05-11 18:09 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=299254
Log: Fixed bug #49893 (Crash while creating an instance of Zend_Mail_Storage_Pop3)
 [2010-05-11 18:22 UTC] dmitry@php.net
-Status: Assigned
+Status: Closed
 [2010-05-11 18:22 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Thu Apr 17 18:02:13 2014 UTC