http://bugzilla.novell.com/show_bug.cgi?id=568667
http://bugzilla.novell.com/show_bug.cgi?id=568667#c2
Peter Poeml changed:

           What    |Removed           |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO          |NEW
   InfoProvider    |poeml@cmdline.net |
--- Comment #2 from Peter Poeml 2010-04-12 14:12:55 UTC ---
Unfortunately, the crash still occurs:
#0 0xb76d5d4f in zend_is_callable_ex (callable=0x0, object_ptr=0x0,
check_flags=8, callable_name=0xbfee6c58, callable_name_len=0xbfee6b78,
fcc=0xbfee6c40,
error=0xbfee6c54) at /usr/src/debug/php-5.3.2/Zend/zend_API.c:2695
2695 switch (Z_TYPE_P(callable)) {
(gdb) info locals
ret = <value optimized out>
callable_name_len_local = -1074893864
fcc_local = {initialized = 190 '?', function_handler = 0xb8410430,
calling_scope = 0x48e5c91a, called_scope = 0x133b2a0, object_ptr = 0xb833b2b8}
(gdb) bt
#0 0xb76d5d4f in zend_is_callable_ex (callable=0x0, object_ptr=0x0,
check_flags=8, callable_name=0xbfee6c58, callable_name_len=0xbfee6b78,
fcc=0xbfee6c40,
error=0xbfee6c54) at /usr/src/debug/php-5.3.2/Zend/zend_API.c:2695
#1 0xb76c5ce8 in zend_call_function (fci=0xbfee6c90, fci_cache=0xbfee6c40) at
/usr/src/debug/php-5.3.2/Zend/zend_execute_API.c:797
#2 0xb76c6f84 in call_user_function_ex (function_table=0xb81f9da8,
object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbfee6cf8, param_count=2,
params=0xb833bd78,
no_separation=1, symbol_table=0x0) at
/usr/src/debug/php-5.3.2/Zend/zend_execute_API.c:738
#3 0xb76c6ffb in call_user_function (function_table=0xb81f9da8, object_pp=0x0,
function_name=0x0, retval_ptr=0xb833b308, param_count=2, params=0xbfee6d60)
at /usr/src/debug/php-5.3.2/Zend/zend_execute_API.c:711
#4 0xb75ccaa3 in ps_call_handler (func=0x0, argc=2, argv=0xbfee6d60) at
/usr/src/debug/php-5.3.2/ext/session/mod_user.c:53
#5 0xb75ccf71 in ps_open_user (mod_data=0xb77d3e10, save_path=0xb8236e38
"/var/lib/php5", session_name=0xb833be98 "ampache")
at /usr/src/debug/php-5.3.2/ext/session/mod_user.c:93
#6 0xb75c852d in php_session_start () at
/usr/src/debug/php-5.3.2/ext/session/session.c:488
#7 0xb75c90c0 in zif_session_start (ht=0, return_value=0xb833b160,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at /usr/src/debug/php-5.3.2/ext/session/session.c:1860
#8 0xb7723b38 in zend_do_fcall_common_helper_SPEC (execute_data=0xb83901fc) at
/usr/src/debug/php-5.3.2/Zend/zend_vm_execute.h:313
#9 0xb76ffc46 in execute (op_array=0xb83e1dc8) at
/usr/src/debug/php-5.3.2/Zend/zend_vm_execute.h:104
#10 0xb76d04f6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at
/usr/src/debug/php-5.3.2/Zend/zend.c:1194
#11 0xb767591a in php_execute_script (primary_file=0xbfee91c0) at
/usr/src/debug/php-5.3.2/main/main.c:2260
#12 0xb775e93d in php_handler (r=0xb838b598) at
/usr/src/debug/php-5.3.2/sapi/apache2handler/sapi_apache2.c:655
#13 0xb7f637fd in ap_run_handler (r=0xb838b598) at config.c:158
#14 0xb7f6734f in ap_invoke_handler (r=0xb838b598) at config.c:372
#15 0xb7f74011 in ap_process_request (r=0xb838b598) at http_request.c:282
#16 0xb7f70b58 in ap_process_http_connection (c=0xb8366a18) at http_core.c:190
#17 0xb7f6bc2d in ap_run_process_connection (c=0xb8366a18) at connection.c:43
#18 0xb7f794d1 in child_main (child_num_arg=<value optimized out>) at
prefork.c:662
#19 0xb7f79813 in make_child (s=<value optimized out>, slot=4) at prefork.c:758
#20 0xb7f7a132 in ap_mpm_run (_pconf=0xb7f910a8, plog=0xb7fbf160, s=0xb7f92fa0)
at prefork.c:776
#21 0xb7f4e051 in main (argc=-1208422240, argv=0xbfee96f4) at main.c:740
I looked at the ampache source code and the crash happens when ampache calls
session_start(). Ampache uses a function that autoloads its classes, and classes
can have an _auto_init() function that is called once the class is loaded. This
is done in /srv/www/ampache/lib/general.lib.php. For some reason, the
_auto_init() function of the class in
/srv/www/ampache/lib/class/vauth.class.php is not called as it should be. The
following line of code is therefore never executed:
session_set_save_handler(array('vauth','open'),array('vauth','close'),array('vauth','read'),array('vauth','write'),array('vauth','destroy'),array('vauth','gc'));
When I put the line somewhere else (at the beginning of the class file, so it
is actually executed), the user-defined session handling functions are correctly
mapped and the crash doesn't occur anymore.
Not sure if this bug is in the ampache autoloader code, or somewhere else.
Anyway, PHP shouldn't crash. The functions that handle user-defined functions
should not crash when called with empty arguments. I suppose this is easy to
catch by adding a check for a null pointer, and erroring out if needed, e.g.
here:
#1 0xb76c5ce8 in zend_call_function (fci=0xbfee6c90, fci_cache=0xbfee6c40) at
/usr/src/debug/php-5.3.2/Zend/zend_execute_API.c:797
797 if (!zend_is_callable_ex(fci->function_name, fci->object_ptr,
IS_CALLABLE_CHECK_SILENT, &callable_name, NULL, fci_cache, &error TSRMLS_CC)) {
(gdb) l
792
793 if (!fci_cache) {
794 fci_cache = &fci_cache_local;
795 }
796
797 if (!zend_is_callable_ex(fci->function_name, fci->object_ptr,
IS_CALLABLE_CHECK_SILENT, &callable_name, NULL, fci_cache, &error TSRMLS_CC)) {
798 if (error) {
799 zend_error(E_WARNING, "Invalid callback %s, %s",
callable_name, error);
800 efree(error);
801 }
(gdb) info locals
fci_cache_local = {initialized = 0 '\0', function_handler = 0x0, calling_scope
= 0x0, called_scope = 0x0, object_ptr = 0x0}
callable_name = <value optimized out>
error = 0x0
i = <value optimized out>
original_return_value = <value optimized out>
calling_symbol_table = <value optimized out>
original_op_array = <value optimized out>
original_opline_ptr = <value optimized out>
current_scope = <value optimized out>
current_called_scope = <value optimized out>
calling_scope = <value optimized out>
called_scope = <value optimized out>
current_this = <value optimized out>
execute_data = {opline = 0x0, function_state = {function = 0xb825a0a0,
arguments = 0xb839036c}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object
= 0x0,
Ts = 0xb8390268, CVs = 0xb8390248, symbol_table = 0x0, prev_execute_data =
0xb838f570, old_error_reporting = 0x0, nested = 1 '\001', original_return_value
= 0x0,
current_scope = 0xb83628f4, current_called_scope = 0xb83628f4, current_this =
0x0, current_object = 0x0, call_opline = 0xb83dc288}
The code should probably check fci->object_ptr for being NULL before calling
zend_is_callable_ex(), and leave processing via zend_error() if it is.
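As an added illustration (constructed for this page, not Zend's code and not part of the report), the following C model reduces frames #0 to #5 of the trace to hypothetical stand-ins with the same names and places the proposed NULL check in front of the dereference, so a session_start() with no registered handler produces a warning and a FAILURE return instead of a segfault.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-in for PHP 5.3's zend_fcall_info (hypothetical
 * field set, not Zend's real struct): just the two pointers that frame #0 of
 * the trace shows as 0x0. */
typedef struct {
    const char *function_name; /* NULL when no callback was ever registered */
    const char *object_ptr;    /* NULL is legitimate for plain function callbacks */
} fcall_info_t;

#define SUCCESS 0
#define FAILURE (-1)

/* Stand-in for zend_is_callable_ex(): like the real one at zend_API.c:2695 it
 * dereferences the callable unconditionally, so reaching it with NULL faults. */
static int is_callable_ex(const char *callable)
{
    return callable[0] != '\0';
}

/* Guarded stand-in for zend_call_function(): the NULL check the report asks for,
 * placed before the dereference; warns and fails instead of killing the worker. */
static int call_function_guarded(const fcall_info_t *fci, int *warned)
{
    if (fci == NULL || fci->function_name == NULL) {
        if (warned) (*warned)++;
        fprintf(stderr, "Warning: callback is NULL, refusing to call it\n");
        return FAILURE;
    }
    return is_callable_ex(fci->function_name) ? SUCCESS : FAILURE;
}

/* Models ps_open_user() -> ps_call_handler(): open_handler is NULL exactly when
 * session_set_save_handler() never ran before session_start(), which is what
 * the skipped vauth::_auto_init() produced in the report. */
static int ps_open_user_model(const char *open_handler, int *warned)
{
    fcall_info_t fci = { open_handler, "vauth" };
    return call_function_guarded(&fci, warned);
}

int main(void)
{
    int warned = 0;
    int rc_missing = ps_open_user_model(NULL, &warned);   /* handler never registered */
    int rc_present = ps_open_user_model("open", &warned); /* registered, as after the fix */
    printf("missing: rc=%d warnings=%d; registered: rc=%d\n", rc_missing, warned, rc_present);
    return 0;
}
```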