#24659 [Ver]: Crash due to some internal memory corruption (?)

sniper Thu, 17 Jul 2003 22:34:58 -0700

 ID:               24659
 Updated by:       [EMAIL PROTECTED]
 Reported By:      fujimura at wakhok dot ac dot jp
 Status:           Verified
 Bug Type:         Zend Engine 2 problem
 Operating System: Linux kernel-2.4.21
 PHP Version:      5.0.0b2-dev
 New Comment:


The second script crashes much earlier:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x40425fde in zend_hash_add_or_update (ht=0x80ded04, arKey=0x80ded24
"\\sA@", nKeyLength=7, pData=0x0, nDataSize=4, 
    pDest=0xbfffcd54, flag=1) at
/usr/src/web/php/php5/Zend/zend_hash.c:238
238             INIT_DATA(ht, p, pData, nDataSize);
(gdb) bt
#0  0x40425fde in zend_hash_add_or_update (ht=0x80ded04,
arKey=0x80ded24 "\\sA@", nKeyLength=7, pData=0x0, 
    nDataSize=4, pDest=0xbfffcd54, flag=1) at
/usr/src/web/php/php5/Zend/zend_hash.c:238
#1  0x404271f4 in zend_hash_copy (target=0x80ded04, source=0x80de7e4,
pCopyConstructor=0x4041fce4 <zval_add_ref>, 
    tmp=0xbfffcda4, size=4) at
/usr/src/web/php/php5/Zend/zend_hash.c:750
#2  0x4041fde6 in _zval_copy_ctor (zvalue=0x80f160c) at
/usr/src/web/php/php5/Zend/zend_variables.c:124
#3  0x4042b068 in zif_set_exception_handler (ht=1,
return_value=0x80f160c, this_ptr=0x0, return_value_used=0)
    at /usr/src/web/php/php5/Zend/zend_builtin_functions.c:1017
#4  0x40451d4f in zend_do_fcall_common_helper (execute_data=0xbfffcf5c,
op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2634
#5  0x404523f4 in zend_do_fcall_handler (execute_data=0xbfffcf5c,
op_array=0x80ea62c)
    at /usr/src/web/php/php5/Zend/zend_execute.c:2763
#6  0x4043a7ee in execute (op_array=0x80ea62c) at
/usr/src/web/php/php5/Zend/zend_execute.c:1194
#7  0x4042190f in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1017
#8  0x403ef2c5 in php_execute_script (primary_file=0xbffff288) at
/usr/src/web/php/php5/main/main.c:1695
#9  0x4045c07e in apache_php_module_main (r=0x81bf684,
display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:54
#10 0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0,
filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#11 0x4045cd6a in send_parsed_php (r=0x81bf684) at
/usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#12 0x8054f09 in ap_invoke_handler ()
#13 0x806b0cf in process_request_internal ()
#14 0x806b13a in ap_process_request ()
#15 0x8061916 in child_main ()
#16 0x8061af5 in make_child ()
#17 0x8061c76 in startup_children ()
#18 0x806230d in standalone_main ()
#19 0x8062b9c in main ()
#20 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3,
argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>,
stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92



Previous Comments:
------------------------------------------------------------------------

[2003-07-18 00:34:39] [EMAIL PROTECTED]

The first script (that xml thing) does this after some reloads:

Warning: xml_set_default_handler(): supplied resource is not a valid
XML Parser resource in /www/apache-1.3.27/htdocs/exep.php on line 13

Warning: xml_parser_free(): supplied resource is not a valid XML Parser
resource in /www/apache-1.3.27/htdocs/exep.php on line 15

Warning: Unknown list entry type in request shutdown (135138372) in
Unknown on line 0

Given enough requests, (ab -n 1000 http://localhost/bug24658_a.php), it
crashes:


[Switching to Thread 1024 (runnable)]
0x4042e1fd in zend_objects_destroy_object (object=0x80e907c, handle=1)
at /usr/src/web/php/php5/Zend/zend_objects.c:36
36              zend_function *destructor = object->ce->destructor;
(gdb) bt
#0  0x4042e1fd in zend_objects_destroy_object (object=0x80e907c,
handle=1)
    at /usr/src/web/php/php5/Zend/zend_objects.c:36
#1  0x40430855 in zend_objects_store_del_ref (zobject=0x80e0f9c) at
/usr/src/web/php/php5/Zend/zend_objects_API.c:142
#2  0x4041fccc in _zval_dtor (zvalue=0x80e0f9c) at
/usr/src/web/php/php5/Zend/zend_variables.c:61
#3  0x40417389 in _zval_ptr_dtor (zval_ptr=0x80ecff0) at
/usr/src/web/php/php5/Zend/zend_execute_API.c:344
#4  0x40426be8 in zend_hash_destroy (ht=0x404a6990) at
/usr/src/web/php/php5/Zend/zend_hash.c:509
#5  0x40416f55 in shutdown_executor () at
/usr/src/web/php/php5/Zend/zend_execute_API.c:211
#6  0x40421257 in zend_deactivate () at
/usr/src/web/php/php5/Zend/zend.c:795
#7  0x403ee8e6 in php_request_shutdown (dummy=0x0) at
/usr/src/web/php/php5/main/main.c:1174
#8  0x4045c0d5 in apache_php_module_main (r=0x81bf684,
display_source_mode=0)
    at /usr/src/web/php/php5/sapi/apache/sapi_apache.c:60
#9  0x4045cd00 in send_php (r=0x81bf684, display_source_mode=0,
filename=0x0)
    at /usr/src/web/php/php5/sapi/apache/mod_php5.c:621
#10 0x4045cd6a in send_parsed_php (r=0x81bf684) at
/usr/src/web/php/php5/sapi/apache/mod_php5.c:636
#11 0x8054f09 in ap_invoke_handler ()
#12 0x806b0cf in process_request_internal ()
#13 0x806b13a in ap_process_request ()
#14 0x8061916 in child_main ()
#15 0x8061af5 in make_child ()
#16 0x8061c76 in startup_children ()
#17 0x806230d in standalone_main ()
#18 0x8062b9c in main ()
#19 0x4016c9cb in __libc_start_main (main=0x80627d8 <main>, argc=3,
argv=0xbffff6b4, init=0x804ed2c <_init>, 
    fini=0x8082e64 <_fini>, rtld_fini=0x4000aea0 <_dl_fini>,
stack_end=0xbffff6ac)
    at ../sysdeps/generic/libc-start.c:92



------------------------------------------------------------------------

[2003-07-16 20:56:28] fujimura at wakhok dot ac dot jp

> Backtrace is useless as long as you don't have
> --enable-debug in your configure line. 
Okay, I rebuilt PHP with --enable-debug, but this bug did not
reproduce.
And next, I did again without --enable-debug, this bug reproduced.
I have discovered that set_exception_handler() causes this one too.
<?php
    set_exception_handler("test_func");
    function test_func($exception) {
        var_dump($exception);
        exit;
    }
    throw new Exception();
    print "A";
?>

I cannot understand. The debug codes of Zend causes with this?
What can I do?

> Also include the full configure line you used.
./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-short-tags \
--enable-versioning \
--enable-mbstring \
--enable-mbregex \
--enable-dom \
--with-iconv \
--with-xsl \
--with-openssl \
--with-zlib \
--with-bz2
...and --enable-debug

------------------------------------------------------------------------

[2003-07-16 03:54:01] [EMAIL PROTECTED]

Backtrace is useless as long as you don't have
--enable-debug in your configure line. 
So add it, and put new backtrace here.

Also include the full configure line you used.


------------------------------------------------------------------------

[2003-07-15 04:16:58] fujimura at wakhok dot ac dot jp

-$parser AND die;
+$parser OR die;

;-)

------------------------------------------------------------------------

[2003-07-15 04:15:16] fujimura at wakhok dot ac dot jp

Description:
------------
The following code crashes(segmentation fault, and empty output) at a
whim.
But it does not reproduce when php invoked as CLI.


Reproduce code:
---------------
<?php

class MyHandler {
    public function test($parser, $data) {
        print $data;
    }
}

$parser = xml_parser_create();
$parser AND die;

$handler = new MyHandler();

xml_set_default_handler($parser, array($handler, "test"));

xml_parser_free($parser);

?>

Expected result:
----------------
Nothing.

Actual result:
--------------
SIGSEGV logged to error_log.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=24659&edit=1

#24659 [Ver]: Crash due to some internal memory corruption (?)

Reply via email to