From:             [EMAIL PROTECTED]
Operating system: Linux (SuSE 7.2)
PHP version:      4.1.1
PHP Bug Type:     Reproducible crash
Bug description:  Segfault - something to do with arBuckets

Hi,
I've just installed the latest version of PHP, with Apache 1.3.22, and I
have found what may be a serious seg-fault bug. I have made a backtrace. I
don't know anything about PHP's internals, so you'll have to figure out
what went wrong for yourself (sorry). My config line is:

 './configure' '--with-apxs=/opt/apache/bin/apxs' '--enable-bcmath'
'--with-bz2' '--enable-calendar' '--enable-ftp' '--with-gd'
'--with-pspell' '--with-pgsql=/opt/postgres' '--enable-trans-sid'
'--without-mysql' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib'
'--with-zlib-dir=/usr/lib' '--prefix=/opt/php'
(Sorry it's so long, I will try and reproduce the bug with less of this
stuff).
I can get you the core if you want it. The bug is reproducible - I was
just running a few sample pages to test it out, they can't be more than 1
or 2k, so I could send you them. It seems to happen when I go back and
forth between the same two pages (a login one and a logout one - also, the
log-out does not work properly if cookies are enabled. Any ideas?) Also, I
made a few (generally minor) modifications to php.ini - I will send a copy
or a diff if necessary. Here's the output from gdb - I checked the value
of a few variables as well, in case it helps.

Bear in mind that I don't understand PHP's internals at all. Note that
nIndex was 539567104 the second time I did this. It would seem that
arBuckets (again, I don't know what this is) references an area of memory
the program didn't allocate itself, which causes the segfault.

Program received signal SIGSEGV, Segmentation fault.
0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
484             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
#1  0x4024f14a in zif_session_unregister (ht=1, return_value=0x8108e7c,
    this_ptr=0x0, return_value_used=0) at session.c:1201
#2  0x401f32c9 in execute (op_array=0x8103a6c) at ./zend_execute.c:1590
#3  0x402024b3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:814
#4  0x40211456 in php_execute_script (primary_file=0xbffff008) at
main.c:1307
#5  0x4020ce2e in apache_php_module_main (r=0x80f9eb4,
display_source_mode=0)
    at sapi_apache.c:90
#6  0x4020d9ef in send_php (r=0x80f9eb4, display_source_mode=0,
filename=0x0)
    at mod_php4.c:575
#7  0x4020da53 in send_parsed_php (r=0x80f9eb4) at mod_php4.c:590
#8  0x806c409 in ap_invoke_handler ()
#9  0x8081e7f in process_request_internal ()
#10 0x8081ef2 in ap_process_request ()
#11 0x8078ab6 in child_main ()
#12 0x8078c75 in make_child ()
#13 0x8078df6 in startup_children ()
#14 0x807949d in standalone_main ()
#15 0x8079cfc in main ()
#16 0x400b9c6f in __libc_start_main () from /lib/libc.so.6
(gdb) list
479                     HANDLE_NUMERIC(arKey, nKeyLength,
zend_hash_del_key_or_index(ht, arKey, nKeyLength, idx, HASH_DEL_INDEX));
480                     h = zend_inline_hash_func(arKey, nKeyLength);
481             }
482             nIndex = h & ht->nTableMask;
483
484             p = ht->arBuckets[nIndex];
485             while (p != NULL) {
486                     if ((p->h == h) && ((p->nKeyLength == 0) || /*
Numeric index */
487                             ((p->nKeyLength == nKeyLength) &&
(!memcmp(p->arKey, arKey, nKeyLength))))) {
488                             HANDLE_BLOCK_INTERRUPTIONS();
(gdb) p ht
$1 = (HashTable *) 0x810958c
(gdb) p nIndex
$2 = 0

Good luck figuring this out! Also, apologies for bad spelling (feature
request: spell check on bug form)

Thanks in advance,

Charlie Dyson - [EMAIL PROTECTED]

-- 
Edit bug report at: http://bugs.php.net/?id=15020&edit=1

