From: per at computer dot org
Operating system: linux, kernel 2.4.24
PHP version: 4.3.4
PHP Bug Type: Reproducible crash
Bug description: referencing an unset global produces a segfault
Description:
------------
Hi, I've got a situation where a seemingly innocent statement produces a segfault. I've tried reducing it to a single reproducible testcase, but without success. The problem is however solidly reproducible in the context in which it occurs. I'm certain it is caused by a mistake in my code, but I feel it isn't exactly appropriate for php to segfault because of a user error?

Very briefly, this is an excerpt where the segfault occurs:

    <h2><?php print $_SESSION['customers'][$customer]; ?></h2>
    <?php
    $q="<longish SELECT query>";
    $result=mysql_query( $q ) or die("mysql:".mysql_error());
    $main_address=mysql_fetch_array( $result, MYSQL_ASSOC );

    $q="<longish SELECT query>";
    $result=mysql_query( $q ) or die(mysql_error());
    $billing_address=mysql_fetch_array( $result, MYSQL_ASSOC );

    $q="<longish SELECT query>";
    $result=mysql_query( $q ) or die(mysql_error());
    $technical_address=mysql_fetch_array( $result, MYSQL_ASSOC );

    $editmain=strcasecmp($_REQUEST['contact'],"main")==0;
    // $editbilling=strcasecmp($_REQUEST['contact'],"billing")==0;
    // $edittechnical=strcasecmp($_REQUEST['contact'],"technical")==0;
    ?>

If I uncomment either of the last 2 commented-out statements, I get a segfault. I'm using php 4.3.4 and apache 2.0.49 on linux 2.4.24. mysql is 4.0.15.

-------

OK, I've now guarded the above with:

    if ( isset($_REQUEST['contact']) ) {
        $editmain=strcmp($_REQUEST['contact'],"main")==0;
        $editbilling=strcmp($_REQUEST['contact'],"billing")==0;
        $edittechnical=strcasecmp($_REQUEST['contact'],"technical")==0;
    }

and the segfault is gone. Still, a segfault just because I'm using an unset global? And why only on the 2nd or later statement?

Actual result:
--------------
(gdb) run -X -f /etc/httpd/httpd.conf
Starting program: /usr/bin/httpd -X -f /etc/httpd/httpd.conf
[New Thread 16384 (LWP 9121)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 9121)]
0x40576622 in zend_get_executed_lineno () at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend_execute_API.c:271
271         return active_opline->lineno;
(gdb) bt
#0  0x40576622 in zend_get_executed_lineno () at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend_execute_API.c:271
#1  0x4057ec6d in zend_error (type=8, format=0x40706ea3 "Undefined index: %s") at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend.c:731
#2  0x405914a0 in zend_fetch_dimension_address_inner (ht=0x81d4bf4, op2=0x821ed34, Ts=0xbfffb34c, type=0) at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend_execute.c:636
#3  0x4058a5f0 in zend_fetch_dimension_address (result=0x821ed14, op1=0x81d4bd4, op2=0x821ed34, Ts=0xbfffb34c, type=0) at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend_execute.c:787
#4  0x4058f7fe in execute (op_array=0x81d4f2c) at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend_execute.c:1283
#5  0x4057edbb in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/packages/SOURCES/php-4.3.4/Zend/zend.c:884
#6  0x40552f3f in php_execute_script (primary_file=0xbffff3d0) at /usr/src/packages/SOURCES/php-4.3.4/main/main.c:1729
#7  0x405923b8 in php_handler (r=0x81ef8f8) at /usr/src/packages/SOURCES/php-4.3.4/sapi/apache2handler/sapi_apache2.c:537
#8  0x08092d85 in ap_run_handler (r=0x81ef8f8) at config.c:151
#9  0x08093390 in ap_invoke_handler (r=0x81ef8f8) at config.c:358
#10 0x08076edb in ap_process_request (r=0x81ef8f8) at http_request.c:246
#11 0x0807239d in ap_process_http_connection (c=0x81b5000) at http_core.c:250
#12 0x0809de25 in ap_run_process_connection (c=0x81b5000) at connection.c:42
#13 0x08091384 in child_main (child_num_arg=0) at prefork.c:609
#14 0x0809159b in make_child (s=0x0, slot=0) at prefork.c:649
#15 0x080915f8 in startup_children (number_to_start=5) at prefork.c:721
#16 0x08091e6a in ap_mpm_run (_pconf=0x80d6310, plog=0x8116410, s=0x80d9dd0) at prefork.c:940
#17 0x080983bd in main (argc=4, argv=0xbffff744) at main.c:617

-- Edit bug
report at http://bugs.php.net/?id=28006&edit=1
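The crash above is reached through the "Undefined index" notice raised when $_REQUEST['contact'] is missing. As an added example (not part of the bug report or of PHP itself), the following generalises the reporter's isset() workaround into a helper that never touches an undefined index and only accepts the three contact types the page uses; selected_contact() and the sample request arrays are constructed for illustration, and the request array is passed in so the code runs without a live web request.

```php
<?php
// Added example, not code from the bug report: read the 'contact'
// request parameter without ever indexing a key that may be absent,
// which is what triggered the "Undefined index" notice in the report.
// The request array is a parameter so a constructed array can stand
// in for $_REQUEST when run from the command line.
function selected_contact($request, $default = 'main')
{
    // Only these three values mean anything to the page (allowlist).
    $allowed = array('main', 'billing', 'technical');

    // isset() is safe on a missing key and also rejects a null value;
    // is_string() rejects array-valued parameters such as contact[]=x.
    if (!isset($request['contact']) || !is_string($request['contact'])) {
        return $default;
    }

    // Case-insensitive match, equivalent to the strcasecmp() in the report.
    $contact = strtolower($request['contact']);
    return in_array($contact, $allowed, true) ? $contact : $default;
}

// Constructed sample requests; the first is the missing-key case from the report.
$samples = array(
    array(),                             // no 'contact' parameter at all
    array('contact' => 'Billing'),       // case differs from the allowlist entry
    array('contact' => 'admin'),         // not a known contact type
    array('contact' => array('main')),   // array-valued parameter
);

foreach ($samples as $request) {
    $contact       = selected_contact($request);
    $editmain      = ($contact == 'main');
    $editbilling   = ($contact == 'billing');
    $edittechnical = ($contact == 'technical');
    echo 'contact=' . $contact
       . ' main=' . (int)$editmain
       . ' billing=' . (int)$editbilling
       . ' technical=' . (int)$edittechnical . "\n";
}
?>
```

Because every branch returns a value from the allowlist, the three $edit* flags are always defined and exactly one of them is true, regardless of what the client sent.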