#32252 [Asn]: Segfault when offsetSet throws an Exception (only without debug)
ID:               32252
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
Status:           Assigned
Bug Type:         Zend Engine 2 problem
Operating System: *
PHP Version:      5.*
Assigned To:      helly

New Comment:

Tested with the latest snapshot (200505110630) on Windows XP, and it is still crashing.

Previous Comments:

[2005-05-03 14:55:02] [EMAIL PROTECTED]

Runs in php 5.1 now.

[2005-03-13 19:22:42] [EMAIL PROTECTED]

Related to http://bugs.php.net/30346

[2005-03-09 15:13:34] [EMAIL PROTECTED]

The first problem here is that the negative key results in incompletely initialized zvals internally *before* even calling offsetSet().

[2005-03-09 14:38:38] shulmanb at il dot ibm dot com

Description:
In some cases, when offsetSet throws an exception a segfault occurs. This does not happen when compiled with --enable-debug. Note that if the index passed to $list is positive or a string, no segfault occurs.

Reproduce code:
---
<?php
class a implements ArrayAccess {
    function offsetExists ($offset) {
        return false;
    }
    function offsetGet ($offset) {
        return null;
    }
    function offsetSet ($offset, $value) {
        throw new Exception ("Ooops");
    }
    function offsetUnset ($offset) {}
}

function test() {
    $list = new a();
    try {
        $list[-1] = 123; // negative integer offset; offsetSet() throws
    } catch (Exception $e) {
    }
    return true;
}

print test();

Expected result:
The output should be "1".

Actual result:
--
Segmentation fault. The stack trace reported in Visual Studio, using the latest snapshot and debug pack is:

php5ts.dll!shutdown_memory_manager(int silent=0, int full_shutdown=0, void * * * tsrm_ls=0x00364b38) Line 490 + 0xb C
php5ts.dll!php_request_shutdown(void * dummy=0x) Line 1225 + 0x2fC
msvcrt.dll!77c37bbe()
user32.dll!77d5f160()

#32252 [Fbk->Opn]: Segfault when offsetSet throws an Exception (only without debug)
ID:               32252
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Zend Engine 2 problem
Operating System: *
PHP Version:      5.*
Assigned To:      helly

New Comment:

Works fine on Linux. Still crashes on Windows, even using the snapshot you provided.

Previous Comments:

[2005-05-14 12:40:38] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php5-STABLE-latest.tar.gz

For Windows:
http://snaps.php.net/win32/php5.0-win32-latest.zip

Can't reproduce it on Linux with latest CVS of 5.0 & 5.1 without debug. Make sure that you're trying the right binary.

[2005-05-11 11:44:10] shulmanb at il dot ibm dot com

Tested with the latest snapshot (200505110630) on Windows XP, and it is still crashing.

[2005-05-03 14:55:02] [EMAIL PROTECTED]

Runs in php 5.1 now.

[2005-03-13 19:22:42] [EMAIL PROTECTED]

Related to http://bugs.php.net/30346

[2005-03-09 15:13:34] [EMAIL PROTECTED]

The first problem here is that the negative key results in incompletely initialized zvals internally *before* even calling offsetSet().

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/32252

#32252 [NEW]: Segfault when offsetSet throws an Exception (only without debug)
From:             shulmanb at il dot ibm dot com
Operating system: Windows XP
PHP version:      5CVS-2005-03-09 (dev)
PHP Bug Type:     Zend Engine 2 problem
Bug description:  Segfault when offsetSet throws an Exception (only without debug)

Description:
In some cases, when offsetSet throws an exception a segfault occurs. This does not happen when compiled with --enable-debug. Note that if the index passed to $list is positive or a string, no segfault occurs.

Reproduce code:
---
<?php
class a implements ArrayAccess {
    function offsetExists ($offset) {
        return false;
    }
    function offsetGet ($offset) {
        return null;
    }
    function offsetSet ($offset, $value) {
        throw new Exception ("Ooops");
    }
    function offsetUnset ($offset) {}
}

function test() {
    $list = new a();
    try {
        $list[-1] = 123; // negative integer offset; offsetSet() throws
    } catch (Exception $e) {
    }
    return true;
}

print test();

Expected result:
The output should be "1".

Actual result:
--
Segmentation fault. The stack trace reported in Visual Studio, using the latest snapshot and debug pack is:

php5ts.dll!shutdown_memory_manager(int silent=0, int full_shutdown=0, void * * * tsrm_ls=0x00364b38) Line 490 + 0xb C
php5ts.dll!php_request_shutdown(void * dummy=0x) Line 1225 + 0x2fC
msvcrt.dll!77c37bbe()
user32.dll!77d5f160()

#32254 [NEW]: Nested try-catch blocks may cause segfault
From:             shulmanb at il dot ibm dot com
Operating system: Linux
PHP version:      5CVS-2005-03-09 (dev)
PHP Bug Type:     Zend Engine 2 problem
Bug description:  Nested try-catch blocks may cause segfault

Description:
When compiled with --enable-maintainer-zts, having nested try-catch blocks may cause segfaults in some cases. In the following code fragment, commenting out the outer try-catch block solves the segfault. This DOES NOT HAPPEN when compiled with debug symbols. This may be related to bug #32252 (for instance, if the index to $list is positive, crash does not occur).

Reproduce code:
---
<?php
class a implements ArrayAccess {
    function offsetExists ($offset) {
        return false;
    }
    function offsetGet ($offset) {
        return null;
    }
    function offsetSet ($offset, $value) {
        throw new Exception ("Oops");
    }
    function offsetUnset ($offset) {
    }
}

function test () {
    try {
        $list = new a();
        $caught = 0;
        try {
            $list[-1] = 123; // negative integer offset; offsetSet() throws
        } catch (Exception $e) {
            $caught = 1;
        }
        if (!$caught) return false;
        return true;
    } catch (Exception $e) {
        return false;
    }
}

print test();

Expected result:
The output should be "1"

Actual result:
--
Segmentation fault. PHP was compiled without debug symbols.
The stack trace provided by gdb was:

#0 0x08184ecd in zend_hash_destroy (ht=0x8c579c08) at /root/php-5.0.3/Zend/zend_hash.c:524

#32254 [Fbk->Opn]: Nested try-catch blocks may cause segfault
ID:               32254
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Zend Engine 2 problem
Operating System: Linux
PHP Version:      5CVS-2005-03-09 (dev)

New Comment:

Latest snapshot does not cause a segfault on Linux. However, the probably related bug #32252 still happens on Windows with latest snapshot, so it's probable that memory corruption still occurs.

Previous Comments:

[2005-03-09 21:45:39] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php5-STABLE-latest.tar.gz

For Windows:
http://snaps.php.net/win32/php5.0-win32-latest.zip

Works fine here.

[2005-03-09 14:52:58] shulmanb at il dot ibm dot com

Description:
When compiled with --enable-maintainer-zts, having nested try-catch blocks may cause segfaults in some cases. In the following code fragment, commenting out the outer try-catch block solves the segfault. This DOES NOT HAPPEN when compiled with debug symbols. This may be related to bug #32252 (for instance, if the index to $list is positive, crash does not occur).

Reproduce code:
---
<?php
class a implements ArrayAccess {
    function offsetExists ($offset) {
        return false;
    }
    function offsetGet ($offset) {
        return null;
    }
    function offsetSet ($offset, $value) {
        throw new Exception ("Oops");
    }
    function offsetUnset ($offset) {
    }
}

function test () {
    try {
        $list = new a();
        $caught = 0;
        try {
            $list[-1] = 123; // negative integer offset; offsetSet() throws
        } catch (Exception $e) {
            $caught = 1;
        }
        if (!$caught) return false;
        return true;
    } catch (Exception $e) {
        return false;
    }
}

print test();

Expected result:
The output should be "1"

Actual result:
--
Segmentation fault. PHP was compiled without debug symbols.
The stack trace provided by gdb was:

#0 0x08184ecd in zend_hash_destroy (ht=0x8c579c08) at /root/php-5.0.3/Zend/zend_hash.c:524

#35243 [NEW]: Crashes in php_mblen when compiled with thread-safety on Linux
From:             shulmanb at il dot ibm dot com
Operating system: Linux
PHP version:      5.0.5
PHP Bug Type:     Scripting Engine problem
Bug description:  Crashes in php_mblen when compiled with thread-safety on Linux

Description:
When running on Linux with --enable-maintainer-zts (and yes, I know it's not wise...), crashes sometimes happen in ext/standard/php_string.h when using the php_mblen macro.

This happens because in ext/standard/basic_functions.c, in the basic_globals_ctor function, the value of mblen_state is not initialized. The basic_globals_ctor function should include the following lines as part of the initialization:

#if defined(_REENTRANT)&&defined(HAVE_MBRLEN)&&defined(HAVE_MBSTATE_T)
    memset(&BG(mblen_state), 0, sizeof(BG(mblen_state)));
#endif

Unfortunately, I am unable to include code that demonstrates this, as the crash strongly depends on the (random) value of mblen_state.

#35243 [Fbk->Opn]: Crashes in php_mblen when compiled with thread-safety on Linux
ID:               35243
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Scripting Engine problem
Operating System: Linux
PHP Version:      5.0.5

New Comment:

It still is a problem with the latest snapshot.
Since I don't have a server where I can host the diff file, please let me know whether you want me to put it here (12 lines, which will probably end up truncated), or mail it to you. Please let me know what you prefer.

Previous Comments:

[2005-11-16 18:18:33] [EMAIL PROTECTED]

And if it's still a problem, provide the patch in unified diff format.

[2005-11-16 18:18:10] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz

For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip

[2005-11-16 16:07:01] shulmanb at il dot ibm dot com

Description:
When running on Linux with --enable-maintainer-zts (and yes, I know it's not wise...), crashes sometimes happen in ext/standard/php_string.h when using the php_mblen macro.

This happens because in ext/standard/basic_functions.c, in the basic_globals_ctor function, the value of mblen_state is not initialized. The basic_globals_ctor function should include the following lines as part of the initialization:

#if defined(_REENTRANT)&&defined(HAVE_MBRLEN)&&defined(HAVE_MBSTATE_T)
    memset(&BG(mblen_state), 0, sizeof(BG(mblen_state)));
#endif

Unfortunately, I am unable to include code that demonstrates this, as the crash strongly depends on the (random) value of mblen_state.

#35243 [Fbk->Opn]: Crashes in php_mblen when compiled with thread-safety on Linux
ID:               35243
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Scripting Engine problem
Operating System: Linux
PHP Version:      5.0.5

New Comment:

Done. Can be found at: http://news.php.net/php.internals/20164

Previous Comments:

[2005-11-17 09:39:15] [EMAIL PROTECTED]

How about mailing it to internals@lists.php.net ?

[2005-11-17 08:14:06] shulmanb at il dot ibm dot com

It still is a problem with the latest snapshot.
Since I don't have a server where I can host the diff file, please let me know whether you want me to put it here (12 lines, which will probably end up truncated), or mail it to you. Please let me know what you prefer.

[2005-11-16 18:18:33] [EMAIL PROTECTED]

And if it's still a problem, provide the patch in unified diff format.

[2005-11-16 18:18:10] [EMAIL PROTECTED]

Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz

For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip

[2005-11-16 16:07:01] shulmanb at il dot ibm dot com

Description:
When running on Linux with --enable-maintainer-zts (and yes, I know it's not wise...), crashes sometimes happen in ext/standard/php_string.h when using the php_mblen macro.

This happens because in ext/standard/basic_functions.c, in the basic_globals_ctor function, the value of mblen_state is not initialized. The basic_globals_ctor function should include the following lines as part of the initialization:

#if defined(_REENTRANT)&&defined(HAVE_MBRLEN)&&defined(HAVE_MBSTATE_T)
    memset(&BG(mblen_state), 0, sizeof(BG(mblen_state)));
#endif

Unfortunately, I am unable to include code that demonstrates this, as the crash strongly depends on the (random) value of mblen_state.

#35243 [Csd]: Crashes in php_mblen when compiled with thread-safety on Linux
ID:               35243
User updated by:  shulmanb at il dot ibm dot com
Reported By:      shulmanb at il dot ibm dot com
Status:           Closed
Bug Type:         *General Issues
Operating System: Linux
PHP Version:      5CVS-2005-11-19 (snap)

New Comment:

Thanks for including the fix.
From what I've seen, it has been included in HEAD, and in 5.1.x. Any chance of it being included in 5.0.x as well?

Previous Comments:

[2005-11-20 19:08:11] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

[2005-11-18 17:18:24] shulmanb at il dot ibm dot com

Done. Can be found at: http://news.php.net/php.internals/20164

[2005-11-16 18:18:33] [EMAIL PROTECTED]

And if it's still a problem, provide the patch in unified diff format.

[2005-11-16 16:07:01] shulmanb at il dot ibm dot com

Description:
When running on Linux with --enable-maintainer-zts (and yes, I know it's not wise...), crashes sometimes happen in ext/standard/php_string.h when using the php_mblen macro.

This happens because in ext/standard/basic_functions.c, in the basic_globals_ctor function, the value of mblen_state is not initialized. The basic_globals_ctor function should include the following lines as part of the initialization:

#if defined(_REENTRANT)&&defined(HAVE_MBRLEN)&&defined(HAVE_MBSTATE_T)
    memset(&BG(mblen_state), 0, sizeof(BG(mblen_state)));
#endif

Unfortunately, I am unable to include code that demonstrates this, as the crash strongly depends on the (random) value of mblen_state.

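
The initialization pattern discussed in bug #35243, as a stand-alone C example added to this archive page (it is not PHP source and not the reporter's patch). The names thread_globals, thread_globals_ctor, thread_globals_new and count_chars are hypothetical stand-ins for a heap-allocated per-thread globals block whose mbstate_t must be zeroed before mbrlen() reads it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical per-thread globals block carrying a multibyte conversion state. */
typedef struct {
    mbstate_t mblen_state;
} thread_globals;

/* Constructor: an all-zero mbstate_t is the initial conversion state. */
static void thread_globals_ctor(thread_globals *g)
{
    memset(&g->mblen_state, 0, sizeof(g->mblen_state));
}

/* malloc() returns indeterminate bytes, unlike zero-initialised static
 * storage, so the constructor must run before the state is ever used. */
static thread_globals *thread_globals_new(void)
{
    thread_globals *g = malloc(sizeof(*g));
    if (g != NULL)
        thread_globals_ctor(g);
    return g;
}

/* Count characters with mbrlen(); returns -1 on an invalid or truncated
 * sequence and resets the state, which is unusable after such an error. */
static long count_chars(thread_globals *g, const char *s)
{
    size_t left = strlen(s);
    long n = 0;

    while (left > 0) {
        size_t r = mbrlen(s, left, &g->mblen_state);
        if (r == (size_t)-1 || r == (size_t)-2) {
            memset(&g->mblen_state, 0, sizeof(g->mblen_state));
            return -1;
        }
        if (r == 0)
            break;
        s += r;
        left -= r;
        n++;
    }
    return n;
}

int main(void)
{
    thread_globals *g = thread_globals_new();
    if (g == NULL)
        return 1;
    printf("initial state: %d, chars: %ld\n",
           mbsinit(&g->mblen_state) != 0, count_chars(g, "offsetSet"));
    free(g);
    return 0;
}
```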