ID:               15020
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Reproducible crash
 Operating System: Linux (SuSE 7.2)
 PHP Version:      4.1.1
 New Comment:

Not much I can do: I've never hacked PHP, and I'm kinda busy at the
moment. Have you tried watching arBuckets (whatever that is) in gdb?
Maybe one of those libc-allocation-function-replacing libraries will
work (electric fence, etc). Good luck, and thanks again.

BTW: I've been working on a different project with PHP, and had no
problems whatsoever. This seems to be a pretty obscure thing. What
does arBuckets do anyway?

Thanks,

Charlie Dyson - [EMAIL PROTECTED]


Previous Comments:
------------------------------------------------------------------------

[2002-05-04 10:04:04] [EMAIL PROTECTED]

The same(?) problem occurs for me on Tru64 Unix 4.0f.
The problem has appeared between 4.0.6 and 4.1.0. 4.0.6 works fine,
4.1.0, 4.1.1 and 4.2.0 just crash.

---<8---<8---
zend_hash.c:935 if ((p->h == h) && (p->nKeyLength == 0)) {
(gdb) print p
$1 = (Bucket *) 0x5a5a5a5a5a5a5a5a
(gdb) print ht->arBuckets[1]
$2 = (Bucket *) 0x5a5a5a5a5a5a5a5a
(gdb) print *ht
$3 = {nTableSize = 8, nTableMask = 7, nNumOfElements = 3, 
  nNextFreeElement = 4, pInternalPointer = 0x140114880, 
  pListHead = 0x140114880, pListTail = 0x0, arBuckets = 0x1400eea60, 
  pDestructor = 0x120068910 <list_entry_destructor>, persistent = 0 '\000', 
  nApplyCount = 0 '\000', bApplyProtection = 1 '\001', inconsistent = 0}
---8<---8<---
It seems that the arBuckets table is completely freed(?) or
uninitialized(?) but is still being used.

------------------------------------------------------------------------

[2002-01-15 16:41:25] [EMAIL PROTECTED]

Here are two sample pages that cause the crash on my 
machine:
== login.php ==
<?
        session_start();
        session_register("isloggedin");        // PHP 4 style: bind the global to the session
        $HTTP_SESSION_VARS["isloggedin"] = 0;  // terminating ';' was missing
?>
<html>
<body>
You are logged in.<br/>
<a href="logout.php">Click here</a> to log-out.<br/>
</body>
</html>
== CUT ==
== logout.php ==
<?
        session_unregister("isloggedin");      // remove the variable from the session hash
        session_destroy();                     // drop the session data on the server
?>
<html>
<body>
You are now logged - out.
<a href="login.php">Click here</a> to log-in again. <br/>
<?= session_id() ?><br/>
</body>
</html>
== CUT ==
I also made some small changes to my php.ini file, 
starting with php.ini-recommended. Here is the output of 
diff php.ini-recommended php.ini:
683c683
< session.save_path = /tmp
---
> session.save_path = /tmp/phpsess
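Review bot: the new session.save_path directory /tmp/phpsess has to exist and be writable by the user Apache runs as before session_start() can store anything in it; if it does not, sessions silently fail to persist, which is a separate problem from the session_unregister crash in the backtrace and worth ruling out first. Keeping session files out of the shared /tmp is otherwise a sensible change.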
690c690
< session.name = PHPSESSID
---
> session.name = POSSUMSESSID
== CUT ==
Hope this helps,

Charlie Dyson - [EMAIL PROTECTED]



------------------------------------------------------------------------

[2002-01-13 20:25:01] [EMAIL PROTECTED]

Looks like this is a session module problem (session_unregister).
Could you make a short & complete script that causes this segfault?

------------------------------------------------------------------------

[2002-01-13 17:10:38] [EMAIL PROTECTED]

Hi,
I've just installed the latest version of PHP, with apache 1.3.22, and
I have found what may be a serious seg-fault bug. I have made a
backtrace. I don't know anything about PHP's internals, so you'll have
to figure out what went wrong for yourself (sorry). My config line is:

 './configure' '--with-apxs=/opt/apache/bin/apxs' '--enable-bcmath'
'--with-bz2' '--enable-calendar' '--enable-ftp' '--with-gd'
'--with-pspell' '--with-pgsql=/opt/postgres' '--enable-trans-sid'
'--without-mysql' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib'
'--with-zlib-dir=/usr/lib' '--prefix=/opt/php'
(Sorry it's so long, I will try and reproduce the bug with less of this
stuff).
I can get you the core if you want it. The bug is reproducible - I was
just running a few sample pages to test it out, they can't be more than
1 or 2k, so I could send you them. It seems to happen when I go back
and forth between the same two pages (a login one and a logout one -
also, the log-out does not work properly if cookies are enabled. Any
ideas?) Also, I made a few (generally minor) modifications to php.ini -
I will send a copy or a diff if necessary. Here's the output from gdb -
I checked the value of a few variables as well, in case it helps.

Bear in mind that I don't understand PHP's internals at all. Note that
nIndex was 539567104 the second time I did this. It would seem that
arBuckets (again, I don't know what this is) references an area of
memory the program didn't allocate itself, which causes the segfault.

Program received signal SIGSEGV, Segmentation fault.
0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
484             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
#1  0x4024f14a in zif_session_unregister (ht=1, return_value=0x8108e7c,
    this_ptr=0x0, return_value_used=0) at session.c:1201
#2  0x401f32c9 in execute (op_array=0x8103a6c) at ./zend_execute.c:1590
#3  0x402024b3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:814
#4  0x40211456 in php_execute_script (primary_file=0xbffff008) at main.c:1307
#5  0x4020ce2e in apache_php_module_main (r=0x80f9eb4, display_source_mode=0)
    at sapi_apache.c:90
#6  0x4020d9ef in send_php (r=0x80f9eb4, display_source_mode=0, filename=0x0)
    at mod_php4.c:575
#7  0x4020da53 in send_parsed_php (r=0x80f9eb4) at mod_php4.c:590
#8  0x806c409 in ap_invoke_handler ()
#9  0x8081e7f in process_request_internal ()
#10 0x8081ef2 in ap_process_request ()
#11 0x8078ab6 in child_main ()
#12 0x8078c75 in make_child ()
#13 0x8078df6 in startup_children ()
#14 0x807949d in standalone_main ()
#15 0x8079cfc in main ()
#16 0x400b9c6f in __libc_start_main () from /lib/libc.so.6
(gdb) list
479                     HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, arKey, nKeyLength, idx, HASH_DEL_INDEX));
480                     h = zend_inline_hash_func(arKey, nKeyLength);
481             }
482             nIndex = h & ht->nTableMask;
483
484             p = ht->arBuckets[nIndex];
485             while (p != NULL) {
486                     if ((p->h == h) && ((p->nKeyLength == 0) || /* Numeric index */
487                             ((p->nKeyLength == nKeyLength) && (!memcmp(p->arKey, arKey, nKeyLength))))) {
488                             HANDLE_BLOCK_INTERRUPTIONS();
(gdb) p ht
$1 = (HashTable *) 0x810958c
(gdb) p nIndex
$2 = 0

Good luck figuring this out! Also, apologies for bad spelling (feature
request: spell check on bug form)

Thanks in advance,

Charlie Dyson - [EMAIL PROTECTED]
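An added example, not code from this thread or from PHP itself: a minimal chained hash table that reuses the field names of the HashTable dumped above (arBuckets, nTableMask, inconsistent) and shows the check a debug build can make in the delete path so that a table whose arBuckets has already been freed is refused rather than dereferenced, which is the read that faults at zend_hash.c:484. The struct layout, the djb2 hash, the HT_* values and the demo() sequence are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
enum { HT_OK = 0, HT_DESTROYED = 1, TABLE_SIZE = 8 };   /* nTableSize 8 / nTableMask 7 as in the dump */
/* Bucket chain as in Zend: h is the hash of arKey; nKeyLength counts the NUL, PHP 4 style. */
typedef struct Bucket { unsigned long h; const char *arKey; size_t nKeyLength; struct Bucket *pNext; } Bucket;
/* inconsistent is HT_OK while the table is live and HT_DESTROYED once arBuckets has been freed. */
typedef struct { unsigned int nTableMask; Bucket **arBuckets; int inconsistent; } HashTable;
static unsigned long hash_key(const char *k, size_t n) {   /* djb2, standing in for zend_inline_hash_func */
    unsigned long h = 5381; while (n--) h = h * 33 + (unsigned char)*k++; return h;
}
int ht_init(HashTable *ht) {
    if (!(ht->arBuckets = calloc(TABLE_SIZE, sizeof(Bucket *)))) return -1;
    ht->nTableMask = TABLE_SIZE - 1; ht->inconsistent = HT_OK;
    return 0;
}
int ht_add(HashTable *ht, const char *key) {
    Bucket *p = ht->inconsistent == HT_OK ? malloc(sizeof *p) : NULL;   /* refuse a destroyed table */
    if (!p) return -1;
    p->arKey = key; p->nKeyLength = strlen(key) + 1; p->h = hash_key(key, p->nKeyLength);
    p->pNext = ht->arBuckets[p->h & ht->nTableMask];   /* push onto the head of the chain */
    ht->arBuckets[p->h & ht->nTableMask] = p;
    return 0;
}
/* Same walk as zend_hash_del_key_or_index at zend_hash.c:484, except that a destroyed table
   is refused before ht->arBuckets[nIndex] is read. Returns 0 deleted, 1 absent, -1 refused. */
int ht_del(HashTable *ht, const char *key) {
    if (ht->inconsistent != HT_OK) return -1;
    size_t n = strlen(key) + 1; unsigned long h = hash_key(key, n);
    for (Bucket **pp = &ht->arBuckets[h & ht->nTableMask]; *pp; pp = &(*pp)->pNext)
        if ((*pp)->h == h && (*pp)->nKeyLength == n && !memcmp((*pp)->arKey, key, n)) {
            Bucket *p = *pp; *pp = p->pNext; free(p);
            return 0;
        }
    return 1;
}
void ht_destroy(HashTable *ht) {
    for (unsigned int i = 0; i <= ht->nTableMask; i++)
        for (Bucket *p = ht->arBuckets[i], *nx = NULL; p; p = nx) { nx = p->pNext; free(p); }
    free(ht->arBuckets);
    ht->arBuckets = NULL;            /* the Tru64 dump shows stale 0x5a.. pointers, not NULLs, */
    ht->inconsistent = HT_DESTROYED; /* so ht_del trusts this flag rather than the pointer */
}
/* logout.php's unregister replayed on a table that is already gone: refused, not a segfault. */
int demo(void) {
    HashTable ht;
    if (ht_init(&ht) < 0 || ht_add(&ht, "isloggedin") < 0) return -2;
    if (ht_del(&ht, "isloggedin") != 0 || ht_del(&ht, "isloggedin") != 1) return -3;  /* live table */
    ht_add(&ht, "isloggedin"); ht_destroy(&ht);
    return ht_del(&ht, "isloggedin");   /* -1 */
}
```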


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=15020&edit=1
