php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52935 call exit in user_error_handler cause stream relate core
Submitted: 2010-09-27 17:31 UTC Modified: 2011-07-05 12:59 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: laruence at yahoo dot com dot cn Assigned: cataphract
Status: Closed Package: Streams related
PHP Version: 5.2.14 OS: any
Private report: No CVE-ID:
 [2010-09-27 17:31 UTC] laruence at yahoo dot com dot cn
Description:
------------
because in PHP exit is implements by set/longjmp

so the normal sequence 

php_stream_wrapper_log_error
php_stream_display_wrapper_errors
      -> php_error_docref1
php_stream_tidy_wrapper_error_log

when use set_error_handler,  and call exit in use_handler, 
cause the php_stream_tidy_wrapper_error_log to be miss called,

which cause wrap->err_count doesn't reset to zero after request shutdown.

then cause the following code coredump in php_stream_display_wrapper_errors

 for (i = 0, l = 0; i < wrapper->err_count; i++) {
                l += strlen(wrapper->err_stack[i]); //core
                if (i < wrapper->err_count - 1) {
                    l += brlen;
                }
            }

Test script:
---------------
<?php
function err_handler(){

    exit;
    return true;
}

set_error_handler('err_handler');
$client = new SoapClient("http://unreachable.com/ServiceNoWse.asmx?WSDL");

Expected result:
----------------
normal exit

Actual result:
--------------
core dump

Patches

php_5_2_14_fixed (last revision 2010-09-28 02:40 UTC) by laruence at yahoo dot com dot cn)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-09-27 23:42 UTC] felipe@php.net
Related to bug #52922
 [2010-09-28 04:35 UTC] laruence at yahoo dot com dot cn
there is  some  prombles in the example ,
1. the domain must be a valid domain
2. the envrion must can't connect to the internet

<?php
function err_handler(){

    exit;
    return true;
}

set_error_handler('err_handler');
$client = file_get_contents("http://www.laruence.com/ServiceNoWse.asmx?WSDL");
 [2010-10-02 22:01 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2010-10-02 22:01 UTC] cataphract@php.net
I can't reproduce this.

I also don't understand the problem conceptually. php_stream_display_wrapper_errors is called before the bailout, not after so how can PHP segfault there? I must be missing something.

Script (run via the CLI):

<?php
ini_set('default_socket_timeout', 3);
function err_handler(){
//var_dump(func_get_args());
    exit;
    return true;
}

set_error_handler('err_handler');
$client = file_get_contents("http://www.laruence.com/ServiceNoWse.asmx?WSDL");

---
I also made the site unreachable:

$ sudo iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            96.0.183.49
 [2010-10-04 12:16 UTC] laruence at yahoo dot com dot cn
-Status: Feedback +Status: Open
 [2010-10-04 12:16 UTC] laruence at yahoo dot com dot cn
in cli mode , this would not been happend ,

cause, the stream wrapper is a persistent  struct ,  zend_bailout cause the 
err_count of stream wrapper struct not be zero when a new request coming.  which 
means , you should run in apache handler or cgi/fastcgi.

in cli mode , there only one request loop. 

sorry for my poor english,

and I think,  you should make network unreachable, then will be tigger a error 
with message "Network unreachable",
 [2010-10-07 10:59 UTC] tony2001@php.net
-Package: Scripting Engine problem +Package: Streams related
 [2010-12-14 13:45 UTC] richard_hu at 163 dot com
I have the similar issue, which confused me for quite some time. Though I'm not sure whether it's caused by setting the error handler.
On my linux box,using php 5.2.14, I see many apache core files after several days. and BT looks mostly like this:

(gdb) bt
#0  _zend_mm_free_int (heap=0x6b2f00, p=0x21) at /home/work/php-5.2.14/Zend/zend_alloc.c:1948
#1  0x0000002a95d53069 in php_stream_tidy_wrapper_error_log (wrapper=0x2a962116e0) at /home/work/php-5.2.14/main/streams/streams.c:192
#2  0x0000002a95d5605a in _php_stream_open_wrapper_ex (
    path=0x2a9a3267b0 "http://jp01-testing-psp01.jp01:8080/query_patterns/index", mode=0x2a95e5c804 "rb", 
    options=12, opened_path=0x0, context=0x0) at /home/work/php-5.2.14/main/streams/streams.c:1899
#3  0x0000002a95cd81b1 in zif_file_get_contents (ht=-1776162144, return_value=0x2a9a15cdd8, return_value_ptr=Variable "return_value_ptr" is not available.
)
    at /home/work/php-5.2.14/ext/standard/file.c:541
#4  0x0000002a95d78114 in zend_call_function (fci=0x7fbfff8200, fci_cache=Variable "fci_cache" is not available.
) at /home/work/php-5.2.14/Zend/zend_execute_API.c:1063
#5  0x0000002a95d78a56 in call_user_function_ex (function_table=Variable "function_table" is not available.
) at /home/work/php-5.2.14/Zend/zend_execute_API.c:650
#6  0x0000002a95cce1c8 in zif_call_user_func_array (ht=Variable "ht" is not available.
) at /home/work/php-5.2.14/ext/standard/basic_functions.c:5217
#7  0x0000002a95da57ce in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfff8560) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:200
#8  0x0000002a95da4de1 in execute (op_array=0x89b390) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#9  0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfff9490) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#10 0x0000002a95da4de1 in execute (op_array=0x2a9a1534e0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#11 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffa9c0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#12 0x0000002a95da4de1 in execute (op_array=0x2a99cce868) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#13 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbffface0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#14 0x0000002a95da4de1 in execute (op_array=0x2a99e83f08) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#15 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffb050) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#16 0x0000002a95da4de1 in execute (op_array=0x2a99e53098) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#17 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffb420) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#18 0x0000002a95da4de1 in execute (op_array=0x2a99e52f38) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#19 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffb9b0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#20 0x0000002a95da4de1 in execute (op_array=0x2a99e52dd0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#21 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffbfa0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#22 0x0000002a95da4de1 in execute (op_array=0x2a968894b8) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#23 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffc5d0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#24 0x0000002a95da4de1 in execute (op_array=0x2a96868e40) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#25 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffc9d0) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#26 0x0000002a95da4de1 in execute (op_array=0x2a96909030) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#27 0x0000002a95da50e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffce10) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:234
#28 0x0000002a95da4de1 in execute (op_array=0x2a96821cf8) at /home/work/php-5.2.14/Zend/zend_vm_execute.h:92
#29 0x0000002a95d85ea4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/work/php-5.2.14/Zend/zend.c:1134
#30 0x0000002a95d42dcd in php_execute_script (primary_file=0x7fbffff2e0) at /home/work/php-5.2.14/main/main.c:2036
#31 0x0000002a95e154a6 in php_handler (r=0x8670d8) at /home/work/php-5.2.14/sapi/apache2handler/sapi_apache2.c:639
#32 0x0000000000436cf3 in ap_run_handler (r=0x8670d8) at config.c:157
#33 0x0000000000437191 in ap_invoke_handler (r=0x8670d8) at config.c:372
#34 0x00000000004666c0 in ap_process_request (r=0x8670d8) at http_request.c:258
#35 0x0000000000463ead in ap_process_http_connection (c=0x855238) at http_core.c:190
#36 0x000000000043d6c3 in ap_run_process_connection (c=0x855238) at connection.c:43
#37 0x000000000047f824 in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at prefork.c:650
#38 0x000000000047fa44 in make_child (s=0x5ce498, slot=1) at prefork.c:746
#39 0x000000000047fade in startup_children (number_to_start=4) at prefork.c:764
#40 0x00000000004802ed in ap_mpm_run (_pconf=Variable "_pconf" is not available.
) at prefork.c:985
#41 0x00000000004249b5 in main (argc=Variable "argc" is not available.
) at main.c:730
 [2010-12-20 12:10 UTC] jani@php.net
-Package: Tidy +Package: Streams related
 [2011-06-30 11:16 UTC] cataphract@php.net
-Assigned To: +Assigned To: cataphract
 [2011-07-05 12:09 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=312937
Log: - Fixed bug #52935 (call exit in user_error_handler cause stream relate core).
 [2011-07-05 12:59 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9898f9070ffdc983e2ed0387df760f8441ddc49c
Log: - Fixed bug #52935 (call exit in user_error_handler cause stream relate core).
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9898f9070ffdc983e2ed0387df760f8441ddc49c
Log: - Fixed bug #52935 (call exit in user_error_handler cause stream relate core).
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9898f9070ffdc983e2ed0387df760f8441ddc49c
Log: - Fixed bug #52935 (call exit in user_error_handler cause stream relate core).
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 09:02:29 2014 UTC